
[FW1] SecuRemote 4166/Win2K changes from udp to esp mid-session




I'm testing SecuRemote build 4166 on Win2K and I've noticed consistent
oddness.  While I have "force_udp_encapsulation (true)" on the client, the
session seems to change back and forth from udp to esp over time.  Clients
with routable addresses continue to function, but this breaks clients who
are connecting from behind a NAT device.  Anyone have any insight as to what
might cause this?  I am not experiencing this issue with other
builds/platforms.  Dumps of portions of the session are below.

Thanks,

-Brian

--
Brian Minder <[email protected]>
Systems and Network Engineering, onehealthbank.com



Here's the problem environment:

P440 running 4.1-SP2/IPSO-3.2.1
Hybrid IKE w/ TACACS
Win2K SP1 w/ SecuRemote 4166 with "force_udp_encapsulation (true)"



The symptoms are:

The client connects, is challenged, and authenticates.  Everything is
working great, sometimes for quite a while.  A tcpdump of the connection
shows something like the following:

13:23:34.332713 roadwarrior.2746 > myfirewall.2746:  udp 196
13:23:34.335601 myfirewall.2746 > roadwarrior.2746:  udp 588
13:23:34.688933 roadwarrior.2746 > myfirewall.2746:  udp 148
13:23:34.689969 myfirewall.2746 > roadwarrior.2746:  udp 172
13:23:34.989065 roadwarrior.2746 > myfirewall.2746:  udp 172
13:23:34.989882 myfirewall.2746 > roadwarrior.2746:  udp 108

After some period of time there's some keying traffic, and the session is
suddenly over esp!  At this point a client who is connecting from behind a
NAT device gets the message "Connection with site SITENAME has failed" and
has to reboot (not just restart SecuRemote) to reconnect.

13:32:51.297712 roadwarrior.isakmp > myfirewall.isakmp:  isakmp v1.0 exchange QUICK_MODE encrypted
        cookie: 957753f17d529538->a7d1bae62e962ec0 msgid: 42fd0406 len: 164
13:32:51.300268 roadwarrior.isakmp > myfirewall.isakmp:  isakmp v1.0 exchange QUICK_MODE encrypted
        cookie: 957753f17d529538->a7d1bae62e962ec0 msgid: 5dc43f5f len: 60
13:32:51.311456 myfirewall.isakmp > roadwarrior.isakmp:  isakmp v1.0 exchange QUICK_MODE encrypted
        cookie: 957753f17d529538->a7d1bae62e962ec0 msgid: 42fd0406 len: 60
13:32:51.339565 roadwarrior.isakmp > myfirewall.isakmp:  isakmp v1.0 exchange QUICK_MODE encrypted
        cookie: 957753f17d529538->a7d1bae62e962ec0 msgid: 5dc43f5f len: 60
13:32:51.428555 myfirewall.isakmp > roadwarrior.isakmp:  isakmp v1.0 exchange QUICK_MODE encrypted
        cookie: 957753f17d529538->a7d1bae62e962ec0 msgid: 42fd0406 len: 60
13:32:51.538545 myfirewall.isakmp > roadwarrior.isakmp:  isakmp v1.0 exchange QUICK_MODE encrypted
        cookie: 957753f17d529538->a7d1bae62e962ec0 msgid: 42fd0406 len: 60
13:33:08.798800 esp roadwarrior > myfirewall spi 0x9B73C1CA seq 1 len 124
13:33:08.799560 esp myfirewall > roadwarrior spi 0x90B9CDF6 seq 1 len 124
13:33:09.134993 esp roadwarrior > myfirewall spi 0x9B73C1CA seq 2 len 76
13:33:15.235756 esp roadwarrior > myfirewall spi 0x9B73C1CA seq 3 len 452
13:33:15.249257 esp myfirewall > roadwarrior spi 0x90B9CDF6 seq 2 len 84
13:33:41.612521 esp roadwarrior > myfirewall spi 0x9B73C1CA seq 4 len 124
13:33:41.613161 esp myfirewall > roadwarrior spi 0x90B9CDF6 seq 3 len 124
13:33:41.979623 esp roadwarrior > myfirewall spi 0x9B73C1CA seq 5 len 76

Even better, sometimes after a rekey the client is using udp encapsulation
while the FW is using esp, or vice versa:

13:51:12.284988 roadwarrior.isakmp > myfirewall.773:  isakmp v1.0 exchange QUICK_MODE encrypted
        cookie: 957753f17d529538->a7d1bae62e962ec0 msgid: 14cd7e32 len: 60
13:51:12.374089 myfirewall.773 > roadwarrior.isakmp:  isakmp v1.0 exchange QUICK_MODE encrypted
        cookie: 957753f17d529538->a7d1bae62e962ec0 msgid: 7e5149e2 len: 60
13:51:12.385145 roadwarrior.isakmp > myfirewall.773:  isakmp v1.0 exchange QUICK_MODE encrypted
        cookie: 957753f17d529538->a7d1bae62e962ec0 msgid: 14cd7e32 len: 60
13:51:12.484044 myfirewall.773 > roadwarrior.isakmp:  isakmp v1.0 exchange QUICK_MODE encrypted
        cookie: 957753f17d529538->a7d1bae62e962ec0 msgid: 7e5149e2 len: 60
13:51:19.253692 esp roadwarrior > myfirewall spi 0x9B73C1CD seq 1 len 452
13:51:19.265618 myfirewall.2746 > roadwarrior.2746:  udp 76
13:51:44.409883 esp roadwarrior > myfirewall spi 0x9B73C1CD seq 2 len 124
13:51:44.410559 myfirewall.2746 > roadwarrior.2746:  udp 116
13:51:44.810868 esp roadwarrior > myfirewall spi 0x9B73C1CD seq 3 len 76
13:52:17.206839 esp roadwarrior > myfirewall spi 0x9B73C1CD seq 4 len 124
13:52:17.207597 myfirewall.2746 > roadwarrior.2746:  udp 116
13:52:17.545791 esp roadwarrior > myfirewall spi 0x9B73C1CD seq 5 len 76
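
Added example, not part of the original post: a small Python script that reads tcpdump text in the format shown above and reports, per direction, when the data traffic changes between UDP port 2746 and raw ESP, and when the two directions disagree. It assumes, from the dumps, that the udp 2746 packets are the encapsulated session traffic; the function and variable names are illustrative.

```python
import re

# Sample input: a few lines copied from the dumps in the post.
SAMPLE = """\
13:23:34.332713 roadwarrior.2746 > myfirewall.2746:  udp 196
13:23:34.335601 myfirewall.2746 > roadwarrior.2746:  udp 588
13:33:08.798800 esp roadwarrior > myfirewall spi 0x9B73C1CA seq 1 len 124
13:33:08.799560 esp myfirewall > roadwarrior spi 0x90B9CDF6 seq 1 len 124
13:51:19.253692 esp roadwarrior > myfirewall spi 0x9B73C1CD seq 1 len 452
13:51:19.265618 myfirewall.2746 > roadwarrior.2746:  udp 76
13:51:44.409883 esp roadwarrior > myfirewall spi 0x9B73C1CD seq 2 len 124
"""

# Assumption: udp 2746 <-> 2746 is the UDP-encapsulated session traffic.
PATTERNS = [
    ("udp-encap", re.compile(r"^(\S+) (\S+)\.2746 > (\S+)\.2746:\s+udp \d+")),
    ("esp", re.compile(r"^(\S+) esp (\S+) > (\S+) spi 0x[0-9A-Fa-f]+")),
]

def analyse(text):
    """Return (flips, asymmetric) found in tcpdump text output."""
    current = {}       # (src, dst) -> encapsulation last seen in that direction
    confirmed = set()  # directions that have sent since the most recent flip
    flips, asymmetric = [], []
    for line in text.splitlines():
        for encap, rx in PATTERNS:
            m = rx.match(line)
            if m:
                break
        else:
            continue   # IKE exchanges, cookie lines, unrelated traffic
        ts, src, dst = m.group(1, 2, 3)
        old = current.get((src, dst))
        if old and old != encap:
            flips.append((ts, src, dst, old, encap))
            confirmed.clear()   # wait for both sides to send again
        current[(src, dst)] = encap
        confirmed.add((src, dst))
        other = current.get((dst, src))
        # Only call it asymmetric once both sides have sent after the flip,
        # so the peer's packet arriving a millisecond later is not flagged.
        if other and other != encap and (dst, src) in confirmed:
            asymmetric.append((ts, src, dst, encap, other))
    return flips, asymmetric

if __name__ == "__main__":
    flips, asymmetric = analyse(SAMPLE)
    for ts, src, dst, old, new in flips:
        print(f"{ts} {src} > {dst}: {old} -> {new}")
    for ts, src, dst, mine, theirs in asymmetric:
        print(f"{ts} MISMATCH {src} sends {mine}, {dst} sends {theirs}")
```

Run against a full capture, each flip timestamp can be lined up with the preceding QUICK_MODE exchange to confirm whether the change follows a rekey.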

