Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [FW1] SecuRemote 4166/Win2K changes from udp to esp mid-sessi on

To: "'[email protected]'" <[email protected]>, "Minder, Brian" <[email protected]>, [email protected]
Subject: RE: [FW1] SecuRemote 4166/Win2K changes from udp to esp mid-sessi on
From: "Minder, Brian" <[email protected]>
Date: Fri, 12 Jan 2001 13:04:07 -0500
Sender: [email protected]

I'm forcing udp encapsulation by virtue of being generally skeptical of
autonegotiation.  By the same token, I would rather force a port on a switch
into 100Mb-Full Duplex than hope the switch and the server/NIC can come to a
common understanding.

I'll pull out the forced mode and try it, but part of me hope it doesn't fix
the issue.

Thanks,

-Brian


> -----Original Message-----
> From: Byoung Sun Yu [mailto:[email protected]]
> Sent: Friday, January 12, 2001 10:47 AM
> To: 'Minder, Brian'; [email protected]
> Subject: RE: [FW1] SecuRemote 4166/Win2K changes from udp to esp
> mid-session
> 
> 
> 
> I haven't seen this before, but let me suggest one thing.
> Why do you force udp encapsulation? You don't have to force it. FW can
> automatically detect whether it is behind the NAT device or 
> not. There are
> some exceptions that NAT devices which does not change port 
> number even in
> Hide NAT. In such cases, you might want to 'force' it. But in 
> general, you
> are not supposed to use forced mode for encapsulation.
> 
> So I suggest to try without forced mode. But I'm just 
> suggesting this to see
> if there is any difference and to find any work around to 
> this problem.
> 
> In my experiences, CP's product on W2K needs to be more 
> polished regardless
> it is FW or SR. I wouldn't be suprised if you see this kind 
> of weirdness.
> 
> Thanks,
> 
> Sun Yu, CISSP
> Lucent Worldwide Services
> 
> 
> > -----Original Message-----
> > From: [email protected]
> > [mailto:[email protected]]On Behalf Of
> > Minder, Brian
> > Sent: Friday, January 12, 2001 8:39 AM
> > To: [email protected]
> > Subject: [FW1] SecuRemote 4166/Win2K changes from udp to esp
> > mid-session
> >
> >
> >
> >
> > I'm testing SecuRemote build 4166 on Win2K and I've noticed 
> consistent
> > oddness.  While I have "force_udp_encapsulation (true)" on
> > the client, the
> > session seems to change back and forth from udp to esp over
> > time.  Clients
> > with routable addresses continue to function, but this breaks
> > clients who
> > are connecting from behind a NAT device.  Anyone have any
> > insight as to what
> > might cause this?  I am not experiencing this issue with other
> > builds/platforms.  Dumps of portions of the session are below.
> >
> > Thanks,
> >
> > -Brian
> >
> > Here's the problem environment:
> >
> > P440 running 4.1-SP2/IPSO-3.2.1
> > Hybrid IKE w/ TACACS
> > Win2K SP1 w/ SecuRemote 4166 with "force_udp_encapsulation (true)"
> >
> >
> >
> > The symptoms are:
> >
> > The client connects, is challenged, and authenticates.  
> Everything is
> > working great, sometimes for quite a while.  A tcpdump of the
> > connection
> > shows something like the following:
> >
> > 13:23:34.332713 roadwarrior.2746 > myfirewall.2746:  udp 196
> > 13:23:34.335601 myfirewall.2746 > roadwarrior.2746:  udp 588
> > 13:23:34.688933 roadwarrior.2746 > myfirewall.2746:  udp 148
> > 13:23:34.689969 myfirewall.2746 > roadwarrior.2746:  udp 172
> > 13:23:34.989065 roadwarrior.2746 > myfirewall.2746:  udp 172
> > 13:23:34.989882 myfirewall.2746 > roadwarrior.2746:  udp 108
> >
> > After some period of time there's some keying traffic, and
> > the session is
> > suddenly over esp!  At this point a client who is connecting
> > from behind a
> > NAT device gets the message "Connection with site SITENAME
