
    I can't even

    • scottalanmiller

      Network drive loaded onto a Cisco router. Um... https://community.spiceworks.com/topic/2084210-need-help-with-network-storage-encryption

      • scottalanmiller

        This guy doesn't seem to know what a NAS is, a router, BitLocker or encryption.

        • Reid Cooper @scottalanmiller

          @scottalanmiller said in I can't even:

          Network drive loaded onto a Cisco router. Um... https://community.spiceworks.com/topic/2084210-need-help-with-network-storage-encryption

          So he encrypted a drive and is surprised that it is encrypted?

          • DustinB3403 @JaredBusch

            @jaredbusch said in I can't even:

            @DustinB3403 here is my home ERL.

            The part that is going over with Unencrypted PAP is testuser/Testing!123.
            But it is going over the Existing IPSEC tunnel that was set up with the PSK.

            jbusch@jared:~$ show configuration commands vpn | grep l2tp
            set vpn l2tp remote-access authentication local-users username testuser password 'Testing!123'
            set vpn l2tp remote-access authentication mode local
            set vpn l2tp remote-access client-ip-pool start 10.254.203.2
            set vpn l2tp remote-access client-ip-pool stop 10.254.203.10
            set vpn l2tp remote-access dhcp-interface eth0
            set vpn l2tp remote-access dns-servers server-1 8.8.8.8
            set vpn l2tp remote-access dns-servers server-2 8.8.4.4
            set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
            set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret NOTGONNATELLYOU
            set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
            set vpn l2tp remote-access mtu 1492
            

            So without the "Require encryption" the preshared key is sent in plain text?

            • JaredBusch @DustinB3403

              @dustinb3403 said in I can't even:

              @jaredbusch said in I can't even:

              @DustinB3403 here is my home ERL.

              The part that is going over with Unencrypted PAP is testuser/Testing!123.
              But it is going over the Existing IPSEC tunnel that was set up with the PSK.

              jbusch@jared:~$ show configuration commands vpn | grep l2tp
              set vpn l2tp remote-access authentication local-users username testuser password 'Testing!123'
              set vpn l2tp remote-access authentication mode local
              set vpn l2tp remote-access client-ip-pool start 10.254.203.2
              set vpn l2tp remote-access client-ip-pool stop 10.254.203.10
              set vpn l2tp remote-access dhcp-interface eth0
              set vpn l2tp remote-access dns-servers server-1 8.8.8.8
              set vpn l2tp remote-access dns-servers server-2 8.8.4.4
              set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
              set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret NOTGONNATELLYOU
              set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
              set vpn l2tp remote-access mtu 1492
              

              So without the "Require encryption" the preshared key is sent in plain text?

              I do not know enough about the protocols to definitively answer that, but the entire IPSEC protocol does not use the PSK until phase 2. Phase 2 is encrypted with the exchanges sent in phase 1.

              The preshared key used in your example and mine is an IPSEC bit, not an L2TP bit.

              • DustinB3403 @JaredBusch

                @jaredbusch said in I can't even:

                @dustinb3403 said in I can't even:

                @jaredbusch said in I can't even:

                @DustinB3403 here is my home ERL.

                The part that is going over with Unencrypted PAP is testuser/Testing!123.
                But it is going over the Existing IPSEC tunnel that was set up with the PSK.

                jbusch@jared:~$ show configuration commands vpn | grep l2tp
                set vpn l2tp remote-access authentication local-users username testuser password 'Testing!123'
                set vpn l2tp remote-access authentication mode local
                set vpn l2tp remote-access client-ip-pool start 10.254.203.2
                set vpn l2tp remote-access client-ip-pool stop 10.254.203.10
                set vpn l2tp remote-access dhcp-interface eth0
                set vpn l2tp remote-access dns-servers server-1 8.8.8.8
                set vpn l2tp remote-access dns-servers server-2 8.8.4.4
                set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
                set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret NOTGONNATELLYOU
                set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
                set vpn l2tp remote-access mtu 1492
                

                So without the "Require encryption" the preshared key is sent in plain text?

                I do not know enough about the protocols to definitively answer that, but the entire IPSEC protocol does not use the PSK until phase 2. Phase 2 is encrypted with the exchanges sent in phase 1.

                The preshared key used in your example and mine is an IPSEC bit, not an L2TP bit.

                So then it shouldn't matter, "Require encryption" or Optional or Minimal should do nothing to add / improve the encryption since IPSEC is doing all of it.

                Does anyone know the protocols well enough to explain this? Why is "Require encryption" recommended, when it doesn't follow/appear to follow the standard and actively reports an error if you attempt to set this up via PowerShell?

                • JaredBusch

                  In Fedora 25 + Cinnamon, it looks like this by default.

                  [three screenshots]

                  • DustinB3403 @JaredBusch

                    @jaredbusch said in I can't even:

                    In Fedora 25 + Cinnamon, it looks like this by default.

                    [three screenshots]

                    And as expected nothing there for PAP is offering "Require encryption". I wonder if it's just weirdness or if there is some bug that without "encryption" information is passed in plain text. . . (somehow. . . )

                    • Obsolesce @JaredBusch

                      @jaredbusch said in I can't even:

                      In Fedora 25 + Cinnamon, it looks like this by default.

                      [screenshot]

                      I wouldn't use any of those authentication protocols except MSCHAPv2... uncheck the rest of them.

                      • DustinB3403 @Obsolesce

                        @tim_g said in I can't even:

                        I wouldn't use any of those authentication protocols except MSCHAPv2... uncheck the rest of them.

                        He is just showing the options on Fedora, as I'm trying to figure out a weird setting recommendation by Cisco to "require encryption" when using PAP and IPSEC.

                        It's several posts above this. . . might be worth its own topic.

                        • DustinB3403 @JaredBusch

                          @jaredbusch said in I can't even:

                          @DustinB3403 here is my home ERL.

                          The part that is going over with Unencrypted PAP is testuser/Testing!123.
                          But it is going over the Existing IPSEC tunnel that was set up with the PSK.

                          jbusch@jared:~$ show configuration commands vpn | grep l2tp
                          set vpn l2tp remote-access authentication local-users username testuser password 'Testing!123'
                          set vpn l2tp remote-access authentication mode local
                          set vpn l2tp remote-access client-ip-pool start 10.254.203.2
                          set vpn l2tp remote-access client-ip-pool stop 10.254.203.10
                          set vpn l2tp remote-access dhcp-interface eth0
                          set vpn l2tp remote-access dns-servers server-1 8.8.8.8
                          set vpn l2tp remote-access dns-servers server-2 8.8.4.4
                          set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
                          set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret NOTGONNATELLYOU
                          set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
                          set vpn l2tp remote-access mtu 1492
                          

                          So with regards to this bit: "The part that is going over with Unencrypted PAP is testuser/Testing!123." I wonder if requiring encryption is actually encrypting the username and password.

                          But how, how does it work?

                          • Obsolesce @DustinB3403

                            @dustinb3403 said in I can't even:

                            I wonder if requiring encryption is actually encrypting the username and password.

                            The username/password being encrypted depends on the authentication method. If using PAP, they are sent in clear text, for example.

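Added example (editorial, not part of any post in the thread): what "depends on the authentication method" means at the PPP layer. It builds and decodes a PAP Authenticate-Request (RFC 1334) and a CHAP Response (RFC 1994); the function names and sample frames are constructed for illustration, and the credentials are the test account shown in the config above.

```python
import struct

PPP_PAP, PPP_CHAP = 0xC023, 0xC223   # PPP protocol numbers (RFC 1334 / RFC 1994)

def _frame(proto, code, ident, body):
    # Protocol (2) | Code (1) | Identifier (1) | Length (2, counted from Code) | data
    return struct.pack("!HBBH", proto, code, ident, 4 + len(body)) + body

def build_pap_request(ident, user, password):
    """PAP Authenticate-Request (code 1): length-prefixed Peer-ID and Password."""
    return _frame(PPP_PAP, 1, ident,
                  bytes([len(user)]) + user + bytes([len(password)]) + password)

def build_chap_response(ident, value, name):
    """CHAP Response (code 2): length-prefixed Value (a hash), then Name."""
    return _frame(PPP_CHAP, 2, ident, bytes([len(value)]) + value + name)

def inspect_ppp_auth(frame):
    """Describe what one PPP authentication frame exposes to anyone who can read it."""
    if frame[:2] == b"\xff\x03":          # optional HDLC address/control bytes
        frame = frame[2:]
    if len(frame) < 6:
        raise ValueError("truncated PPP frame")
    proto, code, _ident, length = struct.unpack("!HBBH", frame[:6])
    if length < 4 or length > len(frame) - 2:
        raise ValueError("length field does not match frame")
    data = frame[6:2 + length]
    if proto == PPP_PAP and code == 1:
        if len(data) < 2 or len(data) < 2 + data[0]:
            raise ValueError("malformed PAP request")
        ulen = data[0]
        plen = data[1 + ulen]
        if len(data) < 2 + ulen + plen:
            raise ValueError("malformed PAP request")
        return {"protocol": "PAP", "cleartext_password": True,
                "user": data[1:1 + ulen].decode("utf-8", "replace"),
                "password": data[2 + ulen:2 + ulen + plen].decode("utf-8", "replace")}
    if proto == PPP_CHAP and code == 2:
        if not data or len(data) < 1 + data[0]:
            raise ValueError("malformed CHAP response")
        return {"protocol": "CHAP", "cleartext_password": False,
                "name": data[1 + data[0]:].decode("utf-8", "replace"),
                "value_len": data[0]}
    return {"protocol": hex(proto), "cleartext_password": None}

# Constructed sample frames: credentials are the test account from the thread;
# the CHAP value is a placeholder, not a real hash.
PAP_FRAME = build_pap_request(1, b"testuser", b"Testing!123")
CHAP_FRAME = build_chap_response(1, bytes(range(16)), b"testuser")

if __name__ == "__main__":
    for f in (PAP_FRAME, CHAP_FRAME):
        print(inspect_ppp_auth(f))
```

The PAP frame contains the password as literal bytes, so with PAP the only confidentiality comes from whatever carries the PPP frame, which in the config above is the IPsec tunnel.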
                            • DustinB3403 @Obsolesce

                              @tim_g said in I can't even:

                              @dustinb3403 said in I can't even:

                              I wonder if requiring encryption is actually encrypting the username and password.

                              The username/password being encrypted depends on the authentication method. If using PAP, they are sent in clear text, for example.

                              That is my point of contention, Cisco recommends "requiring encryption" when using PAP, yet it doesn't matter.

                              So why bother with a recommendation that clearly doesn't work? Is it just to provide the warm and fuzzies?

                              • scottalanmiller @DustinB3403

                                @dustinb3403 said in I can't even:

                                So why bother with a recommendation that clearly doesn't work? Is it just to provide the warm and fuzzies?

                                Reasonably likely.

                                • DustinB3403 @scottalanmiller

                                  @scottalanmiller said in I can't even:

                                  @dustinb3403 said in I can't even:

                                  So why bother with a recommendation that clearly doesn't work? Is it just to provide the warm and fuzzies?

                                  Reasonably likely.

                                  Is that in any way reasonable to you as a professional?

                                  • scottalanmiller @DustinB3403

                                    @dustinb3403 said in I can't even:

                                    @scottalanmiller said in I can't even:

                                    @dustinb3403 said in I can't even:

                                    So why bother with a recommendation that clearly doesn't work? Is it just to provide the warm and fuzzies?

                                    Reasonably likely.

                                    Is that in any way reasonable to you as a professional?

                                    No, but neither is choosing Cisco 😉

                                    • DustinB3403 @scottalanmiller

                                      @scottalanmiller said in I can't even:

                                      @dustinb3403 said in I can't even:

                                      @scottalanmiller said in I can't even:

                                      @dustinb3403 said in I can't even:

                                      So why bother with a recommendation that clearly doesn't work? Is it just to provide the warm and fuzzies?

                                      Reasonably likely.

                                      Is that in any way reasonable to you as a professional?

                                      No, but neither is choosing Cisco 😉

                                      Touché.

                                      • scottalanmiller

                                        That's mostly tongue in cheek, but only mostly.

                                        • bigbear @scottalanmiller

                                          @scottalanmiller said in I can't even:

                                          That's mostly tongue in cheek, but only mostly.

                                          Cisco wasn't his choice, nor Meraki...

                                          I gotta get back to my desktop and read closer. I did see your point though originally. And is it only recommends to use PAP?

                                          • bigbear @Obsolesce

                                            @tim_g said in I can't even:

                                            @dustinb3403 said in I can't even:

                                            I wonder if requiring encryption is actually encrypting the username and password.

                                            The username/password being encrypted depends on the authentication method. If using PAP, they are sent in clear text, for example.

                                            Yeah he's got that. When you click on his link search the page for PAP and read the boxes comment. That's what we are mulling over.
