Networking Forums

IPSec client from behind a NAT

Igor Dombrovan
      07-22-2004, 05:06 PM
Hi guys

Has anybody managed to configure an IPSec client (WinXP) to access a Win2K3
from behind a NAT? I always get event ID 547 saying:
IKE security association negotiation failed.

....

Failure Point:

Me

Failure Reason:

No policy

The policy is there, I bet. Google doesn't help at this time.



Thanks

Igor

 
Miha Pihler
      07-22-2004, 07:53 PM
What are you using for authentication? Kerberos, certificate, pre-shared
key? Is this WinXP client part of the same domain as the Win2K3?

Mike



 
Christopher Black [MSFT]
      07-22-2004, 10:27 PM
You need the NAT-T update for Windows XP (pre-SP2) to work through a NAT.

See http://support.microsoft.com/default...b;en-us;818043

-- Chris




 
Igor Dombrovan
      07-23-2004, 09:42 AM
Hi

Thanks, Chris. That worked. Google also advised me to do that yesterday but
I didn't find the update right away and posted the question to the group.
Anyway, the IPSec is established now but the application protocol (I tried
RDP on a port other than 3389 and telnet on its own port) doesn't.
Here's more detail in case anybody is interested.
There's a W2K3 machine somewhere on the internet, no AD, using ICF to allow
incoming UDP 4500,500 TCP 3389,23.
There's a policy on that machine to require IPSec for ANY:ANY <-> ME:23,
auth being a shared key.
Now my machine, a WinXP behind a FreeBSD NAT and firewall, with a private IP
address and an IPSec policy for ME:ANY <-> SERVER:23 to require IPSec, auth
the same key.
When I try to connect, the SERVER effectively blocks reply packets. Here's a
part of pfirewall.log for one connection attempt:

2004-07-23 12:52:54 DROP TCP <server ip> <nat ext ip> 23 3313 40 A 813323069 3885696872 17520 - - -
2004-07-23 12:53:00 DROP TCP <server ip> <nat ext ip> 23 3313 40 A 813323069 3885696872 17520 - - -

When I disable the firewall, there are no log entries, of course. But the
connection still doesn't get through.

Here's the FreeBSD tcpdump output when attempting a connection:

bash# tcpdump -pn host <my private ip address> and host <server public address>
tcpdump: listening on fxp0
13:16:28.525297 <my private ip address>.4500 > <server public address>.4500: udp 60 (DF)
13:16:28.534428 <server public address>.4500 > <my private ip address>.4500: udp 60 (DF)
13:16:29.465958 <my private ip address>.4500 > <server public address>.4500: udp 1
13:16:31.390521 <server public address>.4500 > <my private ip address>.4500: udp 60 (DF)
13:16:31.434674 <my private ip address>.4500 > <server public address>.4500: udp 60 (DF)
13:16:37.408232 <server public address>.4500 > <my private ip address>.4500: udp 60 (DF)
13:16:37.450384 <my private ip address>.4500 > <server public address>.4500: udp 60 (DF)
13:16:49.466204 <my private ip address>.4500 > <server public address>.4500: udp 1
^C
2292 packets received by filter
0 packets dropped by kernel
bash#

I tried TCPView from www.sysinternals.com on the SERVER and it shows a
SYN_RCVD on the proper TCP port which is never replied to.

I'm basically stuck. Any more ideas on how to debug this issue?

Thanks,
Igor



 
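As an added example (not from the thread), a small Python triage script for pfirewall.log records like the two Igor posted: it parses the ICF log fields (field order assumed from the XP/2003 firewall log header) and lists the DROP records whose source is the server's own IPsec-protected port, i.e. the server discarding its replies, which is the symptom described. The addresses are constructed placeholders for the redacted ones.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log (this example's own, not the thread's file): the two
# DROP lines from the post with the redacted addresses replaced by
# documentation-range placeholders, plus one unrelated OPEN record.
SERVER_IP = "203.0.113.10"      # stands in for <server ip>
NAT_EXT_IP = "198.51.100.7"     # stands in for <nat ext ip>
SAMPLE_LOG = f"""\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2004-07-23 12:52:54 DROP TCP {SERVER_IP} {NAT_EXT_IP} 23 3313 40 A 813323069 3885696872 17520 - - -
2004-07-23 12:53:00 DROP TCP {SERVER_IP} {NAT_EXT_IP} 23 3313 40 A 813323069 3885696872 17520 - - -
2004-07-23 12:53:05 OPEN TCP {NAT_EXT_IP} {SERVER_IP} 3314 3389 48 S 1 0 65535 - - -
"""
IPSEC_PORTS = {23, 3389}  # service ports the thread's policy protects with IPsec

@dataclass
class Entry:
    time: str
    action: str
    proto: str
    src: str
    dst: str
    sport: Optional[int]
    dport: Optional[int]
    flags: str

def _port(field: str) -> Optional[int]:
    return int(field) if field.isdigit() else None  # "-" on ICMP records

def parse_line(line: str) -> Optional[Entry]:
    """Parse one pfirewall.log record; comment and short lines give None."""
    parts = line.split()
    if line.startswith("#") or len(parts) < 10:
        return None
    return Entry(parts[1], parts[2], parts[3], parts[4], parts[5],
                 _port(parts[6]), _port(parts[7]), parts[9])

def dropped_replies(log: str, server_ip: str, ports) -> List[Entry]:
    """DROP records whose source is the server's own protected port, i.e. the
    server discarding its replies, which is the symptom in the thread."""
    return [e for e in map(parse_line, log.splitlines())
            if e and e.action == "DROP" and e.src == server_ip and e.sport in ports]

def summarize(entries: List[Entry]) -> Dict[int, int]:
    """Count dropped replies per protected source port, e.g. {23: 2}."""
    counts: Dict[int, int] = {}
    for e in entries:
        counts[e.sport] = counts.get(e.sport, 0) + 1
    return counts
```

Run it against a real pfirewall.log by passing the file contents, the server's address and the ports your IPsec policy covers; a non-empty result means the host firewall, not the IPsec SA, is eating the replies.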
Christopher Black [MSFT]
      07-23-2004, 07:25 PM
The IPsec rules are mirrored, right?


Is your policy the following?

Server
Me->Any, src-port=any, dst-port=23, protocol=TCP; mirrored; psk="asdf"
Me->Any, src-port=any, dst-port=3389, protocol=TCP; mirrored; psk="asdf"

Client
Me->Server, src-port=any, dst-port=23, protocol=TCP; mirrored; psk="asdf"
Me->Server, src-port=any, dst-port=3389, protocol=TCP; mirrored; psk="asdf"


-- Chris




 
Igor Dombrovan
      07-26-2004, 09:02 AM
Absolutely (just Server: Me(src-port=23)->Any(dst-port=ANY)), mirrored,
shared key the same. Anyway, the Security log shows that IPSec is established
OK.
When the firewall is enabled, it blocks replies from port 23. When I disable
the firewall, the replies still don't get through, but I don't know how to
find out what blocks them.
The IPSec is established in either case.
Everything works without IPSec.


 