[Openswan Users] Connection against a Lucent FW success!!!! - LVC under windows trace
Rolando J. Zappacosta
zappacor at yahoo.com.ar
Wed Sep 10 03:16:42 EDT 2008
Hi Paul,
this is a brief dump of what a LVC and a LVG exchange:
No. Time Source Destination Protocol Info
7 17.177861 192.168.1.236 AAA.SGW.SGW.SGW ISAKMP Aggressive
8 17.269798 AAA.SGW.SGW.SGW 192.168.1.236 ISAKMP Aggressive
9 17.273487 192.168.1.236 AAA.SGW.SGW.SGW ISAKMP Aggressive
10 17.368693 AAA.SGW.SGW.SGW 192.168.1.236 ISAKMP Informational
11 17.368956 192.168.1.236 AAA.SGW.SGW.SGW ISAKMP Informational
13 20.669004 AAA.SGW.SGW.SGW 192.168.1.236 ISAKMP Informational
15 20.682181 192.168.1.236 AAA.SGW.SGW.SGW ISAKMP Quick Mode
16 20.873717 AAA.SGW.SGW.SGW 192.168.1.236 ISAKMP Quick Mode
17 20.874288 192.168.1.236 AAA.SGW.SGW.SGW ISAKMP Quick Mode
18 20.975815 AAA.SGW.SGW.SGW 192.168.1.236 ISAKMP Informational
21 21.535865 Intel_b1:d7:95 Broadcast ARP Gratuitous ARP for AAA.PC.PC.PC (Request)
28 22.420799 Intel_b1:d7:95 Broadcast ARP Gratuitous ARP for AAA.PC.PC.PC (Request)
31 23.420795 Intel_b1:d7:95 Broadcast ARP Gratuitous ARP for AAA.PC.PC.PC (Request)
37 27.431043 Intel_b1:d7:95 Broadcast ARP Who has AAA.SRV.SRV.SRV? Tell 192.168.1.236
38 27.431083 Comtrend_f6:b7:3d Intel_b1:d7:95 ARP AAA.SRV.SRV.SRV is at 00:30:da:f6:b7:3d
39 27.431095 AAA.PC.PC.PC AAA.SRV.SRV.SRV ICMP Echo (ping) request
42 27.939265 AAA.SRV.SRV.SRV AAA.PC.PC.PC ICMP Echo (ping) reply
43 28.436479 AAA.PC.PC.PC AAA.SRV.SRV.SRV ICMP Echo (ping) request
44 28.860815 AAA.SRV.SRV.SRV AAA.PC.PC.PC ICMP Echo (ping) reply
Note I send a ping from my PC (AAA.PC.PC.PC) to a server on the Intranet I
connect to (AAA.SRV.SRV.SRV) and that as per the Windows client log, it's:
09/05/08 19:28:58 IKE/IKE Started Enable Secure Access to TEP: MyIntranetConnection (AAA.SGW.SGW.SGW) for user <MyUserName>
19:28:59 IKE/IKE Source IP Address, Port for IKE : 192.168.1.236, 1659
19:28:59 IKE/IKE Contacted VPN gateway (AAA.SGW.SGW.SGW)
19:29:02 IKE/IKE User Authentication Successful.
19:29:02 IKE/IKE Tunnel Parameters received from gateway are:
Encryption : TRIPLE DES Authentication : SHA1
Tunnel transport method: UDP-Encapsulated on Port 501
Authentication Timeout: 1440 Minutes
Heartbeat Interval: 60 Seconds
Internal IP for local presence :AAA.PC.PC.PC
Pri. DNS :<DNS 1 IP addr> Sec. DNS :<DNS 2 IP addr>
Pri. WINS :<WINS 1 IP addr> Sec. WINS :<WINS 2 IP addr>
HostList: *
Tunnel administrator does not allow you to save password
Orig Pri. WINS :0.0.0.0 Orig Sec. WINS :0.0.0.0
Firewall Policy: Block All Clear Text Traffic
09/05/08 19:29:03 IKE/IKE IPSec SA SPIs: Inbound: 0x 91bd, Outbound: 0x 2fd7e2ff
09/05/08 19:29:03 IKE/IKE Successfully established VPN Tunnel to TEP AAA.SGW.SGW.SGW for User <MyUserName>
Note:
1) there are some "Gratuitous ARP" requests sent by the LVC on the PC,
announcing its own Intranet IP as assigned by the LVG. I can't imagine why,
actually, but is there a way to mimic this behaviour?
2) there is no ModeConfig exchange in it, maybe because they do it in a
proprietary way by means of these:
10 17.368693 AAA.SGW.SGW.SGW 192.168.1.236 ISAKMP Informational
11 17.368956 192.168.1.236 AAA.SGW.SGW.SGW ISAKMP Informational
13 20.669004 AAA.SGW.SGW.SGW 192.168.1.236 ISAKMP Informational
but I'm not so sure because when the password is wrong I only get these six
messages:
192.168.1.236 AAA.SGW.SGW.SGW ISAKMP Aggressive
AAA.SGW.SGW.SGW 192.168.1.236 ISAKMP Aggressive
192.168.1.236 AAA.SGW.SGW.SGW ISAKMP Aggressive
AAA.SGW.SGW.SGW 192.168.1.236 ISAKMP Informational
192.168.1.236 AAA.SGW.SGW.SGW ISAKMP Informational
AAA.SGW.SGW.SGW 192.168.1.236 ISAKMP Informational
and I think I saw the LVC stating something like "configuring tunnel
parameters" when it hung, and it was after those six too. Maybe the conf
exchange is done with this one?
18 20.975815 AAA.SGW.SGW.SGW 192.168.1.236 ISAKMP Informational
3) Yet another interesting point is that their client sends 4 transform
proposals instead of just one.
4) Sometimes Wireshark (Ethereal) shows things as in these traces, and
sometimes it shows the traffic between my PC and the LVG as ESP packets. I
think it depends on whether the option to capture in promiscuous mode is set
or not for my WiFi board, but I didn't check it.
Regards,
Rolando.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: LVC-LVG.txt
Url: http://lists.openswan.org/pipermail/users/attachments/20080910/e876f004/attachment.txt
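
An added example, not part of the original post: a small Python parser that reads Wireshark summary lines like the ones above and reports how far the IKEv1 negotiation got and where each Informational message falls. The packet lines are copied from the post as sample input; the function name `summarize` and the stage labels are illustrative choices.

```python
import re
from collections import Counter

# Matches "<src> <dst> ISAKMP <exchange>", with or without leading No./Time columns.
LINE = re.compile(r"(\S+)\s+(\S+)\s+ISAKMP\s+(Aggressive|Quick Mode|Informational)\s*$")

def summarize(trace, client):
    """Report how far an IKEv1 negotiation got, from Wireshark summary lines."""
    seen = Counter()   # Aggressive / Quick Mode message counts
    info = Counter()   # Informational messages keyed by (stage, sender)
    for line in trace.splitlines():
        m = LINE.search(line)
        if not m:
            continue   # ARP, ICMP and anything else is ignored
        src, _dst, kind = m.groups()
        if kind != "Informational":
            seen[kind] += 1
            continue
        stage = ("after_phase2" if seen["Quick Mode"] >= 3
                 else "after_phase1" if seen["Aggressive"] >= 3 else "during_phase1")
        info[(stage, "client" if src == client else "gateway")] += 1
    phase1 = seen["Aggressive"] >= 3    # Aggressive Mode is a 3-message exchange
    phase2 = seen["Quick Mode"] >= 3    # Quick Mode is a 3-message exchange
    verdict = ("tunnel established" if phase1 and phase2
               else "stopped after phase 1" if phase1 else "phase 1 incomplete")
    return {"verdict": verdict, "informational": dict(info)}

# Packets 7-18 of the successful trace in the post (address placeholders as posted).
GOOD = """\
7 17.177861 192.168.1.236 AAA.SGW.SGW.SGW ISAKMP Aggressive
8 17.269798 AAA.SGW.SGW.SGW 192.168.1.236 ISAKMP Aggressive
9 17.273487 192.168.1.236 AAA.SGW.SGW.SGW ISAKMP Aggressive
10 17.368693 AAA.SGW.SGW.SGW 192.168.1.236 ISAKMP Informational
11 17.368956 192.168.1.236 AAA.SGW.SGW.SGW ISAKMP Informational
13 20.669004 AAA.SGW.SGW.SGW 192.168.1.236 ISAKMP Informational
15 20.682181 192.168.1.236 AAA.SGW.SGW.SGW ISAKMP Quick Mode
16 20.873717 AAA.SGW.SGW.SGW 192.168.1.236 ISAKMP Quick Mode
17 20.874288 192.168.1.236 AAA.SGW.SGW.SGW ISAKMP Quick Mode
18 20.975815 AAA.SGW.SGW.SGW 192.168.1.236 ISAKMP Informational
"""
# The six messages the post lists for the wrong-password case.
BAD = """\
192.168.1.236 AAA.SGW.SGW.SGW ISAKMP Aggressive
AAA.SGW.SGW.SGW 192.168.1.236 ISAKMP Aggressive
192.168.1.236 AAA.SGW.SGW.SGW ISAKMP Aggressive
AAA.SGW.SGW.SGW 192.168.1.236 ISAKMP Informational
192.168.1.236 AAA.SGW.SGW.SGW ISAKMP Informational
AAA.SGW.SGW.SGW 192.168.1.236 ISAKMP Informational
"""
```

Calling `summarize(GOOD, "192.168.1.236")` and `summarize(BAD, "192.168.1.236")` gives the same three Informational messages after phase 1 in both cases; at summary level the two traces differ only in whether Quick Mode follows.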