IPsec from Behind NAT debug info

[Robert Hanlon]

Thanks to all that posted.

Here is some more information.
Perhaps I'm not supplying a tunnel endpoint and I should be?
I'm not trying to VPN from behind the NAT. Although I get the same result.
The attempt at a VPN connection results with the client message that the
server did not respond. However the ipsecmon shows positive activity on
both client and server.

Also, I have applied the microsoft update to L2TP/IPsec to both machines
prior to testing.

I had previously removed all auth. methods save:

ESP DES/CFB HMAC MD5

on both machines. In order to simplify the connection troubleshooting.
Some of the output I am getting from ipsecmon on both machines follows:

Active Associations: 2
Confidential Bytes Sent: (steadily increasing number as I attempt to
connect, ping, etc)
Confidential Bytes Received: (same)
Authenticated Bytes Sent: (same)
Authenticated Bytes Received: (same)

Oakley Main Mode and Quick Mode numbers increase as well. No soft
associations and no failures.

I've run netdiag /test:ipsec /debug and > the output to a file. Here's the
trimmed output. The test above the below starting point all indicate
passed:

IP Security test . . . . . . . . . : Passed
Local IPSec Policy Active: 'Partner Test'
IP Security Policy Path:
SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{E765648B-
F8E6-4CCD-8AEF-D65EBD285C48}

There are 4 filters
From B to A
Filter Id: {8AC186A5-B01B-4B1F-A99F-97A6629A354E}
Policy Id: {011C7329-E0A7-4526-A2AF-35E7C63775BA}
IPSEC_POLICY PolicyId = {011C7329-E0A7-4526-A2AF-35E7C63775BA}
Flags: 0x0
Tunnel Addr: 0.0.0.0
PHASE 2 OFFERS Count = 1
Offer #0:
ESP[ DES MD5 HMAC]
Rekey: 3600 seconds / 100000 bytes.
AUTHENTICATION INFO Count = 1
Method = Cert: [email protected], C=US, S=NY, L=Ithaca, O=Cornell
University, OU=Day Hall IT, CN=Day Hall Cert One
Src Addr : 132.236.247.198 Src Mask : 255.255.255.255
Dest Addr : 192.168.1.2 Dest Mask : 255.255.255.255
Tunnel Addr : 0.0.0.0 Src Port : 0 Dest Port : 0
Protocol : 0 TunnelFilter: No
Flags : Outbound
From A to B
Filter Id: {42C434DE-2294-44DC-B1D5-56EF1E3DE935}
Policy Id: {88046FF1-FF58-4493-B104-6254450041F5}
IPSEC_POLICY PolicyId = {88046FF1-FF58-4493-B104-6254450041F5}
Flags: 0x0
Tunnel Addr: 0.0.0.0
PHASE 2 OFFERS Count = 1
Offer #0:
ESP[ DES MD5 HMAC]
Rekey: 3600 seconds / 100000 bytes.
AUTHENTICATION INFO Count = 1
Method = Cert: [email protected], C=US, S=NY, L=Ithaca, O=Cornell
University, OU=Day Hall IT, CN=Day Hall Cert One
Src Addr : 192.168.1.2 Src Mask : 255.255.255.255
Dest Addr : 132.236.247.198 Dest Mask : 255.255.255.255
Tunnel Addr : 0.0.0.0 Src Port : 0 Dest Port : 0
Protocol : 0 TunnelFilter: No
Flags : Inbound
ICMP
Filter Id: {DEA4949B-4FAF-4D07-9BA2-C9498ADCB7AE}
Policy Id: {8FB80E46-9A1E-4712-A320-4D6DC16C98EE}
IPSEC_POLICY PolicyId = {8FB80E46-9A1E-4712-A320-4D6DC16C98EE}
Flags: 0x0
Tunnel Addr: 0.0.0.0
PHASE 2 OFFERS Count = 1
Offer #0:
ESP[ DES MD5 HMAC]
Rekey: 3600 seconds / 100000 bytes.
AUTHENTICATION INFO Count = 1
Method = Cert: [email protected], C=US, S=NY, L=Ithaca, O=Cornell
University, OU=Day Hall IT, CN=Day Hall Cert One
Src Addr : 132.236.247.198 Src Mask : 255.255.255.255
Dest Addr : 0.0.0.0 Dest Mask : 0.0.0.0
Tunnel Addr : 0.0.0.0 Src Port : 0 Dest Port : 0
Protocol : 1 TunnelFilter: No
Flags : Outbound
ICMP - Mirror
Filter Id: {DEA4949B-4FAF-4D07-9BA2-C9498ADCB7AE}
Policy Id: {8FB80E46-9A1E-4712-A320-4D6DC16C98EE}
IPSEC_POLICY PolicyId = {8FB80E46-9A1E-4712-A320-4D6DC16C98EE}
Flags: 0x0
Tunnel Addr: 0.0.0.0
PHASE 2 OFFERS Count = 1
Offer #0:
ESP[ DES MD5 HMAC]
Rekey: 3600 seconds / 100000 bytes.
AUTHENTICATION INFO Count = 1
Method = Cert: [email protected], C=US, S=NY, L=Ithaca, O=Cornell
University, OU=Day Hall IT, CN=Day Hall Cert One
Src Addr : 0.0.0.0 Src Mask : 0.0.0.0
Dest Addr : 132.236.247.198 Dest Mask : 255.255.255.255
Tunnel Addr : 0.0.0.0 Src Port : 0 Dest Port : 0
Protocol : 1 TunnelFilter: No
Flags : Inbound

