[FW1] SecuRemote 4166/Win2K changes from udp to esp mid-session

I'm testing SecuRemote build 4166 on Win2K and I've noticed consistent oddness. While I have "force_udp_encapsulation (true)" on the client, the session seems to change back and forth from udp to esp over time. Clients with routable addresses continue to function, but this breaks clients who are connecting from behind a NAT device. Anyone have any insight as to what might cause this? I am not experiencing this issue with other builds/platforms. Dumps of portions of the session are below.

Thanks,

-Brian

--
Brian Minder <[email protected]>
Systems and Network Engineering, onehealthbank.com

Here's the problem environment:

    P440 running 4.1-SP2/IPSO-3.2.1
    Hybrid IKE w/ TACACS
    Win2K SP1 w/ SecuRemote 4166 with "force_udp_encapsulation (true)"

The symptoms are:

The client connects, is challenged, and authenticates. Everything is working great, sometimes for quite a while. A tcpdump of the connection shows something like the following:

    13:23:34.332713 roadwarrior.2746 > myfirewall.2746: udp 196
    13:23:34.335601 myfirewall.2746 > roadwarrior.2746: udp 588
    13:23:34.688933 roadwarrior.2746 > myfirewall.2746: udp 148
    13:23:34.689969 myfirewall.2746 > roadwarrior.2746: udp 172
    13:23:34.989065 roadwarrior.2746 > myfirewall.2746: udp 172
    13:23:34.989882 myfirewall.2746 > roadwarrior.2746: udp 108

After some period of time there's some keying traffic, and the session is suddenly over esp! At this point a client who is connecting from behind a NAT device gets the message "Connection with site SITENAME has failed" and has to reboot (not just restart SecuRemote) to reconnect.

    13:32:51.297712 roadwarrior.isakmp > myfirewall.isakmp: isakmp v1.0 exchange QUICK_MODE encrypted
        cookie: 957753f17d529538->a7d1bae62e962ec0 msgid: 42fd0406 len: 164
    13:32:51.300268 roadwarrior.isakmp > myfirewall.isakmp: isakmp v1.0 exchange QUICK_MODE encrypted
        cookie: 957753f17d529538->a7d1bae62e962ec0 msgid: 5dc43f5f len: 60
    13:32:51.311456 myfirewall.isakmp > roadwarrior.isakmp: isakmp v1.0 exchange QUICK_MODE encrypted
        cookie: 957753f17d529538->a7d1bae62e962ec0 msgid: 42fd0406 len: 60
    13:32:51.339565 roadwarrior.isakmp > myfirewall.isakmp: isakmp v1.0 exchange QUICK_MODE encrypted
        cookie: 957753f17d529538->a7d1bae62e962ec0 msgid: 5dc43f5f len: 60
    13:32:51.428555 myfirewall.isakmp > roadwarrior.isakmp: isakmp v1.0 exchange QUICK_MODE encrypted
        cookie: 957753f17d529538->a7d1bae62e962ec0 msgid: 42fd0406 len: 60
    13:32:51.538545 myfirewall.isakmp > roadwarrior.isakmp: isakmp v1.0 exchange QUICK_MODE encrypted
        cookie: 957753f17d529538->a7d1bae62e962ec0 msgid: 42fd0406 len: 60
    13:33:08.798800 esp roadwarrior > myfirewall spi 0x9B73C1CA seq 1 len 124
    13:33:08.799560 esp myfirewall > roadwarrior spi 0x90B9CDF6 seq 1 len 124
    13:33:09.134993 esp roadwarrior > myfirewall spi 0x9B73C1CA seq 2 len 76
    13:33:15.235756 esp roadwarrior > myfirewall spi 0x9B73C1CA seq 3 len 452
    13:33:15.249257 esp myfirewall > roadwarrior spi 0x90B9CDF6 seq 2 len 84
    13:33:41.612521 esp roadwarrior > myfirewall spi 0x9B73C1CA seq 4 len 124
    13:33:41.613161 esp myfirewall > roadwarrior spi 0x90B9CDF6 seq 3 len 124
    13:33:41.979623 esp roadwarrior > myfirewall spi 0x9B73C1CA seq 5 len 76

Even better, sometimes after a rekey the client is using udp encapsulation while the FW is using esp, or vice versa:

    13:51:12.284988 roadwarrior.isakmp > myfirewall.773: isakmp v1.0 exchange QUICK_MODE encrypted
        cookie: 957753f17d529538->a7d1bae62e962ec0 msgid: 14cd7e32 len: 60
    13:51:12.374089 myfirewall.773 > roadwarrior.isakmp: isakmp v1.0 exchange QUICK_MODE encrypted
        cookie: 957753f17d529538->a7d1bae62e962ec0 msgid: 7e5149e2 len: 60
    13:51:12.385145 roadwarrior.isakmp > myfirewall.773: isakmp v1.0 exchange QUICK_MODE encrypted
        cookie: 957753f17d529538->a7d1bae62e962ec0 msgid: 14cd7e32 len: 60
    13:51:12.484044 myfirewall.773 > roadwarrior.isakmp: isakmp v1.0 exchange QUICK_MODE encrypted
        cookie: 957753f17d529538->a7d1bae62e962ec0 msgid: 7e5149e2 len: 60
    13:51:19.253692 esp roadwarrior > myfirewall spi 0x9B73C1CD seq 1 len 452
    13:51:19.265618 myfirewall.2746 > roadwarrior.2746: udp 76
    13:51:44.409883 esp roadwarrior > myfirewall spi 0x9B73C1CD seq 2 len 124
    13:51:44.410559 myfirewall.2746 > roadwarrior.2746: udp 116
    13:51:44.810868 esp roadwarrior > myfirewall spi 0x9B73C1CD seq 3 len 76
    13:52:17.206839 esp roadwarrior > myfirewall spi 0x9B73C1CD seq 4 len 124
    13:52:17.207597 myfirewall.2746 > roadwarrior.2746: udp 116
    13:52:17.545791 esp roadwarrior > myfirewall spi 0x9B73C1CD seq 5 len 76
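
A way to spot both symptoms described in the post (a direction switching transport, and the two directions disagreeing after a rekey) in a saved tcpdump text capture, as an added example that is not part of the original message. The function names and the "udp-encap"/"esp" labels are this example's own, and it assumes one data packet per line in the format shown above, with UDP port 2746 as the encapsulation port seen in those dumps.

```python
import re

# Sample lines copied from the dumps in the post (hostnames as posted).
SAMPLE = """\
13:23:34.332713 roadwarrior.2746 > myfirewall.2746: udp 196
13:23:34.335601 myfirewall.2746 > roadwarrior.2746: udp 588
13:33:08.798800 esp roadwarrior > myfirewall spi 0x9B73C1CA seq 1 len 124
13:33:08.799560 esp myfirewall > roadwarrior spi 0x90B9CDF6 seq 1 len 124
13:51:19.253692 esp roadwarrior > myfirewall spi 0x9B73C1CD seq 1 len 452
13:51:19.265618 myfirewall.2746 > roadwarrior.2746: udp 76
13:51:44.409883 esp roadwarrior > myfirewall spi 0x9B73C1CD seq 2 len 124
"""

# Port 2746 is the UDP encapsulation port seen in the post's dumps.
UDP_RE = re.compile(r"^(\S+) (\S+)\.2746 > (\S+)\.2746: udp \d+")
ESP_RE = re.compile(r"^(\S+) esp (\S+) > (\S+) spi 0x[0-9A-Fa-f]+ seq \d+")

def classify(line):
    """Return (timestamp, src, dst, transport) for a data packet, else None."""
    for regex, transport in ((UDP_RE, "udp-encap"), (ESP_RE, "esp")):
        m = regex.match(line.strip())
        if m:
            return m.group(1), m.group(2), m.group(3), transport
    return None  # ISAKMP and unrelated lines are ignored

def audit(dump):
    """Return (changes, mismatches) for the data packets in a tcpdump text dump."""
    state = {}  # (src, dst) -> [transport, packet no. of last change, packet no. last seen]
    changes, mismatches = [], []
    packets = filter(None, map(classify, dump.splitlines()))
    for n, (ts, src, dst, transport) in enumerate(packets):
        cur = state.setdefault((src, dst), [transport, n, n])
        if cur[0] != transport:  # this direction switched transport
            changes.append((ts, src, dst, cur[0], transport))
            cur[0], cur[1] = transport, n
        cur[2] = n
        rev = state.get((dst, src))
        # Flag only when the reverse side has sent since this side's last
        # change, so the sub-second gap right after a rekey is not reported.
        if rev and rev[0] != transport and rev[2] > cur[1]:
            mismatches.append((ts, src, dst, transport, rev[0]))
    return changes, mismatches

if __name__ == "__main__":
    changes, mismatches = audit(SAMPLE)
    for ts, src, dst, old, new in changes:
        print(f"{ts} {src} -> {dst}: {old} changed to {new}")
    for ts, src, dst, mine, theirs in mismatches:
        print(f"{ts} {src} -> {dst}: sending {mine}, peer sending {theirs}")
```

Run against a full capture, every entry in `changes` on a client configured with "force_udp_encapsulation (true)" marks a point where a NAT'd client would be expected to lose connectivity.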