VPN errors w/ router

 
 
Bryan Russell
07-27-2004, 11:03 PM
I VPN to work w/ remote desktop connection

My new netgear WGR614 router is supposed to handle VPN pass-through
just fine, and it does for five minutes, then it drops my remote
desktop connection at the same time the VPN client logs these errors:

*An incoming ISAKMP packet from XX.XX.XXX was ignored.
*Received an unencrypted packet but encryption keys have already been
established.
*Failed to decrypt buffer.

These errors do not happen if I bypass the router.

Any ideas?

Thanks,
 
Duane Arnold
07-28-2004, 01:22 AM
(E-Mail Removed) (Bryan Russell) wrote in
news:(E-Mail Removed) om:

> I VPN to work w/ remote desktop connection
>
> My new netgear WGR614 router is supposed to handle VPN pass-through
> just fine, and it does for five minutes, then it drops my remote
> desktop connection at the same time the VPN client logs these errors:
>
> *An incoming ISAKMP packet from XX.XX.XXX was ignored.
> *Received an unencrypted packet but encryption keys have already been
> established.
> *Failed to decrypt buffer.
>
> These errors do not happen if I bypass the router.
>
> Any ideas?


Well, either you're doing a router to router VPN connection or you're
using a software to software VPN connection and the router using VPN is
not needed. Which one is it?

Duane
 
Ron Bandes
07-28-2004, 04:24 AM
"Duane Arnold" <(E-Mail Removed)> wrote in message
news:Xns9533CF50D72CDnotmenotmecom@204.127.204.17. ..
> (E-Mail Removed) (Bryan Russell) wrote in
> news:(E-Mail Removed) om:
>
> > I VPN to work w/ remote desktop connection
> >
> > My new netgear WGR614 router is supposed to handle VPN pass-through
> > just fine, and it does for five minutes, then it drops my remote
> > desktop connection at the same time the VPN client logs these errors:
> >
> > *An incoming ISAKMP packet from XX.XX.XXX was ignored.
> > *Received an unencrypted packet but encryption keys have already been
> > established.
> > *Failed to decrypt buffer.
> >
> > These errors do not happen if I bypass the router.
> >
> > Any ideas?

>
> Well, either you're doing a router to router VPN connection or you're
> using a software to software VPN connection and the router using VPN is
> not needed. Which one is it?
>
> Duane


The OP said that the router is providing VPN-passthrough, not that the
router is a tunnel endpoint.

The manual for this device says "certain communications functions like VPN
may require turning off the SPI feature." I couldn't find anything more
specific than that.

Ron Bandes, CCNP, CTT+, etc.


 
BigJim
07-28-2004, 07:06 AM
For what it is worth, I set my wife's machine up for wireless VPN
using a D-Link 624 router, no problems so far, but she will get booted
from her headend after two hours for security reasons.
The real setup was with the security software she uses
to connect to the mainframe, and that was a pain in the butt.
As far as any issues with the router, I have none.
"Bryan Russell" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) om...
> I VPN to work w/ remote desktop connection
>
> My new netgear WGR614 router is supposed to handle VPN pass-through
> just fine, and it does for five minutes, then it drops my remote
> desktop connection at the same time the VPN client logs these errors:
>
> *An incoming ISAKMP packet from XX.XX.XXX was ignored.
> *Received an unencrypted packet but encryption keys have already been
> established.
> *Failed to decrypt buffer.
>
> These errors do not happen if I bypass the router.
>
> Any ideas?
>
> Thanks,



 
Ron Bandes
07-29-2004, 05:37 AM
"BigJim" <(E-Mail Removed)> wrote in message
news:wfINc.200902$Oq2.35278@attbi_s52...
> for what it is worth I set my wife's machine up for wireless vpn
> using a dlink 624 router no problems so far but she will get booted
> from her headend after two hours for security reasons.
> the real setup was with the security software she uses
> to connect to the main frame and that was a pain in the butt.
> As far as any issues with the router I have none.


BigJim, do you have the SPI Firewall enabled or disabled?

Ron Bandes, CCNP, CTT+, etc.


 
Bryan Russell
08-10-2004, 05:12 AM
It's VPN client software; yes, I do need a router for wireless purposes.

This was the solution: configure port forwarding in the router
settings w/ 2 specific ports per tech supt, works great.



Duane Arnold <(E-Mail Removed)> wrote in message news:<Xns9533CF50D72CDnotmenotmecom@204.127.204.17 >...
> (E-Mail Removed) (Bryan Russell) wrote in
> news:(E-Mail Removed) om:
>
> > I VPN to work w/ remote desktop connection
> >
> > My new netgear WGR614 router is supposed to handle VPN pass-through
> > just fine, and it does for five minutes, then it drops my remote
> > desktop connection at the same time the VPN client logs these errors:
> >
> > *An incoming ISAKMP packet from XX.XX.XXX was ignored.
> > *Received an unencrypted packet but encryption keys have already been
> > established.
> > *Failed to decrypt buffer.
> >
> > These errors do not happen if I bypass the router.
> >
> > Any ideas?

>
> Well, either you're doing a router to router VPN connection or you're
> using a software to software VPN connection and the router using VPN is
> not needed. Which one is it?
>
> Duane

 
Duane Arnold
08-10-2004, 10:02 AM
"Bryan Russell" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) om...
> Its vpn client software, yes I do need a router for wireless purposes.
>
> This was the solution: configure port forwarding in the router
> settings w/ 2 specific ports per tech supt, works great.
>


You port forward those ports on the router to an IP/machine; the machine
should have a host-based firewall, because the protection of the
router is out of the picture for the forwarded ports. Just because you're
using VPN, which only encrypts the data and prevents eavesdropping on the
connection, doesn't mean that the machine cannot be hacked.



Duane


 
Jeff Liebermann
08-10-2004, 11:36 AM
On 27 Jul 2004 16:03:27 -0700, (E-Mail Removed) (Bryan Russell) wrote:

>I VPN to work w/ remote desktop connection
>
>My new netgear WGR614 router is supposed to handle VPN pass-through
>just fine, and it does for five minutes, then it drops my remote
>desktop connection at the same time the VPN client logs these errors:
>
>*An incoming ISAKMP packet from XX.XX.XXX was ignored.
>*Received an unencrypted packet but encryption keys have already been
>established.
>*Failed to decrypt buffer.
>
>These errors do not happen if I bypass the router.


Yep. It would be nice if I knew what IPSec server and client software
you were using. A few guesses:

1. Smells like IPSec ESP mode (Encapsulating Security Payload). That's
where the VPN encrypts the entire packet including the header. If the
router touches anything in the header (such as NAT translation), your
packet gets declared corrupted by your IPSec software. The only
flavour of VPN that will work with NAT is AH (authentication header)
mode.

2. You have a "dialback" type of IPSec authentication mechanism
running. No way should you *RECEIVE* an incoming ISAKMP (Internet Key
Exchange) packet from the destination router. That's what you get
when a VPN client tries to connect to a VPN server. My guess(tm)
is that the destination VPN firewall is either set up to dialback, or
is set up as a symmetrical system, where either end of a VPN tunnel can
initiate the connection. I do this all the time between Sonicwall
routers and it works just fine. However, it's totally wasted unless
you have a VPN router at your end.

3. The 3 error messages may not be related or originate from the same
source. If I wanted to hijack a connection, I would spoof the
originating IP of your VPN server, attempt to guess sequence numbers,
and possibly replay some of the server's packets. The fact that you
were able to connect for 5 minutes indicates that you have
successfully authenticated and connected, so it's not a configuration
issue. Many routers, all VPN servers, and some VPN clients are set up
to detect such attacks and include "replay protection" or some such
security buzzword. My guess(tm) is that you're being attacked,
scanned, or you have an overly sensitive firewall.

4. Some routers only seem to be able to handle one VPN tunnel at a
time. Actually, they pretend to handle more than one, but I find lots
of weird error messages when attempting to open a 2nd tunnel.
Sometimes it works, usually it doesn't. A good clue is that the
release notes for many router firmware versions include such comments
as "added support for more than one tunnel" and such. No clue if your
Netgear router fits in that category. If you're on a distributed VPN
system (multiple servers at multiple locations) or are running "single
sign on", it's highly likely that you have more than one tunnel
running.

Just a guess(tm).

--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 AE6KS 831-336-2558
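The NAT-versus-integrity-check problem raised in point 1 above, as an added example that is not part of the thread or of any vendor's code: a toy IPsec-style integrity check in Python. Two tagging schemes are modelled. One tags the outer IP header with its mutable fields (TTL, checksum) zeroed plus the payload, which is how RFC 4302 AH computes its ICV; the other tags only the encapsulated payload, which is how RFC 4303 ESP does it. A router that merely decrements TTL leaves both tags valid; a NAT router that rewrites the source address invalidates the header-covering tag but not the payload-only one. The key, addresses and payload are constructed for the demo, and the tag is a truncated HMAC-SHA256 standing in for a real ICV.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, replace
from ipaddress import IPv4Address

# Constructed demo key; a real IPsec SA key is negotiated by IKE, never hard-coded.
KEY = b"constructed-demo-key-not-a-real-sa-key"
ICV_LEN = 12  # truncated tag, like the 96-bit ICVs common in IPsec


@dataclass(frozen=True)
class IPv4Header:
    src: str
    dst: str
    ttl: int
    proto: int
    length: int


def header_bytes(h: IPv4Header, zero_mutable: bool) -> bytes:
    """Serialise a minimal 20-byte IPv4 header.

    With zero_mutable=True the fields a router legitimately rewrites in
    transit (TTL, header checksum) are zeroed before hashing, which is how
    an AH-style ICV is computed.  Source/destination addresses are treated
    as immutable, so a NAT rewrite still changes the digest."""
    ttl = 0 if zero_mutable else h.ttl
    checksum = 0  # zeroed in both cases to keep the demo simple
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, h.length, 0, 0, ttl, h.proto, checksum,
        IPv4Address(h.src).packed, IPv4Address(h.dst).packed,
    )


def icv(data: bytes) -> bytes:
    """Stand-in integrity check value: truncated HMAC-SHA256."""
    return hmac.new(KEY, data, hashlib.sha256).digest()[:ICV_LEN]


def tag_header_and_payload(h: IPv4Header, payload: bytes) -> bytes:
    """AH-style: the tag covers immutable header fields plus the payload."""
    return icv(header_bytes(h, zero_mutable=True) + payload)


def tag_payload_only(h: IPv4Header, payload: bytes) -> bytes:
    """ESP-style: the tag covers only the encapsulated payload, not the outer header."""
    return icv(payload)


def verify(tag_fn, h: IPv4Header, payload: bytes, tag: bytes) -> bool:
    """Recompute the tag at the far end and compare in constant time."""
    return hmac.compare_digest(tag_fn(h, payload), tag)


def plain_forward(h: IPv4Header) -> IPv4Header:
    """A router that only forwards: decrements TTL, touches nothing else."""
    return replace(h, ttl=h.ttl - 1)


def nat_forward(h: IPv4Header, public_src: str) -> IPv4Header:
    """A NAT router: decrements TTL and rewrites the private source address."""
    return replace(plain_forward(h), src=public_src)


def demo() -> dict:
    """Tag a packet at the private host, pass it through a router, and check
    the tag at the far end under both schemes.  Returns a verdict per case."""
    payload = b"constructed RDP-over-VPN payload"  # constructed, not captured traffic
    original = IPv4Header(src="192.168.0.10", dst="203.0.113.5", ttl=64,
                          proto=50, length=20 + len(payload))
    ah_tag = tag_header_and_payload(original, payload)
    esp_tag = tag_payload_only(original, payload)
    routed = plain_forward(original)
    natted = nat_forward(original, "198.51.100.7")
    return {
        "ah_after_plain_routing": verify(tag_header_and_payload, routed, payload, ah_tag),
        "ah_after_nat": verify(tag_header_and_payload, natted, payload, ah_tag),
        "esp_after_plain_routing": verify(tag_payload_only, routed, payload, esp_tag),
        "esp_after_nat": verify(tag_payload_only, natted, payload, esp_tag),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:26s} {'integrity OK' if ok else 'FAILED TO VERIFY'}")
```

Only the header-covering tag fails after NAT; the TTL decrement of ordinary routing is harmless to both because the mutable fields are zeroed before hashing. In practice ESP behind a port-translating router additionally needs NAT traversal (UDP encapsulation on port 4500, RFC 3948) so that the router has a port to map, which is what a consumer router's "VPN pass-through" setting is meant to accommodate.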
 
Bryan Russell
08-10-2004, 11:11 PM
Duane,

I don't think my router was intended to be a firewall, just a wireless
router. I have Zone Alarm firewall software running on my machine. Do
you think I'm safe with those two ports opened up (via router port
forwarding)? I did not change any settings on my firewall software (in
relation to those ports); I only changed router settings.

Thx,

Russell

"Duane Arnold" <(E-Mail Removed)> wrote in message news:<b31Sc.237668$IQ4.24763@attbi_s02>...
> "Bryan Russell" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed) om...
> > Its vpn client software, yes I do need a router for wireless purposes.
> >
> > This was the solution: configure port forwarding in the router
> > settings w/ 2 specific ports per tech supt, works great.
> >

>
> You port forward those ports on the router to an IP/machine; the machine
> should have host based firewall on the machine because the protection of the
> router is out of the picture for the forwarded ports. Just because you're
> using VPN, which only encrypts the data and prevents eavesdropping on the
> connection, doesn't mean that the machine cannot be hacked.
>
>
>
> Duane

 
Duane Arnold
08-11-2004, 02:50 AM
(E-Mail Removed) (Bryan Russell) wrote in
news:(E-Mail Removed) om:

> Duane,
>
> I don't think my router was intended to be a firewall, just a wireless
> router. I have Zone Alarm firewall software running on my machine. Do
> you think I'm safe with those two ports opened up (via router port
> forwarding)? I did not change any settings on my firewall software (in
> relation to those ports), I only changed from router settings.
>
> Thx,
>
> Russell
>
> "Duane Arnold" <(E-Mail Removed)> wrote in message
> news:<b31Sc.237668$IQ4.24763@attbi_s02>...
>> "Bryan Russell" <(E-Mail Removed)> wrote in message
>> news:(E-Mail Removed) om...
>> > Its vpn client software, yes I do need a router for wireless
>> > purposes.
>> >
>> > This was the solution: configure port forwarding in the router
>> > settings w/ 2 specific ports per tech supt, works great.
>> >

>>
>> You port forward those ports on the router to an IP/machine; the
>> machine should have host based firewall on the machine because the
>> protection of the router is out of the picture for the forwarded
>> ports. Just because you're using VPN, which only encrypts the data
>> and prevents eavesdropping on the connection, doesn't mean that the
>> machine cannot be hacked.
>>
>>
>>
>> Duane

>


You'll be ok since it is the VPN client software on your computer that's
soliciting the traffic from the host VPN software. ZA only allows
solicited traffic back to the computer on the ports. All unsolicited
traffic will be blocked by ZA, unless you have created rules to open
ports with ZA.

Duane
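Duane's point about solicited versus unsolicited traffic on a forwarded port, as an added example that is not part of the thread or of any firewall vendor's code: a toy connection-tracking host firewall in Python. An outbound packet records a flow; an inbound packet is allowed only if it matches a recorded flow or an explicit allow rule, so a port the router forwards but the host never opened itself still drops strangers. The host, server and stranger addresses are constructed; the thread never names its two forwarded ports, so UDP 500 (IKE/ISAKMP) is used here as a stand-in for one of them.

```python
from dataclasses import dataclass

# Constructed addresses and port for the demo.  UDP 500 (IKE/ISAKMP) stands
# in for one of the two forwarded ports, which the thread never names.
HOST_IP = "192.168.0.10"
VPN_SERVER = "203.0.113.5"
STRANGER = "198.51.100.99"
IKE_PORT = 500


@dataclass(frozen=True)
class Packet:
    direction: str  # "out": host -> internet, "in": internet -> host
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class HostFirewall:
    """Minimal stateful filter: remembers flows the host started and admits
    only their replies, plus anything an explicit allow rule opens."""

    def __init__(self, allow_rules=()):
        self.allow_rules = set(allow_rules)  # (proto, local_port) opened on purpose
        self.flows = set()                   # (proto, remote_ip, remote_port, local_port)

    def filter(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            # The host solicited this traffic: remember the flow so the reply matches.
            self.flows.add((pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_port))
            return "allow"
        if (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_port) in self.flows:
            return "allow"  # solicited reply to a flow the host opened
        if (pkt.proto, pkt.dst_port) in self.allow_rules:
            return "allow"  # port deliberately opened in the host firewall
        return "drop"       # unsolicited, even though the router forwarded it


def scenario(allow_rules=()) -> list:
    """Replay the same constructed packets through a fresh firewall."""
    fw = HostFirewall(allow_rules)
    packets = [
        ("client starts IKE",       Packet("out", "udp", HOST_IP, IKE_PORT, VPN_SERVER, IKE_PORT)),
        ("server replies",          Packet("in",  "udp", VPN_SERVER, IKE_PORT, HOST_IP, IKE_PORT)),
        ("stranger hits same port", Packet("in",  "udp", STRANGER, IKE_PORT, HOST_IP, IKE_PORT)),
    ]
    return [(label, fw.filter(p)) for label, p in packets]


def demo() -> dict:
    """Default policy versus the case where the user has opened the port by rule."""
    return {
        "default": scenario(),
        "port_opened_by_rule": scenario(allow_rules=[("udp", IKE_PORT)]),
    }


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name)
        for label, verdict in verdicts:
            print(f"  {label:26s} {verdict}")
```

With no rules the stranger's packet to the forwarded port is dropped because nothing on the host solicited it; once the port is opened by rule, the same packet is admitted, which is the situation Duane warns about.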
 