This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

BorderManager VPN Client 3.8.12 -> ASG 6.303

I'd appreciate some insight on this from those of you who are actually using the Novell BorderManager client for Win32 clients connecting to either NSM or ASG v6.

I have a RoadWarrior profile configured in the server per the recommendations of http://www.novell.com/coolsolutions/appnote/16889.html. The AppNote itself is in conflict, however. In one place, Gaurav lists the Phase 1 encryption algorithm as MD5, and in the screenshot of the policy configuration page, he shows this as SHA1. Also, if this is a RoadWarrior configuration, on an assumed dynamic link (well, dynamic by nature of the fact that the remote endopoint is never known beforehand), why then is the profile to be configured in Main Mode and not Aggressive?

Anyway, I cannot get this to connect. Here are a couple snippets from the logs (I am using PSK for the time being):

ikelog.txt (server IP address has been replaced with "sss.sss.sss.sss;" client IP has been replaced with "ccc.ccc.ccc.ccc"):

88

11-05-2006 10:28:08 AM Created thread for SendKeepAlivePacketProcess
11-05-2006 10:28:08 AM Start IPSEC SA 00a25618 - Initiator****totSA=1

11-05-2006 10:28:08 AM src from IPsec

11-05-2006 10:28:08 AM 00000000 00000000
11-05-2006 10:28:08 AM dst from IPsec

11-05-2006 10:28:08 AM 00000000 18698d65
11-05-2006 10:28:08 AM Start IKE-SA 00a28730 - Initiator,src=ccc.ccc.ccc.ccc,dst=sss.sss.sss.sss,TotSA=1

11-05-2006 10:28:08 AM AUTH ALG IS 1
11-05-2006 10:28:08 AM Negotiating for an NMAS user sss.sss.sss.sss

11-05-2006 10:28:08 AM ***Send Main Mode message to sss.sss.sss.sss

11-05-2006 10:28:08 AM I-COOKIE=96a597108ce35e5f,R-COOKIE=0000000000000000,MsgID=0,1stPL=SA-PAYLOAD,state=23132932

11-05-2006 10:28:08 AM ERROR [:P]acket length 25600 recieved is too high , probably bogus packet

11-05-2006 10:28:08 AM ERROR :Maximum size of allowed packet is 25600

11-05-2006 10:28:08 AM ***Receive Main Mode message from sss.sss.sss.sss

11-05-2006 10:28:08 AM I-COOKIE=96a597108ce35e5f,R-COOKIE=e02e9414272ce2be,MsgID=0,1stPL=SA-PAYLOAD,state=22084308

11-05-2006 10:28:08 AM IKE SA NEGOTIATION:  Peer lifetime = 28800 My lifetime=28800

11-05-2006 10:28:08 AM ****DH private exponent size is 1016****
11-05-2006 10:28:08 AM Recieved Supported Vendor id draft-ietf-ipsec-nat-t-ike-03  from sss.sss.sss.sss
11-05-2006 10:28:08 AM ***Send Main Mode message to sss.sss.sss.sss

11-05-2006 10:28:08 AM I-COOKIE=96a597108ce35e5f,R-COOKIE=e02e9414272ce2be,MsgID=0,1stPL=KEY-PAYLOAD,state=22084208

11-05-2006 10:28:08 AM ERROR [:P]acket length 25600 recieved is too high , probably bogus packet

11-05-2006 10:28:08 AM ERROR :Maximum size of allowed packet is 25600

11-05-2006 10:28:08 AM ***Receive Main Mode message from sss.sss.sss.sss

11-05-2006 10:28:08 AM I-COOKIE=96a597108ce35e5f,R-COOKIE=e02e9414272ce2be,MsgID=0,1stPL=KEY-PAYLOAD,state=22084308

11-05-2006 10:28:08 AM There is NAT in between server and client

11-05-2006 10:28:08 AM ****SKEYID***secret***

11-05-2006 10:28:08 AM 73686162 617a7a74 75626d61 6e202020

11-05-2006 10:28:08 AM *Sending MM id payload IPSEC_ID_IPV4_ADDR   ccc.ccc.ccc.ccc

