#1
Setting up IPSec
[Sorry for the huge cross-post. It's a rather technical question, and I'm unsure on where to post so as to find ipsec experts.]

Hello

I'm trying to set up an IPSec tunnel between a personal computer running WinXP Pro SP1 (with latest updates) and a remote server in a Unix-only network (this server is running Linux 2.4.20 plus Freeswan, precisely, but I don't think the problem is due to interoperability issues).

The Oakley log shows that the connection starts going awry at the end of the IKE negotiation, just before the exchange of identities, and fails with a time out. Running tcpdump on the server completes this information: the server sends its first encrypted IKE packet, but the client doesn't seem to notice it, and thus keeps resending its last message.

I haven't been able to find out why WinXP ignores the encrypted packet: there is no error message about it, and it seems to be what is described by the IKE protocol. The only two distinguishing features I can see are that it is encrypted and that it is fragmented.

Any idea?

Thanks in advance!

-- Lionel Fourquaux
#2
Setting up IPSec
is there a NAT involved ? I think I read somewhere about some issues with IPsec and NAT ... if there is a NAT, do some googling on this.

-- Louis Solomon
www.SteelBytes.com

"Lionel Fourquaux" wrote in message ...
> [Sorry for the huge cross-post. It's a rather technical question, and I'm unsure on where to post so as to find ipsec experts.]
>
> Hello
>
> I'm trying to set up an IPSec tunnel between a personal computer running WinXP Pro SP1 (with latest updates) and a remote server in a Unix-only network (this server is running Linux 2.4.20 plus Freeswan, precisely, but I don't think the problem is due to interoperability issues).
>
> The Oakley log shows that the connection starts going awry at the end of the IKE negotiation, just before the exchange of identities, and fails with a time out. Running tcpdump on the server completes this information: the server sends its first encrypted IKE packet, but the client doesn't seem to notice it, and thus keeps resending its last message.
>
> I haven't been able to find out why WinXP ignores the encrypted packet: there is no error message about it, and it seems to be what is described by the IKE protocol. The only two distinguishing features I can see are that it is encrypted and that it is fragmented.
>
> Any idea?
>
> Thanks in advance!
>
> -- Lionel Fourquaux
#3
Setting up IPSec
"Louis Solomon [SteelBytes]" wrote in message ...
> is there a NAT involved ? I think I read somewhere about some issues with IPsec and NAT ... if there is a NAT, do some googling on this.

Thank you for your answer. No, there is no NAT between the two computers (although ICF is running).

After some painful experimentation, I found out that it was the fragmentation of IKE packets that caused problems. I don't really understand what was going on, but reducing the certificates' key size (1024 should be enough) suppressed the problem.

Now, I'm trying to understand why WinXP doesn't want to initiate the negotiation, and why TCP connections do not work while ICMP packets do. I'll post again if I can't figure it out.

Thanks again!

-- Lionel Fourquaux
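The symptom described in this thread, a large IKE message split into IP fragments that the peer never acknowledges, can be confirmed from a capture by flagging fragmented datagrams on UDP port 500. The following is an added example, not code from any poster in the thread; the addresses, IP IDs and payload sizes are constructed, and the function names are hypothetical.

```python
import socket
import struct

IKE_PORT = 500  # IKE (ISAKMP) runs over UDP port 500

def ipv4(src, dst, ident, flags_frag, payload):
    """Build a minimal IPv4 packet, protocol UDP, checksum 0 (samples only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                       flags_frag, 64, 17, 0, socket.inet_aton(src),
                       socket.inet_aton(dst)) + payload

def udp(sport, dport, data):
    """Build a UDP header (checksum 0) followed by the data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def find_fragmented_ike(packets):
    """Return sorted (src, dst, ip_id) of fragmented datagrams that carry IKE.

    Only the first fragment (offset 0) contains the UDP header, so the port is
    read there and the other fragments are tied to it by (src, dst, ip_id).
    """
    fragmented, ike = set(), set()
    for pkt in packets:
        if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 17:
            continue  # not IPv4 carrying UDP
        ihl = (pkt[0] & 0x0F) * 4
        ident, flags_frag = struct.unpack("!HH", pkt[4:8])
        key = (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), ident)
        offset = flags_frag & 0x1FFF          # fragment offset, 8-byte units
        if flags_frag & 0x2000 or offset:     # MF bit set, or a later fragment
            fragmented.add(key)
        if offset == 0 and len(pkt) >= ihl + 4:
            sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
            if IKE_PORT in (sport, dport):
                ike.add(key)
    return sorted(fragmented & ike)

# Constructed sample traffic (documentation addresses, dummy payloads).
SRV, CLI = "192.0.2.10", "198.51.100.7"
big = udp(500, 500, b"\x00" * 2072)            # IKE message with a large cert
SAMPLES = [
    ipv4(CLI, SRV, 1, 0x4000, udp(500, 500, b"\x00" * 200)),  # single packet
    ipv4(SRV, CLI, 2, 185, big[1480:]),        # second fragment, arrives first
    ipv4(SRV, CLI, 2, 0x2000, big[:1480]),     # first fragment, MF set
    ipv4(SRV, CLI, 3, 0x2000, udp(53, 40000, b"\x00" * 1472)),  # not IKE
]

if __name__ == "__main__":
    for src, dst, ident in find_fragmented_ike(SAMPLES):
        print(f"fragmented IKE datagram {src} -> {dst} ip_id={ident}")
```

Running the same check on captures from both ends shows whether all fragments of a datagram leave the server and whether they reach the client.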