R: [VPN] vpn problem cisco & watchguard
Jean-Francois Dive
jef at linuxbe.org
Thu Jan 22 08:31:23 EST 2004
I don't believe IOS supports TCP-based NAT traversal, and this is a good
thing, as TCP in TCP is definitely not a way to go.
(more info, http://sites.inka.de/sites/bigred/devel/tcp-tcp.html)
On Thu, Jan 22, 2004 at 02:10:03PM +0100, Filippo Carzaniga wrote:
> I had the same problem.
> It's very strange. You can transfer the IPsec tunnel over TCP. Disable NAT-T on the devices.
>
>
> -----Original Message-----
> From: Jean-Francois Dive [mailto:jef at linuxbe.org]
> Sent: Wednesday, 21 January 2004 9.24
> To: Navratil Pavel
> Cc: vpn at lists.shmoo.com
> Subject: Re: [VPN] vpn problem cisco & watchguard
>
>
> The key point is to know whether what the Cisco dumps is true or not. Can you
> pinpoint the traffic/condition that triggers this problem? If you do, a
> sniffer trace would be very useful, as well as fully enabled debug on the
> Cisco side.
>
> J.
>
> On Mon, Jan 19, 2004 at 12:25:32PM +0100, Navratil Pavel wrote:
> > You posted this question in VPN mail list:
> > --------------------------------------
> > > I have a problem with a Cisco router and a WatchGuard firewall.
> > > Sometimes the IPsec tunnel drops.
> > > The log on the router is this:
> > > %CRYPTO-4-IKMP_PKT_OVERFLOW : ISAKMP message from [IP_address] larger
> > ([dec]) than the UDP packet length ([dec])
> > > Explanation ISAKMP messages are carried in UDP packets and have their
> > own message length field. The message length field of this message was
> > greater than the length of the UDP packet. This situation could indicate
> > a denial-of-service attack.
> > > Recommended Action Contact the remote peer and the administrator of
> > the remote peer.
> > >
> > > The remote WatchGuard 700/III release 7.0 SP1 seems not to have a problem.
> > > The Cisco is this:
> > > System image file is "flash:c837-k9o3y6-mz.122-13.ZH2.bin"
> > > CISCO C837 (MPC857DSL) processor (revision 0x400) with 29492K/3276K
> > bytes of memory.
> > >
> > > Please let me
> > > know this as soon as possible.
> > ----------------------------------------------
> >
> > I am just starting to resolve a similar problem on my VPN with an IPsec
> > connection between CISCO VPN Client and CISCO Router (IOS version
> > 12.2.15T10) with the same error message.
> > Did you have any response for your answer or any advice/hint on how to
> > resolve this problem?
> >
> > Thank you
> >
> > -------------------------------------------------------
> > Pavel Navratil
> > Cisco Certified Security Professional
> > NEXTRA Czech Republic s.r.o. - http://www.nextra.cz
> > V Celnici 10 / CZ - 117 21 Praha 1 / Czech Republic
> > Tel: +420/2/96 355 111
> > E-mail: pavel.navratil at nextra.cz
> >
> > Contact address:
> > Wolkerova 1331 / CZ - 565 01 Chocen / Czech Republic
> > Tel.: +420/603/279069
> > See Disclaimer: http://www.nextra.cz/disclaimer/
> > -------------------------------------------------------
> >
> > _______________________________________________
> > VPN mailing list
> > VPN at lists.shmoo.com
> > http://lists.shmoo.com/mailman/listinfo/vpn
>
> --
>
> -> Jean-Francois Dive
> --> jef at linuxbe.org
>
> I think that God in creating Man somewhat overestimated his ability.
> -- Oscar Wilde
--
-> Jean-Francois Dive
--> jef at linuxbe.org
I think that God in creating Man somewhat overestimated his ability.
-- Oscar Wilde
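
The length check that the quoted %CRYPTO-4-IKMP_PKT_OVERFLOW explanation describes, as an added example that is not part of the original thread and not Cisco's code: it compares the ISAKMP header's length field with the bytes actually carried in a UDP payload taken from a sniffer trace. The function names and sample bytes are constructed for illustration, and the UDP 4500 branch assumes NAT-T framing with the 4-byte non-ESP marker from RFC 3948.

```python
import struct

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # 28-byte fixed header (RFC 2408, section 3.1)
NON_ESP_MARKER = b"\x00" * 4               # precedes IKE on UDP 4500 with NAT-T (RFC 3948)


def check_isakmp_length(udp_payload, udp_port=500):
    """Return (verdict, declared_length, received_length) for one UDP payload."""
    data = udp_payload
    if udp_port == 4500:
        if data[:4] != NON_ESP_MARKER:
            return ("not-ike", None, len(data))    # UDP-encapsulated ESP, not ISAKMP
        data = data[4:]                            # strip the marker before parsing
    if len(data) < ISAKMP_HDR.size:
        return ("short-header", None, len(data))   # too short to hold a length field
    declared = ISAKMP_HDR.unpack_from(data)[7]     # last field: total message length
    if declared < ISAKMP_HDR.size:
        return ("bad-length", declared, len(data))
    if declared > len(data):
        return ("overflow", declared, len(data))   # the condition the router logged
    if declared < len(data):
        return ("trailing-bytes", declared, len(data))
    return ("ok", declared, len(data))


def build_isakmp(body, declared=None):
    """Constructed sample: IKEv1 main-mode header followed by an opaque body."""
    total = ISAKMP_HDR.size + len(body)
    header = ISAKMP_HDR.pack(b"\x11" * 8, b"\x00" * 8,  # initiator / responder cookie
                             1, 0x10, 2, 0, 0,          # next payload, version, exchange, flags, msg id
                             total if declared is None else declared)
    return header + body


if __name__ == "__main__":
    good = build_isakmp(b"A" * 100)
    samples = [
        ("well-formed, port 500", good, 500),
        ("length field larger than datagram", build_isakmp(b"A" * 100, declared=1500), 500),
        ("datagram cut short in transit", good[:60], 500),
        ("NAT-T framed, port 4500", NON_ESP_MARKER + good, 4500),
    ]
    for label, payload, port in samples:
        print(label, "->", check_isakmp_length(payload, port))
```

Run against each ISAKMP datagram in the trace, the verdict separates a peer that declares too large a length from a datagram that arrived shorter than it was sent.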