PIX IPSec to Win2K L2TP preshared key and NAT-T

babbott, Level 1

I cannot get this to work. The TAC advised to remove the "30 match address l2tp" on the dynamic map, but it still doesn't work.

The Win2K config contains a single filter:

source myip/anyport dest any/port 1701

As you can see, phase 1 completes fine, and so does phase 2 after the "30 match address al" is removed; phase 1 completes either way.

PIX config is:

access-list al permit udp host outIP eq 1701 any eq 1701
ip local pool pool2 192.168.200.1-192.168.200.254
sysopt connection permit-ipsec
sysopt connection permit-l2tp
crypto ipsec transform-set espl2tp esp-des esp-md5-hmac
crypto ipsec transform-set espl2tp mode transport
crypto dynamic-map tr 30 match address al
crypto dynamic-map tr 30 set pfs group2
crypto dynamic-map tr 30 set transform-set espl2tp
crypto map to 30 ipsec-isakmp dynamic tr
crypto map to interface outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local pool2 outside
isakmp nat-traversal 20
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption des
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 3600
vpdn group 1 accept dialin l2tp
vpdn group 1 ppp authentication chap
vpdn group 1 client configuration address local pool2
vpdn group 1 client configuration dns bbbb
vpdn group 1 client configuration wins gggg
vpdn enable outside
vpdn group 1 client authentication local
vpdn group 1 l2tp tunnel hello 60
vpdn username **** password *********

After removing the "30 match address al", the debug produced:

ISAKMP (0): SA has been authenticated
ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 0
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:203.38.156.63/63799 Total VPN Peers:4
VPN Peer: ISAKMP: Peer ip:203.38.156.63/63799 Ref cnt incremented to:1 Total VPN Peers:4
crypto_isakmp_process_block:src:203.38.156.63, dest:outIP spt:63799 dpt:4500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 3314659496
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_DES
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x1 0x86 0xa0
ISAKMP: encaps is 61444
ISAKMP: authenticator is HMAC-MD5
ISAKMP: group is 2
ISAKMP (0): atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= outIP, src= 203.38.156.63,
dest_proxy= outIP/255.255.255.255/0/0 (type=1),
src_proxy= 203.38.156.63/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x820
ISAKMP (0): processing KE payload. message ID = 3314659496
ISAKMP (0): processing NONCE payload. message ID = 3314659496
ISAKMP (0): processing ID payload. message ID = 3314659496
ISAKMP (0): unknown src id_type 2
return status is IKMP_ERR_RETRANS
crypto_isakmp_process_block:src:203.38.156.63, dest:outIP spt:63799 dpt:4500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
crypto_isakmp_process_block:src:203.38.156.63, dest:outIP spt:63799 dpt:4500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
crypto_isakmp_process_block:src:203.38.156.63, dest:outIP spt:63799 dpt:4500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
crypto_isakmp_process_block:src:203.38.156.63, dest:outIP spt:63799 dpt:4500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response

As you can see, the PIX sent a response, but it appears it didn't get there or was ignored.

I have searched everywhere for help on this, but have been unable to find anything that shows what the Win2K filter setup should be, and none of the articles refer to NAT-T.

Any ideas? Can anyone help?

4 Replies

umedryk, Level 5

Hi,

you can just add "no-config-mode" and check if it works, not sure though...

Thanks for the idea, but it will not work because of the NAT and DHCP assignment by the ISP.

The no-config-mode overrides the mode config feature, to stop the PIX sending an IP address, DNS etc. to the remote PC when this has been configured on the map (i.e. crypto map client configuration address). I need this as the ISP address is bogus, so I must send an address to the remote client PC.

I have done some more research, and it appears that when Win2K completes phase 1, and starts phase 2 after validating the pre-shared key, it is sending an ID packet with an id_type of 2 (id_fqdn), i.e. instead of sending the IPV4_Address like it did in phase 1, it is sending a name like "myhost.com.au" instead.

As far as I can tell, it shouldn't be doing this. The same problem has been seen by others, including FreeS/WAN users. It also appears to be contrary to the RFCs.

So, is there some way to stop Win2K doing this, or to tell the PIX to deal with it? Is the PIX wrong or Win2K wrong (guess what my bet is on)?

patrick, Level 1

I also experienced problems with WinXP/L2TP/IPsec <-> PIX 501.

The problems seem to be related to the presence of NAT. Using identical PIX and WinXP set-ups, the IPsec debugging shows a different behavior when NAT is present between the WinXP and the PIX, versus the case when there is no NAT.

In the case that there is no NAT, I see the following:

ISAKMP (0): Creating IPSec SAs
inbound SA from 192.168.1.141 to 172.16.16.16 (proxy 192.168.1.141 to 172.16.16.16)
has spi 3357438334 and conn_id 1 and flags 0
lifetime of 3600 seconds
lifetime of 250000 kilobytes
outbound SA from 172.16.16.16 to 192.168.1.141 (proxy 172.16.16.16 to 192.168.1.141)
has spi 568500390 and conn_id 2 and flags 0
lifetime of 3600 seconds
lifetime of 250000 kilobytes
IPSEC(key_engine): got a queue event...
IPSEC(initialize_sas): ,
(key eng. msg.) dest= 172.16.16.16, src= 192.168.1.141,
dest_proxy= 172.16.16.16/0.0.0.0/17/1701 (type=1),
src_proxy= 192.168.1.141/0.0.0.0/17/1701 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 3600s and 250000kb,
spi= 0xc81e717e(3357438334), conn_id= 1, keysize= 0, flags= 0x0

We observe on the PIX (172.16.16.16) that a tunnel is set up for L2TP traffic *only*, from 192.168.1.141 (the real IP address of the WinXP laptop).

When I introduce NAT, I get the following:

ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x3 0xd0 0x90
ISAKMP: encaps is 61444
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 172.16.16.16, src= 62.103.81.153,
dest_proxy= 172.16.16.16/255.255.255.255/0/0 (type=1),
src_proxy= 62.103.81.153/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x800
IPSEC(validate_transform_proposal): proxy identities not supported

Now the WinXP laptop appears as 62.103.81.153 (translated IP address). However, it negotiates for tunnelling *all* IP traffic between the laptop and the PIX... why does WinXP behave like this?

When I remove the "crypto dynamic-map l2tp-parent 1 match address l2tp-acl" command (see my config below), I get the behavior as you reported it.

But why is the WinXP client changing its behavior when NAT has been detected? Maybe this is the real cause of the problem?

Hope somebody found some clues in the meantime...

Patrick

Used config:

PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname shiptrade-bis
domain-name shiptrade.gr
clock timezone EET 2
clock summer-time EET-DST recurring last Sun Mar 2:00 last Sun Oct 2:00
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list SHIPTRADE-OUT permit ip any any
access-list nonat permit ip 192.168.9.0 255.255.155.0 192.168.109.0 255.255.255.0
access-list SHIPTRADE-IN permit ip any any
access-list l2tp-acl permit udp host 172.16.16.16 eq 1701 any eq 1701
pager lines 24
logging on
logging console debugging
logging monitor debugging
icmp permit 192.168.1.0 255.255.255.0 outside
icmp permit 62.103.81.144 255.255.255.240 outside
icmp permit 192.168.9.0 255.255.255.0 inside
mtu outside 1500
mtu inside 1500
ip address outside 172.16.16.16 255.255.255.0
ip address inside 192.168.9.240 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool l2tp-pool 192.168.109.1-192.168.109.254
pdm history enable
arp timeout 14400
global (outside) 1 172.16.16.17
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.9.0 255.255.255.0 0 0
static (inside,outside) 192.168.1.13 192.168.9.1 netmask 255.255.255.255 0 0
access-group SHIPTRADE-IN in interface outside
access-group SHIPTRADE-OUT in interface inside
route outside 0.0.0.0 0.0.0.0 172.16.16.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (outside) host 192.168.1.2 mul1tat timeout 5
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-l2tp
crypto ipsec transform-set l2tp esp-3des esp-md5-hmac
crypto ipsec transform-set l2tp mode transport
crypto dynamic-map l2tp-parent 1 match address l2tp-acl
crypto dynamic-map l2tp-parent 1 set transform-set l2tp
crypto map cmapi 50 ipsec-isakmp dynamic l2tp-parent
crypto map cmapi client authentication RADIUS
crypto map cmapi interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
telnet 192.168.1.0 255.255.255.0 outside
telnet 192.168.9.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 outside
ssh 62.103.81.144 255.255.255.240 outside
ssh timeout 5
console timeout 0
vpdn group l2tp_vpn accept dialin l2tp
vpdn group l2tp_vpn ppp authentication chap
vpdn group l2tp_vpn ppp authentication mschap
vpdn group l2tp_vpn client configuration address local l2tp-pool
vpdn group l2tp_vpn client configuration dns 192.168.9.1
vpdn group l2tp_vpn client configuration wins 192.168.9.1
vpdn group l2tp_vpn client authentication aaa RADIUS
vpdn group l2tp_vpn client accounting RADIUS
vpdn group l2tp_vpn l2tp tunnel hello 60
vpdn enable outside
username george password 7NdaQ41sKxwJWvC6 encrypted privilege 2
terminal width 80
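The quick-mode debug excerpts in this post and in babbott's original post above can be decoded mechanically rather than read by eye. The following Python script is an added example, not code from the thread or from Cisco. It parses the lines that matter here (the proxy identities, the lifetime attribute bytes, the encapsulation-mode value and the rejected phase-2 ID type) and checks whether the peer's proposed proxy identities fall inside a dynamic-map `match address` ACL of the single form used in this thread (`permit udp host X eq 1701 any eq 1701`; any other ACL grammar is rejected). The sample debug lines are copied from the two posts above and trimmed. The mapping of 61443/61444 to the UDP-encapsulated modes comes from the pre-RFC 3947 NAT-T IKE drafts that these implementations speak; everything else is RFC 2407 numbering.

```python
"""Decode PIX 6.x `debug crypto isakmp` quick-mode lines and check the peer's
proxy identities against a dynamic-map `match address` ACL (added example)."""
import re
from collections import namedtuple

# RFC 2407 phase-2 identification types.
ID_TYPES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN", 4: "ID_IPV4_ADDR_SUBNET"}
# IPsec DOI encapsulation-mode values. 61443/61444 are the private-use numbers
# from the NAT-T IKE drafts that PIX 6.x and Windows speak in this thread;
# RFC 3947 later assigned 3 and 4 to the same modes.
ENCAPS_MODES = {1: "Tunnel", 2: "Transport",
                3: "UDP-Encapsulated-Tunnel", 4: "UDP-Encapsulated-Transport",
                61443: "UDP-Encapsulated-Tunnel", 61444: "UDP-Encapsulated-Transport"}
PROTO_NUMBERS = {"ip": 0, "tcp": 6, "udp": 17}

PROXY_RE = re.compile(r"(src|dest)_proxy=\s*(\S+?)/([\d.]+)/(\d+)/(\d+)")
LIFE_TYPE_RE = re.compile(r"SA life type in (seconds|kilobytes)")
LIFE_DUR_RE = re.compile(r"SA life duration \(VPI\) of ((?:0x[0-9a-fA-F]+\s*)+)")
ENCAPS_RE = re.compile(r"encaps is (\d+)")
ID_TYPE_RE = re.compile(r"unknown src id_type (\d+)")
# Only the ACL shape used in this thread: permit <proto> host A eq P any eq Q.
ACL_RE = re.compile(r"permit (\w+) (?:host )?\S+ eq (\d+) (?:host )?\S+ eq (\d+)")

Proxy = namedtuple("Proxy", "addr mask proto port")  # proto/port 0 means "any"
Acl = namedtuple("Acl", "proto src_port dst_port")   # src = PIX end, dst = peer end

def parse_acl(line):
    m = ACL_RE.search(line)
    if not m:
        raise ValueError("unsupported ACL form: " + line)
    proto, sport, dport = m.groups()
    return Acl(PROTO_NUMBERS[proto], int(sport), int(dport))

def decode_vpi(tokens):
    """'0x0 0x0 0xe 0x10' -> 3600: big-endian bytes of a variable-length attribute."""
    return int.from_bytes(bytes(int(t, 16) for t in tokens.split()), "big")

def parse_quick_mode(debug_text):
    info = {"proxies": {}, "lifetimes": {}, "encaps": None, "src_id_type": None}
    pending = None  # lifetime unit announced on the preceding line
    for line in debug_text.splitlines():
        if m := PROXY_RE.search(line):
            side, addr, mask, proto, port = m.groups()
            info["proxies"][side] = Proxy(addr, mask, int(proto), int(port))
        elif m := LIFE_TYPE_RE.search(line):
            pending = m.group(1)
        elif (m := LIFE_DUR_RE.search(line)) and pending:
            info["lifetimes"][pending] = decode_vpi(m.group(1))
            pending = None
        elif m := ENCAPS_RE.search(line):
            info["encaps"] = int(m.group(1))
        elif m := ID_TYPE_RE.search(line):
            info["src_id_type"] = int(m.group(1))
    return info

def acl_accepts(proxies, acl):
    """True when the proposal is no broader than the ACL. dest_proxy is the PIX
    end and src_proxy the peer; a 0 protocol/port in the proposal means 'any',
    which a udp/1701 ACL cannot cover ('proxy identities not supported')."""
    pix, peer = proxies["dest"], proxies["src"]
    if acl.proto and not (pix.proto == peer.proto == acl.proto):
        return False
    if acl.src_port and pix.port != acl.src_port:
        return False
    return not acl.dst_port or peer.port == acl.dst_port

def report(debug_text, acl_line):
    """Human-readable findings for one quick-mode exchange."""
    info, acl = parse_quick_mode(debug_text), parse_acl(acl_line)
    out = [f"lifetime {v} {k}" for k, v in info["lifetimes"].items()]
    if info["encaps"] is not None:
        out.append(f"encaps {info['encaps']} = {ENCAPS_MODES.get(info['encaps'], 'unknown')}")
    if info["src_id_type"] is not None:
        out.append(f"PIX rejected phase-2 ID type {info['src_id_type']} "
                   f"({ID_TYPES.get(info['src_id_type'], '?')})")
    if info["proxies"]:
        fit = "fit" if acl_accepts(info["proxies"], acl) else "do NOT fit"
        out.append(f"proxy identities {fit} the match-address ACL")
    return out

L2TP_ACL = "access-list al permit udp host outIP eq 1701 any eq 1701"
# Debug lines copied (trimmed) from the posts above. babbott's client behind NAT:
OP_DEBUG = """\
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x1 0x86 0xa0
ISAKMP: encaps is 61444
dest_proxy= outIP/255.255.255.255/0/0 (type=1),
src_proxy= 203.38.156.63/255.255.255.255/0/0 (type=1),
ISAKMP (0): unknown src id_type 2
"""
# Patrick's client with no NAT in the path: the proposal is scoped to udp/1701.
NO_NAT_DEBUG = """\
dest_proxy= 172.16.16.16/0.0.0.0/17/1701 (type=1),
src_proxy= 192.168.1.141/0.0.0.0/17/1701 (type=1),
"""

if __name__ == "__main__":
    for name, text in (("behind NAT", OP_DEBUG), ("no NAT", NO_NAT_DEBUG)):
        print(name, report(text, L2TP_ACL))
```

Run against the two excerpts, the script reports the 3600-second lifetime, UDP-encapsulated transport mode and the host-to-host/any-protocol proxies for the NAT case (which do not fit a udp/1701 `match address` ACL), and udp/1701 proxies that do fit for the no-NAT case. Feeding it a full `debug crypto isakmp` capture works the same way, as long as one quick-mode exchange is passed at a time.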

Hey Guys, I have the same issue. http://forums.cisco.com/eforum/servlet/NetProf;jsessionid=xrs36xz771.SJ2B?page=netprof&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.eea5e0e

I've found that XP has a few things it does in regards to IPsec and definitely acts different when behind NAT.

Patrick, I got a question on this:

static (inside,outside) 192.168.1.13 192.168.9.1 netmask 255.255.255.255 0 0

Are you doing the static statement for IPsec traffic? (Shouldn't it be on 192.168.109.13?)

If not, have you seen examples where you have static statements for IPsec traffic?

IE. static (inside,outside) 192.168.109.0 192.168.9.0 netmask 255.255.255.0 0 0

It seems to me the address being assigned by L2TP isn't being translated to the inside network. I can authenticate my L2TP connection and kick on ISAKMP and IPsec and get what looks like a tunnel built. But I can not ping or access internal hosts.

Few things I found with XP: use IP Security Policy manager to create an IPsec policy to filter for 1701 (L2TP), which kicks on 3des-sha for the AH-ESP and PFS. The VPN settings themselves should have L2TP dialin set (not auto), no encryption set whatsoever (important), and do not set the shared key in the VPN connection settings or you will have issues for sure.

I know Cisco's examples for XP show them using the shared key setting in the VPN connection, but this will cause the crypto settings to be set differently than the ones you assigned via the IP Security Policy manager.