[Vpn-help] Any of you tried to change the 4500 port value?

Ignacio Bravo IBravo at HIRSCHMANN.es
Tue Nov 13 06:47:14 CST 2007


Hi,

Has any of you tried to change the 4500 port value? Maybe someone could give me a hint. Thanks for your time!

I have successfully used the 2.02 Windows client to link to an Innominate mGuard gateway. Both PSK and certs worked fine.

Then I tried the NAT-T function. OK!

Then I modified the ports, 500 first (successfully!) and finally 4500. Here I find problems.

The topology is:

10.10.35.79  (2.02 client) No firewall
     |
     |
10.10.35.78  (ROUTER/NAT and port forwarding (external 501 to 500 and external 5730 to 4500))
10.10.39.100
     |
     |
10.10.39.78  Gateway (Innominate mGuard, web config only)

Once both devices have switched to NAT-T 5730 (I realised that the gateway adopts 5730 automatically), the client doesn't answer on port 5730 (an ICMP message is sent), so the process is halted.

I tried different ports (50000, 60000...) with the same results. 2.02 only answers if 4500 is configured.

Here I paste the trace output, the gateway log (10.10.35.79 ICMP message) and a Wireshark capture at the client side (2.02 receives packets from 5730 to 5730, but they are discarded).

 

Thanks again!

 

Ignacio Bravo

HIRSCHMANN Automation and Control

C/. Anabel Segura, 10

Edificio Fiteni IX

28108 MADRID (Spain)

ibravo at hirschmann.es

 

 

!! : 'NCP.p12' load failed, requesting password

<A : file password

<A : local key 'NCP.p12' message

<A : remote resource message

<A : peer tunnel enable message

ii : matched isakmp proposal #1 transform #3

ii : - transform    = ike

ii : - cipher type  = 3des

ii : - key length   = default

ii : - hash type    = md5

ii : - dh group     = modp-1536

ii : - auth type    = sig-rsa

ii : - life seconds = 86400

ii : - life kbytes  = 0

ii : peer supports NAT-T V02

ii : peer supports DPDv1

ii : nat discovery - remote address is translated

ii : switching to NAT-T UDP port 5730

ii : resending 1 exchange packet(s)

ii : resending 1 exchange packet(s)

ii : exchange packet resend limit exceeded

DB : phase1 deleted before expire time ( phase1 count = 0 )

ii : removed IPSEC policy route for 172.20.10.0/24

ii : adapter ROOT\VNET\0000 already disabled

DB : removing all tunnel refrences

ii : admin process thread exit ...

 

 

uptime 0 days 20:55:53.07577 pluto[2312]: "%any"[29] 10.10.35.79 #117: Issuer CA certificate not found

uptime 0 days 20:55:53.07678 pluto[2312]: "%any"[29] 10.10.35.79 #117: X.509 certificate rejected

uptime 0 days 20:55:53.07850 pluto[2312]: "v001_000"[54] 10.10.35.79 #117: deleting connection "%any" instance with peer 10.10.35.79

uptime 0 days 20:55:53.10358 pluto[2312]: "v001_000"[54] 10.10.35.79 #117: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3

uptime 0 days 20:55:53.10465 pluto[2312]: | NAT-T: new mapping 10.10.35.79:500/5730)

uptime 0 days 20:55:53.10622 pluto[2312]: "v001_000"[54] 10.10.35.79:5730 #117: sent MR3, ISAKMP SA established

uptime 0 days 20:55:53.10816 pluto[2312]: ERROR: asynchronous network error report on eth0 for message to 10.10.35.79 port 5730, complainant 10.10.35.79: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]

uptime 0 days 20:55:58.13524 pluto[2312]: "v001_000"[54] 10.10.35.79:5730 #117: retransmitting in response to duplicate packet; already STATE_MAIN_R3

uptime 0 days 20:55:58.13856 pluto[2312]: ERROR: asynchronous network error report on eth0 for message to 10.10.35.79 port 5730, complainant 10.10.35.79: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]

uptime 0 days 20:56:03.16597 pluto[2312]: "v001_000"[54] 10.10.35.79:5730 #117: retransmitting in response to duplicate packet; already STATE_MAIN_R3

uptime 0 days 20:56:03.16933 pluto[2312]: ERROR: asynchronous network error report on eth0 for message to 10.10.35.79 port 5730, complainant 10.10.35.79: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]

 

 

No.     Time        Source                Destination           Protocol Info

     29 11.188675   10.10.35.78           10.10.35.79           IP       Fragmented IP protocol (proto=UDP 0x11, off=0) [Reassembled in #30]

 

Frame 29 (1514 bytes on wire, 1514 bytes captured)

Ethernet II, Src: RichardH_46:23:03 (00:80:63:46:23:03), Dst: CompalCo_fc:ec:de (00:16:d4:fc:ec:de)

Internet Protocol, Src: 10.10.35.78 (10.10.35.78), Dst: 10.10.35.79 (10.10.35.79)

Data (1480 bytes)

 

 

No.     Time        Source                Destination           Protocol Info

     30 11.188681   10.10.35.78           10.10.35.79           UDP      Source port: 5730  Destination port: 5730

 

Frame 30 (194 bytes on wire, 194 bytes captured)

Ethernet II, Src: RichardH_46:23:03 (00:80:63:46:23:03), Dst: CompalCo_fc:ec:de (00:16:d4:fc:ec:de)

Internet Protocol, Src: 10.10.35.78 (10.10.35.78), Dst: 10.10.35.79 (10.10.35.79)

User Datagram Protocol, Src Port: 5730 (5730), Dst Port: 5730 (5730)

Data (1632 bytes)

 

 

No.     Time        Source                Destination           Protocol Info

     31 11.188684   10.10.35.79           10.10.35.78           ICMP     Destination unreachable (Port unreachable)

 

Frame 31 (190 bytes on wire, 190 bytes captured)

Ethernet II, Src: CompalCo_fc:ec:de (00:16:d4:fc:ec:de), Dst: RichardH_46:23:03 (00:80:63:46:23:03)

Internet Protocol, Src: 10.10.35.79 (10.10.35.79), Dst: 10.10.35.78 (10.10.35.78)

Internet Control Message Protocol

 

 

No.     Time        Source                Destination           Protocol Info

     37 16.215272   10.10.35.79           10.10.35.78           IP       Fragmented IP protocol (proto=UDP 0x11, off=0) [Reassembled in #38]

 

Frame 37 (1514 bytes on wire, 1514 bytes captured)

Ethernet II, Src: CompalCo_fc:ec:de (00:16:d4:fc:ec:de), Dst: RichardH_46:23:03 (00:80:63:46:23:03)

Internet Protocol, Src: 10.10.35.79 (10.10.35.79), Dst: 10.10.35.78 (10.10.35.78)

Data (1480 bytes)

 

 

No.     Time        Source                Destination           Protocol Info

     38 16.215279   10.10.35.79           10.10.35.78           UDP      Source port: 5730  Destination port: 5730

 

Frame 38 (194 bytes on wire, 194 bytes captured)

Ethernet II, Src: CompalCo_fc:ec:de (00:16:d4:fc:ec:de), Dst: RichardH_46:23:03 (00:80:63:46:23:03)

Internet Protocol, Src: 10.10.35.79 (10.10.35.79), Dst: 10.10.35.78 (10.10.35.78)

User Datagram Protocol, Src Port: 5730 (5730), Dst Port: 5730 (5730)

Data (1632 bytes)
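Added example, not part of the original post and not code from Shrew Soft or Innominate: a small Python script that reads gateway (pluto) log lines and a client trace of the shape pasted above and flags the failure pattern the post describes, a peer that was moved to a new NAT-T UDP port and then answered with ICMP port unreachable (type 3 code 3) on that same port, while the client side shows it switched to that port and hit its resend limit. The regexes and function names are assumptions about the log formats; the pluto lines are taken from the gateway log above, and the extra control peer 10.10.35.80 (mapped to 4500 with no errors) is constructed.

```python
"""Correlate a NAT-T port switch with ICMP port-unreachable replies.

Added example (hypothetical helper names). A "NAT-T: new mapping PEER:500/PORT"
entry followed by "network error report ... to PEER port PORT ... ICMP type 3
code 3" entries for the same peer and port means the peer was reached on the
negotiated NAT-T port but nothing is listening there.
"""
import re
from dataclasses import dataclass

# Regexes are assumptions derived from the pluto and client trace formats above.
MAPPING_RE = re.compile(
    r"NAT-T: new mapping (?P<peer>\d+\.\d+\.\d+\.\d+):(?P<old>\d+)/(?P<new>\d+)")
ICMP_UNREACH_RE = re.compile(
    r"network error report .* for message to (?P<peer>\d+\.\d+\.\d+\.\d+) "
    r"port (?P<port>\d+).*ICMP type 3 code 3")
CLIENT_SWITCH_RE = re.compile(r"switching to NAT-T UDP port (?P<port>\d+)")

# Gateway log lines copied from the post, plus one constructed healthy peer.
PLUTO_LOG_SAMPLE = """\
uptime 0 days 20:55:53.10465 pluto[2312]: | NAT-T: new mapping 10.10.35.79:500/5730)
uptime 0 days 20:55:53.10622 pluto[2312]: "v001_000"[54] 10.10.35.79:5730 #117: sent MR3, ISAKMP SA established
uptime 0 days 20:55:53.10816 pluto[2312]: ERROR: asynchronous network error report on eth0 for message to 10.10.35.79 port 5730, complainant 10.10.35.79: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
uptime 0 days 20:55:58.13524 pluto[2312]: "v001_000"[54] 10.10.35.79:5730 #117: retransmitting in response to duplicate packet; already STATE_MAIN_R3
uptime 0 days 20:55:58.13856 pluto[2312]: ERROR: asynchronous network error report on eth0 for message to 10.10.35.79 port 5730, complainant 10.10.35.79: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
uptime 0 days 20:56:03.16933 pluto[2312]: ERROR: asynchronous network error report on eth0 for message to 10.10.35.79 port 5730, complainant 10.10.35.79: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
uptime 0 days 20:57:10.00001 pluto[2312]: | NAT-T: new mapping 10.10.35.80:500/4500)
"""

# Client trace lines copied from the post.
CLIENT_TRACE_SAMPLE = """\
ii : nat discovery - remote address is translated
ii : switching to NAT-T UDP port 5730
ii : resending 1 exchange packet(s)
ii : resending 1 exchange packet(s)
ii : exchange packet resend limit exceeded
"""


@dataclass
class NatTFinding:
    peer: str
    natt_port: int
    unreachable_count: int

    def summary(self) -> str:
        return (f"peer {self.peer}: NAT-T moved to UDP/{self.natt_port}, but "
                f"{self.unreachable_count} ICMP port-unreachable replies came "
                f"back for that port; nothing is listening on {self.natt_port}")


def analyse_pluto_log(lines):
    """Return a NatTFinding for every peer moved to a NAT-T port that then
    answered with ICMP port unreachable on that same port."""
    mappings = {}      # peer -> negotiated NAT-T port
    unreachable = {}   # (peer, port) -> number of ICMP type 3 code 3 reports
    for line in lines:
        m = MAPPING_RE.search(line)
        if m:
            mappings[m["peer"]] = int(m["new"])
            continue
        u = ICMP_UNREACH_RE.search(line)
        if u:
            key = (u["peer"], int(u["port"]))
            unreachable[key] = unreachable.get(key, 0) + 1
    return [NatTFinding(peer, port, unreachable[(peer, port)])
            for peer, port in mappings.items() if (peer, port) in unreachable]


def analyse_client_trace(text):
    """Extract the port the client switched to and whether it gave up resending."""
    result = {"natt_port": None, "resends": 0, "limit_exceeded": False}
    for line in text.splitlines():
        m = CLIENT_SWITCH_RE.search(line)
        if m:
            result["natt_port"] = int(m["port"])
        elif "resending" in line and "exchange packet" in line:
            result["resends"] += 1
        elif "resend limit exceeded" in line:
            result["limit_exceeded"] = True
    return result


def diagnose(pluto_text, client_text):
    """Join both sides: a finding is confirmed when the client trace shows the
    same NAT-T port and a resend limit hit."""
    client = analyse_client_trace(client_text)
    verdicts = []
    for f in analyse_pluto_log(pluto_text.splitlines()):
        if client["natt_port"] == f.natt_port and client["limit_exceeded"]:
            verdicts.append(f"{f.summary()}; the client trace confirms it "
                            f"switched to {f.natt_port} and gave up after "
                            f"{client['resends']} resends")
    return verdicts


if __name__ == "__main__":
    for v in diagnose(PLUTO_LOG_SAMPLE, CLIENT_TRACE_SAMPLE):
        print(v)
```

The check is deliberately keyed on the port from the mapping line rather than on any ICMP error, so a peer that negotiates 4500 and works (the constructed 10.10.35.80 line) produces no finding; only the pairing of "moved to port X" with "port X unreachable" is reported.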
