
[FW1] Strange SecuRemote problem



Hi all on the list,
 
    Has anyone seen the following behaviour of SecuRemote?
 
    We have two Nokia boxes, with IPSO 3.3 and FW-1 4.1-SP2 using VRRP; in front of them we
have a Cisco router. We have configured the Nokias to allow VPN connections. If we use build
4174 on Windows NT, through a dial-up connection, everything works fine; if we use build
4157 on Windows 98 everything works fine too; but if we use build 4174 on Win 98 the VPN fails.
 
    We have taken traces and it seems the Cisco is the culprit, but we don't know what could
cause this. A successful VPN establishment shows:
 
18:52:53.476564 0a:0b:0c:od:0e:0f 40:42:63:54:0:0 0800 206: 2.2.2.2.500 > 1.1.1.1.500: isakmp 1.0 msgid 32b0a8b2 cookie f65939210a9970dc->b02573c2b63fce0b: phase 2/others ? oakley-quick[E]: [|hash] (ttl 55, id 53880)
18:52:53.530622 40:42:63:54:0:0 0a:0b:0c:od:0e:0f 0800 102: 1.1.1.1.500 > 2.2.2.2.500: isakmp 1.0 msgid 32b0a8b2 cookie f65939210a9970dc->b02573c2b63fce0b: phase 2/others I oakley-quick[E]: [|hash] (ttl 128, id 38650)
18:52:53.770592 40:42:63:54:0:0 0a:0b:0c:od:0e:0f 0800 102: 1.1.1.1.500 > 2.2.2.2.500: isakmp 1.0 msgid 32b0a8b2 cookie f65939210a9970dc->b02573c2b63fce0b: phase 2/others I oakley-quick[E]: [|hash] (ttl 128, id 39420)
18:52:53.975549 40:42:63:54:0:0 0a:0b:0c:od:0e:0f 0800 102: 1.1.1.1.500 > 2.2.2.2.500: isakmp 1.0 msgid 32b0a8b2 cookie f65939210a9970dc->b02573c2b63fce0b: phase 2/others I oakley-quick[E]: [|hash] (ttl 128, id 40190)
 
 An unsuccessful VPN establishment shows:
...
18:36:09.941243 40:42:63:54:0:0 0a:0b:0c:od:0e:0f 0800 134: 1.1.1.1.500 > 2.2.2.2.500: isakmp 1.0 msgid bbdcd111 cookie 300ef71a02d51127->9535149c694694f3: phase 2/others I #6[E]: [|hash] (ttl 128, id 52730)
18:36:10.396268 40:42:63:54:0:0 0a:0b:0c:0d:0e:0f 0800 586: 1.1.1.1.500 > 2.2.2.2..500: isakmp 1.0 msgid 1aaef9ce cookie 300ef71a02d51127->9535149c694694f3: phase 2/others I oakley-quick[E]: [|hash] (len mismatch: isakmp 748/ip 544) (frag 53500:552@0+) (ttl 128)
18:36:10.873354 0a:0b:0c:0d:0e:0f 40:42:63:54:0:0 0800 70: 2.2.2.1 > 1.1.1.1: icmp: host 2.2.2.2 unreachable - admin prohibited filter for 1.1.1.1.500 > 2.2.2.2.500: [|isakmp] (frag 53500:552@0+) (ttl 118) (ttl 247, id 44207)
 
    --> it seems that the problem comes from the packet length.

Met vriendelijke groeten - Bien à vous - Kind regards

Guy ROELANDTS
Compaq Software Engineer - Belgium
E-mail : [email protected]
Tel: +32(02)729.77.44 (options  3 - 3 - 1)
Fax: +32(02)729.77.65
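
The failing trace above can be checked mechanically. The following sketch is an added example, not part of the original post: it parses tcpdump lines in the format shown, picks out ISAKMP packets that left the client as IP fragments, and pairs each with any ICMP "admin prohibited" reply that quotes the same fragment id. The function name and record fields are assumptions made for the example.

```python
import re

# Copied from the failing trace in the post (MAC addresses and ethertype trimmed).
FAILING_TRACE = """\
18:36:09.941243 1.1.1.1.500 > 2.2.2.2.500: isakmp 1.0 msgid bbdcd111 cookie 300ef71a02d51127->9535149c694694f3: phase 2/others I #6[E]: [|hash] (ttl 128, id 52730)
18:36:10.396268 1.1.1.1.500 > 2.2.2.2..500: isakmp 1.0 msgid 1aaef9ce cookie 300ef71a02d51127->9535149c694694f3: phase 2/others I oakley-quick[E]: [|hash] (len mismatch: isakmp 748/ip 544) (frag 53500:552@0+) (ttl 128)
18:36:10.873354 2.2.2.1 > 1.1.1.1: icmp: host 2.2.2.2 unreachable - admin prohibited filter for 1.1.1.1.500 > 2.2.2.2.500: [|isakmp] (frag 53500:552@0+) (ttl 118) (ttl 247, id 44207)
"""

# tcpdump prints fragments as (frag id:bytes@offset), with '+' when more follow.
FRAG = re.compile(r"\(frag (\d+):(\d+)@(\d+)(\+?)\)")
MISMATCH = re.compile(r"len mismatch: isakmp (\d+)/ip (\d+)")
ICMP_REJECT = re.compile(
    r"(\d+(?:\.\d+){3}) > \S+ icmp: host \S+ unreachable - admin prohibited")


def fragmented_ike(trace):
    """Return one record per fragmented ISAKMP packet, including the address of
    any device that answered it with an ICMP 'admin prohibited' message."""
    packets, rejected_by = {}, {}
    for line in trace.splitlines():
        frag = FRAG.search(line)
        if frag is None:
            continue  # unfragmented packet, nothing to correlate
        frag_id = int(frag.group(1))
        icmp = ICMP_REJECT.search(line)
        if icmp:  # test ICMP first: the quoted header also contains "isakmp"
            rejected_by[frag_id] = icmp.group(1)
        elif "isakmp" in line:
            sizes = MISMATCH.search(line)
            packets[frag_id] = {
                "frag_id": frag_id,
                "frag_bytes": int(frag.group(2)),
                "offset": int(frag.group(3)),
                "more_fragments": frag.group(4) == "+",
                "isakmp_len": int(sizes.group(1)) if sizes else None,
                "ip_len": int(sizes.group(2)) if sizes else None,
            }
    return [dict(p, rejected_by=rejected_by.get(fid)) for fid, p in packets.items()]


if __name__ == "__main__":
    for record in fragmented_ike(FAILING_TRACE):
        print(record)
```

Run over the successful trace, the function returns an empty list, because none of those packets carries a `frag` annotation.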