FreeBSD <-> Windows XP IPSec Phase 1 Timeout

From: Arcadiy Ivanov (arcivanov_at_mail.ru)
Date: 11/29/05

    To: <freebsd-net@freebsd.org>
    Date: Tue, 29 Nov 2005 01:20:44 -0500
    
    

    Dear everybody,

    I have the following problem which you might help me solve. I'm running a
    FreeBSD 6.0 box as a gateway with Windows XP road warrior clients VPNing in.
    In order to set up secure access I want to use IPSec for traffic encryption
    with the plain-text PPTP for tunneling. Windows XP IPSec policy is
    configured to ESP everything coming in and out of TCP port 1723 and GRE and
    the same stands for the FreeBSD box. Now here is the problem. Upon initiating a PPTP
    dial-up connection from XP the IPSec negotiations start normally, both
    client and server agree on encryption & hashing standards successfully. But
    as soon as they do agree, all communications time out. Tcpdump on the FreeBSD box
    and Etherpeek on Windows show the IPSec packets being delivered to both
    machines, but both client and server behave as if packets were not delivered
    at all and obviously time out. I do have the PF firewall on the gateway but the
    result is the same for the firewall being off or on or even not loaded into
    the kernel. I have used racoon, isakmp and ipsec-tools racoon and the results
    are EXACTLY the same up to the corresponding lines in the logs - as soon as
    encryption policies are successfully negotiated and both clients switch to
    secure communication mode they lose sight of each other and both time out. I
    of course understand that the logs are necessary and I'm ready to provide
    them if anybody is interested to help me solve the problem, but I'm hoping
    that somebody had this problem and knows the solutions off the top of
    his/her head.

    Thanks a lot,
    Arcadiy
