
ipsec-vpn: XPSP2 stopped working, was ok before
Hello list,

we are running a 50+ W2k/XP-client -> OpenBSD IPSEC VPN (X.509-certificates,
no PSK) without any troubles for more than a year now. Upgraded to 3.6,
some clients now using NAT-T UDPENCAP, works.

Last week, one user showed up with his XPSP2 notebook, couldn't connect to
the gateway any more (said he didn't change anything (Windows user :-)).

Debugging showed that Main Mode CERTREQUEST on his notebook wasn't followed
by Quick Mode anymore, instead INFO showed up - this is the point where
the connection setup failed. (Failure isolated to this single client, other
clients working fine.)

Later, the user "changed something" (sorry, no detailed information, Windows
user :-) and connection setup worked again without any troubles, as it
always did. OK, this is funny Windows XP.

Today, another user showed up, exactly the same problem. Even worse: he has
no idea what "changing something" he should do to make his notebook work
again.


Has anyone seen this "INFO instead of Quick Mode after CERTREQUEST" behavior? What's broken on the XPSP2 notebooks?

Thanks for any hints,
Peter Griessl

----------------------------------


Clients (wlans1, wlans27): Windows XP SP2 (tested with and without XP's builtin Firewall)
Gateway (143.130.40.1): OpenBSD 3.6, isakmpd-Patch 005


A. THIS IS HOW IT SHOULD BE

CERTREQUEST
-----------
11:40:51.242736 wlans1.ihs.ac.at.isakmp > 143.130.40.1.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
cookie: d99fce66d6c65405->70044b9480b525d7 msgid: 00000000 len: 1252
payload: ID len: 127 type: DER_ASN1_DN = "(not shown)"
payload: CERT len: 809
payload: SIG len: 132
payload: CERTREQUEST len: 152 [ttl 0] (id 1)


11:40:51.252817 143.130.40.1.isakmp > wlans1.ihs.ac.at.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
cookie: d99fce66d6c65405->70044b9480b525d7 msgid: 00000000 len: 994
payload: ID len: 25 type: FQDN = "ipsecgw.ihs.ac.at"
payload: CERT len: 809
payload: SIG len: 132 [ttl 0] (id 1)


and now QUICK_MODE
------------------
11:40:51.311906 wlans1.ihs.ac.at.isakmp > 143.130.40.1.isakmp: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
cookie: d99fce66d6c65405->70044b9480b525d7 msgid: 1bf49cc9 len: 284
payload: HASH len: 24
payload: SA len: 44 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 32 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x513fd26e
payload: TRANSFORM len: 20
transform: 1 ID: 3DES
attribute ENCAPSULATION_MODE = TUNNEL
attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
attribute GROUP_DESCRIPTION = 2
payload: KEY_EXCH len: 132
payload: NONCE len: 24
payload: ID len: 12 type: IPV4_ADDR = 143.130.40.128
payload: ID len: 16 type: IPV4_ADDR_SUBNET = 0.0.0.0/0.0.0.0 [ttl 0] (id 1)


B. THIS IS THE BROKEN CLIENT

CERTREQUEST
-----------
11:42:20.776007 wlans27.ihs.ac.at.isakmp > 143.130.40.1.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
cookie: 3be7a576abe8e83d->61874ea4fcffccf5 msgid: 00000000 len: 1100
payload: ID len: 126 type: DER_ASN1_DN = "(not shown)"
payload: CERT len: 807
payload: SIG len: 132
payload: CERTREQUEST len: 5 [ttl 0] (id 1)
11:42:20.786111 143.130.40.1.isakmp > wlans27.ihs.ac.at.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
cookie: 3be7a576abe8e83d->61874ea4fcffccf5 msgid: 00000000 len: 994
payload: ID len: 25 type: FQDN = "ipsecgw.ihs.ac.at"
payload: CERT len: 809
payload: SIG len: 132 [ttl 0] (id 1)


INFO instead of QUICK_MODE
--------------------------
11:42:29.527750 wlans27.ihs.ac.at.isakmp > 143.130.40.1.isakmp: [udp sum ok] isakmp v1.0 exchange INFO
cookie: 3be7a576abe8e83d->61874ea4fcffccf5 msgid: b62111f2 len: 84
payload: HASH len: 24
payload: DELETE len: 28 DOI: 1(IPSEC) proto: ISAKMP nspis: 1
cookie: 3be7a576abe8e83d->61874ea4fcffccf5 [ttl 0] (id 1)
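An added triage script (not from the post and not part of isakmpd) that reads tcpdump isakmp output in the format quoted above and, per ISAKMP cookie pair, reports whether Main Mode (ID_PROT) was followed by QUICK_MODE or by an INFO exchange carrying a DELETE, and lists the CERTREQUEST payload lengths so traces A and B can be compared side by side. The sample lines are constructed, abridged from the two traces above; the status labels are the script's own.

```python
import re
from collections import defaultdict
# Constructed sample: abridged from the tcpdump output quoted in the post above
SAMPLE = """\
11:40:51.242736 wlans1.ihs.ac.at.isakmp > 143.130.40.1.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
cookie: d99fce66d6c65405->70044b9480b525d7 msgid: 00000000 len: 1252
payload: CERTREQUEST len: 152 [ttl 0] (id 1)
11:40:51.311906 wlans1.ihs.ac.at.isakmp > 143.130.40.1.isakmp: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
cookie: d99fce66d6c65405->70044b9480b525d7 msgid: 1bf49cc9 len: 284
11:42:20.776007 wlans27.ihs.ac.at.isakmp > 143.130.40.1.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
cookie: 3be7a576abe8e83d->61874ea4fcffccf5 msgid: 00000000 len: 1100
payload: CERTREQUEST len: 5 [ttl 0] (id 1)
11:42:29.527750 wlans27.ihs.ac.at.isakmp > 143.130.40.1.isakmp: [udp sum ok] isakmp v1.0 exchange INFO
cookie: 3be7a576abe8e83d->61874ea4fcffccf5 msgid: b62111f2 len: 84
payload: DELETE len: 28 DOI: 1(IPSEC) proto: ISAKMP nspis: 1
"""

HDR = re.compile(r'^(\S+) (\S+)\.isakmp > \S+\.isakmp: .*exchange (\w+)')
COOKIE = re.compile(r'^cookie: (\S+) msgid')   # the packet's ISAKMP cookie pair (has msgid)
PAYLOAD = re.compile(r'^payload: (\w+) len: (\d+)')

def parse_packets(text):
    """Group tcpdump lines into packets, one per 'exchange' header line."""
    packets = []
    for line in map(str.strip, text.splitlines()):
        if m := HDR.match(line):
            packets.append({'src': m[2], 'exchange': m[3], 'cookie': None, 'payloads': []})
        elif packets and (m := COOKIE.match(line)):
            packets[-1]['cookie'] = m[1]
        elif packets and (m := PAYLOAD.match(line)):
            packets[-1]['payloads'].append((m[1], int(m[2])))
    return packets

def classify_sessions(packets):
    """Per cookie pair: did ID_PROT reach QUICK_MODE, or end in INFO+DELETE?"""
    by_cookie = defaultdict(list)
    for p in packets:
        if p['cookie']:
            by_cookie[p['cookie']].append(p)
    report = {}
    for pkts in by_cookie.values():
        exchanges = [p['exchange'] for p in pkts]
        deleted = any(p['exchange'] == 'INFO' and any(n == 'DELETE' for n, _ in p['payloads']) for p in pkts)
        certreq = [size for p in pkts for n, size in p['payloads'] if n == 'CERTREQUEST']
        # trace A: Main Mode then Quick Mode; trace B: Main Mode, then INFO carrying DELETE
        ok, broken = 'QUICK_MODE' in exchanges, 'ID_PROT' in exchanges and deleted
        status = 'ok' if ok else 'main-mode-then-delete' if broken else 'incomplete'
        # keyed by the initiator, i.e. the source of the first packet for this cookie pair
        report[pkts[0]['src']] = {'status': status, 'exchanges': exchanges, 'certreq_len': certreq}
    return report
```

Run it over a full `tcpdump -v` isakmp capture to pick out which clients end Main Mode with a DELETE rather than Quick Mode; the CERTREQUEST lengths are reported only as an observation to compare between working and failing clients.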