11-05-2006 10:28:08 AM *protocol 0 portnum 0 length 8

11-05-2006 10:28:08 AM Sending  INITIAL_CONTACT notify to sss.sss.sss.sss
11-05-2006 10:28:08 AM ***Send Main Mode message to sss.sss.sss.sss

11-05-2006 10:28:08 AM I-COOKIE=96a597108ce35e5f,R-COOKIE=e02e9414272ce2be,MsgID=0,1stPL=ID-PAYLOAD,state=22084236

11-05-2006 10:28:08 AM ERROR [:P]acket length 25600 recieved is too high , probably bogus packet

11-05-2006 10:28:08 AM ERROR :Maximum size of allowed packet is 25600

11-05-2006 10:28:08 AM ***Receive Main Mode message from sss.sss.sss.sss

11-05-2006 10:28:08 AM I-COOKIE=96a597108ce35e5f,R-COOKIE=e02e9414272ce2be,MsgID=0,1stPL=ID-PAYLOAD,state=22084308

11-05-2006 10:28:08 AM Recieved MM ID payload type 1 protocol 0 portnum 0 length 8

11-05-2006 10:28:08 AM *Received MM ID ID_IPV4_ADDR sss.sss.sss.sss

11-05-2006 10:28:08 AM Final  IKE (phase 1) SA lifetime is 28800 secs
11-05-2006 10:28:08 AM IKE-SA is created. rekey time = 21600 encr=5,hash=2,auth=1,lifesec=28800
11-05-2006 10:28:08 AM dst=sss.sss.sss.sss,time=249281

88

I am at first concerned about the "packet length 25600 recieved is too high" (the spelling error is in the log...sheesh...). I have no idea where this may be adjusted or indeed what packet is oversized. I see nothing on ASG to configure super packets or anything of the sort.

BTW, the above was with Phase 1 auth set to MD5. However, I get similar results with SHA1 (Phase 1 does connect). I have also adjusted the Phase 1 SA lifetime to 28800 from the stated 14400 in the AppNote (same results, either way).

More from ikelog.txt in my follow-up message (this one was too long to post in one shot).

This thread was automatically locked due to age.

Parents

0 LewisRosenthal over 19 years ago

To continue from my initial post...

More from ikelog.txt:

88

11-05-2006 10:28:08 AM ****DH private exponent size is 1016****
11-05-2006 10:28:08 AM Rule id is NULL. So, not constructing the rule id payload

11-05-2006 10:28:08 AM Sending DH params in QM - PFS Configured or Requested by Peer

11-05-2006 10:28:08 AM *Sending proxy ID type 1 ccc.ccc.ccc.ccc

11-05-2006 10:28:08 AM *Sending proxy ID type 4 0.0.0.0/0.0.0.0

11-05-2006 10:28:08 AM ***Send Quick Mode message to sss.sss.sss.sss

11-05-2006 10:28:08 AM I-COOKIE=96a597108ce35e5f,R-COOKIE=e02e9414272ce2be,MsgID=e0cc01c2,1stPL=HASH-PAYLOAD,state=22084160

11-05-2006 10:28:08 AM ERROR [[[[[:P]]]]]acket length 25600 recieved is too high , probably bogus packet

11-05-2006 10:28:08 AM ERROR :Maximum size of allowed packet is 25600

11-05-2006 10:28:08 AM ***Receive Unacknowledge Informational message from sss.sss.sss.sss

11-05-2006 10:28:08 AM I-COOKIE=96a597108ce35e5f,R-COOKIE=e02e9414272ce2be,MsgID=13580a16,1stPL=HASH-PAYLOAD,state=22084308

11-05-2006 10:28:08 AM Recieved notify message type 18 from sss.sss.sss.sss
11-05-2006 10:28:08 AM Error :Unkown notify message type 18 recieved from server
11-05-2006 10:28:08 AM Notify Recvd [[[[:P]]]]acket could have corrupted on the way ,retransmit to sss.sss.sss.sss

11-05-2006 10:28:13 AM ERROR [[[[[:P]]]]]acket length 25600 recieved is too high , probably bogus packet

11-05-2006 10:28:13 AM ERROR :Maximum size of allowed packet is 25600

11-05-2006 10:28:13 AM ***Receive Unacknowledge Informational message from sss.sss.sss.sss

