[Vpn-help] Wrong IKE port?

David Santinoli marauder at tiscali.it
Thu Feb 7 08:38:17 CST 2008 

Hallo,
  it appears that, under some circumstances, the Windows client tries to
talk ISAKMP on the wrong port.  When I click the "Connect" button in the
connection window, the log states that the client attempts to contact
the peer on port 500, as in the following excerpt:

>> : vendor id payload
ii : local is CHECKPOINT compatible
-> : send IKE packet 10.1.10.50:500 -> mangled:500 ( 3828 bytes )
ii : fragmented packet to 1514 bytes ( MTU 1500 bytes )
ii : fragmented packet to 1514 bytes ( MTU 1500 bytes )
ii : fragmented packet to 882 bytes ( MTU 1500 bytes )
ii : resending 1 phase1 exchange packet(s)
ii : fragmented packet to 1514 bytes ( MTU 1500 bytes )
ii : fragmented packet to 1514 bytes ( MTU 1500 bytes )
ii : fragmented packet to 882 bytes ( MTU 1500 bytes )
ii : resending 1 phase1 exchange packet(s)
ii : fragmented packet to 1514 bytes ( MTU 1500 bytes )
ii : fragmented packet to 1514 bytes ( MTU 1500 bytes )
ii : fragmented packet to 882 bytes ( MTU 1500 bytes )
ii : phase1 packet resend limit exceeded
DB : phase1 deleted before expire time ( phase1 count = 0 )
DB : policy not found
DB : policy not found
ii : removed IPSEC policy route for 10.30.0.0/24
ii : adapter ROOT\VNET\0000 already disabled
ii : adapter ROOT\VNET\0000 already disabled
DB : removing all tunnel refrences
DB : tunnel deleted ( tunnel count = 0 )
DB : peer deleted ( peer count = 0 )
ii : admin process thread exit ...

However, a packet dump on the gateway's side shows packets hitting port
4500, not 500:

14:05:36.946355 IP mangled.35567 > 192.168.1.1.4500: UDP-encap: ESP(spi=0xf16059c7,seq=0x38cd2f07), length 1472
14:05:41.948938 IP mangled.35567 > 192.168.1.1.4500: UDP-encap: ESP(spi=0xf16059c7,seq=0x38cd2f07), length 1472
14:05:46.954899 IP mangled.35567 > 192.168.1.1.4500: UDP-encap: ESP(spi=0xf16059c7,seq=0x38cd2f07), length 1472

Needless to say, the connection fails to be established.

Regarding the circumstances under which this behaviour is displayed, I
haven't come to a definite conclusion yet, but it looks like it's more
likely to happen immediately after a failed connection attempt (this
makes me think of iked incorrectly retaining a previous NAT-T detection
result).

My setup: 2.1.0a6 on Windows 2000/VMWare (client), StrongSwan 4.1.4
(gateway).

Thanks,
 David
-- 
 David Santinoli
 Tieffe Sistemi S.r.l.                      viale Piceno 21, Milano
 www.tieffesistemi.com                         tel. +39 02 76115215

More information about the vpn-help mailing list