> > has failed" and
> > has to reboot (not just restart SecuRemote) to reconnect.
> >
> > 13:32:51.297712 roadwarrior.isakmp > myfirewall.isakmp:  isakmp v1.0
> > exchange QUICK_MODE encrypted
> >         cookie: 957753f17d529538->a7d1bae62e962ec0 msgid:
> > 42fd0406 len: 164
> > 13:32:51.300268 roadwarrior.isakmp > myfirewall.isakmp:  isakmp v1.0
> > exchange QUICK_MODE encrypted
> >         cookie: 957753f17d529538->a7d1bae62e962ec0 msgid:
> > 5dc43f5f len: 60
> > 13:32:51.311456 myfirewall.isakmp > roadwarrior.isakmp:  isakmp v1.0
> > exchange QUICK_MODE encrypted
> >         cookie: 957753f17d529538->a7d1bae62e962ec0 msgid:
> > 42fd0406 len: 60
> > 13:32:51.339565 roadwarrior.isakmp > myfirewall.isakmp:  isakmp v1.0
> > exchange QUICK_MODE encrypted
> >         cookie: 957753f17d529538->a7d1bae62e962ec0 msgid:
> > 5dc43f5f len: 60
> > 13:32:51.428555 myfirewall.isakmp > roadwarrior.isakmp:  isakmp v1.0
> > exchange QUICK_MODE encrypted
> >         cookie: 957753f17d529538->a7d1bae62e962ec0 msgid:
> > 42fd0406 len: 60
> > 13:32:51.538545 myfirewall.isakmp > roadwarrior.isakmp:  isakmp v1.0
> > exchange QUICK_MODE encrypted
> >         cookie: 957753f17d529538->a7d1bae62e962ec0 msgid:
> > 42fd0406 len: 60
> > 13:33:08.798800 esp roadwarrior > myfirewall spi 0x9B73C1CA
> > seq 1 len 124
> > 13:33:08.799560 esp myfirewall > roadwarrior spi 0x90B9CDF6
> > seq 1 len 124
> > 13:33:09.134993 esp roadwarrior > myfirewall spi 0x9B73C1CA
> > seq 2 len 76
> > 13:33:15.235756 esp roadwarrior > myfirewall spi 0x9B73C1CA
> > seq 3 len 452
> > 13:33:15.249257 esp myfirewall > roadwarrior spi 0x90B9CDF6
> > seq 2 len 84
> > 13:33:41.612521 esp roadwarrior > myfirewall spi 0x9B73C1CA
> > seq 4 len 124
> > 13:33:41.613161 esp myfirewall > roadwarrior spi 0x90B9CDF6
> > seq 3 len 124
> > 13:33:41.979623 esp roadwarrior > myfirewall spi 0x9B73C1CA
> > seq 5 len 76
> >
> > Even better, sometimes after a rekey the client is using udp
> > encapsulation
> > while the FW is using esp, or vice versa:
> >
> > 13:51:12.284988 roadwarrior.isakmp > myfirewall.773:  isakmp
> > v1.0 exchange
> > QUICK_MODE encrypted
> >         cookie: 957753f17d529538->a7d1bae62e962ec0 msgid:
> > 14cd7e32 len: 60
> > 13:51:12.374089 myfirewall.773 > roadwarrior.isakmp:  isakmp
> > v1.0 exchange
> > QUICK_MODE encrypted
> >         cookie: 957753f17d529538->a7d1bae62e962ec0 msgid:
> > 7e5149e2 len: 60
> > 13:51:12.385145 roadwarrior.isakmp > myfirewall.773:  isakmp
> > v1.0 exchange
> > QUICK_MODE encrypted
> >         cookie: 957753f17d529538->a7d1bae62e962ec0 msgid:
> > 14cd7e32 len: 60
> > 13:51:12.484044 myfirewall.773 > roadwarrior.isakmp:  isakmp
> > v1.0 exchange
> > QUICK_MODE encrypted
> >         cookie: 957753f17d529538->a7d1bae62e962ec0 msgid:
> > 7e5149e2 len: 60
> > 13:51:19.253692 esp roadwarrior > myfirewall spi 0x9B73C1CD
> > seq 1 len 452
> > 13:51:19.265618 myfirewall.2746 > roadwarrior.2746:  udp 76
> > 13:51:44.409883 esp roadwarrior > myfirewall spi 0x9B73C1CD
> > seq 2 len 124
> > 13:51:44.410559 myfirewall.2746 > roadwarrior.2746:  udp 116
> > 13:51:44.810868 esp roadwarrior > myfirewall spi 0x9B73C1CD
> > seq 3 len 76
> > 13:52:17.206839 esp roadwarrior > myfirewall spi 0x9B73C1CD
> > seq 4 len 124
> > 13:52:17.207597 myfirewall.2746 > roadwarrior.2746:  udp 116
> > 13:52:17.545791 esp roadwarrior > myfirewall spi 0x9B73C1CD
> > seq 5 len 76
> >


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

Prev by Date: [FW1] Re: your mail
Next by Date: RE: [FW1] how to use GUI client on Win2000Pro??
Previous by thread: [FW1] RE: nokia ip330 not saving changes
Next by thread: RE: [FW1] SecuRemote 4166/Win2K changes from udp to esp mid-sessi on
Index(es):
- Date
- Thread