Hi Jakub,
On Fri, Nov 2, 2012 at 3:40 PM, Jakub Pietkun <jpietkun@gmail.com> wrote:
> Hi Antonio,
>
> I got too deep into details, but wanted to share the level of my knowledge
> on protocols/tcpip/networking at the start. Which is really basic.
>
> I meant that on Windows (I scan a Nortel network device, not a regular network
> card for regular uses), I see communication with only one IP ( port 17 ;-)
Just to confirm what you write:
On a Windows PC you have (at least) one network interface that
corresponds to a real network device (ethernet or WiFi). When you
start the VPN, on this interface you can only see encrypted packets, so not
really useful.
Besides it, there is another interface where all the
un-encrypted communication happens. This is where you run wireshark
and where you see communication with only one IP and only on port 17.
Correct?
>
> ), thus this IP sends the banner and when I click "Accept" the traffic
> begins.
With wireshark you can save the sniffed data.
If you send us the saved file, it could help to understand what has
been added to the simple TCP connection to QOTD.
I think you can share that file, since it should not provide any secret
information.
The file will contain only the IP of the QOTD server, so no security
issue (that IP is only accessible when the VPN is already connected).
But it will contain the message in the banner (e.g. could include the company
name). I let you judge if it is safe to send it out.
If you prefer, you can consider sending it only privately to my email.
It is still not clear if the communication with the QOTD server is the
trigger to confirm the VPN connection. It could still be that some other
information is sent encrypted and not visible in your wireshark log.
But this is all we have now.
It would be useful to save a file in which you do not press the "accept"
button, to see how the QOTD server replies (if it replies).
Then a second file in which you get the banner, wait 10 seconds, then
press "accept", then wait at least another 10 seconds before stopping
wireshark.
A third file taken in Linux would also be useful.
Use a persistent tun on which you sniff with wireshark.
Then start the vpnc connection and within 30 seconds telnet to the QOTD server.
Don't know if you can provide it too.
> So I assume a similar action must happen on Linux (or more -
> despite the OS).
> On Linux, I connect with telnet to QOTD on port 17, get the message/banner
> and the connection closes automatically. So does the VPN connection.
>
> Can you tell in more details why to connect to the QOTD server? How to send a
> response to the QOTD server? I assume this will make a stable connection with
> VPN.
I only have access to an old Nortel server.
On this server the QOTD server follows the "usual" behaviour of
"every" QOTD server.
It accepts connections on port 17; as soon as the connection is
established the server sends a text message and then suddenly closes
the TCP connection.
From what I understand from our discussion, in your case the connection is
not closed immediately, but is waiting for some kind of reply from the
VPN client.
The simplest way to verify it is to write a simple program that mimics
the VPN client.
So use VPNC to create the encrypted tunnel, then, in a separate
shell, run the connection to QOTD which includes the reply.
Antonio
>
> Regards
> Jakub
>
>
> 2012/10/31 Antonio Borneo <borneo.antonio@gmail.com>
>>
>> Hi Jakub,
>>
>> On Wed, Oct 31, 2012 at 7:28 AM, Jakub Pietkun <jpietkun@gmail.com> wrote:
>> > Hello,
>> >
>> > With the help of wireshark I have analyzed what's going on during
>> > establishing a vpn connection on Windows. I see a 3-way handshake and
>> > further, a PUSH packet. And finally, when the Accept button is pressed, it
>> > sends a packet with flags FIN,ACK and determined SEQ and ACK values to the
>> > QOTD server. All those packets are exchanged with the IP of the QOTD server.
>>
>> These are very interesting observations.
>> So there is a handshake on the QOTD server following the press of the "Accept" button.
>>
>> > I cannot observe the same on Linux. In fact, in wireshark I cannot see the
>> > tun interface and don't know how to make wireshark see it. In fact, I
>> > cannot see the tun interface with the command "ifconfig". I can observe
>> > network traffic only on the eth0 interface.
>>
>> You will not find the same sequence in Linux, since the current vpnc does
>> not implement any connection with the QOTD server.
>>
>> The tun interface is normally created dynamically by vpnc at start,
>> and destroyed as soon as vpnc exits.
>> You can bypass this by creating a persistent tun interface with the
>> command tunctl, e.g. "tunctl -n -t tun3", then start wireshark on it.
>> You also need to specify the persistent tun interface to vpnc, using the
>> command line option "--ifname tun3" or "Interface name tun3" in the config file.
>>
>> > What I tried is to send this packet to the QOTD server with hping3 but it
>> > didn't help. Probably I have to simulate all the "handshake" sequence.
>>
>> I think so. Today I use "telnet" to get the message from the QOTD server, but
>> it does not handle any handshake. Just a standard TCP connection.
>> I would suggest you work with vpnc as it is today and write the code
>> to talk with the QOTD server "outside" vpnc. This gives you the
>> flexibility to run it more than once in the same connection. When you
>> get something working we could think about integrating it in vpnc or
>> keeping it as a separate binary.
>>
>> Best Regards,
>> Antonio Borneo
>>
>>
>> > Please help. I really want to use Linux at work, but at the moment I
>> > must use virtual Windows to connect to the vpn.
>> >
>> > Regards
>> > Jakub
>
>
_______________________________________________
vpnc-devel mailing list
vpnc-devel@unix-ag.uni-kl.de
https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel
http://www.unix-ag.uni-kl.de/~massar/vpnc/
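A small prototype of the "program that mimics the VPN client" Antonio suggests, added here as an example (it is not code from the thread or from vpnc): it connects to the QOTD port, reads the banner, then performs the "Accept" step by closing its side of the connection with FIN/ACK, as Jakub saw in Wireshark. The banner text and the loopback server are constructed stand-ins so it runs offline; against the real device you would point it at the QOTD server's IP and port 17 over the vpnc tunnel.

```python
import socket
import threading

# Constructed stand-in for the device's banner (real text not reproduced here).
BANNER = b"Authorised users only. Press Accept to continue.\r\n"

def start_fake_qotd(hold_open):
    """Constructed loopback QOTD server for one connection, so the client can
    be exercised offline. hold_open=False: "usual" QOTD (banner, then close).
    hold_open=True: like the Nortel device, waits for the client's FIN."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))          # ephemeral port instead of 17
    srv.listen(1)
    seen = {}

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(BANNER)
            if hold_open:
                seen["client_fin"] = conn.recv(1) == b""   # blocks until FIN
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], seen

def qotd_session(host, port, idle=1.0):
    """Mimic the Windows client as seen in Wireshark: connect, read the banner,
    then "Accept" by shutting down our side (FIN/ACK) and wait for the server
    to close. Returns (banner_text, server_closed_first)."""
    with socket.create_connection((host, port), timeout=5.0) as s:
        s.settimeout(idle)
        banner, server_closed_first = b"", False
        while True:
            try:
                data = s.recv(4096)
            except socket.timeout:
                break                   # server is holding the connection open
            if not data:
                server_closed_first = True  # server sent FIN: "usual" QOTD
                break
            banner += data
        if not server_closed_first:
            s.shutdown(socket.SHUT_WR)  # our FIN, the "Accept" step
            s.settimeout(5.0)
            while s.recv(4096):         # drain until the server's FIN
                pass
    return banner.decode(errors="replace"), server_closed_first
```

Running it against the two server modes shows the difference the thread is chasing: a "usual" QOTD server closes first, while a server that waits for the client only closes after our FIN.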