Hi,

We're trying to connect the Cisco VPN Dialer (v3) to a Cisco VPN
concentrator through a Bering 1.2 box performing firewalling and NAT,
pretty standard stuff.

The rules we use are:

Policy = No traffic allowed period.
Rules for this case:

ACCEPT loc:192.168.x.y net:a.b.c.d udp 500
ACCEPT loc:192.168.x.y net:a.b.c.d udp 4500
ACCEPT loc:192.168.x.y net:a.b.c.d 50

Now, this is why it is probably OT.
It works fine on Win2K SP1 boxes
It does NOT work on Win2K SP4 and WinXP SP1
So currently it seems to be a Windows problem, not a LEAF problem.

However we have been assured that it *should* work. Of course, no help
is forthcoming from Cisco.

(Side Note: Why do people eschew free solutions for lack of support? Our
client must have paid 1000s for that VPN box, but we don't get any help.
We're a 3rd party but it's not even like our client can ask for help.)

Logs at the end of this message.

Probably nothing to do with LEAF, but if anybody can shed any light!

Thanks,

James.

--------

Anyway, here are some logs I've collected.

First WinDump, kinda equivalent to tcpdump I guess. IKE failed.
INVALID-HASH-INFORMATION may suggest packet mangling broke a signature?

11:14:58.506130 IP james.WIN2KDOMAIN.1367 > colo-62-105-97-range129.as15758.net.62514: udp 12
11:14:58.512641 IP james.WIN2KDOMAIN.1368 > colo-62-105-97-range129.as15758.net.62514: udp 8
11:14:58.513100 IP james.WIN2KDOMAIN.1369 > colo-62-105-97-range129.as15758.net.62514: udp 8
11:14:58.518808 IP james.WIN2KDOMAIN.500 > colo-62-105-97-range129.as15758.net.500: isakmp: phase 1 I agg: [|sa]
11:14:58.594708 IP colo-62-105-97-range129.as15758.net.500 > james.WIN2KDOMAIN.500: isakmp: phase 1 R agg: [|sa]
11:14:58.601393 IP james.WIN2KDOMAIN.500 > colo-62-105-97-range129.as15758.net.500: isakmp: phase 1 I inf: (n: doi=ipsec proto=isakmp type=INVALID-HASH-INFORMATION)

Next up, the Cisco Logger, says pretty much the same thing, IKE failed.
More detailed I guess.

1      11:24:34.845  04/15/04  Sev=Info/6       DIALER/0x63300002
Initiating connection.
2      11:24:34.845  04/15/04  Sev=Info/4       CM/0x63100002
Begin connection process
3      11:24:34.845  04/15/04  Sev=Info/4       CM/0x63100004
Establish secure connection using Ethernet
4      11:24:34.845  04/15/04  Sev=Info/4       CM/0x63100024
Attempt connection with server "62.105.97.129"
5      11:24:34.860  04/15/04  Sev=Info/6       IKE/0x6300003B
Attempting to establish a connection with 62.105.97.129.
6      11:24:34.860  04/15/04  Sev=Info/4       IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID, VID, VID) to
62.105.97.129
7      11:24:34.954  04/15/04  Sev=Info/5       IKE/0x6300002F
Received ISAKMP packet: peer = 62.105.97.129
8      11:24:34.954  04/15/04  Sev=Info/4       IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID, VID, VID, VID, KE, ID, NON, HASH)
from 62.105.97.129
9      11:24:34.954  04/15/04  Sev=Info/5       IKE/0x63000059
Vendor ID payload = 09002689DFD6B712
10     11:24:34.954  04/15/04  Sev=Info/5       IKE/0x63000001
Peer supports XAUTH
11     11:24:34.954  04/15/04  Sev=Info/5       IKE/0x63000059
Vendor ID payload = AFCAD71368A1F1C96B8696FC77570100
12     11:24:34.954  04/15/04  Sev=Info/5       IKE/0x63000001
Peer supports DPD
13     11:24:34.954  04/15/04  Sev=Info/5       IKE/0x63000059
Vendor ID payload = 12F5F28C457168A9702D9FE274CC0100
14     11:24:34.954  04/15/04  Sev=Info/5       IKE/0x63000001
Peer is a Cisco-Unity compliant peer
15     11:24:34.954  04/15/04  Sev=Info/5       IKE/0x63000059
Vendor ID payload = 3E1AE87FDF4D1C40CE41D30ED2964D10
16     11:24:34.954  04/15/04  Sev=Warning/3    IKE/0xE3000056
The received HASH payload cannot be verified
17     11:24:34.954  04/15/04  Sev=Warning/2    IKE/0xE300007D
Hash verification failed... may be configured with invalid group
password.
18     11:24:34.954  04/15/04  Sev=Info/4       IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:INVALID_HASH_INFO) to 62.105.97.129
19     11:24:34.954  04/15/04  Sev=Info/4       IKE/0x6300004A
Discarding IKE SA negotiation
20     11:24:34.954  04/15/04  Sev=Info/4       CM/0x63100014
Unable to establish Phase 1 SA with server "62.105.97.129" because of
"DEL_REASON_IKE_NEG_FAILED"
21     11:24:34.954  04/15/04  Sev=Info/5       CM/0x63100027
Initializing CVPNDrv
22     11:24:35.001  04/15/04  Sev=Info/4       IPSEC/0x63700014
Deleted all keys
23     11:24:35.001  04/15/04  Sev=Info/4       IPSEC/0x63700014
Deleted all keys
24     11:24:35.032  04/15/04  Sev=Warning/3    DIALER/0xE3300008
GI VPNStart callback failed "CM_IKE_ESTABLISH_FAIL" (3h).


------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
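
A small parser for the two-line record layout of the Cisco client log quoted in the message above, added here as an example (it is not part of the original message and not a Cisco tool). It pulls out the IKE exchanges and the warning records so the step at which Phase 1 fails is easy to see. The function and field names are hypothetical, and the sample is an excerpt of the log in the message.

```python
import re

# Excerpt of the client log quoted in the message (records 6, 8, 16, 18, 20).
SAMPLE_LOG = """\
6      11:24:34.860  04/15/04  Sev=Info/4       IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID, VID, VID) to
62.105.97.129
8      11:24:34.954  04/15/04  Sev=Info/4       IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID, VID, VID, VID, KE, ID, NON, HASH)
from 62.105.97.129
16     11:24:34.954  04/15/04  Sev=Warning/3    IKE/0xE3000056
The received HASH payload cannot be verified
18     11:24:34.954  04/15/04  Sev=Info/4       IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:INVALID_HASH_INFO) to 62.105.97.129
20     11:24:34.954  04/15/04  Sev=Info/4       CM/0x63100014
Unable to establish Phase 1 SA with server "62.105.97.129" because of
"DEL_REASON_IKE_NEG_FAILED"
"""

# Header line: sequence, time, date, Sev=<name>/<level>, <module>/<hex code>.
HEADER = re.compile(r"^(\d+)\s+(\d\d:\d\d:\d\d\.\d+)\s+(\d\d/\d\d/\d\d)\s+"
                    r"Sev=(\w+)/(\d+)\s+(\w+)/(0x[0-9A-Fa-f]+)\s*$")
EXCHANGE = re.compile(r"(SENDING|RECEIVING) (?:>>>|<<<) ISAKMP OAK (\w+) \(([^)]*)\)")

def parse_records(text):
    """Group each header line with the (possibly wrapped) message lines after it."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            seq, clock, date, sev, level, module, code = m.groups()
            records.append({"seq": int(seq), "time": clock, "date": date, "sev": sev,
                            "level": int(level), "module": module, "code": code, "msg": ""})
        elif records and line.strip():
            # Continuation of the previous record's message (mail-wrapped text).
            records[-1]["msg"] = (records[-1]["msg"] + " " + line.strip()).strip()
    return records

def ike_exchanges(records):
    """Return (seq, direction, exchange type, payload list) for each ISAKMP message."""
    out = []
    for rec in records:
        m = EXCHANGE.search(rec["msg"])
        if m:
            payloads = [p.strip() for p in m.group(3).split(",")]
            out.append((rec["seq"], m.group(1), m.group(2), payloads))
    return out

def warning_records(records):
    """Return (seq, module, code, message) for every record logged at Warning severity."""
    return [(r["seq"], r["module"], r["code"], r["msg"]) for r in records if r["sev"] == "Warning"]
```
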
