I can't even
-
"Despite the name "Unencrypted PAP", the client's password is sent encrypted over an IPsec tunnel between the client device and the MX. The password is fully secure and never sent in clear text over either the WAN or the LAN."
Um... how come you'd have someone manually change the settings to something obviously broken?
-
@dustinb3403 said in I can't even:
"Despite the name "Unencrypted PAP", the client's password is sent encrypted over an IPsec tunnel between the client device and the MX. The password is fully secure and never sent in clear text over either the WAN or the LAN."
Um... how?
Because...
Everything is a VPN = Unencrypted PAP is a VPN = Is Encrypted
-
@bigbear said in I can't even:
@dustinb3403 said in I can't even:
"Despite the name "Unencrypted PAP", the client's password is sent encrypted over an IPsec tunnel between the client device and the MX. The password is fully secure and never sent in clear text over either the WAN or the LAN."
Um... how?
Because...
Everything is a VPN = Unencrypted PAP is a VPN = Is Encrypted
But why force changing a setting to a configuration that is clearly broken. When it works just fine using the optional flag.
It's wrong, no? Why set the encryption type to "Required" when encryption for PAP isn't an option. Even if the VPN is encrypted using IPSec.
That one setting is what has me wondering what the hell is going on there.
-
@dustinb3403 said in I can't even:
@bigbear said in I can't even:
@dustinb3403 said in I can't even:
"Despite the name "Unencrypted PAP", the client's password is sent encrypted over an IPsec tunnel between the client device and the MX. The password is fully secure and never sent in clear text over either the WAN or the LAN."
Um... how?
Because...
Everything is a VPN = Unencrypted PAP is a VPN = Is Encrypted
But why force changing a setting to a configuration that is clearly broken. When it works just fine using the optional flag.
It's wrong, no? Why set the encryption type to "Required" when encryption for PAP isn't an option. Even if the VPN is encrypted using IPSec.
That one setting is what has me wondering what the hell is going on there.
I think they are just affirming that, due to the pre-shared key, it is okay to use PAP and not to be worried that you are losing security.
-
@scottalanmiller said in I can't even:
Just confirmed that she has backups. Sadly, they are Backup Exec.
See you in 94 hours when that restore completes with degraded data.
-
@bigbear said in I can't even:
@dustinb3403 said in I can't even:
@bigbear said in I can't even:
@dustinb3403 said in I can't even:
"Despite the name "Unencrypted PAP", the client's password is sent encrypted over an IPsec tunnel between the client device and the MX. The password is fully secure and never sent in clear text over either the WAN or the LAN."
Um... how?
Because...
Everything is a VPN = Unencrypted PAP is a VPN = Is Encrypted
But why force changing a setting to a configuration that is clearly broken. When it works just fine using the optional flag.
It's wrong, no? Why set the encryption type to "Required" when encryption for PAP isn't an option. Even if the VPN is encrypted using IPSec.
That one setting is what has me wondering what the hell is going on there.
I think they are just affirming that, due to the pre-shared key, it is okay to use PAP and not to be worried that you are losing security.
The bigger issue is, setting the flag can't be done with powershell, it has to be set manually.
Which in my mind would actually break things. Is there harm in leaving the encryption set to "Optional" when that is actually the only reasonable approach.
-
@scottalanmiller said in I can't even:
@dashrender said in I can't even:
@rojoloco said in I can't even:
@eddiejennings said in I can't even:
17 years in IT? https://community.spiceworks.com/topic/2083921-help-errror-e1810-hdd-1-hdd2-hdd3-fault-on-poweredge-2900-production-server?page=1#entry-7357313
She even says in the post - "I have no idea what I'm doing". Not something to post publicly if you claim to have 17 years in IT.
This goes to another recent thread about the home lab vs 'work experience' just because you "worked" in IT for 17 years doesn't mean you know shit about it.
Great catch. One day in a home lab might easly have provided more useful knowledge and experience than seventeen years working in a company doing this stuff.
Also goes to show that just having a cert doesn't mean anything, it's what you learned along the way. CISSP, and an MCSE? Come on....
-
@r3dpand4 said in I can't even:
@scottalanmiller said in I can't even:
Just confirmed that she has backups. Sadly, they are Backup Exec.
See you in 94 hours when that restore completes with degraded data.
I think that they are talking about a month before even knowing what is happening.
-
@r3dpand4 said in I can't even:
@scottalanmiller said in I can't even:
@dashrender said in I can't even:
@rojoloco said in I can't even:
@eddiejennings said in I can't even:
17 years in IT? https://community.spiceworks.com/topic/2083921-help-errror-e1810-hdd-1-hdd2-hdd3-fault-on-poweredge-2900-production-server?page=1#entry-7357313
She even says in the post - "I have no idea what I'm doing". Not something to post publicly if you claim to have 17 years in IT.