 

[Steven L Umbach]

I can't really see what the problem is from your netdiag text. I have some
experience with tunnel mode. I use a W2K server at work behind a D-Link nat
device and at home I use a Netgear FVS318 router/ipsec endpoint, using a
preshared key for machine authentication. I was able to get ipsec working in
tunnel mode which you may want to try since you are trying to set up ipsec
between two different networks. In tunnel mode you do not mirror the rules,
but create separate rules. It is also possible that your nat device does not
support "ipsec passthrough" or you need to review the ports you are
forwarding to through the nat device for ipsec. The link the Keith left to
his web page in the last thread should help you out with that. --- Steve

Thanks to all that posted.

Here is some more information.
Perhaps I'm not supplying a tunnel endpoint and I should be?
I'm not trying to VPN from behind the NAT. Although I get the same result.
The attempt at a VPN connection results with the client message that the
server did not respond. However the ipsecmon shows positive activity on
both client and server.

Also, I have applied the microsoft update to L2TP/IPsec to both machines
prior to testing.

I had previously removed all auth. methods save:

ESP DES/CFB HMAC MD5

on both machines. In order to simplify the connection troubleshooting.
Some of the output I am getting from ipsecmon on both machines follows:

Active Associations: 2
Confidential Bytes Sent: (steadily increasing number as I attempt to
connect, ping, etc)
Confidential Bytes Received: (same)
Authenticated Bytes Sent: (same)
Authenticated Bytes Received: (same)

Oakley Main Mode and Quick Mode numbers increase as well. No soft
associations and no failures.

I've run netdiag /test:ipsec /debug and > the output to a file. Here's the
trimmed output. The test above the below starting point all indicate
passed:

IP Security test . . . . . . . . . : Passed
Local IPSec Policy Active: 'Partner Test'
IP Security Policy Path:
SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{E765648B-
F8E6-4CCD-8AEF-D65EBD285C48}

