R: R: R: [VPN] vpn problem cisco & watchguard

Filippo Carzaniga filippo.carzaniga at query.it
Thu Jan 22 10:35:06 EST 2004


This is the command:

no crypto ipsec nat-transparency udp-encaps


http://www.cisco.com/en/US/products/hw/routers/ps380/prod_bulletin09186a008015d020.html

-----Original message-----
From: Jean-Francois Dive [mailto:jef at linuxbe.org]
Sent: Thursday 22 January 2004 16.23
To: Filippo Carzaniga
Cc: Jean-Francois Dive; Navratil Pavel; vpn at lists.shmoo.com
Subject: Re: R: R: [VPN] vpn problem cisco & watchguard


Well, again, I don't think this is true: TCP based nat traversal, not only
being wrong to do, is not a standard; nat-t / udp is, well, somehow.
Some vendors did implement TCP as a transport protocol (Cisco for
example in its vpn 3000 concentrators), but I really don't think IOS
(routers) does support this; as for watchguard, I would not have a clue.

If both sides do not agree to use nat traversal, they will go over
classic ESP/AH and it will most likely fail to go through nat (NATed esp
/ ike packet handling is very likely to break but may work with some
implementations depending on the settings (ID types for example)).

J.

On Thu, Jan 22, 2004 at 02:38:07PM +0100, Filippo Carzaniga wrote:
> I think that this is the solution.
> The Watchguard firewall uses NAT-T by default, while in the router 837 you can turn off the NAT-T.
> If this is not the same on both, the tunnel will be over TCP payload.
> 
> -----Original message-----
> From: Jean-Francois Dive [mailto:jef at linuxbe.org]
> Sent: Thursday 22 January 2004 14.31
> To: Filippo Carzaniga
> Cc: Jean-Francois Dive; Navratil Pavel; vpn at lists.shmoo.com
> Subject: Re: R: [VPN] vpn problem cisco & watchguard
> 
> 
> I don't believe IOS supports TCP based nat traversal and this is a good
> thing as TCP in TCP is definitely not a way to go.
> (more info, http://sites.inka.de/sites/bigred/devel/tcp-tcp.html)
> 
> On Thu, Jan 22, 2004 at 02:10:03PM +0100, Filippo Carzaniga wrote:
> > I had the same problem.
> > It's very strange. You can transfer the IPsec tunnel over TCP. Disable the NAT-T on the devices.
> > 
> > 
> > -----Original message-----
> > From: Jean-Francois Dive [mailto:jef at linuxbe.org]
> > Sent: Wednesday 21 January 2004 9.24
> > To: Navratil Pavel
> > Cc: vpn at lists.shmoo.com
> > Subject: Re: [VPN] vpn problem cisco & watchguard
> > 
> > 
> > The key point is to know if what the cisco dump says is true or not. Can you
> > pinpoint the traffic/condition that triggers this problem? If you do, a
> > sniffer trace would be very useful, as well as a full enabled debug on the
> > cisco side.
> > 
> > J.
> > 
> > On Mon, Jan 19, 2004 at 12:25:32PM +0100, Navratil Pavel wrote:
> > > You posted this question in VPN mail list:
> > > --------------------------------------
> > > > I have a problem with a cisco router and Watchguard firewall.
> > > > Sometimes the IPsec tunnel drops.
> > > > The log on the router is this:
> > > > %CRYPTO-4-IKMP_PKT_OVERFLOW : ISAKMP message from [IP_address] larger
> > > > ([dec]) than the UDP packet length ([dec])
> > > > Explanation ISAKMP messages are carried in UDP packets and have their
> > > > own message length field. The message length field of this message was
> > > > greater than the length of the UDP packet. This situation could indicate
> > > > a denial-of-service attack.
> > > > Recommended Action Contact the remote peer and the administrator of
> > > > the remote peer.
> > > > 
> > > > The remote watchguard 700/III release 7.0 sp1 seems not to have a problem.
> > > > The cisco is this:
> > > > System image file is "flash:c837-k9o3y6-mz.122-13.ZH2.bin"
> > > > CISCO C837 (MPC857DSL) processor (revision 0x400) with 29492K/3276K
> > > > bytes of memory.
> > > > 
> > > > Please let me know this as soon as possible.
> > > ----------------------------------------------
> > > 
> > > I am just starting to resolve a similar problem on my VPN with an IPsec
> > > connection between CISCO VPN Client and CISCO Router (IOS version
> > > 12.2.15T10) with the same error message.
> > > Did you get any response to your question, or any advice/hint on how to
> > > resolve this problem?
> > > 
> > > Thank you
> > > 
> > > -------------------------------------------------------
> > > Pavel Navratil
> > > Cisco Certified Security Professional         
> > > NEXTRA Czech Republic s.r.o.  - http://www.nextra.cz
> > > V Celnici 10 / CZ - 117 21 Praha 1 / Czech Republic
> > > Tel: +420/2/96 355 111
> > > E-mail: pavel.navratil at nextra.cz
> > > 
> > > Contact address:
> > > Wolkerova 1331 / CZ - 565 01 Chocen / Czech Republic
> > > Tel.: +420/603/279069
> > > See Disclaimer: http://www.nextra.cz/disclaimer/
> > > -------------------------------------------------------
> > >  
> > > _______________________________________________
> > > VPN mailing list
> > > VPN at lists.shmoo.com
> > > http://lists.shmoo.com/mailman/listinfo/vpn
> > 
> > -- 
> > 
> > -> Jean-Francois Dive
> > --> jef at linuxbe.org
> > 
> >   I think that God in creating Man somewhat overestimated his ability.
> >   -- Oscar Wilde
> 

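As an added example (not from this thread, and not Cisco's or Watchguard's code), the sanity check behind the %CRYPTO-4-IKMP_PKT_OVERFLOW message in Pavel's original question, reproduced in Python over constructed packets: it parses the RFC 2408 ISAKMP header, skips the RFC 3948 non-ESP marker that NAT-T puts in front of IKE on UDP/4500, and flags a length field larger than the datagram that carried it. Function and sample names are mine.

```python
import struct

# RFC 2408 fixed ISAKMP header: I-cookie(8) R-cookie(8) next-payload(1)
# version(1) exchange-type(1) flags(1) message-id(4) length(4) = 28 bytes
ISAKMP_HDR = "!8s8sBBBBII"
ISAKMP_HDR_LEN = struct.calcsize(ISAKMP_HDR)
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: IKE on UDP/4500 is prefixed with 4 zero bytes


def check_isakmp_udp_payload(udp_payload: bytes, dst_port: int) -> dict:
    """Apply the length check the router log describes: the ISAKMP length
    field must not claim more bytes than the UDP payload actually delivered."""
    data, nat_t = udp_payload, False
    if dst_port == 4500:  # NAT-T port: tell IKE apart from UDP-encapsulated ESP
        if len(data) < 4:
            return {"ok": False, "nat_t": True, "reason": "runt NAT-T packet"}
        if data[:4] != NON_ESP_MARKER:  # non-zero first word is an ESP SPI
            return {"ok": True, "nat_t": True, "reason": "UDP-encapsulated ESP, not IKE"}
        data, nat_t = data[4:], True
    if len(data) < ISAKMP_HDR_LEN:
        return {"ok": False, "nat_t": nat_t, "reason": "truncated ISAKMP header"}
    *_, length = struct.unpack(ISAKMP_HDR, data[:ISAKMP_HDR_LEN])
    result = {"nat_t": nat_t, "isakmp_len": length, "udp_len": len(data)}
    if length > len(data):
        # The IKMP_PKT_OVERFLOW condition: the header promises more bytes than
        # arrived, so the message cannot be parsed and is dropped.
        result.update(ok=False, reason=f"ISAKMP message larger ({length}) than the UDP packet length ({len(data)})")
    elif length < ISAKMP_HDR_LEN:
        result.update(ok=False, reason="length field smaller than the fixed header")
    else:
        result.update(ok=True, reason="length consistent")
    return result


def build_isakmp(body: bytes, claimed_len=None) -> bytes:
    """Constructed IKEv1 main-mode (exchange type 2) header plus body.
    claimed_len lets a sample forge a length field that disagrees with the payload."""
    length = ISAKMP_HDR_LEN + len(body) if claimed_len is None else claimed_len
    return struct.pack(ISAKMP_HDR, b"\x11" * 8, b"\x00" * 8, 1, 0x10, 2, 0, 0, length) + body


# Constructed samples (not captured traffic)
SAMPLE_GOOD = build_isakmp(b"\x00" * 20)                      # 48-byte datagram, length field 48
SAMPLE_OVERFLOW = build_isakmp(b"\x00" * 20, claimed_len=1500)  # length field 1500, only 48 bytes arrived
SAMPLE_NATT = NON_ESP_MARKER + build_isakmp(b"\x00" * 20)       # the same IKE message on UDP/4500
SAMPLE_ESP_IN_UDP = b"\x00\x00\x01\x02" + b"\xaa" * 32          # non-zero SPI: ESP, no IKE check

if __name__ == "__main__":
    for name, pkt, port in [("good", SAMPLE_GOOD, 500), ("overflow", SAMPLE_OVERFLOW, 500),
                            ("nat-t", SAMPLE_NATT, 4500), ("esp-in-udp", SAMPLE_ESP_IN_UDP, 4500)]:
        print(name, check_isakmp_udp_payload(pkt, port))
```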


