Re: [leaf-user] ipsec problem
Tibbs, Richard wrote:
> Charles,
> On the nat-traversal issue in bering fws -- I thought that parameter was
> if there was a router downstream that would subsequently nat the
> connection. I had an exchange with Microsoft about the need for a patch on
> the XP (or any machine) going through a nat box like bering. And I think a
> while back someone on the list volunteered that nat_traversal=yes was
> ineffective.

There is a NAT box...the home FW between your XP system and the internet.

The nat_traversal=yes could be ineffective...I don't use nat_traversal, so I'm not sure. IIRC it's not something that can be negotiated at connection time, however, so both ends need to be set up with agreeing NAT-T settings at configuration time.

> Let me try a domain name in my XP IPsec config, as well as -- I think --
> the office fw config. Right?
> IOW, here is my current xp box security policy on the outbound direction:
>
>   Mirr  Desc  Proto  srcport  destport  srcDNS  srcaddr  destDNS  destaddr
>   Y     -     any    any      any       myIP    myIP/32  Subnet   192.168.10.0/24
>
> and for inbound.
>
>   Mirr  Desc  Proto  srcport  destport  srcDNS  srcaddr          destDNS  destaddr
>   Y     -     any    any      any       Subnet  192.168.10.0/24  myIP     myIP/32
>
> So, at least the destdns for inbound needs to be mydomain.com and office
> fw ipsec.conf should have leftid = mydomain.com ?

I don't grok XP ipsec config, and the above looks more like firewall rules than an IPSec connection config. If this were two linux boxen, they should have something like the following in the config files on *BOTH* ends of the link:

conn roadwarrior
        [EMAIL PROTECTED]
        [EMAIL PROTECTED]
        ...

NOTES:
- These ID's could also go in conn %default, an included file, etc.
- The @ sign is important! If you don't include the @, the name is resolved and the IP address is used as the identifier, typically *NOT* what you want (you're defaulting to the IP address of ipsec0 for the identifier already, by not specifying [left|right]id).
- The ID's provided/expected by each end must match (along with other settings, like [L|R]subnet, etc) or you'll get the 'no suitable connection' error.
- I don't know how you specify this sort of ID in XP...perhaps google can help you.

> BTW, don't know if it matters but I notice that the homefw ipsec conf has
> both
>   left=216.12.22.89
>   left=%deafultroute
> Could that be any problem?

It could, but I suspect the latter value simply overwrites the earlier one (check the man page and your log files to be sure).

One other issue that might be causing you problems: Are you establishing any IPSec links between your home FW and the office FW? If so, the problem could be that the office FW is getting confused by the fact that you've got multiple connections coming from the same IP address, which already has identity information associated with it (this would also explain the errors in the log about no valid connection description). Using explicit IDs might help you, but it might not (depends on what your other tunnels are like, as there are limitations based on when various information is transferred and how ipsec figures out which connection description to use).

Your fundamental problem is that the office FW can't figure out which connection description applies to the inbound connections from your XP box, and this is pretty much by definition a configuration problem (or a problem with the architecture of your network not properly taking into account the limitations of identifying inbound ipsec connections). If using explicit IDs doesn't get you anywhere, try to up the debugging level and post more information from your logs when trying to get the XP box to connect.

-- 
Charles Steinkuehler
[EMAIL PROTECTED]

---
This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting Tool for open source databases. Create drag-&-drop reports. Save time by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc.
Download a FREE copy at http://www.intelliview.com/go/osdn_nl
leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
RE: [leaf-user] ipsec problem
Charles,
On the nat-traversal issue in bering fws -- I thought that parameter was if there was a router downstream that would subsequently nat the connection. I had an exchange with Microsoft about the need for a patch on the XP (or any machine) going through a nat box like bering. And I think a while back someone on the list volunteered that nat_traversal=yes was ineffective.

Let me try a domain name in my XP IPsec config, as well as -- I think -- the office fw config. Right?
IOW, here is my current xp box security policy on the outbound direction:

  Mirr  Desc  Proto  srcport  destport  srcDNS  srcaddr  destDNS  destaddr
  Y     -     any    any      any       myIP    myIP/32  Subnet   192.168.10.0/24

and for inbound.

  Mirr  Desc  Proto  srcport  destport  srcDNS  srcaddr          destDNS  destaddr
  Y     -     any    any      any       Subnet  192.168.10.0/24  myIP     myIP/32

So, at least the destdns for inbound needs to be mydomain.com and office fw ipsec.conf should have leftid = mydomain.com ?

BTW, don't know if it matters but I notice that the homefw ipsec conf has both
  left=216.12.22.89
  left=%deafultroute
Could that be any problem?

Rick.

-----Original Message-----
From: Charles Steinkuehler [mailto:[EMAIL PROTECTED]
Sent: Friday, January 21, 2005 2:18 PM
To: Tibbs, Richard
Cc: leaf-user@lists.sourceforge.net
Subject: Re: [leaf-user] ipsec problem

Tibbs, Richard wrote:
> Dear list, sorry for long post.
>
> I am having an issue with IPsec.
> I have a WinXP machine that can build a successful SA just outside
> "office" firewall (Bering 1.2) in road-warrior mode, but not from behind
> another bering 1.2 "home" firewall. Nat traversal patch is on WinXP.
>
> home-subnet - homefw --ethsw -- internet --ethsw- officefw--offic-sub
> 192.168.1.0      |               |                 192.168.10.0
> Winxp (.3)       |               |
> won't work here  will work       Will work
>
> I have moved the laptop farther away from office fw and as soon as I am
> behind a NAT device, I get this message from officefw:
>
> "road-warrior"[4] 216.x.y.z #5: no suitable connection for peer
> '192.168.1.3'
>
> What could be wrong here?

I'm not sure exactly what's wrong, but the errors in the log tickle my memory, especially:

> Jan 21 18:31:46 firewall pluto[1025]: "road-warrior"[4] 216.x.y.z #5: responding to Main Mode from unknown peer 216.x.y.z
> Jan 21 18:31:47 firewall pluto[1025]: "road-warrior"[4] 216.x.y.z #5: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.3'
> Jan 21 18:31:47 firewall pluto[1025]: "road-warrior"[4] 216.x.y.z #5: no suitable connection for peer '192.168.1.3'

The last message indicates a problem with your connection description (the information provided while negotiating an SA doesn't match anything in ipsec.conf). It looks to me like IPSec is defaulting to using the IP address as its identifier, and you may be running into problems when this doesn't match the 'visible' IP of the connection on the other end (due to NAT).

Try putting [left|right]id stanzas in your ipsec.conf file(s). I like to use unresolved names, ie: [EMAIL PROTECTED] (see ipsec.conf man page for details and other options).

Also, you mention enabling nat-traversal on the XP machine, but your connection defaults set nat_traversal=no, and the road-warrior connection descriptions don't seem to override this. This mis-match could also be causing your problem (or adding to it).

-- 
Charles Steinkuehler
[EMAIL PROTECTED]
Re: [leaf-user] ipsec problem
Tibbs, Richard wrote:
> Dear list, sorry for long post.
>
> I am having an issue with IPsec.
> I have a WinXP machine that can build a successful SA just outside
> "office" firewall (Bering 1.2) in road-warrior mode, but not from behind
> another bering 1.2 "home" firewall. Nat traversal patch is on WinXP.
>
> home-subnet - homefw --ethsw -- internet --ethsw- officefw--offic-sub
> 192.168.1.0      |               |                 192.168.10.0
> Winxp (.3)       |               |
> won't work here  will work       Will work
>
> I have moved the laptop farther away from office fw and as soon as I am
> behind a NAT device, I get this message from officefw:
>
> "road-warrior"[4] 216.x.y.z #5: no suitable connection for peer
> '192.168.1.3'
>
> What could be wrong here?

I'm not sure exactly what's wrong, but the errors in the log tickle my memory, especially:

> Jan 21 18:31:46 firewall pluto[1025]: "road-warrior"[4] 216.x.y.z #5: responding to Main Mode from unknown peer 216.x.y.z
> Jan 21 18:31:47 firewall pluto[1025]: "road-warrior"[4] 216.x.y.z #5: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.3'
> Jan 21 18:31:47 firewall pluto[1025]: "road-warrior"[4] 216.x.y.z #5: no suitable connection for peer '192.168.1.3'

The last message indicates a problem with your connection description (the information provided while negotiating an SA doesn't match anything in ipsec.conf). It looks to me like IPSec is defaulting to using the IP address as its identifier, and you may be running into problems when this doesn't match the 'visible' IP of the connection on the other end (due to NAT).

Try putting [left|right]id stanzas in your ipsec.conf file(s). I like to use unresolved names, ie: [EMAIL PROTECTED] (see ipsec.conf man page for details and other options).

Also, you mention enabling nat-traversal on the XP machine, but your connection defaults set nat_traversal=no, and the road-warrior connection descriptions don't seem to override this. This mis-match could also be causing your problem (or adding to it).

-- 
Charles Steinkuehler
[EMAIL PROTECTED]
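The failure Charles describes can be checked mechanically: pluto logs the address the IKE packets came from and, separately, the ID the peer claims, so a NATed road warrior shows up as a public source address paired with an ID_IPV4_ADDR holding a private address that no conn on the responder can match. The script below is an added example, not code from this thread or from the LEAF/Bering project. It assumes the pluto log wording quoted above and the section/key=value layout of a FreeS/WAN-style ipsec.conf; the sample log lines and the cut-down config are constructed to mirror Rick's posting, with the documentation address 203.0.113.7 standing in for the anonymised 216.x.y.z.

```python
"""Triage helper: spot a road warrior whose IKE identity is its private
(NAT-rewritten) address and check whether the responder's ipsec.conf could
ever match it.

Added example, not code from the leaf-user thread or the LEAF project.
Assumes the pluto log wording from the thread and FreeS/WAN ipsec.conf layout.
"""
import ipaddress
import re

# Constructed sample lines shaped like the auth.log excerpt in the thread.
SAMPLE_LOG = """\
Jan 21 18:31:46 firewall pluto[1025]: "road-warrior"[4] 203.0.113.7 #5: responding to Main Mode from unknown peer 203.0.113.7
Jan 21 18:31:47 firewall pluto[1025]: "road-warrior"[4] 203.0.113.7 #5: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.3'
Jan 21 18:31:47 firewall pluto[1025]: "road-warrior"[4] 203.0.113.7 #5: no suitable connection for peer '192.168.1.3'
Jan 21 18:31:47 firewall pluto[1025]: "road-warrior"[4] 203.0.113.7 #5: sending notification INVALID_ID_INFORMATION to 203.0.113.7:500
"""

# Constructed cut-down version of the office ipsec.conf posted in the thread.
SAMPLE_CONF = """\
config setup
        interfaces=%defaultroute
        nat_traversal=no

conn %default
        authby=secret
        right=%defaultroute
        rightsubnet=192.168.10.0/24
        auto=add

conn road-warrior
        left=%any
"""

PEER_RE = re.compile(r"responding to Main Mode from unknown peer (\S+)")
ID_RE = re.compile(r"Main mode peer ID is ID_IPV4_ADDR: '([^']+)'")
NOCONN_RE = re.compile(r"no suitable connection for peer '([^']+)'")


def parse_pluto_log(text):
    """Pull out the address packets came from, the ID the peer claimed, and
    whether pluto rejected the peer for lack of a matching conn."""
    result = {"source": None, "peer_id": None, "rejected": False}
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:
            result["source"] = m.group(1)
        m = ID_RE.search(line)
        if m:
            result["peer_id"] = m.group(1)
        if NOCONN_RE.search(line):
            result["rejected"] = True
    return result


def parse_ipsec_conf(text):
    """Minimal ipsec.conf reader: {"config setup": {...}, "conn NAME": {...}}.
    Values from 'conn %default' are copied into every conn that follows it,
    which is how FreeS/WAN applies them."""
    sections, defaults, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()    # '#' starts a comment
        if not line.strip():
            continue
        if not line[0].isspace():                # unindented: section header
            kind, _, name = line.strip().partition(" ")
            current = f"{kind} {name}"
            inherit = kind == "conn" and name != "%default"
            sections[current] = dict(defaults) if inherit else {}
            continue
        if current is None:                      # key before any header: ignore
            continue
        key, _, value = line.strip().partition("=")
        key, value = key.strip(), value.strip()
        if current == "conn %default":
            defaults[key] = value
        sections[current][key] = value
    return sections


def diagnose(log, conf):
    """Return a list of findings explaining why the responder has no conn
    for this peer; an empty list means nothing here looks wrong."""
    findings = []
    src, pid = log["source"], log["peer_id"]
    if src and pid and pid != src:
        try:
            claimed = ipaddress.ip_address(pid)
        except ValueError:
            claimed = None
        if claimed is not None:
            findings.append(f"peer identifies itself as {pid} but its packets arrive "
                            f"from {src}: the ID defaulted to an address that NAT rewrites")
            if claimed.is_private:
                findings.append(f"{pid} is an RFC 1918 address, so no conn on the "
                                "public side can be written to match it")
    setup = conf.get("config setup", {})
    if setup.get("nat_traversal", "no").lower() != "yes":
        findings.append("nat_traversal is not enabled in 'config setup' on this end")
    for name, values in conf.items():
        if not name.startswith("conn ") or name == "conn %default":
            continue
        for side in ("left", "right"):
            if values.get(side) == "%any" and f"{side}id" not in values:
                findings.append(f"{name}: {side}=%any with no {side}id, so the road "
                                "warrior can only be matched by its IP-based ID")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_pluto_log(SAMPLE_LOG), parse_ipsec_conf(SAMPLE_CONF)):
        print("-", finding)
```

Run stand-alone it prints four findings: the first two are the cause of the 'no suitable connection' error (claimed ID and visible source differ, and the claimed ID is unroutable from the office side), the last two are the settings Charles suggests revisiting (NAT-T agreement on both ends, and an explicit leftid on the %any side).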
[leaf-user] ipsec problem
Dear list, sorry for long post.

I am having an issue with IPsec.
I have a WinXP machine that can build a successful SA just outside "office" firewall (Bering 1.2) in road-warrior mode, but not from behind another bering 1.2 "home" firewall. Nat traversal patch is on WinXP.

home-subnet - homefw --ethsw -- internet --ethsw- officefw--offic-sub
192.168.1.0      |               |                 192.168.10.0
Winxp (.3)       |               |
won't work here  will work       Will work

I have moved the laptop farther away from office fw and as soon as I am behind a NAT device, I get this message from officefw:

"road-warrior"[4] 216.x.y.z #5: no suitable connection for peer '192.168.1.3'

What could be wrong here?
TIA, Rick

The ipsec configs of both firewalls are displayed below. When trying to tunnel from home, the auth.log on office fw says

Jan 21 18:31:46 firewall pluto[1025]: packet from 216.x.y.z:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 0004]
Jan 21 18:31:46 firewall pluto[1025]: packet from 216.x.y.z:500: ignoring Vendor ID payload [4048b7d56ebce885...]
Jan 21 18:31:46 firewall pluto[1025]: packet from 216.x.y.z:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jan 21 18:31:46 firewall pluto[1025]: packet from 216.x.y.z:500: ignoring Vendor ID payload [26244d38eddb61b3...]
Jan 21 18:31:46 firewall pluto[1025]: "road-warrior"[4] 216.x.y.z #5: responding to Main Mode from unknown peer 216.x.y.z
Jan 21 18:31:47 firewall pluto[1025]: "road-warrior"[4] 216.x.y.z #5: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.3'
Jan 21 18:31:47 firewall pluto[1025]: "road-warrior"[4] 216.x.y.z #5: no suitable connection for peer '192.168.1.3'
Jan 21 18:31:47 firewall pluto[1025]: "road-warrior"[4] 216.x.y.z #5: sending notification INVALID_ID_INFORMATION to 216.x.y.z:500
Jan 21 18:31:48 firewall pluto[1025]: "road-warrior"[4] 216.x.y.z #5: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.3'
Jan 21 18:31:48 firewall pluto[1025]: "road-warrior"[4] 216.x.y.z #5: no suitable connection for peer '192.168.1.3'
Jan 21 18:31:48 firewall pluto[1025]: "road-warrior"[4] 216.x.y.z #5: sending notification INVALID_ID_INFORMATION to 216.x.y.z:500
Jan 21 18:31:50 firewall pluto[1025]: "road-warrior"[4] 216.x.y.z #5: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.3'
Jan 21 18:31:50 firewall pluto[1025]: "road-warrior"[4] 216.x.y.z #5: no suitable connection for peer '192.168.1.3'
Jan 21 18:31:50 firewall pluto[1025]: "road-warrior"[4] 216.x.y.z #5: sending notification INVALID_ID_INFORMATION to 216.x.y.z:500
Jan 21 18:31:54 firewall pluto[1025]: "road-warrior"[4] 216.x.y.z #5: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.3'
Jan 21 18:31:54 firewall pluto[1025]: "road-warrior"[4] 216.x.y.z #5: no suitable connection for peer '192.168.1.3'
Jan 21 18:31:54 firewall pluto[1025]: "road-warrior"[4] 216.x.y.z #5: sending notification INVALID_ID_INFORMATION to 216.x.y.z:500
Jan 21 18:32:02 firewall pluto[1025]: "road-warrior"[4] 216.x.y.z #5: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.3'
Jan 21 18:32:02 firewall pluto[1025]: "road-warrior"[4] 216.x.y.z #5: no suitable connection for peer '192.168.1.3'
Jan 21 18:32:02 firewall pluto[1025]: "road-warrior"[4] 216.x.y.z #5: sending notification INVALID_ID_INFORMATION to 216.x.y.z:500
Jan 21 18:32:18 firewall pluto[1025]: "road-warrior"[4] 216.x.y.z #5: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.3'
Jan 21 18:32:18 firewall pluto[1025]: "road-warrior"[4] 216.x.y.z #5: no suitable connection for peer '192.168.1.3'
Jan 21 18:32:18 firewall pluto[1025]: "road-warrior"[4] 216.x.y.z #5: sending notification INVALID_ID_INFORMATION to 216.x.y.z:500

firewall: -root-
== office ipsec.conf

# basic configuration
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces=%defaultroute
        #interfaces="ipsec0=eth0"
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes
        nat_traversal=no

# defaults for subsequent connection descriptions
conn %default
        # How persistent to be in (re)keying negotiations (0 means very).
        keyingtries=0
        # RSA authentication with keys from DNS.
        #authby=rsasig
        # Authentication by pre-shared secret key
        authby=secret
        right=%defaultroute
        #left=%defaultroute
        rightsubnet=192.168.10.0/24
        #leftnexthop=%direct
        rightfirewall=yes
        pfs=yes
        auto=add
        #leftrsasigkey=%dns
        #rightrsasigkey=%dns

conn road-warrior
        left=%any

= home ipsec.conf
#