11-05-2006 10:28:13 AM I-COOKIE=96a597108ce35e5f,R-COOKIE=e02e9414272ce2be,MsgID=23f06da4,1stPL=HASH-PAYLOAD,state=22084308

11-05-2006 10:28:13 AM Recieved notify message type 9 from sss.sss.sss.sss
11-05-2006 10:28:13 AM Error :Unkown notify message type 9 recieved from server
11-05-2006 10:28:13 AM Notify Recvd [[[[:P]]]]acket could have corrupted on the way ,retransmit to sss.sss.sss.sss

11-05-2006 10:28:20 AM ERROR [[[[[:P]]]]]acket length 25600 recieved is too high , probably bogus packet

11-05-2006 10:28:20 AM ERROR :Maximum size of allowed packet is 25600

11-05-2006 10:28:20 AM ***Receive Unacknowledge Informational message from sss.sss.sss.sss

11-05-2006 10:28:20 AM I-COOKIE=96a597108ce35e5f,R-COOKIE=e02e9414272ce2be,MsgID=770d3c7d,1stPL=HASH-PAYLOAD,state=22084308

11-05-2006 10:28:20 AM Recieved notify message type 9 from sss.sss.sss.sss
11-05-2006 10:28:20 AM Error :Unkown notify message type 9 recieved from server
11-05-2006 10:28:20 AM Notify Recvd [[[[:P]]]]acket could have corrupted on the way ,retransmit to sss.sss.sss.sss

11-05-2006 10:28:30 AM ERROR [[[[[:P]]]]]acket length 25600 recieved is too high , probably bogus packet

11-05-2006 10:28:30 AM ERROR :Maximum size of allowed packet is 25600

11-05-2006 10:28:30 AM ***Receive Unacknowledge Informational message from sss.sss.sss.sss

11-05-2006 10:28:30 AM I-COOKIE=96a597108ce35e5f,R-COOKIE=e02e9414272ce2be,MsgID=c7ad45d5,1stPL=HASH-PAYLOAD,state=22084308

11-05-2006 10:28:30 AM Recieved notify message type 9 from sss.sss.sss.sss
11-05-2006 10:28:30 AM Error :Unkown notify message type 9 recieved from server
11-05-2006 10:28:30 AM Notify Recvd [[[[:P]]]]acket could have corrupted on the way ,retransmit to sss.sss.sss.sss

11-05-2006 10:28:30 AM IKE-SA is deleted- packet retransmit exceeded the limit, dst=sss.sss.sss.sss

11-05-2006 10:28:32 AM IKE-SA a28730 is Deleted,I-COOKIE=96a59710,R-COOKIE=e02e9414,dst=sss.sss.sss.sss

88

I could post the whole log, but I believe the problems are here at the beginning.

From the server side, I show the following (client side public IP has been replaced with "ppp.ppp.ppp.ppp"):

88

000 "S_NBM38_Client_0": 0.0.0.0/0===sss.sss.sss.sss...%any; unrouted; eroute owner: #0
000 "S_NBM38_Client_0":     srcip=unset; dstip=unset; srcup=/opt/_updown.strict_routing 2>/tmp/log 1>/tmp/log; dstup=/opt/_updown.strict_routing 2>/tmp/log 1>/tmp/log;
000 "S_NBM38_Client_0":   ike_life: 28800s; ipsec_life: 14400s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "S_NBM38_Client_0":   policy: PSK+ENCRYPT+TUNNEL+PFS; prio: 0,32; interface: eth1;
000 "S_NBM38_Client_0":   dpd: action:restart; delay:30; timeout:120;
000 "S_NBM38_Client_0":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "S_NBM38_Client_0":   IKE algorithms wanted: 5_000-1-2, flags=-strict
000 "S_NBM38_Client_0":   IKE algorithms found:  5_192-1_128-2,
000 "S_NBM38_Client_0":   ESP algorithms wanted: 2_000-1, ; pfsgroup=2; flags=-strict
000 "S_NBM38_Client_0":   ESP algorithms loaded: 2_000-1, ; pfsgroup=2; flags=-strict
000 "S_NBM38_Client_0"[2]: 0.0.0.0/0===sss.sss.sss.sss...ppp.ppp.ppp.ppp[ccc.ccc.ccc.ccc]; unrouted; eroute owner: #0
000 "S_NBM38_Client_0"[2]:     srcip=unset; dstip=unset; srcup=/opt/_updown.strict_routing 2>/tmp/log 1>/tmp/log; dstup=/opt/_updown.strict_routing 2>/tmp/log 1>/tmp/log;
000 "S_NBM38_Client_0"[2]:   ike_life: 28800s; ipsec_life: 14400s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "S_NBM38_Client_0"[2]:   policy: PSK+ENCRYPT+TUNNEL+PFS; prio: 0,32; interface: eth1;
000 "S_NBM38_Client_0"[2]:   dpd: action:restart; delay:30; timeout:120;
000 "S_NBM38_Client_0"[2]:   newest ISAKMP SA: #10; newest IPsec SA: #0;
000 "S_NBM38_Client_0"[2]:   IKE algorithms wanted: 5_000-1-2, flags=-strict
000 "S_NBM38_Client_0"[2]:   IKE algorithms found:  5_192-1_128-2,
000 "S_NBM38_Client_0"[2]:   IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
000 "S_NBM38_Client_0"[2]:   ESP algorithms wanted: 2_000-1, ; pfsgroup=2; flags=-strict
000 "S_NBM38_Client_0"[2]:   ESP algorithms loaded: 2_000-1, ; pfsgroup=2; flags=-strict

