Help with Windows VPN setup and Astaro firewall

Archived from groups: comp.security.firewalls,de.comp.security.firewall

I am having trouble setting up a Windows 2000 workstation to establish a
VPN with an Astaro firewall 5.002.

When I attempt to bring up the VPN (IPSec), I get the errors below on
the Windows client.

What am I doing wrong?
Why am I getting these "malformed message" errors?

Note that the Windows workstation has no trouble at all connecting to
another firewall gateway.

Thanks,
--Ulf


154 01:46:35.174 05/02/04 Sev=Warning/2 IKE/0xE3000099
Invalid SPI size (PayloadNotify:116)

155 01:46:35.174 05/02/04 Sev=Warning/3 IKE/0xA3000058
Received malformed message or negotiation no longer active (message
id: 0x00000000)

156 01:46:40.182 05/02/04 Sev=Warning/2 IKE/0xE3000099
Invalid SPI size (PayloadNotify:116)

157 01:46:40.182 05/02/04 Sev=Warning/3 IKE/0xA3000058
Received malformed message or negotiation no longer active (message
id: 0x00000000)

"arabub" <arabub@yahoo.com> wrote in message
news:a714a1f2.0405020056.7f6f588f@posting.google.com...
> I am having trouble setting up a Windows 2000 workstation to establish a
> VPN with an Astaro firewall 5.002.
>
> When I attempt to bring up the VPN (IPSec), I get the errors below on
> the Windows client.
>
> What am I doing wrong?
> Why am I getting these "malformed message" errors?
>
> Note that the Windows workstation has no trouble at all connecting to
> another firewall gateway.
>
> Thanks,
> --Ulf
>
>
> 154 01:46:35.174 05/02/04 Sev=Warning/2 IKE/0xE3000099
> Invalid SPI size (PayloadNotify:116)
>
> 155 01:46:35.174 05/02/04 Sev=Warning/3 IKE/0xA3000058
> Received malformed message or negotiation no longer active (message
> id: 0x00000000)
>
> 156 01:46:40.182 05/02/04 Sev=Warning/2 IKE/0xE3000099
> Invalid SPI size (PayloadNotify:116)
>
> 157 01:46:40.182 05/02/04 Sev=Warning/3 IKE/0xA3000058
> Received malformed message or negotiation no longer active (message
> id: 0x00000000)

http://www.securityfocus.com/infocus/1526
http://support.microsoft.com/?kbid=259335

Google and the MS Knowledge Base are your friends.

Duane :)

arabub wrote:

> My guess is that the "malformed message" errors refer to the fact that
> the package checksums are being made invalid by the NATting of my
> local firewall.

Your guess is right. NAT destroys IPSec.

> However, the exact same firewall does not cause any problems for my
> VPN connections to a different remote firewall! So I doubt that it's
> my local firewall.
>
> Summary:
>
> Connection from          Connection to                 Result
> ------------------------------------------------------------------------
> Local Win2k workstation  Remote firewall 1 (pix)       Success

Due to cisco workarounds.

> Local Win2k workstation  Remote firewall 2 (Astaro)    "malformed message"

Normal behavior according to the IPSec specification.

> I am using a Cisco VPN client on the Win2k workstation, and I verified
> that the VPN client's configuration files for both VPNs are identical,
> with the exception of the remote gateway and the user authentication
> information.
>
> From this I conclude that the problem must be with my Astaro
> firewall's IPSec configuration.

No, pixes just offer some IMHO rather dirty workarounds for the problem.

> However, I tried many combinations of
> settings on the Astaro firewall, but have not found a working
> configuration.
> Any further ideas?

Yes, as always simply stick to the golden rule: "Terminate the VPN on the
gateway, never on a client behind it!"

Wolfgang
--
A foreign body and a foreign mind
never welcome in the land of the blind.
from 'Not one of us', (c) 1980 Peter Gabriel
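
Wolfgang's point that NAT destroys IPsec, worked through as an added illustration that is not part of the thread: with AH (RFC 4302) the integrity check value covers the outer source and destination addresses, so a NAT gateway that rewrites the source address invalidates the ICV, whereas a router that merely decrements TTL does not. HMAC-SHA1-96, the key, the addresses and the SPI are all constructed for the demo; the thread does not say whether AH or ESP was in use.

```python
import hashlib
import hmac
import ipaddress
import struct

AH_PROTO, ICV_LEN = 51, 12   # IP protocol number for AH; HMAC-SHA1-96 tag length

def ipv4_header(src, dst, payload_len, ttl=64):
    # 20-byte IPv4 header carrying AH; header checksum left at 0 (it is mutable anyway)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                       ttl, AH_PROTO, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def ah_covered_view(ip_hdr):
    # RFC 4302: zero the mutable IPv4 fields; the addresses stay, so the ICV covers them
    b = bytearray(ip_hdr)
    b[1] = 0                 # TOS
    b[6:8] = b"\x00\x00"     # flags + fragment offset
    b[8] = 0                 # TTL
    b[10:12] = b"\x00\x00"   # header checksum
    return bytes(b)

def ah_icv(key, ip_hdr, spi, seq, payload, next_hdr=6):
    # AH header (next hdr, length in 32-bit words minus 2, reserved, SPI, seq) + zeroed ICV
    ah_hdr = struct.pack("!BBHII", next_hdr, (12 + ICV_LEN) // 4 - 2, 0, spi, seq)
    data = ah_covered_view(ip_hdr) + ah_hdr + b"\x00" * ICV_LEN + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]

def verify(key, ip_hdr, spi, seq, payload, icv):
    return hmac.compare_digest(ah_icv(key, ip_hdr, spi, seq, payload), icv)

def rewrite_source(ip_hdr, new_src):   # what a NAT gateway does to every outbound packet
    b = bytearray(ip_hdr)
    b[12:16] = ipaddress.IPv4Address(new_src).packed
    return bytes(b)

def decrement_ttl(ip_hdr):             # what every ordinary router does on every hop
    b = bytearray(ip_hdr)
    b[8] -= 1
    return bytes(b)

def demo():
    key, spi, seq, payload = b"constructed-demo-key", 0x1000, 1, b"constructed payload"
    hdr = ipv4_header("192.168.1.10", "203.0.113.5", 12 + ICV_LEN + len(payload))
    icv = ah_icv(key, hdr, spi, seq, payload)            # computed by the sender
    return {
        "direct": verify(key, hdr, spi, seq, payload, icv),
        "after_router": verify(key, decrement_ttl(hdr), spi, seq, payload, icv),
        "after_nat": verify(key, rewrite_source(hdr, "198.51.100.7"), spi, seq, payload, icv),
    }
```

ESP fails behind NAT for a different reason (a port-translating NAT has no ports to work with), which is what UDP encapsulation of ESP, later standardised as NAT traversal in RFC 3948, was designed to get around.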

Wolfgang Kueter <wolfgang@shconnect.de> wrote in message news:<c73op1$1m4$1@news.shlink.de>...
>
> > However, I tried many combinations of
> > settings on the Astaro firewall, but have not found a working
> > configuration.
> > Any further ideas?
>
> Yes, as always simply stick to the golden rule: "Terminate the VPN on the
> gateway, never on a client behind it!"

Please give me some ideas on how to solve the following problem: I
have a bunch of consultants and other collaborators who work from
home, remote offices etc. They all need access to our "core
infrastructure" in order to mount Windows or SMB file shares.
Therefore I need to give them some form of VPN access that will work
for them. The solution has to work with today's constraints, i.e.
most folks have a NATting firewall at home, their office etc.

Do I need to buy a Cisco Concentrator in order to make this work for
everybody?
Or is there a way to use the Astaro firewall for this? If yes, how?

Thanks,
--Ulf

arabub wrote:


> Please give me some ideas on how to solve the following problem: I
> have a bunch of consultants and other collaborators who work from
> home, remote offices etc. They all need access to our "core
> infrastructure" in order to mount Windows or SMB file shares.

Difficult, heterogeneous VPN infrastructures are always a pain in the a**

If you can, try to stick only to one platform.

> Therefore I need to give them some form of VPN access that will work
> for them. The solution has to work with nowadays constraints, i.e.
> most folks have a NATting firewall at home, their office etc.
>
> Do I need to buy a Cisco Concentrator in order to make this work for
> everybody?
> Or is there a way to use the Astaro firewall for this? If yes, how?

Depends on how many simultaneous tunnels you have. If the number gets very
high, a concentrator might make sense. Nevertheless throwing hardware on the
Astaro (CPU, RAM) will probably be much cheaper than the VPN concentrator.

But that was not my point: My point was that the gateway (NAT router)
should build up the tunnel, not the client behind it. So you need routers
(NAT devices) with VPN capabilities for the road warriors.

Wolfgang
--
A foreign body and a foreign mind
never welcome in the land of the blind.
from 'Not one of us', (c) 1980 Peter Gabriel