Win98SE <-> NAT-T <-> Win2k3 failure


kroesjnov

I know this is not officially a Windows 2003 newsgroup, but I have failed to
find such a newsgroup thus far. Since my search has failed to turn up any
useful information up to this point, I hope somebody in this newsgroup can
shed some light on this issue.

I have recently set up a Windows 2003 Server as a VPN server. The VPN server
uses the certificate server included with Win2k3 and only accepts L2TP
connections. On my LAN everything works fine, WinXP, Win2k2 and Win98SE
machines can connect without any problems.

This changes however when I am trying to connect from the outside
world. With the appropriate patch[1] applied WinXP connected without any
hassle, the Win98 computer however fails to connect.
The Windows 98 (second edition) computer has the following software packages
installed.
* Windows 98 SE DUN v1.4[2]
* Windows 98 (Active) Directory Service client[3]
* Windows 98 L2TP/IPSec client v1.0[4]
I (try to) connect to the VPN server via the same dial-up connection (to
work around my firewall from my home location) when using WinXP and Win98SE,
so it cannot be something ISP related.
The Win98SE computer does not run any form of firewall.

I have read about some timeout issues with UDP and IKE relating to IPtables
(the firewall I use to separate my LAN from the internet). I doubt however
this would be the problem; if this were the case I'd say the WinXP would be
affected as well.
There don't seem to be any timeout settings on the client and server side as
far as I can tell so far either.

Can anybody shed some light on this issue for me? I am quite lost on this
issue, and was unable to find any related material on this problem via
groups.google and google.

TIA for your time.

[1] The NAT-T patch for XP, since the outside world needs to travel through
a firewall with a public IP, to the VPN server with a LAN IP. ref:
http://support.microsoft.com/default.aspx?scid=kb;en-us;818043
[2]
http://www.microsoft.com/downloads/...familyid=be625dbb-5afe-426a-bc0a-71aac2000ae8
[3]
http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/adextension.asp
[4]
http://www.microsoft.com/downloads/...familyid=6a1086dc-3bd0-4d65-9b82-20cbe650f974

I will also attach a part of my isakmp.log from the Win98SE computer,
perhaps somebody knows how to read this information; I fail to derive
useful information from this log so far.

<isakmp.log>
11-05: 14:41:58.180 Interface added: 194.109.188.237/255.255.255.0 on MODEM
"Modem of Xircom CreditCard 100+56".
11-05: 14:42:15.320
11-05: 14:42:15.320 Microsoft IPsec VPN\L2TP/IPsec - Initiating IKE Phase 1
(IP ADDR=195.64.93.150)
11-05: 14:42:15.320 Microsoft IPsec VPN\L2TP/IPsec - Generic entry match
with remote address 195.64.93.150.
11-05: 14:42:15.320 Microsoft IPsec VPN\L2TP/IPsec - SENDING>>>> ISAKMP OAK
MM (SA, VID, VID, VID)
11-05: 14:42:15.540 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<< ISAKMP OAK
MM (SA, VID, VID, VID)
11-05: 14:42:15.590 Microsoft IPsec VPN\L2TP/IPsec - Peer is IKE
fragmentation capable
11-05: 14:42:15.590 Microsoft IPsec VPN\L2TP/IPsec - IKE fragmentation
enabled
11-05: 14:42:15.590 Microsoft IPsec VPN\L2TP/IPsec - Peer is NAT-T draft-02
capable
11-05: 14:42:15.590 Microsoft IPsec VPN\L2TP/IPsec - SENDING>>>> ISAKMP OAK
MM (KE, NON, NAT-D, NAT-D, VID, VID, VID, VID)
11-05: 14:42:15.980 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<< ISAKMP OAK
MM (KE, NON, CERT_REQ, NAT-D, NAT-D)
11-05: 14:42:16.750 Microsoft IPsec VPN\L2TP/IPsec - NAT is detected for
Peer
11-05: 14:42:16.750 Microsoft IPsec VPN\L2TP/IPsec - Floating to IKE non-500
port
11-05: 14:42:16.800 Microsoft IPsec VPN\L2TP/IPsec - Using auto-selected
machine certificate "Users + (username)'s CN=x-server, DC=home, DC=local
ID".
11-05: 14:42:16.860 Microsoft IPsec VPN\L2TP/IPsec - SENDING>>>> ISAKMP OAK
MM *(ID, CERT, CERT_REQ, SIG, NOTIFY:STATUS_INITIAL_CONTACT)
11-05: 14:42:16.860 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<< ISAKMP OAK
MM (Retransmission)
11-05: 14:42:16.860 Microsoft IPsec VPN\L2TP/IPsec - SENDING>>>> ISAKMP OAK
MM *(Retransmission)
11-05: 14:42:18.500 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<< ISAKMP OAK
MM (Retransmission)
11-05: 14:42:18.500 Microsoft IPsec VPN\L2TP/IPsec - SENDING>>>> ISAKMP OAK
MM *(Retransmission)
11-05: 14:42:21.960 Microsoft IPsec VPN\L2TP/IPsec - message not received!
Retransmitting using fragmentation!
11-05: 14:42:21.960 Microsoft IPsec VPN\L2TP/IPsec - SENDING>>>> ISAKMP OAK
MM (FRAG)
11-05: 14:42:21.960 Microsoft IPsec VPN\L2TP/IPsec - SENDING>>>> ISAKMP OAK
MM (FRAG)
11-05: 14:42:21.960 Microsoft IPsec VPN\L2TP/IPsec - SENDING>>>> ISAKMP OAK
MM (FRAG)
11-05: 14:42:21.960 Microsoft IPsec VPN\L2TP/IPsec - SENDING>>>> ISAKMP OAK
MM (FRAG)
11-05: 14:42:21.960 Microsoft IPsec VPN\L2TP/IPsec - SENDING>>>> ISAKMP OAK
MM (FRAG)
11-05: 14:42:22.510 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<< ISAKMP OAK
MM (Retransmission)
11-05: 14:42:22.510 Microsoft IPsec VPN\L2TP/IPsec - SENDING>>>> ISAKMP OAK
MM *(Retransmission)
11-05: 14:42:23.230 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<< ISAKMP OAK
MM *(ID, CERT, SIG)
11-05: 14:42:23.340 Microsoft IPsec VPN\L2TP/IPsec - Established IKE SA
11-05: 14:42:23.340 MY COOKIE f1 41 8 92 d3 fb 53 46
11-05: 14:42:23.340 HIS COOKIE a2 b7 ac 9e e1 cc dd b5
11-05: 14:42:23.340 Microsoft IPsec VPN\L2TP/IPsec - Initiating IKE Phase 2
with Client IDs (message id: 481644B3)
11-05: 14:42:23.340 Initiator = IP ADDR=194.109.188.237, prot = 17 port =
1701
11-05: 14:42:23.340 Responder = IP ADDR=195.64.93.150, prot = 17 port =
1701
11-05: 14:42:23.340 Microsoft IPsec VPN\L2TP/IPsec - SENDING>>>> ISAKMP OAK
QM *(HASH, SA, NON, ID, ID)
11-05: 14:42:23.940 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<< ISAKMP OAK
MM *(Retransmission)
11-05: 14:42:23.940 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<< ISAKMP OAK
QM *(HASH, SA, NON, ID, ID, NAT-OA)
11-05: 14:42:23.940 Microsoft IPsec VPN\L2TP/IPsec - Phase 2 Local ID
Received from NAT Peer: IP ADDR=194.109.188.237 (prot = 17, port = 1701)
11-05: 14:42:23.940 Microsoft IPsec VPN\L2TP/IPsec - Phase 2 Remote ID
Received from NAT Peer: DOMAIN=x-server.home.local (prot = 17, port = 1701)
11-05: 14:42:23.940 Microsoft IPsec VPN\L2TP/IPsec - Indeterminate remote
internal address.
11-05: 14:42:23.940 Microsoft IPsec VPN\L2TP/IPsec - Error validating Proxy
IDs.
11-05: 14:42:24.490 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<< ISAKMP OAK
QM *(HASH, )
11-05: 14:42:24.490 Microsoft IPsec VPN\L2TP/IPsec - Received malformed
message or negotiation no longer active (message id: 481644B3)
11-05: 14:42:26.470 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<< ISAKMP OAK
QM *(HASH, )
11-05: 14:42:26.470 Microsoft IPsec VPN\L2TP/IPsec - Received malformed
message or negotiation no longer active (message id: 481644B3)
11-05: 14:42:30.480 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<< ISAKMP OAK
QM *(HASH, )
11-05: 14:42:30.480 Microsoft IPsec VPN\L2TP/IPsec - Received malformed
message or negotiation no longer active (message id: 481644B3)
11-05: 14:42:38.500 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<< ISAKMP OAK
QM *(HASH, )
11-05: 14:42:38.500 Microsoft IPsec VPN\L2TP/IPsec - Received malformed
message or negotiation no longer active (message id: 481644B3)
11-05: 14:42:40.250
11-05: 14:42:40.250 Microsoft IPsec VPN\L2TP/IPsec - Generic entry match
with remote address 195.64.93.150.
11-05: 14:42:40.970 Microsoft IPsec VPN\L2TP/IPsec - Initiating IKE Phase 2
with Client IDs (message id: 32BE939)
11-05: 14:42:40.970 Initiator = IP ADDR=194.109.188.237, prot = 17 port =
1701
11-05: 14:42:40.970 Responder = IP ADDR=195.64.93.150, prot = 17 port =
1701
11-05: 14:42:40.970 Microsoft IPsec VPN\L2TP/IPsec - SENDING>>>> ISAKMP OAK
QM *(HASH, SA, NON, ID, ID)
11-05: 14:42:42.560 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<< ISAKMP OAK
QM *(HASH, SA, NON, ID, ID, NAT-OA)
11-05: 14:42:42.560 Microsoft IPsec VPN\L2TP/IPsec - Phase 2 Local ID
Received from NAT Peer: IP ADDR=194.109.188.237 (prot = 17, port = 1701)
11-05: 14:42:42.560 Microsoft IPsec VPN\L2TP/IPsec - Phase 2 Remote ID
Received from NAT Peer: DOMAIN=x-server.home.local (prot = 17, port = 1701)
11-05: 14:42:42.560 Microsoft IPsec VPN\L2TP/IPsec - Indeterminate remote
internal address.
11-05: 14:42:42.560 Microsoft IPsec VPN\L2TP/IPsec - Error validating Proxy
IDs.
11-05: 14:42:42.620 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<< ISAKMP OAK
QM *(HASH, )
11-05: 14:42:42.620 Microsoft IPsec VPN\L2TP/IPsec - Received malformed
message or negotiation no longer active (message id: 32BE939)
11-05: 14:42:44.480 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<< ISAKMP OAK
QM *(HASH, )
11-05: 14:42:44.480 Microsoft IPsec VPN\L2TP/IPsec - Received malformed
message or negotiation no longer active (message id: 32BE939)
11-05: 14:42:48.490 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<< ISAKMP OAK
QM *(HASH, )
11-05: 14:42:48.490 Microsoft IPsec VPN\L2TP/IPsec - Received malformed
message or negotiation no longer active (message id: 32BE939)
11-05: 14:42:54.530 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<< ISAKMP OAK
QM *(HASH, )
11-05: 14:42:54.530 Microsoft IPsec VPN\L2TP/IPsec - Received malformed
message or negotiation no longer active (message id: 481644B3)
11-05: 14:42:56.510 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED<<< ISAKMP OAK
QM *(HASH, )
11-05: 14:42:56.510 Microsoft IPsec VPN\L2TP/IPsec - Received malformed
message or negotiation no longer active (message id: 32BE939)
11-05: 14:42:58.870 Interface lost: 194.109.188.237
11-05: 14:42:59.590 Microsoft IPsec VPN\L2TP/IPsec - Deleting IKE SA (IP
ADDR=195.64.93.150)
11-05: 14:42:59.590 MY COOKIE f1 41 8 92 d3 fb 53 46
11-05: 14:42:59.590 HIS COOKIE a2 b7 ac 9e e1 cc dd b5
11-05: 14:42:59.590 Microsoft IPsec VPN\L2TP/IPsec - SENDING>>>> ISAKMP OAK
INFO *(HASH, DEL)
</isakmp.log>

--
"Wisdom lies not in obtaining knowledge, but in using it in the right way"
- kroesjnov

http://www.securitydatabase.net
http://www.mostly-harmless.nl
http://www.outerbrains.nl
email: (e-mail address removed) (remove inter to reply)
UIN: 85685870
MSN: (e-mail address removed)
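As an added illustration (not part of the thread or of any Microsoft tool), a small parser for the isakmp.log format quoted above: it rejoins entries that were line-wrapped when the log was pasted, and reports which milestone the negotiation reached (NAT detected, port float, IKE SA established, Quick Mode proxy-ID validation). The sample log is constructed, with placeholder names and a copied message-id format; it is not the poster's capture.

```python
import re

# Constructed excerpt in the format of the isakmp.log posted above (sample values,
# not a real capture); one entry is line-wrapped as when pasted into a newsgroup post.
SAMPLE_LOG = r"""
11-05: 14:42:16.750 Microsoft IPsec VPN\L2TP/IPsec - NAT is detected for Peer
11-05: 14:42:16.750 Microsoft IPsec VPN\L2TP/IPsec - Floating to IKE non-500 port
11-05: 14:42:23.340 Microsoft IPsec VPN\L2TP/IPsec - Established IKE SA
11-05: 14:42:23.340 Microsoft IPsec VPN\L2TP/IPsec - Initiating IKE Phase 2
with Client IDs (message id: 481644B3)
11-05: 14:42:23.940 Microsoft IPsec VPN\L2TP/IPsec - Phase 2 Remote ID Received from NAT Peer: DOMAIN=vpn.example.test (prot = 17, port = 1701)
11-05: 14:42:23.940 Microsoft IPsec VPN\L2TP/IPsec - Error validating Proxy IDs.
"""

TS_RE = re.compile(r"^\d{2}-\d{2}: \d{2}:\d{2}:\d{2}\.\d{3}")
MSGID_RE = re.compile(r"Initiating IKE Phase 2 .*\(message id: ([0-9A-Fa-f]+)\)")
REMOTE_ID_RE = re.compile(r"Phase 2 Remote ID Received from NAT Peer: ([\w ]+?)=")

def unwrap(log_text):
    # A line without the timestamp prefix is a continuation of the previous entry.
    entries = []
    for line in (l.strip() for l in log_text.splitlines() if l.strip()):
        if TS_RE.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def summarize_ike(log_text):
    # Milestones of a NAT-T L2TP/IPsec attempt: Phase 1, NAT handling, Quick Mode.
    s = {"nat_detected": False, "floated_off_port_500": False,
         "phase1_established": False, "phase2_message_ids": [],
         "remote_id_type": None, "proxy_id_errors": 0}
    for e in unwrap(log_text):
        if "NAT is detected for Peer" in e:
            s["nat_detected"] = True
        elif "Floating to IKE non-500 port" in e:   # NAT-T moves IKE to UDP 4500
            s["floated_off_port_500"] = True
        elif "Established IKE SA" in e:             # Phase 1 done: the peer's cert was accepted
            s["phase1_established"] = True
        elif (m := MSGID_RE.search(e)):
            s["phase2_message_ids"].append(m.group(1).upper())
        elif (m := REMOTE_ID_RE.search(e)):         # selector type the peer sent: DOMAIN or IP ADDR
            s["remote_id_type"] = m.group(1)
        elif "Error validating Proxy IDs" in e:
            s["proxy_id_errors"] += 1
    # No IKE SA points at cert trust, proposals or the UDP 500 path; proxy-ID errors
    # after an established IKE SA mean the client rejected the Quick Mode selectors.
    s["failure_stage"] = ("phase1" if not s["phase1_established"] else
                          "phase2-proxy-id" if s["proxy_id_errors"] else "ok")
    return s
```

Run against the log in the post above, the same logic reports an established IKE SA (so the certificate exchange succeeded) followed by proxy-ID validation failures in Quick Mode, with the remote selector arriving as a DOMAIN rather than an IP address.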
 

Michael Johnston [MSFT]

Do the remote machines trust your internal CA? If not, you will need to add a Trusted CA certificate to the client machines
otherwise the cert on the server has no meaning to them.

Thank you,
Mike Johnston
Microsoft Network Support
--

This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the
terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from
which they originated.
 

kroesjnov

Michael Johnston said:
Do the remote machines trust your internal CA? If not, you will need to
add a Trusted CA certificate to the client machines
otherwise the cert on the server has no meaning to them.

Yes they do, since the machines connect fine on the LAN[1].
This cannot be accomplished without a valid user certificate and a trusted
root certificate.

The problem starts to occur when I try to access the VPN server over the
internet with the Win98SE machine.
In fact, the symptoms are very similar to the symptoms I witnessed when
I tried to connect the WinXP machine over the internet without applying the
NAT-T patch. I do however not have the means to try and reproduce this (I
only have one WinXP computer in my network) and I do not have any logs from
the time the WinXP machine failed to connect.

But clearly, the problem is not certificate related.
My guess is that this is related to NAT-T on the Win98 machine, but the
L2TP/IPSec VPN client[2] is supposed to support NAT-T.

Thank you for your time and reply.

[1] Server and client are set up to locked settings, and not server/client
chooses. This ensures that L2TP is always used and not PPTP.
[2]
http://www.microsoft.com/downloads/...familyid=6a1086dc-3bd0-4d65-9b82-20cbe650f974
