paul
I have two Windows 2000 SP4 (Hosts A&B) configured identically
to do L2TP/IPSec to a Windows 2003 (Host-C) box.
(Yes, I installed the 128-bit encryption pack and NAT-T patches on both)
Host-A works.
Host-B does not.
Host-B gets stuck on Oakley.
It sends the first Oakley packet successfully, but the
responder (Host-C) does not reply.
Looks like a filter is stopping it.
I have no idea why one host works and another one does not.
I tried flushing the NAT tables every time.
I tried searching IPSec Policies for any filters.
I tried searching RRAS for any filters.
I ran tcpdump and I'm sure no packets are leaving Host-C.
Has anyone seen this behavior?
Diagram:
Host-A & B                                                   Host-C
Initiator <---> NAT Box <---> Internet <---> NAT Box <--> Responder
68.227.86.101                                         192.168.23.132
Here is Oakley.log on the Responder (Host-C, Windows 2003):
This stanza just repeats over and over until the
negotiation times out.
12-30: 21:08:01:859:fcc Receive: (get) SA = 0x00000000 from 68.227.86.101.500
12-30: 21:08:01:859:fcc ISAKMP Header: (V1.0), len = 292
12-30: 21:08:01:859:fcc I-COOKIE e7731123ba0f3a44
12-30: 21:08:01:859:fcc R-COOKIE 0000000000000000
12-30: 21:08:01:859:fcc exchange: Oakley Main Mode
12-30: 21:08:01:859:fcc flags: 0
12-30: 21:08:01:859:fcc next payload: SA
12-30: 21:08:01:859:fcc message ID: 00000000
12-30: 21:08:01:859:fcc Filter to match: Src 68.227.86.101 Dst 192.168.23.132
12-30: 21:08:01:859:fcc MatchMMFilter failed 13013
12-30: 21:08:01:859:fcc Responding with new SA 0
12-30: 21:08:01:859:fcc HandleFirstPacketResponder failed 3601.
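Added example, not part of the original post: a small parser for the Oakley.log stanza shape shown above that groups main-mode attempts per (Src, Dst) filter pair and reports which peers never get past the MatchMMFilter step, so a responder-side admin can tell "no matching MM filter for this peer" apart from other failures at a glance. The second stanza (from 203.0.113.7) is constructed to stand in for a peer whose filter matches; the error codes are reported verbatim, not interpreted.

```python
import re
from collections import defaultdict

# Oakley.log line shape taken from the post: "MM-DD: HH:MM:SS:mmm:tid message"
LINE_RE = re.compile(r"^(\d\d-\d\d): (\d\d:\d\d:\d\d:\d{3}):([0-9a-f]+) (.*)$")
FILTER_RE = re.compile(r"Filter to match: Src (\S+) Dst (\S+)")
FAIL_RE = re.compile(r"(MatchMMFilter|HandleFirstPacketResponder) failed (\d+)")

# Constructed sample: the post's stanza twice (it repeats until timeout),
# plus one constructed stanza for a peer with no failure lines.
SAMPLE_LOG = """\
12-30: 21:08:01:859:fcc Receive: (get) SA = 0x00000000 from 68.227.86.101.500
12-30: 21:08:01:859:fcc ISAKMP Header: (V1.0), len = 292
12-30: 21:08:01:859:fcc exchange: Oakley Main Mode
12-30: 21:08:01:859:fcc Filter to match: Src 68.227.86.101 Dst 192.168.23.132
12-30: 21:08:01:859:fcc MatchMMFilter failed 13013
12-30: 21:08:01:859:fcc Responding with new SA 0
12-30: 21:08:01:859:fcc HandleFirstPacketResponder failed 3601.
12-30: 21:08:03:870:fcc Receive: (get) SA = 0x00000000 from 68.227.86.101.500
12-30: 21:08:03:870:fcc Filter to match: Src 68.227.86.101 Dst 192.168.23.132
12-30: 21:08:03:870:fcc MatchMMFilter failed 13013
12-30: 21:08:03:870:fcc HandleFirstPacketResponder failed 3601.
12-30: 21:09:10:102:a1c Receive: (get) SA = 0x00000000 from 203.0.113.7.500
12-30: 21:09:10:102:a1c Filter to match: Src 203.0.113.7 Dst 192.168.23.132
12-30: 21:09:10:102:a1c Responding with new SA 0
"""

def summarize_mm_attempts(log_text):
    """Per (src, dst): number of main-mode attempts and a tally of failure lines."""
    current = {}  # thread id -> (src, dst) of the stanza currently being read
    summary = defaultdict(lambda: {"attempts": 0, "failures": defaultdict(int)})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # wrapped continuation lines carry no timestamp prefix
        tid, msg = m.group(3), m.group(4)
        if msg.startswith("Receive:"):
            current.pop(tid, None)  # new stanza on this thread
        f = FILTER_RE.search(msg)
        if f:
            current[tid] = (f.group(1), f.group(2))
            summary[current[tid]]["attempts"] += 1
        e = FAIL_RE.search(msg)
        if e and tid in current:
            summary[current[tid]]["failures"][f"{e.group(1)} {e.group(2)}"] += 1
    return summary

def peers_with_no_matching_filter(log_text):
    """(src, dst) pairs where every attempt failed at MatchMMFilter."""
    summary = summarize_mm_attempts(log_text)
    return sorted(pair for pair, s in summary.items()
                  if sum(n for k, n in s["failures"].items()
                         if k.startswith("MatchMMFilter")) == s["attempts"])
```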