000 #8: "S_NBM38_Client_0"[2] ppp.ppp.ppp.ppp:4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 28398s; nodpd
000 #9: "S_NBM38_Client_0"[2] ppp.ppp.ppp.ppp:4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 28424s; nodpd
000 #10: "S_NBM38_Client_0"[2] ppp.ppp.ppp.ppp:4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 28449s; newest ISAKMP; nodpd
000 #6: "S_NBM38_Client_0"[2] ppp.ppp.ppp.ppp:4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 28348s; nodpd
000 #5: "S_NBM38_Client_0"[2] ppp.ppp.ppp.ppp:4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 28324s; nodpd
000 #7: "S_NBM38_Client_0"[2] ppp.ppp.ppp.ppp:4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 28373s; nodpd

88

For testing purposes, the client is behind a LinkSys WRT54GL v5 router with LinkSys firmware rev 4.30.7. IPSec passthrough has been enabled. The client is running XP SP2 with post-SP2 fixes applied, and the Windows firewall (such as it is) is turned off.

Any ideas as to what I'm missing?

TIA
Cancel
Vote Up 0 Vote Down

Cancel
0 LewisRosenthal over 19 years ago in reply to LewisRosenthal

Okay, some progress...

Straight through to the DSL bridge (on the client side) I can get the tunnel up. Auto packet filters do not work (not sure why), even though the current packet filter rules have auto-added entries to allow traffic in both directions. ICMP works (both on each LAN and to the outside), but the client cannot access external sites without an explicit packet filter rule set in place (manually) to allow this.

In addition, I can't seem to get NAT traversal to work on the client side, even with the latest DD-WRT firmware (2.3) flashed into a LinkSys WRT54GL v1.1. I have IPSec pass through enabled, and even tried setting the client machine up on the DMZ. Still, I cannot get phase 2 to come up unless I run straight to the broadband connection.

Thoughts as to where to look?
Cancel
Vote Up 0 Vote Down

Cancel
0 LewisRosenthal over 18 years ago in reply to LewisRosenthal

The issue stems from the inability of the BorderManager client to handle virtual IPs (I believe). A virtual IP is a requirement for NAT-T, and without that capability, the BM client is only of possible use from a non-NAT-ed remote location.

The moral of the story is to stick with the Astaro Secure Client. The configuration is a matter of minutes, with ASG doing all the heavy lifting, and I was even able to send the necessary files to clients along with DIY instructions.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 LewisRosenthal over 18 years ago in reply to LewisRosenthal

The issue stems from the inability of the BorderManager client to handle virtual IPs (I believe). A virtual IP is a requirement for NAT-T, and without that capability, the BM client is only of possible use from a non-NAT-ed remote location.

The moral of the story is to stick with the Astaro Secure Client. The configuration is a matter of minutes, with ASG doing all the heavy lifting, and I was even able to send the necessary files to clients along with DIY instructions.
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data