Cisco VPN & OP?
Hi
I need to use Cisco VPN (version 3.5.1). My personal firewall of choice is OP. How do I make them both work together? Should I allow RAWSOCKET and the ESP protocol, something more, or something less?
Thanks for any information,
B.
Hi Brok and welcome. I don't have a clue. Maybe someone will show up that has a setup like yours and can help.
Can you get some help from Cisco as to what needs to be allowed? Sometimes you can get help that way.
BTW you can always experiment with the rules and see what happens. If you come up with something that works, run some scans and see if you still seem stealthed.
I have Cisco VPN software, but I'm not sure which version. Whichever one came right before they started packaging Zone Alarm in it. Anyway, I believe all I did was set up the address of the VPN server (wherever you're connecting) as a trusted host. Then, all traffic to and from that location is allowed, including any utilities pointing there (like Cisco VPN).
I believe I had all kinds of problems getting it to work until I did this, so if this isn't acceptable to you (security-wise) then, sorry, I can't help further. I'd be interested to know, however, if anyone has found another way to make it work.
OK, here are some more details:
operating system: Windows 2000 SP2 + current hotfixes
software installed:
- Cisco VPN client ver 3.5.1 (driver version 3.5.1 E)
- Outpost Firewall (version 1.0.1511.1038)
OP configuration:
1 - ESP protocol is enabled (Options > System > Settings > Add ... "Where the protocol is IP and type is ESP Allow it" ) .
2 - CVPND (Cisco VPN service) has full access to network (Options > Application > Add "c:\program files\cisco systems\vpn client\cvpnd.exe" ... Always trust this app)
network configuration: nothing fancy. NIC is 3Com 905B-TX; services bound to it are: Deterministic Network Enhancer (i.e. the Cisco VPN driver), Internet Protocol (DHCP). Client for MS Networks is NOT bound, nor is File and Printer Sharing.
Problem: after the VPN connection is established, the virtual route cannot be secured unless I stop the firewall for a while. Exactly what happens: after the connection is established, my client receives from the router the configuration of the VPN route (e.g. 10.0.0.0 mask 255.255.255.0). This route remains non-secured until the first packet is passed through it. The problem is that, while OP is running, packets are discarded by CVPND. The workaround I have found is: stop the OP service, wait a few seconds, ping a computer on the other side of the VPN route. While OP is _not_ running, packets are not discarded by CVPND. At this moment the route becomes secure (i.e. a Security Association is created for the virtual route). After the route is secured I can start OP. The VPN connection will now work fine. What is really disturbing here is that I have to stop OP to establish the SA, because CVPND for some reason "does not trust" packets that came through the firewall to establish the Security Association (as stated in the CVPND documentation: "VPN Client rejected [these packets] because they did not come from the secure VPN device gateway."). OP does not block any packets; its configuration seems good enough. I tried releasing its configuration to virtually "no firewall" (system configuration, trusted networks), with no success.
Can anybody help with this? TIA
B.
Maybe I'm missing something here, but to me it looks like you need to get the address of the VPN server in Outpost's trusted zone.
You didn't say if you had the free or pro version, but you need the pro.
I'm evaluating the Pro version.
I put my VPN server in trusted addresses - still nothing. I also edited the global rules to allow almost all packets (I created the following rules at the top: allow unknown protocols, allow all IP protocols, allow all UDP) - it did not help :( .
But there is something that helps :)
1 - unbind Deterministic Network Enhancer in NIC properties (the DNE driver installed by the Cisco VPN Client, required by CVPNDRV)
2 - restart computer
3 - make sure OutpostFirewall service is running
4 - bind Deterministic Network Enhancer in NIC configuration
Now I can dial the VPN, everything works... it seems that DNE has to be bound to the NIC _after_ the OP service is started. Now I'm seeking a way to reconfigure service dependencies in the registry to force this.
I seem to remember something about the GRE protocol and VPN. You might do a search on that in the forum and see what comes up. You can allow gre in the system rules.
GRE is already allowed ... this rule is ready "out of the box", I just turned it on. The problem is definitely not in the rules - I already allowed almost everything (unknown protocols; all IP protocols, including GRE and anything else; all UDP; and the VPN server is in trusted IPs) and the problem is still there. The only way I've found so far is to start OutpostFirewall before DNE (the driver bound to the NIC by the Cisco VPN client) is started. Unfortunately, DNE is a kernel driver bound to the network adapter, and it's not easy to force something before it.
Sorry for my poor English ;)
B.
Petersen
05-08-2002, 05:50 AM
Be aware that attack detection logs will be empty once the Cisco VPN client is installed! At least, this was my experience some time ago, and I had a really hard time finding out the cause of those empty logs...
If someone gets different results (attack detection fully working), please tell us/me.
Regards
Petersen
Petersen, thanks for the hint! It appears that the Attack Detection plug-in is responsible for the problem! I turned it off (started, but not enabled) and the problem is gone!
When it's turned on, at the very moment when the virtual route is about to be secured, attack detection logs the attack "My address" (yes, a very strange type of attack ... the remote address is my own IP!). Of course, the virtual route cannot be secured, and the VPN does not work. If you disable the "Attack Detection" plug-in, everything works just fine :D
Now I wonder if there is any chance to have the Attack Detection plug-in working together with the VPN :confused:
Do you have the address that is showing in the attack detection log in the Trusted Zone?
Yes, it is MY OWN address :confused: See below (copied from the log):
2002-05-10 18:13:26 My address 62.179.7.117
My IP is 62.179.7.117. I do not understand - CVPND is attacking my computer?
Another thing: putting my IP in the trusted zone does not help. The only option (so far) is to disable attack detection.
Brok, the entries in the attack detection log are caused by many things. Depending on the settings of T3 and T4 in the protect.lst file, you may be getting connection requests initiated after the connection was supposed to be terminated.
There are several threads about Agnitum attacking users, and numerous connection attempts that should not be there.
Anyway, it just occurred to me, if you are having problems, attack detection has nothing to do with it. If you try to surf and can't, check your blocked log and see what's there.
I have read about some hardware devices broadcasting to Outpost and changing some of the settings on the hardware fixed the problem.
Also, just to make sure I'm not assuming something I shouldn't, you have the pro version and you have the IP of the VPN in the options>policy>trusted zone, right? If you do and the IP shows up blocked, something's wrong.
Thanks :) I can surf, I can use email ... I pretty much know how to use firewalls, and I do not have "mysterious attacks" from port UDP 53 of my DNS server, or from TCP 20 of the FTP server ;)
File protect.lst is as it was when I installed Outpost; I did not modify it. Values are T3=6000; T4=3000; T7=128 (maybe I should make it smaller?) T8=50; T9=30.
About blocked packets: none logged. I do not have blocked packets (well, not in this case; I have some blocked attempts to port 80 of various sites made by MSIMN.EXE, it's a side effect of receiving ads in emails). CVPND.EXE has all necessary rights, and this program is the owner of all packets sent/received by the VPN. I even tried to put all IPs (*.*.*.*) in the trusted zone, but the problem is still there: VPN cannot secure the virtual route; attack detection is logging the "My address" event; nothing is blocked :|
but the problem is still there: VPN cannot secure virtual route;
Ok, I guess I don't know what this means then. Give me as much info as you can on what should be happening and is not.
You don't have to write a book. :) Just a brief description will do.
Installing the debug plugin would help, but I cannot find it on this site :( . Or a debug version of OP? Where can I get it from, and - first of all - what tool would be better to find "what's up"? I'd like to record some more info ... the only thing OP is showing right now is the "My address" attack.
http://www.agnitum.com/download/OutpostDebugInstall.exe
Here ya go. Let's give it a try. ;)
Thanks. I have some more info. When I ping the other side of the VPN channel, and the VPN route is about to be secured, the following events are logged in packet.log:
1. pinging other side of (not yet secured) virtual route
13:30:35 7: Send 62.179.7.117 (~) -> 10.0.8.7 ICMP 8/0 60 bytes allowed by FFFFFFF9 [00-10-EE-88-89-54 -> 00-03-6C-4A-A4-A8]
2. rejected packet :(
13:30:35 7: Receive 62.179.7.117:0 (~) -> 127.0.0.1:62515 (~) UDP 320 bytes allowed by 26E rejected by plugin 15 (0) [00-03-6C-4A-A4-A8 -> 00-10-EE-88-89-54]
In firewall.log is logged following:
13:30:35 7: Receive 62.179.7.117:0 (~) -> 127.0.0.1:62515 (~) UDP 320 bytes allowed by 26E rejected by plugin 15 (0)
In protect.log is logged following:
13:30:35 MY ADDRESS detected from 62.179.7.117 (~)
... and virtual route cannot be secured. Rule 26E (from stat.log) is:
CVPND:*<>0/0:* UDP allow [255] 0000026E
CVPND:*<>0/0:* TCP allow [255] 0000026E
i.e. "Allow activity for application CVPND.EXE"; it seems to work OK, as the packet is being allowed by this rule. The packet is rejected by the attack protection plugin :( Its configuration is (from protect.log):
13:27:57 Protect cfg: 65535,6,600,6000,3000,100,10,128,50,30,600,6000,5
I recorded the rejected packet (using the NETMON tool); its header is:
ETHERNET: Destination address : 0010EE888954
ETHERNET: Source address : 00036C4AA4A8
ETHERNET: Ethernet Type : 0x0800 (IP: DOD Internet Protocol)
ETHERNET: Ethernet Data: Number of data bytes remaining = 320 (0x0140)
Frame contents are:
I believe that because this packet is rejected, CVPND doesn't receive some required information from its driver (or vice versa), and the result is that the route cannot be secured.
If I disable attack protection, the following conversation takes place:
1. pinging other side of (not yet secured) VPN route
13:33:56 7: Send 62.179.7.117 (~) -> 192.168.3.9 ICMP 8/0 60 bytes allowed by FFFFFFF9 [00-10-EE-88-89-54 -> 00-03-6C-4A-A4-A8]
2. critical packet is being exchanged between CVPND service and its driver
13:33:56 7: Receive 62.179.7.117:0 (~) -> 127.0.0.1:62515 (~) UDP 320 bytes allowed by 26E [00-03-6C-4A-A4-A8 -> 00-10-EE-88-89-54]
3. CVPND service is establishing a secured route between my computer and the VPN server
13:33:56 7: Send 62.179.7.117:500 (~) -> 194.xxx.xxx.xxx:500 UDP 824 bytes allowed by 26E [00-10-EE-88-89-54 -> 00-03-6C-4A-A4-A8]
13:33:56 31: Send 62.179.7.117:500 (~) -> 194.xxx.xxx.xxx:500 UDP 824 bytes allowed by 26E [00-10-EE-88-89-54 -> 00-03-6C-4A-A4-A8]
13:33:56 31: Receive 194.xxx.xxx.xxx:500 -> 62.179.7.117:500 (~) UDP 224 bytes allowed by 26E [00-03-6C-4A-A4-8C -> 00-10-EE-88-89-54]
13:33:56 7: Receive 194.xxx.xxx.xxx:500 -> 62.179.7.117:500 (~) UDP 224 bytes allowed by 26E [00-03-6C-4A-A4-8C -> 00-10-EE-88-89-54]
13:33:56 7: Send 62.179.7.117:500 (~) -> 194.xxx.xxx.xxx:500 UDP 80 bytes allowed by 26E [00-10-EE-88-89-54 -> 00-03-6C-4A-A4-A8]
13:33:56 31: Send 62.179.7.117:500 (~) -> 194.xxx.xxx.xxx:500 UDP 80 bytes allowed by 26E [00-10-EE-88-89-54 -> 00-03-6C-4A-A4-A8]
4. ping again other side of (already secured) VPN route
13:33:57 7: Send 62.179.7.117 (~) -> 192.168.3.9 ICMP 8/0 60 bytes allowed by FFFFFFF9 [00-10-EE-88-89-54 -> 00-03-6C-4A-A4-A8]
5. packet is being encapsulated in the IPSec protocol and sent to the VPN server
13:33:57 31: Send 62.179.7.117 (~) -> 194.xxx.xxx.xxx Unknown 50 112 bytes allowed by 276 [00-10-EE-88-89-54 -> 00-03-6C-4A-A4-A8]
6. I received reply from VPN server!
13:33:57 31: Receive 194.xxx.xxx.xxx -> 62.179.7.117 (~) Unknown 50 112 bytes allowed by 276 [00-03-6C-4A-A4-8C -> 00-10-EE-88-89-54]
7. unpack reply from IPSec packet ... it's ICMP reply, everything works!
13:33:57 7: Receive 192.168.3.9 -> 62.179.7.117 (~) ICMP 0/0 60 bytes allowed by FFFFFFF9 [00-03-6C-4A-A4-8C -> 00-10-EE-88-89-54]
Rule 276 (from stat.log) is:
0/0:50<>0/0:50 IP allow [11] 00000276
i.e. "Where the protocol is IP and type is ESP Allow it" - it works OK, as you can see above.
Maybe this problem cannot be solved on this forum, and I should send debug logs to outpostbugs@agnitum.com?
Thanks for your help, again :D
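An added example, not code from this thread or from Agnitum or Cisco: a small parser for the packet.log / firewall.log line shape quoted above, with two checks that mirror what the post inspects. The first finds packets that a rule allowed but a plugin then rejected and whose source is the host's own address (the "My address" pattern); the second checks whether an IKE reply on UDP 500 was followed by ESP (IP protocol 50, which Outpost prints as "Unknown 50"), i.e. whether the SA was negotiated. The sample lines are copied from the two traces in the post; the field names and helper functions are my own.

```python
import re
from collections import namedtuple

# Outpost packet.log line as quoted in the post: time, adapter index, Send|Receive,
# src[:port] (~)?, dst[:port] (~)?, proto, size, allowing rule, optional plugin verdict.
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) \d+: (?P<dir>Send|Receive) "
    r"(?P<src>\S+)(?: \(~\))? -> (?P<dst>\S+)(?: \(~\))? "
    r"(?P<proto>.+?) (?P<size>\d+) bytes allowed by (?P<rule>[0-9A-Fa-f]+)"
    r"(?: rejected by plugin (?P<plugin>\d+))?")

# rejected_by_plugin is None when only the rule verdict applied.
Entry = namedtuple("Entry", "time direction src_ip src_port dst_ip dst_port proto size rule rejected_by_plugin")

def _split(addr):
    ip, _, port = addr.partition(":")
    return ip, (int(port) if port else None)

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src_ip, src_port = _split(m["src"])
    dst_ip, dst_port = _split(m["dst"])
    return Entry(m["time"], m["dir"], src_ip, src_port, dst_ip, dst_port, m["proto"],
                 int(m["size"]), m["rule"].upper(), int(m["plugin"]) if m["plugin"] else None)

def plugin_overrides(lines, own_ip):
    """Entries a rule allowed but a plugin then rejected, with the host's own
    address as source: the 'My address' pattern from the post."""
    return [e for e in map(parse_line, lines)
            if e and e.rejected_by_plugin is not None and e.src_ip == own_ip]

def sa_negotiated(lines):
    """True when an IKE reply (UDP to port 500 received) is followed by ESP
    traffic (IP protocol 50, which Outpost prints as 'Unknown 50')."""
    ike_reply_seen = False
    for e in filter(None, map(parse_line, lines)):
        if e.direction == "Receive" and e.proto == "UDP" and e.dst_port == 500:
            ike_reply_seen = True
        elif ike_reply_seen and e.proto in ("Unknown 50", "ESP"):
            return True
    return False

# Lines copied from the two traces in the post (failing run first, working run second).
FAILING = ["13:30:35 7: Send 62.179.7.117 (~) -> 10.0.8.7 ICMP 8/0 60 bytes allowed by FFFFFFF9 [00-10-EE-88-89-54 -> 00-03-6C-4A-A4-A8]",
           "13:30:35 7: Receive 62.179.7.117:0 (~) -> 127.0.0.1:62515 (~) UDP 320 bytes allowed by 26E rejected by plugin 15 (0) [00-03-6C-4A-A4-A8 -> 00-10-EE-88-89-54]"]
WORKING = ["13:33:56 7: Receive 62.179.7.117:0 (~) -> 127.0.0.1:62515 (~) UDP 320 bytes allowed by 26E [00-03-6C-4A-A4-A8 -> 00-10-EE-88-89-54]",
           "13:33:56 7: Send 62.179.7.117:500 (~) -> 194.xxx.xxx.xxx:500 UDP 824 bytes allowed by 26E [00-10-EE-88-89-54 -> 00-03-6C-4A-A4-A8]",
           "13:33:56 7: Receive 194.xxx.xxx.xxx:500 -> 62.179.7.117:500 (~) UDP 224 bytes allowed by 26E [00-03-6C-4A-A4-8C -> 00-10-EE-88-89-54]",
           "13:33:57 31: Send 62.179.7.117 (~) -> 194.xxx.xxx.xxx Unknown 50 112 bytes allowed by 276 [00-10-EE-88-89-54 -> 00-03-6C-4A-A4-A8]"]
```

Running plugin_overrides over a full packet.log with your own address isolates the loopback packet the Attack Detection plug-in drops, and sa_negotiated over the same log tells you whether the IKE exchange ever reached the ESP stage.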
Please do. It's out of my league. :confused:
Danil
05-13-2002, 11:02 AM
Everybody who has this problem please install Debug plug-in and send logs to outpost@agnitum.com
See instructions here (http://www.outpostfirewall.com/forum/showthread.php?threadid=980)
This solution actually came to me in May from Agnitum support. It works great:
Set T1 = 65503 in protect.lst file in Outpost install folder.
Reboot. Reply if error remains.
B.
MegaHertz
08-13-2002, 07:48 AM
I use a Nortel VPN at work, and one thing that I had to do to get everything working was make a global rule allowing the AH (authentication header) protocol. Not sure if that will help on the Cisco VPN or not, but until I added it the only way I could run OP was in disabled or allow most modes. After that I can use all modes and everything works just like it is supposed to.
argoo
02-11-2003, 05:42 AM
Brok,
I attempted the T1 setting as you described with no change. Do you have any other suggestions?
SanderG
09-29-2003, 03:36 AM
I tried getting it to work in 2.0 but haven't been successful yet, following the recommendations in this thread (adding the host subnet to the trusted zone; running in "allow most" mode; stopping the Attack Detection plugin). Even "exit and shutdown Outpost" does not work.
After launching the VPN client all Internet traffic stops until the computer is rebooted. I blame vsdatant.sys which comes with the VPN client - a ZoneLabs stateful filter that, even when disabled, conflicts with OP. I will eventually have to switch to other firewalls that seem to work (Sygate, Norton, ZA Plus 4.x) :boo:
watcher
12-26-2003, 12:23 PM
Sorry this is 7 months late, but:
I have Cisco VPN (version 3.5.1) running with OP Pro 2.0 on Win 98 using TCP split tunnel connect as of today.
I'm not entirely comfortable with the blanket enable allowed to the VPN but this is what allowed it to work:
Add a "Global System Rule" of
"where the remote host is <vpn host IP>"
"ALLOW IT"
That's it.