RDP 6.1 (Windows 7) towards Win2008R2 Servers through OpenBSD VPN Tunnels does not work... using RDP in XP SP3 (across the same VPN tunnel) does

2011-05-23 Thread * VLGroup Forums
Hello,



Been using OpenBSD boxes for VPN tunnels between sites for some 5 years now.

Works like a charm (using OpenBSD 3.8 boxes... I know, I know, but upgrading
25+ boxes around the globe is low on the prio-list :-))



Starting to use more and more W2008R2 Servers on those locations, and I noticed
that using the RDP client under Windows 7 does not connect to a W2008R2 server
on a remote location
(locally on that location it works fine).



When using the RDP Client on a Windows XP SP3 machine, it works ok (towards
the same server across the same VPN tunnel)!



Looked at everything, did not understand... until I noticed that this only
happens on remote locations where I use a VPN tunnel with OpenBSD boxes.
On connections that have a VPN tunnel via a different setup (like with
Fortigates, for example) this problem is not (!) present.



So, in short: a remote location with a Windows 2008 R2 server; connecting to
it from a different location with an XP SP3 machine works fine (RDP), from the
same different location with a Windows 7 RDP client it does not.

Those 2 locations are connected via OpenBSD 3.8 boxes (isakmpd).



The pf settings are open in the sense that they allow ALL traffic (inside the
VPN tunnel) between the 2 sites within the tunnel:

# allow traffic from VPNBOX Remote
pass in quick on $ext_if from $vpnboxremote to any

# allow traffic to Remote
pass in on $int_if from any to $remoterange



I do have the following in the pf.conf:



scrub in  all max-mss 1250 no-df

scrub out all max-mss 1250 no-df



As we have some problems on certain locations with the standard MTU sizes, I
placed these to solve that problem... but if I remove those, the problem
remains.
So that cannot be it.



Anyone seen this problem before?



I don't understand why (for some reason) the OpenBSD VPN connection makes a
difference in connecting to a remote server with a different RDP version.
I would expect it does not 'touch' the traffic in a way that makes a
difference between the 2?



Regards

Willem



Re: RDP 6.1 (Windows 7) towards Win2008R2 Servers through OpenBSD VPN Tunnels does not work... using RDP in XP SP3 (across the same VPN tunnel) does

2011-05-23 Thread * VLGroup Forums
Hello Stuart,

Sometimes it's so simple :-)

Indeed, as I use 4.x and higher in daily life, I had that default in my
mind and was thinking it does that already.
But in 3.8 it does not.

So I added the 'keep it in state' and that solved it.
I admit, should have tried that first...

Thanks for the quick response!

Regards
Willem




-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf
Of Stuart Henderson
Sent: Monday, May 23, 2011 11:05 AM
To: misc@openbsd.org
Subject: Re: RDP 6.1 (Windows 7) towards Win2008R2 Servers through
OpenBSD VPN Tunnels does not work... using RDP in XP SP3 (across the same
VPN tunnel) does

On 2011-05-23, * VLGroup Forums for...@vanleeuwen.nl wrote:

> So, in short: a remote location with a Windows 2008 R2 server;
> connecting to it from a different location with an XP SP3 machine
> works fine (RDP), from the same different location with a Windows 7
> RDP client it does not.

I think RDP is a red herring, I expect this is to do with different TCP
behaviour on newer versions of Windows, specifically that it now uses
window scaling so that larger TCP buffers can be used.

The wscale information (only present in TCP SYNs) is needed to handle
sequence number tracking, so it's important to create states on the SYNs
and not intermediate packets later in the session, so in 2006 we changed
defaults so that 'pass' rules now use an implicit 'flags S/SA keep state'
which avoids most problems relating to this.
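The fix the thread arrives at, written out as an added pf.conf fragment for OpenBSD 3.8 (this is an illustration added here, not Willem's actual ruleset and not from the OpenBSD documentation). The interface names, the remote gateway address and the remote LAN range are assumed placeholders; the scrub lines and the two original pass rules are the ones from the post above. The point is to make the 4.x-and-later default explicit on 3.8: TCP state is created only on the SYN, which is the one packet that carries the window-scale option pf needs for sequence tracking.

```pf
# Added example, not from the original thread. Macro values are assumptions.
ext_if       = "em0"                 # assumed: Internet-facing interface
int_if       = "em1"                 # assumed: LAN interface
vpnboxremote = "198.51.100.2"        # assumed: remote OpenBSD 3.8 gateway
remoterange  = "192.168.76.0/22"     # assumed: LAN behind the remote gateway

# MSS clamping as in the original post (unchanged; unrelated to the fix).
scrub in  all max-mss 1250 no-df
scrub out all max-mss 1250 no-df

# Allow the tunnel traffic from the remote gateway (unchanged from the post).
pass in quick on $ext_if from $vpnboxremote to any

# Weak form (the 3.8 behaviour of a bare 'pass'): stateless match, so pf has
# no per-connection state and never learns the wscale factor that only the
# SYN carries. Windows 7 / 2008 R2 negotiate window scaling, so any state
# created later from a mid-session packet tracks sequence numbers with the
# unscaled window and drops in-window data.
#pass in on $int_if from any to $remoterange

# Corrected form. pf evaluates rules last-match-wins, so:
#   - non-TCP traffic to the remote site matches the first rule and gets state;
#   - a TCP packet that is NOT a SYN matches the 'block', so no state is ever
#     created mid-session (an established connection still passes, because
#     the state lookup happens before the rules are evaluated);
#   - a SYN matches the last rule, creates state, and the wscale option is
#     recorded for the rest of the connection. 'flags' is only valid with
#     'proto tcp', hence the separate TCP rules.
pass in on $int_if from any to $remoterange keep state
block in on $int_if proto tcp from any to $remoterange
pass in on $int_if proto tcp from any to $remoterange flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and watch the states with `pfctl -ss` while opening an RDP session. One caveat that follows from the ruleset: TCP connections that were already open when it is loaded have no state and will not pass until the client reconnects, because only a new SYN can create state now.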



IPSEC.CONF with Dynamic IP address (parse HOST name) doesn't seem to work

2007-09-04 Thread * VLGroup Forums
Hello everyone,

I have several VPN tunnels between OBSD 3.8 systems (LAN to LAN via
VPN). These all have fixed IP addresses and all works
fine :-). However, now I have an OBSD 3.8 system that gets a Dynamic IP
address. I mapped that address to a hostname using DynDNS.org.
Using ipcheck.py (a python program) it keeps the DynDns.org DNS servers
up-to-date when an IP change occurs. So far, so good.

I was hoping to simply use the DynDns host name in the IPSEC.CONF
file, but that doesn't seem to work :-(( .
For this mail I changed the name to remote5.dyndns.org. The real
name pings ok and I can use it to SSH into the machine.

#
# IPSEC to remote location 5
# Active host, remote location is passive
#
ike esp from 172.17.0.0/16  to 192.168.76.0/22 peer remote5.dyndns.org
ike esp from openbsd ip  to 192.168.76.0/22 peer remote5.dyndns.org
ike esp from openbsd ip  to remote5.dyndns.org

Note the remote5.dyndns.org instead of an IP address.

When I load this config file I get:

# ipsecctl -f /etc/ipsec.conf

/etc/ipsec.conf: 46: could not parse host specification
/etc/ipsec.conf: 47: could not parse host specification
/etc/ipsec.conf: 48: could not parse host specification
ipsecctl: Syntax error in config file: ipsec rules not loaded

How to get around this, that is, get the host name 'parsed' inside the
ipsec.conf file to the correct IP address?

regards
Wiljoh