There are 4 filters
From B to A
Filter Id: {8AC186A5-B01B-4B1F-A99F-97A6629A354E}
Policy Id: {011C7329-E0A7-4526-A2AF-35E7C63775BA}
IPSEC_POLICY PolicyId = {011C7329-E0A7-4526-A2AF-35E7C63775BA}
Flags: 0x0
Tunnel Addr: 0.0.0.0
PHASE 2 OFFERS Count = 1
Offer #0:
ESP[ DES MD5 HMAC]
Rekey: 3600 seconds / 100000 bytes.
AUTHENTICATION INFO Count = 1
Method = Cert: [email protected], C=US, S=NY, L=Ithaca, O=Cornell
University, OU=Day Hall IT, CN=Day Hall Cert One
Src Addr : 132.236.247.198 Src Mask : 255.255.255.255
Dest Addr : 192.168.1.2 Dest Mask : 255.255.255.255
Tunnel Addr : 0.0.0.0 Src Port : 0 Dest Port : 0
Protocol : 0 TunnelFilter: No
Flags : Outbound
From A to B
Filter Id: {42C434DE-2294-44DC-B1D5-56EF1E3DE935}
Policy Id: {88046FF1-FF58-4493-B104-6254450041F5}
IPSEC_POLICY PolicyId = {88046FF1-FF58-4493-B104-6254450041F5}
Flags: 0x0
Tunnel Addr: 0.0.0.0
PHASE 2 OFFERS Count = 1
Offer #0:
ESP[ DES MD5 HMAC]
Rekey: 3600 seconds / 100000 bytes.
AUTHENTICATION INFO Count = 1
Method = Cert: [email protected], C=US, S=NY, L=Ithaca, O=Cornell
University, OU=Day Hall IT, CN=Day Hall Cert One
Src Addr : 192.168.1.2 Src Mask : 255.255.255.255
Dest Addr : 132.236.247.198 Dest Mask : 255.255.255.255
Tunnel Addr : 0.0.0.0 Src Port : 0 Dest Port : 0
Protocol : 0 TunnelFilter: No
Flags : Inbound
ICMP
Filter Id: {DEA4949B-4FAF-4D07-9BA2-C9498ADCB7AE}
Policy Id: {8FB80E46-9A1E-4712-A320-4D6DC16C98EE}
IPSEC_POLICY PolicyId = {8FB80E46-9A1E-4712-A320-4D6DC16C98EE}
Flags: 0x0
Tunnel Addr: 0.0.0.0
PHASE 2 OFFERS Count = 1
Offer #0:
ESP[ DES MD5 HMAC]
Rekey: 3600 seconds / 100000 bytes.
AUTHENTICATION INFO Count = 1
Method = Cert: [email protected], C=US, S=NY, L=Ithaca, O=Cornell
University, OU=Day Hall IT, CN=Day Hall Cert One
Src Addr : 132.236.247.198 Src Mask : 255.255.255.255
Dest Addr : 0.0.0.0 Dest Mask : 0.0.0.0
Tunnel Addr : 0.0.0.0 Src Port : 0 Dest Port : 0
Protocol : 1 TunnelFilter: No
Flags : Outbound
ICMP - Mirror
Filter Id: {DEA4949B-4FAF-4D07-9BA2-C9498ADCB7AE}
Policy Id: {8FB80E46-9A1E-4712-A320-4D6DC16C98EE}
IPSEC_POLICY PolicyId = {8FB80E46-9A1E-4712-A320-4D6DC16C98EE}
Flags: 0x0
Tunnel Addr: 0.0.0.0
PHASE 2 OFFERS Count = 1
Offer #0:
ESP[ DES MD5 HMAC]
Rekey: 3600 seconds / 100000 bytes.
AUTHENTICATION INFO Count = 1
Method = Cert: [email protected], C=US, S=NY, L=Ithaca, O=Cornell
University, OU=Day Hall IT, CN=Day Hall Cert One
Src Addr : 0.0.0.0 Src Mask : 0.0.0.0
Dest Addr : 132.236.247.198 Dest Mask : 255.255.255.255
Tunnel Addr : 0.0.0.0 Src Port : 0 Dest Port : 0
Protocol : 1 TunnelFilter: No
Flags : Inbound

 

[Steven L Umbach]

This KB may help also. ---Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;252735
http://www.securityfocus.com/infocus/1519

Thanks to all that posted.

Here is some more information.
Perhaps I'm not supplying a tunnel endpoint and I should be?
I'm not trying to VPN from behind the NAT. Although I get the same result.
The attempt at a VPN connection results with the client message that the
server did not respond. However the ipsecmon shows positive activity on
both client and server.

Also, I have applied the microsoft update to L2TP/IPsec to both machines
prior to testing.

I had previously removed all auth. methods save:

ESP DES/CFB HMAC MD5

on both machines. In order to simplify the connection troubleshooting.
Some of the output I am getting from ipsecmon on both machines follows:

Active Associations: 2
Confidential Bytes Sent: (steadily increasing number as I attempt to
connect, ping, etc)
Confidential Bytes Received: (same)
Authenticated Bytes Sent: (same)
Authenticated Bytes Received: (same)

Oakley Main Mode and Quick Mode numbers increase as well. No soft
associations and no failures.

