Wireshark-users: Re: [Wireshark-users] Help With EPS/ISAKMP
From: Martin Visser <martinvisser99@xxxxxxxxx>
Date: Tue, 23 Jun 2009 10:23:35 +1000
Josue,

From your netstat output it looks like you have a Windows machine. The netstat output actually shows that the process with PID 476 is listening. (For some reason on Windows, UDP bound processes don't show a LISTENING state). If you run "netstat -abo" you should actually see the name of the process, which probably will be IKEEXT.

My suggestion is to increase your audit/log level. I am not really all that familiar with Windows hosted VPNs but http://blogs.isaserver.org/pouseele/2007/07/07/basic-troubleshooting-for-ipsec-based-vpns/ seems useful.

Regards, Martin

MartinVisser99@xxxxxxxxx

On Tue, Jun 23, 2009 at 3:09 AM, Josue Del Valle <jodelvalle@xxxxxxxxxxxxxxx> wrote:
>
> Thanks for your reply.
>
> I do not have any firewall installed on the server. Shouldn't it be able to listen on port 500? If I do a netstat on the server I get the following:
>
> Proto  Local Address  Foreign Address  State  PID
> UDP    0.0.0.0:500    *:*                     476
>
> -----Original Message-----
> From: Martin Visser [mailto:martinvisser99@xxxxxxxxx]
> Sent: 2009-06-21 10:57 PM
> To: Community support list for Wireshark
> Cc: Josue Del Valle
> Subject: Re: [Wireshark-users] Help With EPS/ISAKMP
>
> Josue,
>
> Your capture is showing that your client 192.168.15.3 is trying to initiate key exchange using ISAKMP at 0, 8 and 24 seconds into the packet capture. Your capture isn't showing any responses, and the almost integral second intervals of the requests strongly indicate a client timeout retrying to a non-response.
>
> You probably need to verify that your server is listening on UDP port 500 for ISAKMP/IKE traffic. Note that UDP port 500 is reserved for non-NATted traffic, UDP 4500 for NAT traversal.
>
> Unless your server responds there is not much further to say. (Your server to debug or other logging configured on to see the incoming IKE attempt)
>
> Regards, Martin
>
> MartinVisser99@xxxxxxxxx
>
> On Fri, Jun 19, 2009 at 12:15 AM, Josue Del Valle <jodelvalle@xxxxxxxxxxxxxxx> wrote:
>> This is what's getting logged on the firewall:
>>
>> 6|Jun 18 2009|05:50:16|302015|WebServer|500|AppServer|500|Built inbound UDP connection 34986 for dmz1:WebServer/500 (WebServer/500) to inside:AppServer/500 (AppServer/500)
>>
>> 2|Jun 18 2009|05:50:16|106100|WebServer|500|AppServer|500|access-list dmz_access_in permitted udp dmz1/WebServer(500) -> inside/AppServer(500) hit-cnt 1 first hit [0xba28b9ac, 0x0]
>>
>> -----Original Message-----
>> From: Alex Nedelcu [mailto:alexpheno@xxxxxxxxx]
>> Sent: 2009-06-18 4:45 AM
>> To: Community support list for Wireshark
>> Subject: [SPAM] - Re: [Wireshark-users] Help With EPS/ISAKMP - Email found in subject
>>
>> Can you attach some packet captures and the relevant logs from the servers?
>> As Robert said you should also first check if there is some sort of firewall dropping ESP (IP protocol 50).
>>
>> On Wed, Jun 17, 2009 at 11:20 PM, Robert D. Scott <robert@xxxxxxx> wrote:
>>> Sounds like an ACL or firewall between the DMZ and the other network dropping ESP.
>>>
>>> Robert D. Scott          Robert@xxxxxxx
>>> Senior Network Engineer  352-273-0113 Phone
>>> CNS - Network Services   352-392-2061 CNS Phone Tree
>>> University of Florida    352-392-9440 FAX
>>> Florida Lambda Rail      352-294-3571 FLR NOC
>>> Gainesville, FL 32611    321-663-0421 Cell
>>>
>>> -----Original Message-----
>>> From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Josue Del Valle
>>> Sent: Wednesday, June 17, 2009 4:16 PM
>>> To: wireshark-users@xxxxxxxxxxxxx
>>> Subject: [Wireshark-users] Help With EPS/ISAKMP
>>>
>>> Hi,
>>>
>>> I was hoping someone could help me with this issue. I have configured IPSec on two Windows 2003 servers using certificates as the authentication. If I run Wireshark from one of the servers while having both servers on the same network, I can see a bunch of ESP, which indicates to me that the traffic is encrypted between the two servers. If I move one of the servers to another network (DMZ) and try to communicate with the server located on the trusted network, I can't, and instead of getting ESP packets all I see is ISAKMP packets. I have not changed anything on the IPsec except the IP for the server that has been moved to the DMZ. The trusted network has a 192.168.10.X subnet and the one on the DMZ is 192.168.20.X.
>>>
>>> If I remove IPSec I can communicate from the DMZ to the LAN as intended, which indicates routing on the firewall is working fine. I know it is kind of confusing, but I'm trying to figure out why Wireshark shows ESP packets when the server is on the LAN and ISAKMP packets when the server is moved to the DMZ.
>>>
>>> Thanks,
>>>
>>> Josue
>>>
>>> ___________________________________________________________________________
>>> Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
>>> Archives: http://www.wireshark.org/lists/wireshark-users
>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
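The reasoning Martin applies above (IKE requests at 0, 8 and 24 seconds with no reply point at an unanswered responder; a reply with no ESP afterwards points at protocol 50 being dropped) as an added triage script, not code from anyone in this thread. It assumes tshark-style one-line packet summaries; the two captures below are constructed for illustration, and the hosts and SPIs in them are made up.

```python
import re
from collections import defaultdict

# Constructed tshark-style summary lines (illustrative, not the original capture):
# "<frame> <time> <src> -> <dst> <protocol> <info>"
SILENT_PEER = """\
1 0.000000 192.168.15.3 -> 192.168.10.5 ISAKMP Identity Protection (Main Mode)
2 8.003210 192.168.15.3 -> 192.168.10.5 ISAKMP Identity Protection (Main Mode)
3 24.010055 192.168.15.3 -> 192.168.10.5 ISAKMP Identity Protection (Main Mode)
"""
WORKING_PEER = """\
1 0.000000 192.168.10.7 -> 192.168.10.5 ISAKMP Identity Protection (Main Mode)
2 0.004100 192.168.10.5 -> 192.168.10.7 ISAKMP Identity Protection (Main Mode)
3 0.210000 192.168.10.7 -> 192.168.10.5 ESP ESP (SPI=0x1a2b3c4d)
4 0.215000 192.168.10.5 -> 192.168.10.7 ESP ESP (SPI=0x9f8e7d6c)
"""
LINE = re.compile(r"^\s*(\d+)\s+([\d.]+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*(.*)$")

def parse(text):
    """Turn summary lines into (time, src, dst, proto) tuples; ignore anything else."""
    return [(float(m[2]), m[3], m[4], m[5]) for m in map(LINE.match, text.splitlines()) if m]

def triage(rows):
    """Per IKE initiator/responder pair: retries, whether answered, whether ESP followed."""
    ike = defaultdict(list)   # (src, dst) -> ISAKMP timestamps seen in that direction
    esp = set()               # (src, dst) pairs that carried ESP
    for t, src, dst, proto in rows:
        if proto == "ISAKMP":
            ike[(src, dst)].append(t)
        elif proto == "ESP":
            esp.add((src, dst))
    findings = {}
    for (src, dst), times in ike.items():
        reverse = ike.get((dst, src))
        if reverse and reverse[0] < times[0]:
            continue   # this side only replied; it is reported under the initiator
        gaps = [round(b - a, 1) for a, b in zip(times, times[1:])]  # 8, 16, ... = retry backoff
        esp_seen = (src, dst) in esp or (dst, src) in esp
        if not reverse:
            verdict = "no IKE reply: confirm responder listens on UDP/500 (4500 if NATted) and UDP/500 is permitted"
        elif not esp_seen:
            verdict = "IKE answered but no ESP: confirm IP protocol 50 is permitted between the networks"
        else:
            verdict = "IKE completed and ESP flowing"
        findings[(src, dst)] = {"attempts": len(times), "retry_gaps": gaps,
                                "answered": bool(reverse), "esp": esp_seen, "verdict": verdict}
    return findings
```

Run `triage(parse(...))` over the text output of `tshark -r capture.pcap` filtered to `isakmp || esp`; the retry_gaps field makes the doubling timeout pattern Martin spotted visible without reading frame by frame.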