R: [VPN] vpn problem cisco & watchguard

Jean-Francois Dive jef at linuxbe.org
Thu Jan 22 08:31:23 EST 2004


I don't believe IOS supports TCP-based NAT traversal, and this is a good
thing, as TCP in TCP is definitely not the way to go.
(more info: http://sites.inka.de/sites/bigred/devel/tcp-tcp.html)

On Thu, Jan 22, 2004 at 02:10:03PM +0100, Filippo Carzaniga wrote:
> I had the same problem.
> It's very strange. You can transfer the IPsec tunnel over TCP. Disable NAT-T on the devices.
> 
> 
> -----Original Message-----
> From: Jean-Francois Dive [mailto:jef at linuxbe.org]
> Sent: Wednesday 21 January 2004 9.24
> To: Navratil Pavel
> Cc: vpn at lists.shmoo.com
> Subject: Re: [VPN] vpn problem cisco & watchguard
> 
> 
> The key point is to know whether what the Cisco dump says is true or not. Can you
> pinpoint the traffic/condition that triggers this problem? If you do, a
> sniffer trace would be very useful, as well as full debug enabled on the
> Cisco side.
> 
> J.
> 
> On Mon, Jan 19, 2004 at 12:25:32PM +0100, Navratil Pavel wrote:
> > You posted this question in VPN mail list:
> > --------------------------------------
> > > I have a problem with a Cisco router and Watchguard firewall.
> > > Sometimes the IPsec tunnel drops.
> > > The log on the router is this:
> > > %CRYPTO-4-IKMP_PKT_OVERFLOW : ISAKMP message from [IP_address] larger
> > > ([dec]) than the UDP packet length ([dec])
> > > Explanation: ISAKMP messages are carried in UDP packets and have their
> > > own message length field. The message length field of this message was
> > > greater than the length of the UDP packet. This situation could indicate
> > > a denial-of-service attack.
> > > Recommended Action: Contact the remote peer and the administrator of
> > > the remote peer.
> > >
> > > The remote Watchguard 700/III release 7.0 SP1 seems not to have a problem.
> > > The Cisco is this:
> > > System image file is "flash:c837-k9o3y6-mz.122-13.ZH2.bin"
> > > CISCO C837 (MPC857DSL) processor (revision 0x400) with 29492K/3276K
> > > bytes of memory.
> > >
> > > Please let me
> > > know about this as soon as possible.
> > ----------------------------------------------
> > 
> > I am just starting to resolve a similar problem on my VPN with an IPsec
> > connection between a Cisco VPN Client and a Cisco Router (IOS version
> > 12.2.15T10) with the same error message.
> > Did you get any response to your question, or any advice/hint on how to
> > resolve this problem?
> > 
> > Thank you
> > 
> > -------------------------------------------------------
> > Pavel Navratil
> > Cisco Certified Security Professional         
> > NEXTRA Czech Republic s.r.o.  - http://www.nextra.cz
> > V Celnici 10 / CZ - 117 21 Praha 1 / Czech Republic
> > Tel: +420/2/96 355 111
> > E-mail: pavel.navratil at nextra.cz
> > 
> > Contact address:
> > Wolkerova 1331 / CZ - 565 01 Chocen / Czech Republic
> > Tel.: +420/603/279069
> > See Disclaimer: http://www.nextra.cz/disclaimer/
> > -------------------------------------------------------
> >  
> > _______________________________________________
> > VPN mailing list
> > VPN at lists.shmoo.com
> > http://lists.shmoo.com/mailman/listinfo/vpn
> 
> -- 
> 
> -> Jean-Francois Dive
> --> jef at linuxbe.org
> 
>   I think that God in creating Man somewhat overestimated his ability.
>   -- Oscar Wilde

-- 

-> Jean-Francois Dive
--> jef at linuxbe.org

  I think that God in creating Man somewhat overestimated his ability.
  -- Oscar Wilde
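The %CRYPTO-4-IKMP_PKT_OVERFLOW condition quoted in the thread is a sanity check on the ISAKMP header: the message's own length field must not exceed the UDP datagram that carried it. The following is an added example, not code from the thread or from Cisco; it implements that check on raw UDP payloads (including the NAT-T non-ESP marker on UDP/4500), renders the result in the quoted IOS log format, and builds constructed sample packets to exercise it.

```python
import struct

ISAKMP_HDR_LEN = 28                    # fixed ISAKMP header size (RFC 2408)
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # NAT-T: IKE on UDP/4500 is prefixed with 4 zero bytes


def check_isakmp_length(udp_payload, udp_port=500):
    """Compare the ISAKMP header length field with the UDP payload actually received.

    Returns (length_field, udp_len, overflow). overflow is True when the message
    claims to be longer than the datagram that carried it, which is exactly the
    condition the quoted %CRYPTO-4-IKMP_PKT_OVERFLOW message reports; such a
    packet must be dropped rather than parsed as if the missing bytes existed.
    """
    data = udp_payload
    if udp_port == 4500:
        # UDP-encapsulated IKE (NAT-T) carries a non-ESP marker before the header.
        if not data.startswith(NON_ESP_MARKER):
            raise ValueError("UDP/4500 payload without non-ESP marker: ESP, not IKE")
        data = data[len(NON_ESP_MARKER):]
    if len(data) < ISAKMP_HDR_LEN:
        raise ValueError("truncated ISAKMP header")
    # Header layout: I-SPI(8) R-SPI(8) next payload(1) version(1) exchange(1)
    #                flags(1) message id(4) length(4)   -- all network byte order
    *_, length = struct.unpack("!8s8sBBBBII", data[:ISAKMP_HDR_LEN])
    return length, len(data), length > len(data)


def ios_style_log(src_ip, udp_payload, udp_port=500):
    """Render the check as the IOS syslog line quoted in the thread; None when the packet is sane."""
    length, udp_len, overflow = check_isakmp_length(udp_payload, udp_port)
    if not overflow:
        return None
    return ("%%CRYPTO-4-IKMP_PKT_OVERFLOW : ISAKMP message from %s larger (%d) "
            "than the UDP packet length (%d)" % (src_ip, length, udp_len))


def build_isakmp(length_field, body_len):
    """Constructed sample: an IKEv1 Main Mode (exchange type 2) header plus body_len zero bytes."""
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, 1, 0x10, 2, 0, 0, length_field)
    return hdr + b"\x00" * body_len


if __name__ == "__main__":
    good = build_isakmp(ISAKMP_HDR_LEN + 100, 100)
    bad = build_isakmp(ISAKMP_HDR_LEN + 200, 100)   # claims 100 bytes more than it carries
    print(check_isakmp_length(good))                 # (128, 128, False)
    print(ios_style_log("192.0.2.10", bad))          # constructed source address
    print(ios_style_log("192.0.2.10", NON_ESP_MARKER + bad, udp_port=4500))
```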