I've run netdiag /test:ipsec /debug and > the output to a file. Here's the
trimmed output. The test above the below starting point all indicate
passed:

IP Security test . . . . . . . . . : Passed
Local IPSec Policy Active: 'Partner Test'
IP Security Policy Path:
SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{E765648B-
F8E6-4CCD-8AEF-D65EBD285C48}

There are 4 filters
From B to A
Filter Id: {8AC186A5-B01B-4B1F-A99F-97A6629A354E}
Policy Id: {011C7329-E0A7-4526-A2AF-35E7C63775BA}
IPSEC_POLICY PolicyId = {011C7329-E0A7-4526-A2AF-35E7C63775BA}
Flags: 0x0
Tunnel Addr: 0.0.0.0
PHASE 2 OFFERS Count = 1
Offer #0:
ESP[ DES MD5 HMAC]
Rekey: 3600 seconds / 100000 bytes.
AUTHENTICATION INFO Count = 1
Method = Cert: [email protected], C=US, S=NY, L=Ithaca, O=Cornell
University, OU=Day Hall IT, CN=Day Hall Cert One
Src Addr : 132.236.247.198 Src Mask : 255.255.255.255
Dest Addr : 192.168.1.2 Dest Mask : 255.255.255.255
Tunnel Addr : 0.0.0.0 Src Port : 0 Dest Port : 0
Protocol : 0 TunnelFilter: No
Flags : Outbound
From A to B
Filter Id: {42C434DE-2294-44DC-B1D5-56EF1E3DE935}
Policy Id: {88046FF1-FF58-4493-B104-6254450041F5}
IPSEC_POLICY PolicyId = {88046FF1-FF58-4493-B104-6254450041F5}
Flags: 0x0
Tunnel Addr: 0.0.0.0
PHASE 2 OFFERS Count = 1
Offer #0:
ESP[ DES MD5 HMAC]
Rekey: 3600 seconds / 100000 bytes.
AUTHENTICATION INFO Count = 1
Method = Cert: [email protected], C=US, S=NY, L=Ithaca, O=Cornell
University, OU=Day Hall IT, CN=Day Hall Cert One
Src Addr : 192.168.1.2 Src Mask : 255.255.255.255
Dest Addr : 132.236.247.198 Dest Mask : 255.255.255.255
Tunnel Addr : 0.0.0.0 Src Port : 0 Dest Port : 0
Protocol : 0 TunnelFilter: No
Flags : Inbound
ICMP
Filter Id: {DEA4949B-4FAF-4D07-9BA2-C9498ADCB7AE}
Policy Id: {8FB80E46-9A1E-4712-A320-4D6DC16C98EE}
IPSEC_POLICY PolicyId = {8FB80E46-9A1E-4712-A320-4D6DC16C98EE}
Flags: 0x0
Tunnel Addr: 0.0.0.0
PHASE 2 OFFERS Count = 1
Offer #0:
ESP[ DES MD5 HMAC]
Rekey: 3600 seconds / 100000 bytes.
AUTHENTICATION INFO Count = 1
Method = Cert: [email protected], C=US, S=NY, L=Ithaca, O=Cornell
University, OU=Day Hall IT, CN=Day Hall Cert One
Src Addr : 132.236.247.198 Src Mask : 255.255.255.255
Dest Addr : 0.0.0.0 Dest Mask : 0.0.0.0
Tunnel Addr : 0.0.0.0 Src Port : 0 Dest Port : 0
Protocol : 1 TunnelFilter: No
Flags : Outbound
ICMP - Mirror
Filter Id: {DEA4949B-4FAF-4D07-9BA2-C9498ADCB7AE}
Policy Id: {8FB80E46-9A1E-4712-A320-4D6DC16C98EE}
IPSEC_POLICY PolicyId = {8FB80E46-9A1E-4712-A320-4D6DC16C98EE}
Flags: 0x0
Tunnel Addr: 0.0.0.0
PHASE 2 OFFERS Count = 1
Offer #0:
ESP[ DES MD5 HMAC]
Rekey: 3600 seconds / 100000 bytes.
AUTHENTICATION INFO Count = 1
Method = Cert: [email protected], C=US, S=NY, L=Ithaca, O=Cornell
University, OU=Day Hall IT, CN=Day Hall Cert One
Src Addr : 0.0.0.0 Src Mask : 0.0.0.0
Dest Addr : 132.236.247.198 Dest Mask : 255.255.255.255
Tunnel Addr : 0.0.0.0 Src Port : 0 Dest Port : 0
Protocol : 1 TunnelFilter: No
Flags : Inbound