[Vpn-help] Any of you tried to change the 4500 port value?
Ignacio Bravo
IBravo at HIRSCHMANN.es
Tue Nov 13 06:47:14 CST 2007
Hi,
Any of you tried to change the 4500 port value? Maybe anyone could give me a hint. Thanks for your time!
I have successfully used the 2.02 Windows client to link to an Innominate mGuard gateway. Both PSK and certs worked fine.
Then I tried the NAT-T function. OK!
Then I modified the ports: 500 first (successfully!) and finally 4500. Here I find problems.
The topology is:
10.10.35.79 (2.02 client) No firewall
|
|
10.10.35.78 (ROUTER/NAT and port forwarding (external 501 to 500 and external 5730 to 4500))
10.10.39.100
|
|
10.10.39.78 Gateway (Innominate mGuard, web config only)
Once both devices have switched to NAT-T 5730 (I realised that the gateway adopts 5730 automatically), the client doesn't answer on port 5730 (an ICMP message is sent), so the process halts.
I tried different ports (50000, 60000...) with the same results. 2.02 only answers if 4500 is configured.
Here I paste the trace output, the gateway log (10.10.35.79 ICMP message) and a Wireshark capture at the client side (2.02 receives packets from 5730 to 5730 but they are discarded).
Thanks again!
Ignacio Bravo
HIRSCHMANN Automation and Control
C/. Anabel Segura, 10
Edificio Fiteni IX
28108 MADRID (Spain)
ibravo at hirschmann.es
!! : 'NCP.p12' load failed, requesting password
<A : file password
<A : local key 'NCP.p12' message
<A : remote resource message
<A : peer tunnel enable message
ii : matched isakmp proposal #1 transform #3
ii : - transform = ike
ii : - cipher type = 3des
ii : - key length = default
ii : - hash type = md5
ii : - dh group = modp-1536
ii : - auth type = sig-rsa
ii : - life seconds = 86400
ii : - life kbytes = 0
ii : peer supports NAT-T V02
ii : peer supports DPDv1
ii : nat discovery - remote address is translated
ii : switching to NAT-T UDP port 5730
ii : resending 1 exchange packet(s)
ii : resending 1 exchange packet(s)
ii : exchange packet resend limit exceeded
DB : phase1 deleted before expire time ( phase1 count = 0 )
ii : removed IPSEC policy route for 172.20.10.0/24
ii : adapter ROOT\VNET\0000 already disabled
DB : removing all tunnel refrences
ii : admin process thread exit ...
uptime 0 days 20:55:53.07577 pluto[2312]: "%any"[29] 10.10.35.79 #117: Issuer CA certificate not found
uptime 0 days 20:55:53.07678 pluto[2312]: "%any"[29] 10.10.35.79 #117: X.509 certificate rejected
uptime 0 days 20:55:53.07850 pluto[2312]: "v001_000"[54] 10.10.35.79 #117: deleting connection "%any" instance with peer 10.10.35.79
uptime 0 days 20:55:53.10358 pluto[2312]: "v001_000"[54] 10.10.35.79 #117: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
uptime 0 days 20:55:53.10465 pluto[2312]: | NAT-T: new mapping 10.10.35.79:500/5730)
uptime 0 days 20:55:53.10622 pluto[2312]: "v001_000"[54] 10.10.35.79:5730 #117: sent MR3, ISAKMP SA established
uptime 0 days 20:55:53.10816 pluto[2312]: ERROR: asynchronous network error report on eth0 for message to 10.10.35.79 port 5730, complainant 10.10.35.79: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
uptime 0 days 20:55:58.13524 pluto[2312]: "v001_000"[54] 10.10.35.79:5730 #117: retransmitting in response to duplicate packet; already STATE_MAIN_R3
uptime 0 days 20:55:58.13856 pluto[2312]: ERROR: asynchronous network error report on eth0 for message to 10.10.35.79 port 5730, complainant 10.10.35.79: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
uptime 0 days 20:56:03.16597 pluto[2312]: "v001_000"[54] 10.10.35.79:5730 #117: retransmitting in response to duplicate packet; already STATE_MAIN_R3
uptime 0 days 20:56:03.16933 pluto[2312]: ERROR: asynchronous network error report on eth0 for message to 10.10.35.79 port 5730, complainant 10.10.35.79: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
No. Time Source Destination Protocol Info
29 11.188675 10.10.35.78 10.10.35.79 IP Fragmented IP protocol (proto=UDP 0x11, off=0) [Reassembled in #30]
Frame 29 (1514 bytes on wire, 1514 bytes captured)
Ethernet II, Src: RichardH_46:23:03 (00:80:63:46:23:03), Dst: CompalCo_fc:ec:de (00:16:d4:fc:ec:de)
Internet Protocol, Src: 10.10.35.78 (10.10.35.78), Dst: 10.10.35.79 (10.10.35.79)
Data (1480 bytes)
No. Time Source Destination Protocol Info
30 11.188681 10.10.35.78 10.10.35.79 UDP Source port: 5730 Destination port: 5730
Frame 30 (194 bytes on wire, 194 bytes captured)
Ethernet II, Src: RichardH_46:23:03 (00:80:63:46:23:03), Dst: CompalCo_fc:ec:de (00:16:d4:fc:ec:de)
Internet Protocol, Src: 10.10.35.78 (10.10.35.78), Dst: 10.10.35.79 (10.10.35.79)
User Datagram Protocol, Src Port: 5730 (5730), Dst Port: 5730 (5730)
Data (1632 bytes)
No. Time Source Destination Protocol Info
31 11.188684 10.10.35.79 10.10.35.78 ICMP Destination unreachable (Port unreachable)
Frame 31 (190 bytes on wire, 190 bytes captured)
Ethernet II, Src: CompalCo_fc:ec:de (00:16:d4:fc:ec:de), Dst: RichardH_46:23:03 (00:80:63:46:23:03)
Internet Protocol, Src: 10.10.35.79 (10.10.35.79), Dst: 10.10.35.78 (10.10.35.78)
Internet Control Message Protocol
No. Time Source Destination Protocol Info
37 16.215272 10.10.35.79 10.10.35.78 IP Fragmented IP protocol (proto=UDP 0x11, off=0) [Reassembled in #38]
Frame 37 (1514 bytes on wire, 1514 bytes captured)
Ethernet II, Src: CompalCo_fc:ec:de (00:16:d4:fc:ec:de), Dst: RichardH_46:23:03 (00:80:63:46:23:03)
Internet Protocol, Src: 10.10.35.79 (10.10.35.79), Dst: 10.10.35.78 (10.10.35.78)
Data (1480 bytes)
No. Time Source Destination Protocol Info
38 16.215279 10.10.35.79 10.10.35.78 UDP Source port: 5730 Destination port: 5730
Frame 38 (194 bytes on wire, 194 bytes captured)
Ethernet II, Src: CompalCo_fc:ec:de (00:16:d4:fc:ec:de), Dst: RichardH_46:23:03 (00:80:63:46:23:03)
Internet Protocol, Src: 10.10.35.79 (10.10.35.79), Dst: 10.10.35.78 (10.10.35.78)
User Datagram Protocol, Src Port: 5730 (5730), Dst Port: 5730 (5730)
Data (1632 bytes)
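The three outputs above (client trace, gateway log, Wireshark summary) each show one piece of the same failure: both ends float to the new NAT-T port, the gateway sends to it, and the client host replies "port unreachable". The script below is an added example, not code from the post, from Shrew Soft or from Innominate. It correlates constructed sample lines modelled on the ones pasted here and reports whether the negotiated port was refused by the client host, which is the check to run before assuming the port change itself is at fault. The regular expressions are assumptions fitted to the line shapes shown in the post, not documented formats.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample lines, modelled on the three outputs pasted in the post
# (Shrew Soft 2.02 client trace, mGuard pluto log, Wireshark frame summary).
CLIENT_TRACE = """\
ii : peer supports NAT-T V02
ii : nat discovery - remote address is translated
ii : switching to NAT-T UDP port 5730
ii : resending 1 exchange packet(s)
ii : resending 1 exchange packet(s)
ii : exchange packet resend limit exceeded
"""

GATEWAY_LOG = """\
uptime 0 days 20:55:53.10465 pluto[2312]: | NAT-T: new mapping 10.10.35.79:500/5730)
uptime 0 days 20:55:53.10622 pluto[2312]: "v001_000"[54] 10.10.35.79:5730 #117: sent MR3, ISAKMP SA established
uptime 0 days 20:55:53.10816 pluto[2312]: ERROR: asynchronous network error report on eth0 for message to 10.10.35.79 port 5730, complainant 10.10.35.79: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
"""

PCAP_SUMMARY = """\
30 11.188681 10.10.35.78 10.10.35.79 UDP Source port: 5730 Destination port: 5730
31 11.188684 10.10.35.79 10.10.35.78 ICMP Destination unreachable (Port unreachable)
"""

# Patterns are assumptions fitted to the line shapes in the post, not official formats.
SWITCH_RE = re.compile(r"switching to NAT-T UDP port (\d+)")
MAPPING_RE = re.compile(r"NAT-T: new mapping (\d+(?:\.\d+){3}):(\d+)/(\d+)")
ICMP_ERR_RE = re.compile(r"message to (\S+) port (\d+), complainant (\S+): Connection refused .*ICMP type 3 code 3")
UDP_FRAME_RE = re.compile(r"^\d+ \S+ (\S+) (\S+) UDP Source port: (\d+) Destination port: (\d+)")
ICMP_FRAME_RE = re.compile(r"^\d+ \S+ (\S+) (\S+) ICMP Destination unreachable \(Port unreachable\)")


def client_natt_switch(trace: str) -> Tuple[Optional[int], bool]:
    """Port the client floated to after NAT detection, and whether it exhausted its resends."""
    port = None
    for line in trace.splitlines():
        m = SWITCH_RE.search(line)
        if m:
            port = int(m.group(1))
    return port, "exchange packet resend limit exceeded" in trace


def gateway_natt_mapping(log: str) -> Optional[Tuple[str, int, int]]:
    """(peer, old port, new port) from the gateway's 'NAT-T: new mapping' line."""
    for line in log.splitlines():
        m = MAPPING_RE.search(line)
        if m:
            return m.group(1), int(m.group(2)), int(m.group(3))
    return None


def gateway_natt_rejections(log: str) -> List[Tuple[str, int]]:
    """(peer, port) pairs for which the gateway got back ICMP type 3 code 3 (port unreachable)."""
    out = []
    for line in log.splitlines():
        m = ICMP_ERR_RE.search(line)
        if m:
            out.append((m.group(1), int(m.group(2))))
    return out


def pcap_port_unreachable(summary: str) -> List[Tuple[int, str]]:
    """(UDP destination port, host that answered) for each UDP frame that is followed
    by a Port-unreachable ICMP from the frame's destination back to its source."""
    out = []
    last_udp = None  # (src, dst, dport) of the most recent UDP frame
    for line in summary.splitlines():
        m = UDP_FRAME_RE.match(line)
        if m:
            last_udp = (m.group(1), m.group(2), int(m.group(4)))
            continue
        m = ICMP_FRAME_RE.match(line)
        if m and last_udp and (m.group(1), m.group(2)) == (last_udp[1], last_udp[0]):
            out.append((last_udp[2], m.group(1)))
            last_udp = None
    return out


def diagnose(trace: str, log: str, summary: str) -> Dict[str, object]:
    """Correlate the three views: did both sides move to the same port, and did the
    client host then refuse it (nothing bound to that UDP port on the client)?"""
    port, gave_up = client_natt_switch(trace)
    mapping = gateway_natt_mapping(log)
    rejected = sorted({p for _, p in gateway_natt_rejections(log)})
    unreachable = pcap_port_unreachable(summary)
    same_port = mapping is not None and mapping[2] == port
    refused = port in rejected and any(dp == port for dp, _ in unreachable)
    return {
        "client_port": port,
        "client_gave_up": gave_up,
        "gateway_mapping": mapping,
        "rejected_ports": rejected,
        "same_port_both_sides": same_port,
        "client_not_listening": same_port and refused,
    }


if __name__ == "__main__":
    for key, value in diagnose(CLIENT_TRACE, GATEWAY_LOG, PCAP_SUMMARY).items():
        print(f"{key}: {value}")
```

On the sample lines the result is same_port_both_sides True and client_not_listening True: both ends agreed on UDP 5730, yet the client host itself answered with ICMP port unreachable, so the next thing to look at is what the client is actually bound to on that port, not the router's forwarding rule.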