Robert Hanlon
Thanks to all that posted.
Here is some more information.
Perhaps I'm not supplying a tunnel endpoint and I should be?
I'm not trying to VPN from behind the NAT. Although I get the same result.
The attempt at a VPN connection results with the client message that the
server did not respond. However the ipsecmon shows positive activity on
both client and server.
Also, I have applied the Microsoft update to L2TP/IPsec to both machines
prior to testing.
I had previously removed all auth. methods save:
ESP DES/CFB HMAC MD5
on both machines. In order to simplify the connection troubleshooting.
Some of the output I am getting from ipsecmon on both machines follows:
Active Associations: 2
Confidential Bytes Sent: (steadily increasing number as I attempt to
connect, ping, etc)
Confidential Bytes Received: (same)
Authenticated Bytes Sent: (same)
Authenticated Bytes Received: (same)
Oakley Main Mode and Quick Mode numbers increase as well. No soft
associations and no failures.
I've run netdiag /test:ipsec /debug and > the output to a file. Here's the
trimmed output. The tests above the starting point below all indicate
passed:
IP Security test . . . . . . . . . : Passed
Local IPSec Policy Active: 'Partner Test'
IP Security Policy Path:
SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{E765648B-F8E6-4CCD-8AEF-D65EBD285C48}
There are 4 filters
From B to A
Filter Id: {8AC186A5-B01B-4B1F-A99F-97A6629A354E}
Policy Id: {011C7329-E0A7-4526-A2AF-35E7C63775BA}
IPSEC_POLICY PolicyId = {011C7329-E0A7-4526-A2AF-35E7C63775BA}
Flags: 0x0
Tunnel Addr: 0.0.0.0
PHASE 2 OFFERS Count = 1
Offer #0:
ESP[ DES MD5 HMAC]
Rekey: 3600 seconds / 100000 bytes.
AUTHENTICATION INFO Count = 1
Method = Cert: [email protected], C=US, S=NY, L=Ithaca, O=Cornell
University, OU=Day Hall IT, CN=Day Hall Cert One
Src Addr : 132.236.247.198 Src Mask : 255.255.255.255
Dest Addr : 192.168.1.2 Dest Mask : 255.255.255.255
Tunnel Addr : 0.0.0.0 Src Port : 0 Dest Port : 0
Protocol : 0 TunnelFilter: No
Flags : Outbound
From A to B
Filter Id: {42C434DE-2294-44DC-B1D5-56EF1E3DE935}
Policy Id: {88046FF1-FF58-4493-B104-6254450041F5}
IPSEC_POLICY PolicyId = {88046FF1-FF58-4493-B104-6254450041F5}
Flags: 0x0
Tunnel Addr: 0.0.0.0
PHASE 2 OFFERS Count = 1
Offer #0:
ESP[ DES MD5 HMAC]
Rekey: 3600 seconds / 100000 bytes.
AUTHENTICATION INFO Count = 1
Method = Cert: [email protected], C=US, S=NY, L=Ithaca, O=Cornell
University, OU=Day Hall IT, CN=Day Hall Cert One
Src Addr : 192.168.1.2 Src Mask : 255.255.255.255
Dest Addr : 132.236.247.198 Dest Mask : 255.255.255.255
Tunnel Addr : 0.0.0.0 Src Port : 0 Dest Port : 0
Protocol : 0 TunnelFilter: No
Flags : Inbound
ICMP
Filter Id: {DEA4949B-4FAF-4D07-9BA2-C9498ADCB7AE}
Policy Id: {8FB80E46-9A1E-4712-A320-4D6DC16C98EE}
IPSEC_POLICY PolicyId = {8FB80E46-9A1E-4712-A320-4D6DC16C98EE}
Flags: 0x0
Tunnel Addr: 0.0.0.0
PHASE 2 OFFERS Count = 1
Offer #0:
ESP[ DES MD5 HMAC]
Rekey: 3600 seconds / 100000 bytes.
AUTHENTICATION INFO Count = 1
Method = Cert: [email protected], C=US, S=NY, L=Ithaca, O=Cornell
University, OU=Day Hall IT, CN=Day Hall Cert One
Src Addr : 132.236.247.198 Src Mask : 255.255.255.255
Dest Addr : 0.0.0.0 Dest Mask : 0.0.0.0
Tunnel Addr : 0.0.0.0 Src Port : 0 Dest Port : 0
Protocol : 1 TunnelFilter: No
Flags : Outbound
ICMP - Mirror
Filter Id: {DEA4949B-4FAF-4D07-9BA2-C9498ADCB7AE}
Policy Id: {8FB80E46-9A1E-4712-A320-4D6DC16C98EE}
IPSEC_POLICY PolicyId = {8FB80E46-9A1E-4712-A320-4D6DC16C98EE}
Flags: 0x0
Tunnel Addr: 0.0.0.0
PHASE 2 OFFERS Count = 1
Offer #0:
ESP[ DES MD5 HMAC]
Rekey: 3600 seconds / 100000 bytes.
AUTHENTICATION INFO Count = 1
Method = Cert: [email protected], C=US, S=NY, L=Ithaca, O=Cornell
University, OU=Day Hall IT, CN=Day Hall Cert One
Src Addr : 0.0.0.0 Src Mask : 0.0.0.0
Dest Addr : 132.236.247.198 Dest Mask : 255.255.255.255
Tunnel Addr : 0.0.0.0 Src Port : 0 Dest Port : 0
Protocol : 1 TunnelFilter: No
Flags : Inbound
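
An added example, not part of the original post: a small Python parser for the filter section of a `netdiag /test:ipsec /debug` dump that reports each filter's mode, protocol, direction and any single-DES or MD5 offers. The sample input is constructed in the layout shown above with documentation addresses and placeholder GUIDs; treating any `TunnelFilter` value other than `No` as tunnel mode is an assumption.

```python
import re

# Constructed sample in the layout of the dump above (not the poster's data).
SAMPLE = """\
Site to peer
Filter Id: {00000000-0000-0000-0000-000000000001}
Offer #0:
ESP[ DES MD5 HMAC]
Src Addr : 192.0.2.10 Src Mask : 255.255.255.255
Dest Addr : 198.51.100.2 Dest Mask : 255.255.255.255
Tunnel Addr : 0.0.0.0 Src Port : 0 Dest Port : 0
Protocol : 0 TunnelFilter: No
Flags : Outbound
ICMP
Filter Id: {00000000-0000-0000-0000-000000000002}
Offer #0:
ESP[ 3DES SHA1 HMAC]
Src Addr : 192.0.2.10 Src Mask : 255.255.255.255
Dest Addr : 0.0.0.0 Dest Mask : 0.0.0.0
Tunnel Addr : 0.0.0.0 Src Port : 0 Dest Port : 0
Protocol : 1 TunnelFilter: No
Flags : Inbound
"""

WEAK = {"DES", "MD5"}  # single DES and HMAC-MD5 are obsolete choices
PROTO = {0: "any", 1: "ICMP", 6: "TCP", 17: "UDP"}  # IP protocol numbers; 0 = any

def parse_filters(text):
    """Return one dict per filter; a filter starts at its 'Filter Id:' line."""
    filters, prev = [], ""
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Filter Id:"):
            # The filter's display name is the line just before 'Filter Id:'.
            filters.append({"name": prev, "offers": [], "weak": set()})
        elif filters:
            f = filters[-1]
            if m := re.match(r"(ESP|AH)\[\s*(.*?)\s*\]", line):
                algs = m.group(2).split()
                f["offers"].append(algs)
                f["weak"] |= WEAK & set(algs)
            elif m := re.match(r"(Src|Dest) Addr\s*:\s*(\S+)\s+\1 Mask\s*:\s*(\S+)", line):
                f[m.group(1).lower()] = (m.group(2), m.group(3))
            elif m := re.match(r"Protocol\s*:\s*(\d+)\s+TunnelFilter:\s*(\w+)", line):
                f["protocol"] = PROTO.get(int(m.group(1)), m.group(1))
                # Assumption: anything other than 'No' means a tunnel filter.
                f["mode"] = "transport" if m.group(2) == "No" else "tunnel"
            elif m := re.match(r"Flags\s*:\s*(Inbound|Outbound)", line):
                f["direction"] = m.group(1)
        prev = line or prev
    return filters
```

Run over a saved dump, `parse_filters(open(path).read())` gives one record per filter, which makes it easy to compare the client's and server's filter lists side by side.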