OpenVPN uses UDP port 5000 (5001, 5002, etc.), so you do not even need to open
500. If you have assigned OpenVPN to use 500, then Nessus is probably
picking it up and is confused by OpenVPN's strange response to Nessus's
attempted connection tests.
The thing to remember with scanners like Nessus and Nmap is that they try
to connect, then report a system's state based on what they expected to
happen. These reports are usually nothing more than a guess. So if Nessus
expects an IPsec server at UDP 500, it will attempt to negotiate an
IKE session with this server to ensure it is indeed IPsec. If OpenVPN is
running there, it will not respond correctly to IKE requests (which it
shouldn't), and this will confuse Nessus. Nessus will then report that it
tried to negotiate IKE with port 500 and it didn't work, so... and here
is the problem with scanners... it will report that you have a security
problem at UDP 500, because usually when you don't have IPsec running there
it means that someone has installed a trojan to look like IPsec. If you
have a legitimate service running there (like OpenVPN), you can ignore
Nessus' complaints. You always have to think through the responses of
scanners; never take them as 100% reliable.
Charlie
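To make the point above concrete, here is an added example (not code from the thread or from the OpenVPN project) of what a scanner actually does at UDP 500: it sends an IKEv1 main-mode message 1 carrying a Security Association proposal and then judges the host by the shape of whatever comes back. The classifier distinguishes a real ISAKMP responder (echoes our initiator cookie, sets its own, answers with an SA or a Notify) from a silent port or a non-IKE service. The sample replies at the bottom are constructed inline so it runs offline; the `probe_host` helper is the only part that touches the network.

```python
"""IKEv1 (ISAKMP) main-mode probe and reply classifier.

Added example, not from the original thread or from OpenVPN. Sample replies
are constructed inline so the classifier can be exercised without a network.
"""
import os
import socket
import struct

ISAKMP_PORT = 500
ISAKMP_HEADER_LEN = 28
EXCH_MAIN_MODE = 2        # Identity Protection exchange (IKEv1 main mode)
EXCH_INFORMATIONAL = 5    # carries Notify payloads such as NO-PROPOSAL-CHOSEN (14)
PAYLOAD_NONE, PAYLOAD_SA, PAYLOAD_NOTIFY = 0, 1, 11
HEADER_FMT = "!8s8sBBBBII"   # icookie, rcookie, next, version, exch, flags, msgid, length


def build_main_mode_probe(initiator_cookie=None):
    """Return IKEv1 main-mode message 1: ISAKMP header plus one SA proposal.

    The single transform (3DES / SHA-1 / pre-shared key / DH group 2) is one
    that any IKEv1 responder will parse even if it rejects it.
    """
    icookie = initiator_cookie or os.urandom(8)
    attrs = struct.pack("!HHHHHHHH",
                        0x8001, 5,   # ENCRYPTION_ALGORITHM = 3DES-CBC
                        0x8002, 2,   # HASH_ALGORITHM       = SHA-1
                        0x8003, 1,   # AUTHENTICATION       = pre-shared key
                        0x8004, 2)   # GROUP_DESCRIPTION    = MODP-1024 (group 2)
    # Transform payload: generic header, transform #1, id KEY_IKE (1), attributes.
    transform = struct.pack("!BBHBBH", PAYLOAD_NONE, 0, 8 + len(attrs), 1, 1, 0) + attrs
    # Proposal payload: proposal #1, protocol ISAKMP (1), SPI size 0, one transform.
    proposal = struct.pack("!BBHBBBB", PAYLOAD_NONE, 0, 8 + len(transform), 1, 1, 0, 1) + transform
    # SA payload: DOI = IPsec (1), situation = SIT_IDENTITY_ONLY (1).
    sa = struct.pack("!BBHII", PAYLOAD_NONE, 0, 12 + len(proposal), 1, 1) + proposal
    header = struct.pack(HEADER_FMT, icookie, bytes(8),   # responder cookie is zero in msg 1
                         PAYLOAD_SA, 0x10,                # next payload = SA, version 1.0
                         EXCH_MAIN_MODE, 0, 0,            # exchange, flags, message id
                         ISAKMP_HEADER_LEN + len(sa))
    return header + sa


def classify_reply(probe, reply):
    """Classify what a host sent back for `probe`, the way a scanner would.

    'no-reply'      nothing came back (OpenVPN dropping it, or a filtered port)
    'not-isakmp'    bytes came back that do not answer our cookie as ISAKMP
    'ike-responder' main-mode message 2 with an SA payload: a live IKE peer
    'ike-rejected'  Informational exchange with a Notify: IKE present, proposal refused
    'isakmp-other'  well-formed ISAKMP answer of some other kind
    """
    if reply is None:
        return "no-reply"
    if len(reply) < ISAKMP_HEADER_LEN:
        return "not-isakmp"
    icookie, rcookie, next_payload, version, exch, _flags, _msgid, length = \
        struct.unpack(HEADER_FMT, reply[:ISAKMP_HEADER_LEN])
    # A real responder echoes our initiator cookie, speaks major version 1 and
    # reports a length that matches the datagram it sent.
    if icookie != probe[:8] or (version >> 4) != 1 or length != len(reply):
        return "not-isakmp"
    if exch == EXCH_MAIN_MODE and next_payload == PAYLOAD_SA and rcookie != bytes(8):
        return "ike-responder"
    if exch == EXCH_INFORMATIONAL and next_payload == PAYLOAD_NOTIFY:
        return "ike-rejected"
    return "isakmp-other"


def probe_host(host, port=ISAKMP_PORT, timeout=3.0):
    """Send one main-mode probe over the network and classify the answer."""
    probe = build_main_mode_probe()
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(probe, (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            reply = None
    finally:
        sock.close()
    return classify_reply(probe, reply)


def make_isakmp_reply(probe, exch, next_payload, body):
    """Constructed helper: wrap `body` in an ISAKMP header answering `probe`."""
    return struct.pack(HEADER_FMT, probe[:8], b"\x11" * 8, next_payload, 0x10,
                       exch, 0, 0, ISAKMP_HEADER_LEN + len(body)) + body


SAMPLE_PROBE = build_main_mode_probe(b"\x01" * 8)
SAMPLE_REPLIES = {
    # Constructed: a real IKE peer answering message 1 with its chosen SA.
    "ike-peer": make_isakmp_reply(SAMPLE_PROBE, EXCH_MAIN_MODE, PAYLOAD_SA,
                                  SAMPLE_PROBE[ISAKMP_HEADER_LEN:]),
    # Constructed: IKE peer refusing the proposal with Notify NO-PROPOSAL-CHOSEN (14).
    "ike-refuses": make_isakmp_reply(SAMPLE_PROBE, EXCH_INFORMATIONAL, PAYLOAD_NOTIFY,
                                     struct.pack("!BBHIBBH", PAYLOAD_NONE, 0, 12, 1, 1, 0, 14)),
    # Constructed: some other UDP service echoing unrelated bytes.
    "junk": b"\x00" * 40,
    # OpenVPN (or an empty port) silently dropping the datagram.
    "silent": None,
}

if __name__ == "__main__":
    for name, reply in SAMPLE_REPLIES.items():
        print(f"{name:12s} -> {classify_reply(SAMPLE_PROBE, reply)}")
```

Run `probe_host("192.0.2.1")` against a host of your own to see the live result; a "no-reply" from a port you know OpenVPN is bound to is the situation described in the reply above, and is not evidence of anything other than the absence of IKE.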
On Tue, 19 Oct 2004, venne wrote:
Hi, I have OpenVPN 1.6 on Debian woody, and my Nessus told me that I have
"IKE requests bogus at IPsec server" at UDP port 500.
I know that OpenVPN uses a DH mechanism to negotiate; is it necessary to
allow UDP port 500? If yes, how could I make it safe? Is there any
patch? Should I update to 2.0?
_______________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users