This goes to another recent thread about the home lab vs 'work experience' just because you "worked" in IT for 17 years doesn't mean you know shit about it.
Great catch. One day in a home lab might easly have provided more useful knowledge and experience than seventeen years working in a company doing this stuff.
Also goes to show that just having a cert doesn't mean anything, it's what you learned along the way. CISSP, and an MCSE? Come on....
She has a CISSP?
-
@dustinb3403 said in I can't even:
"Despite the name "Unencrypted PAP", the client's password is sent encrypted over an IPsec tunnel between the client device and the MX. The password is fully secure and never sent in clear text over either the WAN or the LAN."
Um... how come you'd have someone manually change the settings to something obviously broken?
Because it is not broken. It is simply unencrypted. But, it is being sent over an already encrypted channel. So the authentication is never in the clear.
This is precisely how you have to setup L2TP in Windows talking to an Ubiquiti router also.
-
@jaredbusch said in I can't even:
@dustinb3403 said in I can't even:
"Despite the name "Unencrypted PAP", the client's password is sent encrypted over an IPsec tunnel between the client device and the MX. The password is fully secure and never sent in clear text over either the WAN or the LAN."
Um... how come you'd have someone manually change the settings to something obviously broken?
Because it is not broken. It is simply unencrypted. But, it is being sent over an already encrypted channel. So the authentication is never in the clear.
This is precisely how you have to setup L2TP in Windows talking to an Ubiquiti router also.
So is it adding something to the connection?
-
@dustinb3403 said in I can't even:
@jaredbusch said in I can't even:
@dustinb3403 said in I can't even:
"Despite the name "Unencrypted PAP", the client's password is sent encrypted over an IPsec tunnel between the client device and the MX. The password is fully secure and never sent in clear text over either the WAN or the LAN."
Um... how come you'd have someone manually change the settings to something obviously broken?
Because it is not broken. It is simply unencrypted. But, it is being sent over an already encrypted channel. So the authentication is never in the clear.
This is precisely how you have to setup L2TP in Windows talking to an Ubiquiti router also.
So is it adding something to the connection?
It is the USER authentication being sent.
-
@DustinB3403 here is my home ERL.
The part that is going over with Unencrypted PAP is testuser/Testing!123.
But it is going over the Existing IPSEC tunnel that was set up with the PSK.jbusch@jared:~$ show configuration commands vpn | grep l2tp set vpn l2tp remote-access authentication local-users username testuser password 'Testing!123' set vpn l2tp remote-access authentication mode local set vpn l2tp remote-access client-ip-pool start 10.254.203.2 set vpn l2tp remote-access client-ip-pool stop 10.254.203.10 set vpn l2tp remote-access dhcp-interface eth0 set vpn l2tp remote-access dns-servers server-1 8.8.8.8 set vpn l2tp remote-access dns-servers server-2 8.8.4.4 set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret NOTGONNATELLYOU set vpn l2tp remote-access ipsec-settings ike-lifetime 3600 set vpn l2tp remote-access mtu 1492 -
This just arrived in my email
Who still uses Windows 2000?
-
@nerdydad said in I can't even:
This just arrived in my email
Who still uses Windows 2000?
Believe it or not, someone on this thread from yesterday
-
Today's gem:
User: Paper shredder in [another user]'s office has died after 10 years. I can find the identical one [from a vendor] but [it's used, and I'm not comfortable buying used]. Any thoughts on where to find the same one?
Me: The odds of you finding an identical replacement for a 10 year old device are slim to none. Better approach would be determine desired features, set a price point, and go shopping.
User: Let me see what I can come up with.
-
@eddiejennings said in I can't even:
Today's gem:
User: Paper shredder in [another user]'s office has died after 10 years. I can find the identical one [from a vendor] but [it's used, and I'm not comfortable buying used]. Any thoughts on where to find the same one?
Me: The odds of you finding an identical replacement for a 10 year old device are slim to none. Better approach would be determine desired features, set a price point, and go shopping.
User: Let me see what I can come up with.
User: Desired features = at least 10 years old, looks and works just like the old one.
You : ..............
User : what are "specifications"???
-
Umm.
-
WTF is wrong with people?
-
@scottalanmiller said in I can't even:
WTF is wrong with people?
I keep getting answers to questions I ask in Slack while I type stuff in Spiceworks, causing me to be beind you :P.
