Welcome to ISAserver.org

L2TP/IPSec behind NAT

L2TP/IPSec behind NAT - 15.May2007 1:28:27 PM   
isa_user
Hello everybody,

my VPN constellation:

multiple PCs (Windows XP SP2; Microsoft L2TP/IPSec VPN client)
---> same NAT router --->
---> Internet --->
---> same VPN server (official IP; Microsoft ISA 2004 on Windows 2003 Server SP1)

The connection from the first client works fine.

But the second client can't establish the IPSec connection correctly.

The message in the ISA event log when the second client fails:

Event ID 4290
The IPSec driver has dropped the following inbound packet:
Source IP Address: *.*.13.11
Destination IP Address: *.*.0.71
Protocol: 17
Source Port:  4500
Destination Port: 4500
Offset for IPSec status code:                  0x14
Offset for Offload status code:                0x10
Offset for Offload flags(0=no offload):        0x20
Offset for packet start:                       0x28

Thanks to everybody for your help!
Post #: 1
RE: L2TP/IPSec behind NAT - 16.May2007 7:48:02 AM   
justmee
Hi isa_user,
your source of problems seems to be that router.
If you take a look at that error you will notice that the source port of the dropped packet is 4500.
It is quite impossible for this to be true.
Normally, the first client connects from UDP(500,500); once this packet hits the router it will probably look like (X,500), and that is how it will arrive at ISA if there is no other NAT device along the path. If this is the first client, the NAT device might not change the source port from 500 to X.
In the second exchange of Main Mode (messages 3&4) the peers send NAT-D payloads to detect the presence of any NAT devices along the way. If there is any NAT device, the initiator, starting from the third exchange of Main Mode (packet 5), will switch to UDP port 4500, so the packet will look like UDP(4500,4500). When this packet enters the NAT device, on the way out it will probably look like UDP(Y,4500).
So in your case, if the first client connects, it might do so with the NAT device keeping UDP ports 500 and 4500.
But for the second client things have to change to be successful. Can you take some Wireshark traces on ISA's external interface and look at what I have explained, to see if it happens so, and maybe post them (of course, if you can do this)?

(in reply to isa_user)
Post #: 2
RE: L2TP/IPSec behind NAT - 16.May2007 10:34:51 AM   
isa_user
hi justmee,
thank you very much for your reply!

Maybe the ISA event log entry I posted is not representative; it seems so when I read your post.
In the ISA event log there are many errors like this, some with other source ports (e.g. 32767:4500).

I'll try to post the important packets.
Generally:
the client is behind a NAT device (NAT=*.*.0.73),
ISA is direct = *.*.0.71.

I filtered these packets between the NAT and ISA:

No.   Source  Destination  Protocol
1  *.*.0.73  *.*.0.71   ISAKMP Identity Protection (Main Mode)
2  *.*.0.71  *.*.0.73   ISAKMP Identity Protection (Main Mode)
3  *.*.0.73  *.*.0.71   ISAKMP Identity Protection (Main Mode)
4  *.*.0.71  *.*.0.73   ISAKMP Identity Protection (Main Mode)
5  *.*.0.73  *.*.0.71   IP Fragmented IP protocol (proto=UDP 0x11, off=0)
6  *.*.0.73  *.*.0.71   IP Fragmented IP protocol (proto=UDP 0x11, off=1480)
7  *.*.0.73  *.*.0.71   ISAKMP Identity Protection (Main Mode)
8  *.*.0.71  *.*.0.73   IP Fragmented IP protocol (proto=UDP 0x11, off=0)
9  *.*.0.71  *.*.0.73   IP Fragmented IP protocol (proto=UDP 0x11, off=1480)
10   *.*.0.71 *.*.0.73  ISAKMP Identity Protection (Main Mode)
11   *.*.0.73  *.*.0.71   ISAKMP Quick Mode
12   *.*.0.71  *.*.0.73   ISAKMP Quick Mode
13   *.*.0.73  *.*.0.71   ISAKMP Quick Mode
14   *.*.0.71  *.*.0.73   ISAKMP Quick Mode
15   *.*.0.73  *.*.0.71   ESP ESP (SPI=0x5fbb5f57)  <--- (this is the point where ISA doesn't answer, I think)
16   *.*.0.73  *.*.0.71   UDPENCAP
17   *.*.0.73  *.*.0.71   ESP ESP (SPI=0x5fbb5f57)
18   *.*.0.73  *.*.0.71   ESP ESP (SPI=0x5fbb5f57)
19   *.*.0.73  *.*.0.71   ESP ESP (SPI=0x5fbb5f57)
20   *.*.0.73  *.*.0.71   UDPENCAP
21   *.*.0.73  *.*.0.71   ESP ESP (SPI=0x5fbb5f57)

And here are some details for these packets:

Frame 1
Internet Protocol, Src: *.*.0.73 (*.*.0.73), Dst: *.*.0.71 (*.*.0.71)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Internet Security Association and Key Management Protocol

Frame 2
Internet Protocol, Src: *.*.0.71 (*.*.0.71), Dst: *.*.0.73 (*.*.0.73)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Internet Security Association and Key Management Protocol

Frame 3
Internet Protocol, Src: *.*.0.73 (*.*.0.73), Dst: *.*.0.71 (*.*.0.71)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Internet Security Association and Key Management Protocol

Frame 4
Internet Protocol, Src: *.*.0.71 (*.*.0.71), Dst: *.*.0.73 (*.*.0.73)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Internet Security Association and Key Management Protocol

Frame 5
Internet Protocol, Src: *.*.0.73 (*.*.0.73), Dst: *.*.0.71 (*.*.0.71)
Data (1480 bytes)

Frame 6
Internet Protocol, Src: *.*.0.73 (*.*.0.73), Dst: *.*.0.71 (*.*.0.71)
Data (1480 bytes)

Frame 7
Internet Protocol, Src: *.*.0.73 (*.*.0.73), Dst: *.*.0.71 (*.*.0.71)
User Datagram Protocol, Src Port: 32767 (32767), Dst Port: 4500 (4500)
UDP Encapsulation of IPsec Packets
Internet Security Association and Key Management Protocol

Frame 8
Internet Protocol, Src: *.*.0.71 (*.*.0.71), Dst: *.*.0.73 (*.*.0.73)
Data (1480 bytes)

Frame 9
Internet Protocol, Src: *.*.0.71 (*.*.0.71), Dst: *.*.0.73 (*.*.0.73)
Data (1480 bytes)

Frame 10
Internet Protocol, Src: *.*.0.71 (*.*.0.71), Dst: *.*.0.73 (*.*.0.73)
User Datagram Protocol, Src Port: 4500 (4500), Dst Port: 32767 (32767)
UDP Encapsulation of IPsec Packets
Internet Security Association and Key Management Protocol

Frame 11
Internet Protocol, Src: *.*.0.73 (*.*.0.73), Dst: *.*.0.71 (*.*.0.71)
User Datagram Protocol, Src Port: 32767 (32767), Dst Port: 4500 (4500)
UDP Encapsulation of IPsec Packets
Internet Security Association and Key Management Protocol

Frame 12
Internet Protocol, Src: *.*.0.71 (*.*.0.71), Dst: *.*.0.73 (*.*.0.73)
User Datagram Protocol, Src Port: 4500 (4500), Dst Port: 32767 (32767)
UDP Encapsulation of IPsec Packets
Internet Security Association and Key Management Protocol

Frame 13
Internet Protocol, Src: *.*.0.73 (*.*.0.73), Dst: *.*.0.71 (*.*.0.71)
User Datagram Protocol, Src Port: 32767 (32767), Dst Port: 4500 (4500)
UDP Encapsulation of IPsec Packets
Internet Security Association and Key Management Protocol

Frame 14
Internet Protocol, Src: *.*.0.71 (*.*.0.71), Dst: *.*.0.73 (*.*.0.73)
User Datagram Protocol, Src Port: 4500 (4500), Dst Port: 32767 (32767)
UDP Encapsulation of IPsec Packets
Internet Security Association and Key Management Protocol

Frame 15
Internet Protocol, Src: *.*.0.73 (*.*.0.73), Dst: *.*.0.71 (*.*.0.71)
User Datagram Protocol, Src Port: 32767 (32767), Dst Port: 4500 (4500)
UDP Encapsulation of IPsec Packets
Encapsulating Security Payload

Frame 16
Internet Protocol, Src: *.*.0.73 (*.*.0.73), Dst: *.*.0.71 (*.*.0.71)
User Datagram Protocol, Src Port: 32767 (32767), Dst Port: 4500 (4500)
UDP Encapsulation of IPsec Packets

Frame 17
Internet Protocol, Src: *.*.0.73 (*.*.0.73), Dst: *.*.0.71 (*.*.0.71)
User Datagram Protocol, Src Port: 32767 (32767), Dst Port: 4500 (4500)
UDP Encapsulation of IPsec Packets
Encapsulating Security Payload

Frame 18
Internet Protocol, Src: *.*.0.73 (*.*.0.73), Dst: *.*.0.71 (*.*.0.71)
User Datagram Protocol, Src Port: 32767 (32767), Dst Port: 4500 (4500)
UDP Encapsulation of IPsec Packets
Encapsulating Security Payload

Frame 19
Internet Protocol, Src: *.*.0.73 (*.*.0.73), Dst: *.*.0.71 (*.*.0.71)
User Datagram Protocol, Src Port: 32767 (32767), Dst Port: 4500 (4500)
UDP Encapsulation of IPsec Packets
Encapsulating Security Payload

Frame 20
Internet Protocol, Src: *.*.0.73 (*.*.0.73), Dst: *.*.0.71 (*.*.0.71)
User Datagram Protocol, Src Port: 4500 (4500), Dst Port: 4500 (4500)
UDP Encapsulation of IPsec Packets

Frame 21
Internet Protocol, Src: *.*.0.73 (*.*.0.73), Dst: *.*.0.71 (*.*.0.71)
User Datagram Protocol, Src Port: 32767 (32767), Dst Port: 4500 (4500)
UDP Encapsulation of IPsec Packets
Encapsulating Security Payload

I'm not an expert, but I think they chose port 32767 instead of 4500, so is that what you mean?

If you want I could send the capture file by mail.

Waiting for your reply, sorry for my bad English :o)
Thanks & greetz
isa_user

(in reply to justmee)
Post #: 3
RE: L2TP/IPSec behind NAT - 17.May2007 5:27:41 AM   
justmee
hi isa_user,
looking at your packets I'm wondering if this trace was taken when the other client was connected, because I can see that your NAT router does not change the IKE UDP source port 500, as if the second client were trying to connect as described in RFC3947.
Anyway, it appears that IKE Phase I and II go "well".
Normally the first packet that your ISA is dropping should be an L2TP control message, SCCRQ (Start-Control-Connection-Request).
We can't see this because IPSec is protecting L2TP.
My guess here is that the NAT router is not able to map the ports used with NAT correctly (although from your post it seems so, see my quotes).
Does it have some IPsec helper or something like that?
quote:

16   *.*.0.73  *.*.0.71   UDPENCAP
Frame 16
Internet Protocol, Src: *.*.0.73 (*.*.0.73), Dst: *.*.0.71 (*.*.0.71)
User Datagram Protocol, Src Port: 32767 (32767), Dst Port: 4500 (4500)
UDP Encapsulation of IPsec Packets
20   *.*.0.73  *.*.0.71   UDPENCAP
Frame 20
Internet Protocol, Src: *.*.0.73 (*.*.0.73), Dst: *.*.0.71 (*.*.0.71)
User Datagram Protocol, Src Port: 4500 (4500), Dst Port: 4500 (4500)
UDP Encapsulation of IPsec Packets

This should be a NAT-T keepalive packet, used for (RFC3948):
quote:

A peer MAY send a NAT-keepalive packet if one or more phase I or
phase II SAs exist between the peers, or if such an SA has existed at
most N minutes earlier.  N is a locally configurable parameter with a
default value of 5 minutes.

Can you take some Wireshark traces and see if the two connections are assigned different ports by the NAT device after frame 4? (This should happen in the last Main Mode exchange, packets 5&6; you have fragmentation there because you are probably authenticating with certificates, or the pre-shared key is very long.)
Also start ISA's logs and see if you have any error code (why the packet was dropped).
Normally this should be shown by ISA's logs for a successful connection:
Protocols "initiated": IKE Client, IPsec NAT-T Client, L2TP Client.
In your case, for the second client the third protocol does not get initiated.
On the client side, what error is the VPN client giving?
Have you tried to connect with multiple computers to see if they give the same error?
Can you try and replace that router?

< Message edited by justmee -- 17.May2007 5:31:27 AM >

(in reply to isa_user)
Post #: 4
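One way to run the check justmee asks for above over a trace pasted in the format used in this thread. This is an added example, not code from the thread or from ISA Server: it parses Wireshark's summary rows and "Src Port ... Dst Port" detail lines, groups the UDP 4500 traffic by the port the NAT presented to the server, and reports per mapping whether the server ever answered the client's ESP. It assumes the server address is known; the sample dump and its addresses are constructed to mirror the thread's working and failing sessions.

```python
import re
from collections import defaultdict

# Wireshark summary row "No. Time Source Destination Protocol Info" and the UDP
# detail line "Src Port: 32768 (32768), Dst Port: 4500 (4500)" as pasted in the thread.
SUMMARY_RE = re.compile(r"^\s*(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")
UDP_RE = re.compile(r"Src Port: \S+ \((\d+)\), Dst Port: \S+ \((\d+)\)")
SPI_RE = re.compile(r"SPI=(0x[0-9a-fA-F]+)")
NAT_T_PORT = 4500  # port both peers float to once NAT-D finds a NAT (RFC 3947)

# Constructed dump with placeholder addresses (not the poster's), mirroring the
# thread: the first client keeps NAT port 4500 and works, the second is mapped
# to 32768 and only ever retransmits its own ESP.
SAMPLE = """\
No.     Time        Source                Destination           Protocol Info
    11 0.120052    192.0.2.73            192.0.2.71            ISAKMP   Quick Mode
User Datagram Protocol, Src Port: 4500 (4500), Dst Port: 4500 (4500)
    15 0.128921    192.0.2.73            192.0.2.71            ESP      ESP (SPI=0x2664cce3)
User Datagram Protocol, Src Port: 4500 (4500), Dst Port: 4500 (4500)
    16 0.129229    192.0.2.71            192.0.2.73            ESP      ESP (SPI=0x97b03f7f)
User Datagram Protocol, Src Port: 4500 (4500), Dst Port: 4500 (4500)
    20 31.019896   192.0.2.73            192.0.2.71            ISAKMP   Identity Protection (Main Mode)
User Datagram Protocol, Src Port: 32767 (32767), Dst Port: isakmp (500)
    24 31.209178   192.0.2.73            192.0.2.71            IP       Fragmented IP protocol (proto=UDP 0x11, off=0) [Reassembled in #26]
    30 31.246417   192.0.2.73            192.0.2.71            ISAKMP   Quick Mode
User Datagram Protocol, Src Port: 32768 (32768), Dst Port: 4500 (4500)
    34 31.267397   192.0.2.73            192.0.2.71            ESP      ESP (SPI=0x91283f52)
User Datagram Protocol, Src Port: 32768 (32768), Dst Port: 4500 (4500)
    35 32.262500   192.0.2.73            192.0.2.71            ESP      ESP (SPI=0x91283f52)
User Datagram Protocol, Src Port: 32768 (32768), Dst Port: 4500 (4500)
    36 34.265703   192.0.2.73            192.0.2.71            ESP      ESP (SPI=0x91283f52)
User Datagram Protocol, Src Port: 32768 (32768), Dst Port: 4500 (4500)
    44 71.053954   192.0.2.73            192.0.2.71            UDPENCAP
User Datagram Protocol, Src Port: 32768 (32768), Dst Port: 4500 (4500)
"""


def parse_dump(text):
    """Return one dict per frame; IP fragments carry no UDP ports (None)."""
    frames = []
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            no, t, src, dst, proto, info = m.groups()
            frames.append({"no": int(no), "time": float(t), "src": src, "dst": dst,
                           "proto": proto, "info": info, "sport": None, "dport": None})
        elif frames and (m := UDP_RE.search(line)):
            frames[-1]["sport"], frames[-1]["dport"] = int(m.group(1)), int(m.group(2))
    return frames


def analyse_dump(text, server_ip):
    """Group NAT-T traffic by the port the NAT presented to the server and judge each mapping."""
    new = lambda: {"ike": 0, "client_esp": 0, "server_esp": 0, "keepalives": 0,
                   "client_spis": set(), "esp_times": []}
    sessions = defaultdict(new)
    for f in parse_dump(text):
        if f["sport"] is None:
            continue  # fragment; Wireshark reassembles it into the following frame
        from_client = f["src"] != server_ip
        nat_port = f["sport"] if from_client else f["dport"]  # what the NAT chose
        far_port = f["dport"] if from_client else f["sport"]  # server-side port
        if far_port != NAT_T_PORT:
            continue  # IKE on UDP 500 precedes the float; nothing to judge yet
        s = sessions[nat_port]
        if f["proto"] == "ESP" and from_client:
            s["client_esp"] += 1
            s["client_spis"].add(SPI_RE.search(f["info"]).group(1))
            s["esp_times"].append(f["time"])
        elif f["proto"] == "ESP":
            s["server_esp"] += 1
        elif f["proto"] == "ISAKMP":
            s["ike"] += 1
        elif f["proto"] == "UDPENCAP":
            s["keepalives"] += 1  # 1-byte 0xFF NAT-keepalive (RFC 3948), cf. frame 44
    return {p: dict(s, client_spis=sorted(s["client_spis"]), verdict=_verdict(s))
            for p, s in sessions.items()}


def _verdict(s):
    if s["server_esp"]:
        return "established"  # the server answered inside the tunnel
    if s["client_esp"] >= 2 and len(s["client_spis"]) == 1:
        gaps = [round(b - a, 1) for a, b in zip(s["esp_times"], s["esp_times"][1:])]
        return f"failed: one SPI sent {s['client_esp']}x with no ESP reply, gaps {gaps}s"
    return "incomplete"


if __name__ == "__main__":
    for port, s in sorted(analyse_dump(SAMPLE, "192.0.2.71").items()):
        print(f"NAT port {port}: {s['verdict']}")
```

A mapping reported as "failed" with growing gaps is the signature from the thread: the client re-sends the same SA while the server drops it, which is exactly what the Event ID 4290 entries and the silent ESP in the posted traces show.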
RE: L2TP/IPSec behind NAT - 18.May2007 3:16:44 AM   
isa_user
hi justmee,
I'm very happy that you spend time on answering my problems :o)

First some general things:
- routers I've tested with: some Bintec, some Artem, and a Siemens router
- right now it is a Netgear FWG114P (Netgear says 4 VPN passthrough clients at one time are possible, see: http://kbserver.netgear.com/kb_web_files/n101222.asp)
- (I tried it with AND without the VPN passthrough option enabled in the Netgear router; same thing)
However, things are making me crazy..
because sometimes the second connection is WORKING !?
This will be a long post :o) ....

First I have a trace of the 2 clients (the first is OK, the second FAILS):

No.     Time        Source                Destination           Protocol Info
     1 0.000000    *.*.0.73            *.*.0.71            ISAKMP   Identity Protection (Main Mode)
Frame 1
Internet Protocol, Src: *.*.0.73 (*.*.0.73), Dst: *.*.0.71 (*.*.0.71)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
   Source port: isakmp (500)
   Destination port: isakmp (500)
   Length: 320
   Checksum: 0x5073 [correct]
Internet Security Association and Key Management Protocol


No.     Time        Source                Destination           Protocol Info
     2 0.002296    *.*.0.71            *.*.0.73            ISAKMP   Identity Protection (Main Mode)
Frame 2
Internet Protocol, Src: *.*.0.71 (*.*.0.71), Dst: *.*.0.73 (*.*.0.73)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
   Source port: isakmp (500)
   Destination port: isakmp (500)
   Length: 156
   Checksum: 0x6c59 [correct]
Internet Security Association and Key Management Protocol


No.     Time        Source                Destination           Protocol Info
     3 0.032866    *.*.0.73            *.*.0.71            ISAKMP   Identity Protection (Main Mode)
Frame 3
Internet Protocol, Src: *.*.0.73 (*.*.0.73), Dst: *.*.0.71 (*.*.0.71)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
   Source port: isakmp (500)
   Destination port: isakmp (500)
   Length: 240
   Checksum: 0x572e [correct]
Internet Security Association and Key Management Protocol


No.     Time        Source                Destination           Protocol Info
     4 0.078146    *.*.0.71            *.*.0.73            ISAKMP   Identity Protection (Main Mode)
Frame 4
Internet Protocol, Src: *.*.0.71 (*.*.0.71), Dst: *.*.0.73 (*.*.0.73)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
   Source port: isakmp (500)
   Destination port: isakmp (500)
   Length: 343
   Checksum: 0xaa9b [correct]
Internet Security Association and Key Management Protocol


No.     Time        Source                Destination           Protocol Info
     5 0.096661    *.*.0.73            *.*.0.71            IP       Fragmented IP protocol (proto=UDP 0x11, off=0) [Reassembled in #7]
Frame 5
Internet Protocol, Src: *.*.0.73 (*.*.0.73), Dst: *.*.0.71 (*.*.0.71)
Data (1480 bytes)


No.     Time        Source                Destination           Protocol Info
     6 0.097888    *.*.0.73            *.*.0.71            IP       Fragmented IP protocol (proto=UDP 0x11, off=1480) [Reassembled in #7]
Frame 6
Internet Protocol, Src: *.*.0.73 (*.*.0.73), Dst: *.*.0.71 (*.*.0.71)
Data (1480 bytes)


No.     Time        Source                Destination           Protocol Info
     7 0.098517    *.*.0.73            *.*.0.71            ISAKMP   Identity Protection (Main Mode)
Frame 7
Internet Protocol, Src: *.*.0.73 (*.*.0.73), Dst: *.*.0.71 (*.*.0.71)
User Datagram Protocol, Src Port: 4500 (4500), Dst Port: 4500 (4500)
   Source port: 4500 (4500)
   Destination port: 4500 (4500)
   Length: 3688 (bogus, should be 728)
   Checksum: 0x54cd [correct]
UDP Encapsulation of IPsec Packets
   Non-ESP Marker
Internet Security Association and Key Management Protocol


No.     Time        Source                Destination           Protocol Info
     8 0.113545    *.*.0.71            *.*.0.73            IP       Fragmented IP protocol (proto=UDP 0x11, off=0) [Reassembled in #10]
Frame 8
Internet Protocol, Src: *.*.0.71 (*.*.0.71), Dst: *.*.0.73 (*.*.0.73)
Data (1480 bytes)


No.     Time        Source                Destination           Protocol Info
     9 0.114773    *.*.0.71            *.*.0.73            IP       Fragmented IP protocol (proto=UDP 0x11, off=1480) [Reassembled in #10]
Frame 9
Internet Protocol, Src: *.*.0.71 (*.*.0.71), Dst: *.*.0.73 (*.*.0.73)
Data (1480 bytes)


No.     Time        Source                Destination           Protocol Info
    10 0.115318    *.*.0.71            *.*.0.73            ISAKMP   Identity Protection (Main Mode)
Frame 10
Internet Protocol, Src: *.*.0.71 (*.*.0.71), Dst: *.*.0.73 (*.*.0.73)
User Datagram Protocol, Src Port: 4500 (4500), Dst Port: 4500 (4500)
   Source port: 4500 (4500)
   Destination port: 4500 (4500)
   Length: 3584 (bogus, should be 624)
   Checksum: 0xa3af [correct]
UDP Encapsulation of IPsec Packets
   Non-ESP Marker
Internet Security Association and Key Management Protocol


No.     Time        Source                Destination           Protocol Info
    11 0.120052    *.*.0.73            *.*.0.71            ISAKMP   Quick Mode
Frame 11
Internet Protocol, Src: *.*.0.73 (*.*.0.73), Dst: *.*.0.71 (*.*.0.71)
User Datagram Protocol, Src Port: 4500 (4500), Dst Port: 4500 (4500)
   Source port: 4500 (4500)
   Destination port: 4500 (4500)
   Length: 328
   Checksum: 0x2ee6 [correct]
UDP Encapsulation of IPsec Packets
   Non-ESP Marker
Internet Security Association and Key Management Protocol


No.     Time        Source                Destination           Protocol Info
    12 0.122585    *.*.0.71            *.*.0.73            ISAKMP   Quick Mode
Frame 12
Internet Protocol, Src: *.*.0.71 (*.*.0.71), Dst: *.*.0.73 (*.*.0.73)
User Datagram Protocol, Src Port: 4500 (4500), Dst Port: 4500 (4500)
   Source port: 4500 (4500)
   Destination port: 4500 (4500)
   Length: 200
   Checksum: 0x3965 [correct]
UDP Encapsulation of IPsec Packets
   Non-ESP Marker
Internet Security Association and Key Management Protocol


No.     Time        Source                Destination           Protocol Info
    13 0.124878    *.*.0.73            *.*.0.71            ISAKMP   Quick Mode
Frame 13
Internet Protocol, Src: *.*.0.73 (*.*.0.73), Dst: *.*.0.71 (*.*.0.71)
User Datagram Protocol, Src Port: 4500 (4500), Dst Port: 4500 (4500)
   Source port: 4500 (4500)
   Destination port: 4500 (4500)
   Length: 64
   Checksum: 0xf47f [correct]
UDP Encapsulation of IPsec Packets
   Non-ESP Marker
Internet Security Association and Key Management Protocol


No.     Time        Source                Destination           Protocol Info
    14 0.126100    *.*.0.71            *.*.0.73            ISAKMP   Quick Mode
Frame 14
Internet Protocol, Src: *.*.0.71 (*.*.0.71), Dst: *.*.0.73 (*.*.0.73)
User Datagram Protocol, Src Port: 4500 (4500), Dst Port: 4500 (4500)
   Source port: 4500 (4500)
   Destination port: 4500 (4500)
   Length: 96
   Checksum: 0xd501 [correct]
UDP Encapsulation of IPsec Packets
   Non-ESP Marker
Internet Security Association and Key Management Protocol


No.     Time        Source                Destination           Protocol Info
    15 0.128921    *.*.0.73            *.*.0.71            ESP      ESP (SPI=0x2664cce3)
Frame 15
Internet Protocol, Src: *.*.0.73 (*.*.0.73), Dst: *.*.0.71 (*.*.0.71)
User Datagram Protocol, Src Port: 4500 (4500), Dst Port: 4500 (4500)
   Source port: 4500 (4500)
   Destination port: 4500 (4500)
   Length: 164
   Checksum: 0x0000 (none)
UDP Encapsulation of IPsec Packets
Encapsulating Security Payload


No.     Time        Source                Destination           Protocol Info
    16 0.129229    *.*.0.71            *.*.0.73            ESP      ESP (SPI=0x97b03f7f)
Frame 16
Internet Protocol, Src: *.*.0.71 (*.*.0.71), Dst: *.*.0.73 (*.*.0.73)
User Datagram Protocol, Src Port: 4500 (4500), Dst Port: 4500 (4500)
   Source port: 4500 (4500)
   Destination port: 4500 (4500)
   Length: 164
   Checksum: 0x0000 (none)
UDP Encapsulation of IPsec Packets
Encapsulating Security Payload


No.     Time        Source                Destination           Protocol Info
    17 0.130976    *.*.0.73            *.*.0.71            ESP      ESP (SPI=0x2664cce3)
Frame 17
Internet Protocol, Src: *.*.0.73 (*.*.0.73), Dst: *.*.0.71 (*.*.0.71)
User Datagram Protocol, Src Port: 4500 (4500), Dst Port: 4500 (4500)
   Source port: 4500 (4500)
   Destination port: 4500 (4500)
   Length: 68
   Checksum: 0x0000 (none)
UDP Encapsulation of IPsec Packets
Encapsulating Security Payload


No.     Time        Source                Destination           Protocol Info
    18 0.131346    *.*.0.73            *.*.0.71            ESP      ESP (SPI=0x2664cce3)
Frame 18
Internet Protocol, Src: *.*.0.73 (*.*.0.73), Dst: *.*.0.71 (*.*.0.71)
User Datagram Protocol, Src Port: 4500 (4500), Dst Port: 4500 (4500)
   Source port: 4500 (4500)
   Destination port: 4500 (4500)
   Length: 100
   Checksum: 0x0000 (none)
UDP Encapsulation of IPsec Packets
Encapsulating Security Payload


No.     Time        Source                Destination           Protocol Info
    19 0.131448    *.*.0.71            *.*.0.73            ESP      ESP (SPI=0x97b03f7f)
Frame 19
Internet Protocol, Src: *.*.0.71 (*.*.0.71), Dst: *.*.0.73 (*.*.0.73)
User Datagram Protocol, Src Port: 4500 (4500), Dst Port: 4500 (4500)
   Source port: 4500 (4500)
   Destination port: 4500 (4500)
   Length: 60
   Checksum: 0x0000 (none)
UDP Encapsulation of IPsec Packets
Encapsulating Security Payload

------------now here comes the second (did not work)---------------------------

No.     Time        Source                Destination           Protocol Info
    20 31.019896   *.*.0.73            *.*.0.71            ISAKMP   Identity Protection (Main Mode)
Frame 20
Internet Protocol, Src: *.*.0.73 (*.*.0.73), Dst: *.*.0.71 (*.*.0.71)
User Datagram Protocol, Src Port: 32767 (32767), Dst Port: isakmp (500)
   Source port: 32767 (32767)
   Destination port: isakmp (500)
   Length: 320
   Checksum: 0x130d [correct]
Internet Security Association and Key Management Protocol


No.     Time        Source                Destination           Protocol Info
    21 31.022680   *.*.0.71            *.*.0.73            ISAKMP   Identity Protection (Main Mode)
Frame 21
Internet Protocol, Src: *.*.0.71 (*.*.0.71), Dst: *.*.0.73 (*.*.0.73)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: 32767 (32767)
   Source port: isakmp (500)
   Destination port: 32767 (32767)
   Length: 156
   Checksum: 0xc200 [correct]
Internet Security Association and Key Management Protocol


No.     Time        Source                Destination           Protocol Info
    22 31.087600   *.*.0.73            *.*.0.71            ISAKMP   Identity Protection (Main Mode)
Frame 22
Internet Protocol, Src: *.*.0.73 (*.*.0.73), Dst: *.*.0.71 (*.*.0.71)
User Datagram Protocol, Src Port: 32767 (32767), Dst Port: isakmp (500)
   Source port: 32767 (32767)
   Destination port: isakmp (500)
   Length: 240
   Checksum: 0x7102 [correct]
Internet Security Association and Key Management Protocol


No.     Time        Source                Destination           Protocol Info
    23 31.132930   *.*.0.71            *.*.0.73            ISAKMP   Identity Protection (Main Mode)
Frame 23
Internet Protocol, Src: *.*.0.71 (*.*.0.71), Dst: *.*.0.73 (*.*.0.73)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: 32767 (32767)
   Source port: isakmp (500)
   Destination port: 32767 (32767)
   Length: 343
   Checksum: 0x74d1 [correct]
Internet Security Association and Key Management Protocol


No.     Time        Source                Destination           Protocol Info
    24 31.209178   *.*.0.73            *.*.0.71            IP       Fragmented IP protocol (proto=UDP 0x11, off=0) [Reassembled in #26]
Frame 24
Internet Protocol, Src: *.*.0.73 (*.*.0.73), Dst: *.*.0.71 (*.*.0.71)
Data (1480 bytes)


No.     Time        Source                Destination           Protocol Info
    25 31.210406   *.*.0.73            *.*.0.71            IP       Fragmented IP protocol (proto=UDP 0x11, off=1480) [Reassembled in #26]
Frame 25
Internet Protocol, Src: *.*.0.73 (*.*.0.73), Dst: *.*.0.71 (*.*.0.71)
Data (1480 bytes)


No.     Time        Source                Destination           Protocol Info
    26 31.211026   *.*.0.73            *.*.0.71            ISAKMP   Identity Protection (Main Mode)
Frame 26
Internet Protocol, Src: *.*.0.73 (*.*.0.73), Dst: *.*.0.71 (*.*.0.71)
User Datagram Protocol, Src Port: 32768 (32768), Dst Port: 4500 (4500)
   Source port: 32768 (32768)
   Destination port: 4500 (4500)
   Length: 3680 (bogus, should be 720)
   Checksum: 0x5b02 [correct]
UDP Encapsulation of IPsec Packets
   Non-ESP Marker
Internet Security Association and Key Management Protocol


No.     Time        Source                Destination           Protocol Info
    27 31.227118   *.*.0.71            *.*.0.73            IP       Fragmented IP protocol (proto=UDP 0x11, off=0) [Reassembled in #29]
Frame 27
Internet Protocol, Src: *.*.0.71 (*.*.0.71), Dst: *.*.0.73 (*.*.0.73)
Data (1480 bytes)


No.     Time        Source                Destination           Protocol Info
    28 31.228348   *.*.0.71            *.*.0.73            IP       Fragmented IP protocol (proto=UDP 0x11, off=1480) [Reassembled in #29]
Frame 28
Internet Protocol, Src: *.*.0.71 (*.*.0.71), Dst: *.*.0.73 (*.*.0.73)
Data (1480 bytes)


No.     Time        Source                Destination           Protocol Info
    29 31.228891   *.*.0.71            *.*.0.73            ISAKMP   Identity Protection (Main Mode)
Frame 29
Internet Protocol, Src: *.*.0.71 (*.*.0.71), Dst: *.*.0.73 (*.*.0.73)
User Datagram Protocol, Src Port: 4500 (4500), Dst Port: 32768 (32768)
   Source port: 4500 (4500)
   Destination port: 32768 (32768)
   Length: 3584 (bogus, should be 624)
   Checksum: 0x3333 [correct]
UDP Encapsulation of IPsec Packets
   Non-ESP Marker
Internet Security Association and Key Management Protocol


No.     Time        Source                Destination           Protocol Info
    30 31.246417   *.*.0.73            *.*.0.71            ISAKMP   Quick Mode
Frame 30
Internet Protocol, Src: *.*.0.73 (*.*.0.73), Dst: *.*.0.71 (*.*.0.71)
User Datagram Protocol, Src Port: 32768 (32768), Dst Port: 4500 (4500)
   Source port: 32768 (32768)
   Destination port: 4500 (4500)
   Length: 328
   Checksum: 0x08ae [correct]
UDP Encapsulation of IPsec Packets
   Non-ESP Marker
Internet Security Association and Key Management Protocol


No.     Time        Source                Destination           Protocol Info
    31 31.248919   *.*.0.71            *.*.0.73            ISAKMP   Quick Mode
Frame 31
Internet Protocol, Src: *.*.0.71 (*.*.0.71), Dst: *.*.0.73 (*.*.0.73)
User Datagram Protocol, Src Port: 4500 (4500), Dst Port: 32768 (32768)
   Source port: 4500 (4500)
   Destination port: 32768 (32768)
   Length: 200
   Checksum: 0x364e [correct]
UDP Encapsulation of IPsec Packets
   Non-ESP Marker
Internet Security Association and Key Management Protocol


No.     Time        Source                Destination           Protocol Info
    32 31.253539   *.*.0.73            *.*.0.71            ISAKMP   Quick Mode
Frame 32
Internet Protocol, Src: *.*.0.73 (*.*.0.73), Dst: *.*.0.71 (*.*.0.71)
User Datagram Protocol, Src Port: 32768 (32768), Dst Port: 4500 (4500)
   Source port: 32768 (32768)
   Destination port: 4500 (4500)
   Length: 64
   Checksum: 0x5b41 [correct]
UDP Encapsulation of IPsec Packets
   Non-ESP Marker
Internet Security Association and Key Management Protocol


No.     Time        Source                Destination           Protocol Info
    33 31.254671   *.*.0.71            *.*.0.73            ISAKMP   Quick Mode
Frame 33
Internet Protocol, Src: *.*.0.71 (*.*.0.71), Dst: *.*.0.73 (*.*.0.73)
User Datagram Protocol, Src Port: 4500 (4500), Dst Port: 32768 (32768)
   Source port: 4500 (4500)
   Destination port: 32768 (32768)
   Length: 96
   Checksum: 0x748d [correct]
UDP Encapsulation of IPsec Packets
   Non-ESP Marker
Internet Security Association and Key Management Protocol


No.     Time        Source                Destination           Protocol Info
    34 31.267397   *.*.0.73            *.*.0.71            ESP      ESP (SPI=0x91283f52)
Frame 34
Internet Protocol, Src: *.*.0.73 (*.*.0.73), Dst: *.*.0.71 (*.*.0.71)
User Datagram Protocol, Src Port: 32768 (32768), Dst Port: 4500 (4500)
   Source port: 32768 (32768)
   Destination port: 4500 (4500)
   Length: 164
   Checksum: 0x0000 (none)
UDP Encapsulation of IPsec Packets
Encapsulating Security Payload


No.     Time        Source                Destination           Protocol Info
    35 32.262500   *.*.0.73            *.*.0.71            ESP      ESP (SPI=0x91283f52)
Frame 35
Internet Protocol, Src: *.*.0.73 (*.*.0.73), Dst: *.*.0.71 (*.*.0.71)
User Datagram Protocol, Src Port: 32768 (32768), Dst Port: 4500 (4500)
   Source port: 32768 (32768)
   Destination port: 4500 (4500)
   Length: 164
   Checksum: 0x0000 (none)
UDP Encapsulation of IPsec Packets
Encapsulating Security Payload


No.     Time        Source                Destination           Protocol Info
    36 34.265703   *.*.0.73            *.*.0.71            ESP      ESP (SPI=0x91283f52)
Frame 36
Internet Protocol, Src: *.*.0.73 (*.*.0.73), Dst: *.*.0.71 (*.*.0.71)
User Datagram Protocol, Src Port: 32768 (32768), Dst Port: 4500 (4500)
   Source port: 32768 (32768)
   Destination port: 4500 (4500)
   Length: 164
   Checksum: 0x0000 (none)
UDP Encapsulation of IPsec Packets
Encapsulating Security Payload


No.     Time        Source                Destination           Protocol Info
    37 38.272099   *.*.0.73            *.*.0.71            ESP      ESP (SPI=0x91283f52)
Frame 37
Internet Protocol, Src: *.*.0.73 (*.*.0.73), Dst: *.*.0.71 (*.*.0.71)
User Datagram Protocol, Src Port: 32768 (32768), Dst Port: 4500 (4500)
   Source port: 32768 (32768)
   Destination port: 4500 (4500)
   Length: 164
   Checksum: 0x0000 (none)
UDP Encapsulation of IPsec Packets
Encapsulating Security Payload


No.     Time        Source                Destination           Protocol Info
    38 46.274810   *.*.0.73            *.*.0.71            ESP      ESP (SPI=0x91283f52)
Frame 38
Internet Protocol, Src: *.*.0.73 (*.*.0.73), Dst: *.*.0.71 (*.*.0.71)
User Datagram Protocol, Src Port: 32768 (32768), Dst Port: 4500 (4500)
   Source port: 32768 (32768)
   Destination port: 4500 (4500)
   Length: 164
   Checksum: 0x0000 (none)
UDP Encapsulation of IPsec Packets
Encapsulating Security Payload


No.     Time        Source                Destination           Protocol Info
    39 56.280850   *.*.0.73            *.*.0.71            ESP      ESP (SPI=0x91283f52)
Frame 39
Internet Protocol, Src: *.*.0.73 (*.*.0.73), Dst: *.*.0.71 (*.*.0.71)
User Datagram Protocol, Src Port: 32768 (32768), Dst Port: 4500 (4500)
   Source port: 32768 (32768)
   Destination port: 4500 (4500)
   Length: 164
   Checksum: 0x0000 (none)
UDP Encapsulation of IPsec Packets
Encapsulating Security Payload


No.     Time        Source                Destination           Protocol Info
    40 66.298372   *.*.0.73            *.*.0.71            ISAKMP   Informational
Frame 40
Internet Protocol, Src: *.*.0.73 (*.*.0.73), Dst: *.*.0.71 (*.*.0.71)
User Datagram Protocol, Src Port: 32768 (32768), Dst Port: 4500 (4500)
   Source port: 32768 (32768)
   Destination port: 4500 (4500)
   Length: 104
   Checksum: 0x5e31 [correct]
UDP Encapsulation of IPsec Packets
   Non-ESP Marker
Internet Security Association and Key Management Protocol


No.     Time        Source                Destination           Protocol Info
    41 66.299283   *.*.0.71            *.*.0.73            ISAKMP   Informational
Frame 41
Internet Protocol, Src: *.*.0.71 (*.*.0.71), Dst: *.*.0.73 (*.*.0.73)
User Datagram Protocol, Src Port: 4500 (4500), Dst Port: 32768 (32768)
   Source port: 4500 (4500)
   Destination port: 32768 (32768)
   Length: 104
   Checksum: 0x7bc3 [correct]
UDP Encapsulation of IPsec Packets
   Non-ESP Marker
Internet Security Association and Key Management Protocol


No.     Time        Source                Destination           Protocol Info
    42 66.312821   *.*.0.73            *.*.0.71            ISAKMP   Informational
Frame 42
Internet Protocol, Src: *.*.0.73 (*.*.0.73), Dst: *.*.0.71 (*.*.0.71)
User Datagram Protocol, Src Port: 32768 (32768), Dst Port: 4500 (4500)
   Source port: 32768 (32768)
   Destination port: 4500 (4500)
   Length: 120
   Checksum: 0x546c [correct]
UDP Encapsulation of IPsec Packets
   Non-ESP Marker
Internet Security Association and Key Management Protocol


No.     Time        Source                Destination           Protocol Info
    43 66.314134   *.*.0.71            *.*.0.73            ISAKMP   Informational
Frame 43
Internet Protocol, Src: *.*.0.71 (*.*.0.71), Dst: *.*.0.73 (*.*.0.73)
User Datagram Protocol, Src Port: 4500 (4500), Dst Port: 32768 (32768)
   Source port: 4500 (4500)
   Destination port: 32768 (32768)
   Length: 120
   Checksum: 0xa054 [correct]
UDP Encapsulation of IPsec Packets
   Non-ESP Marker
Internet Security Association and Key Management Protocol


No.     Time        Source                Destination           Protocol Info
    44 71.053954   *.*.0.73            *.*.0.71            UDPENCAP
Frame 44
Internet Protocol, Src: *.*.0.73 (*.*.0.73), Dst: *.*.0.71 (*.*.0.71)
User Datagram Protocol, Src Port: 32768 (32768), Dst Port: 4500 (4500)
   Source port: 32768 (32768)
   Destination port: 4500 (4500)
   Length: 9
   Checksum: 0xf24e [correct]
UDP Encapsulation of IPsec Packets
   NAT-keepalive packet
-------------------------------------------------
and now a trace roughly 10 min later; the first client works fine, AND the second too ...
the trace from the second:



No.     Time        Source                Destination           Protocol Info
   334 23.832558   *.*.0.73            *.*.0.71            ISAKMP   Identity Protection (Main Mode)
Frame 334
Internet Protocol, Src: *.*.0.73 (*.*.0.73), Dst: *.*.0.71 (*.*.0.71)
User Datagram Protocol, Src Port: 32769 (32769), Dst Port: isakmp (500)
   Source port: 32769 (32769)
   Destination port: isakmp (500)
   Length: 320
   Checksum: 0x50f9 [correct]
Internet Security Association and Key Management Protocol


No.     Time        Source                Destination           Protocol Info
   335 23.835370   *.*.0.71            *.*.0.73            ISAKMP   Identity Protection (Main Mode)
Frame 335
Internet Protocol, Src: *.*.0.71 (*.*.0.71), Dst: *.*.0.73 (*.*.0.73)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: 32769 (32769)
   Source port: isakmp (500)
   Destination port: 32769 (32769)
   Length: 156
   Checksum: 0xf847 [correct]
Internet Security Association and Key Management Protocol


No.     Time        Source                Destination           Protocol Info
   336 23.889566   *.*.0.73            *.*.0.71            ISAKMP   Identity Protection (Main Mode)
Frame 336
Internet Protocol, Src: *.*.0.73 (*.*.0.73), Dst: *.*.0.71 (*.*.0.71)
User Datagram Protocol, Src Port: 32769 (32769), Dst Port: isakmp (500)
   Source port: 32769 (32769)
   Destination port: isakmp (500)
   Length: 240
   Checksum: 0xe2ef [correct]
Internet Security Association and Key Management Protocol


No.     Time        Source                Destination           Protocol Info
   337 23.935096   *.*.0.71            *.*.0.73            ISAKMP   Identity Protection (Main Mode)
Frame 337
Internet Protocol, Src: *.*.0.71 (*.*.0.71), Dst: *.*.0.73 (*.*.0.73)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: 32769 (32769)
   Source port: isakmp (500)
   Destination port: 32769 (32769)
   Length: 343
   Checksum: 0x8a30 [correct]
Internet Security Association and Key Management Protocol


No.     Time        Source                Destination           Protocol Info
   338 23.981642   *.*.0.73            *.*.0.71            IP       Fragmented IP protocol (proto=UDP 0x11, off=0) [Reassembled in #340]
Frame 338
Internet Protocol, Src: *.*.0.73 (*.*.0.73), Dst: *.*.0.71 (*.*.0.71)
Data (1480 bytes)


No.     Time        Source                Destination           Protocol Info
   339 23.982869   *.*.0.73            *.*.0.71            IP       Fragmented IP protocol (proto=UDP 0x11, off=1480) [Reassembled in #340]
Frame 339
Internet Protocol, Src: *.*.0.73 (*.*.0.73), Dst: *.*.0.71 (*.*.0.71)
Data (1480 bytes)


No.     Time        Source                Destination           Protocol Info
   340 23.983490   *.*.0.73            *.*.0.71            ISAKMP   Identity Protection (Main Mode)
Frame 340
Internet Protocol, Src: *.*.0.73 (*.*.0.73), Dst: *.*.0.71 (*.*.0.71)
User Datagram Protocol, Src Port: 32768 (32768), Dst Port: 4500 (4500)
   Source port: 32768 (32768)
   Destination port: 4500 (4500)
   Length: 3680 (bogus, should be 720)
   Checksum: 0x5963 [correct]
UDP Encapsulation of IPsec Packets
   Non-ESP Marker
Internet Security Association and Key Management Protocol


No.     Time        Source                Destination           Protocol Info
   341 23.999215   *.*.0.71            *.*.0.73            IP       Fragmented IP protocol (proto=UDP 0x11, off=0) [Reassembled in #343]
Frame 341
Internet Protocol, Src: *.*.0.71 (*.*.0.71), Dst: *.*.0.73 (*.*.0.73)
Data (1480 bytes)


No.     Time        Source                Destination           Protocol Info
   342 24.000444   *.*.0.71            *.*.0.73            IP       Fragmented IP protocol (proto=UDP 0x11, off=1480) [Reassembled in #343]
Frame 342
Internet Protocol, Src: *.*.0.71 (*.*.0.71), Dst: *.*.0.73 (*.*.0.73)
Data (1480 bytes)


No.     Time        Source                Destination           Protocol Info
   343 24.000991   *.*.0.71            *.*.0.73            ISAKMP   Identity Protection (Main Mode)
Frame 343
Internet Protocol, Src: *.*.0.71 (*.*.0.71), Dst: *.*.0.73 (*.*.0.73)
User Datagram Protocol, Src Port: 4500 (4500), Dst Port: 32768 (32768)
   Source port: 4500 (4500)
   Destination port: 32768 (32768)
   Length: 3584 (bogus, should be 624)
   Checksum: 0xd28c [correct]
UDP Encapsulation of IPsec Packets
   Non-ESP Marker
Internet Security Association and Key Management Protocol


No.     Time        Source                Destination           Protocol Info
   344 24.019281   *.*.0.73            *.*.0.71            ISAKMP   Quick Mode
Frame 344
Internet Protocol, Src: *.*.0.73 (*.*.0.73), Dst: *.*.0.71 (*.*.0.71)
User Datagram Protocol, Src Port: 32768 (32768), Dst Port: 4500 (4500)
   Source port: 32768 (32768)
   Destination port: 4500 (4500)
   Length: 328
   Checksum: 0xe123 [correct]
UDP Encapsulation of IPsec Packets
   Non-ESP Marker
Internet Security Association and Key Management Protocol


No.     Time        Source                Destination           Protocol Info
   345 24.021782   *.*.0.71            *.*.0.73            ISAKMP   Quick Mode
Frame 345
Internet Protocol, Src: *.*.0.71 (*.*.0.71), Dst: *.*.0.73 (*.*.0.73)
User Datagram Protocol, Src Port: 4500 (4500), Dst Port: 32768 (32768)
   Source port: 4500 (4500)
   Destination port: 32768 (32768)
   Length: 200
   Checksum: 0xbafd [correct]
UDP Encapsulation of IPsec Packets
   Non-ESP Marker
Internet Security Association and Key Management Protocol


No.     Time        Source                Destination           Protocol Info
   346 24.026589   *.*.0.73            *.*.0.71            ISAKMP   Quick Mode
Frame 346
Internet Protocol, Src: *.*.0.73 (*.*.0.73), Dst: *.*.0.71 (*.*.0.71)
User Datagram Protocol, Src Port: 32768 (32768), Dst Port: 4500 (4500)
   Source port: 32768 (32768)
   Destination port: 4500 (4500)
   Length: 64
   Checksum: 0x79e6 [correct]
UDP Encapsulation of IPsec Packets
   Non-ESP Marker
Internet Security Association and Key Management Protocol


No.     Time        Source                Destination           Protocol Info
   347 24.031828   *.*.0.71            *.*.0.73            ISAKMP   Quick Mode
Frame 347
Internet Protocol, Src: *.*.0.71 (*.*.0.71), Dst: *.*.0.73 (*.*.0.73)
User Datagram Protocol, Src Port: 4500 (4500), Dst Port: 32768 (32768)
   Source port: 4500 (4500)
   Destination port: 32768 (32768)
   Length: 96
   Checksum: 0xd73a [correct]
UDP Encapsulation of IPsec Packets
   Non-ESP Marker
Internet Security Association and Key Management Protocol


No.     Time        Source                Destination           Protocol Info
   348 24.038039   *.*.0.73            *.*.0.71            ESP      ESP (SPI=0xd49be094)
Frame 348
Internet Protocol, Src: *.*.0.73 (*.*.0.73), Dst: *.*.0.71 (*.*.0.71)
User Datagram Protocol, Src Port: 32768 (32768), Dst Port: 4500 (4500)
   Source port: 32768 (32768)
   Destination port: 4500 (4500)
   Length: 164
   Checksum: 0x0000 (none)
UDP Encapsulation of IPsec Packets
Encapsulating Security Payload
   SPI: 0xd49be094
   Sequence: 1


No.     Time        Source                Destination           Protocol Info
   349 24.038370   *.*.0.71            *.*.0.73            ESP      ESP (SPI=0xd06530f8)
Frame 349
Internet Protocol, Src: *.*.0.71 (*.*.0.71), Dst: *.*.0.73 (*.*.0.73)
User Datagram Protocol, Src Port: 4500 (4500), Dst Port: 32768 (32768)
   Source port: 4500 (4500)
   Destination port: 32768 (32768)
   Length: 164
   Checksum: 0x0000 (none)
UDP Encapsulation of IPsec Packets
Encapsulating Security Payload
   SPI: 0xd06530f8
   Sequence: 1


No.     Time        Source                Destination           Protocol Info
   350 24.043240   *.*.0.73            *.*.0.71            ESP      ESP (SPI=0xd49be094)
Frame 350
Internet Protocol, Src: *.*.0.73 (*.*.0.73), Dst: *.*.0.71 (*.*.0.71)
User Datagram Protocol, Src Port: 32768 (32768), Dst Port: 4500 (4500)
   Source port: 32768 (32768)
   Destination port: 4500 (4500)
   Length: 68
   Checksum: 0x0000 (none)
UDP Encapsulation of IPsec Packets
Encapsulating Security Payload
   SPI: 0xd49be094
   Sequence: 2


No.     Time        Source                Destination           Protocol Info
   351 24.043510   *.*.0.71            *.*.0.73            ESP      ESP (SPI=0xd06530f8)
Frame 351
Internet Protocol, Src: *.*.0.71 (*.*.0.71), Dst: *.*.0.73 (*.*.0.73)
User Datagram Protocol, Src Port: 4500 (4500), Dst Port: 32768 (32768)
   Source port: 4500 (4500)
   Destination port: 32768 (32768)
   Length: 60
   Checksum: 0x0000 (none)
UDP Encapsulation of IPsec Packets
Encapsulating Security Payload
   SPI: 0xd06530f8
   Sequence: 2


No.     Time        Source                Destination           Protocol Info
   352 24.043884   *.*.0.73            *.*.0.71            ESP      ESP (SPI=0xd49be094)
Frame 352
Internet Protocol, Src: *.*.0.73 (*.*.0.73), Dst: *.*.0.71 (*.*.0.71)
User Datagram Protocol, Src Port: 32768 (32768), Dst Port: 4500 (4500)
   Source port: 32768 (32768)
   Destination port: 4500 (4500)
   Length: 100
   Checksum: 0x0000 (none)
UDP Encapsulation of IPsec Packets
Encapsulating Security Payload
   SPI: 0xd49be094
   Sequence: 3


No.     Time        Source                Destination           Protocol Info
   353 24.044109   *.*.0.71            *.*.0.73            ESP      ESP (SPI=0xd06530f8)
Frame 353
Internet Protocol, Src: *.*.0.71 (*.*.0.71), Dst: *.*.0.73 (*.*.0.73)
User Datagram Protocol, Src Port: 4500 (4500), Dst Port: 32768 (32768)
   Source port: 4500 (4500)
   Destination port: 32768 (32768)
   Length: 60
   Checksum: 0x0000 (none)
UDP Encapsulation of IPsec Packets
Encapsulating Security Payload
   SPI: 0xd06530f8
   Sequence: 3

----------------
- in the ISA log there is not much to see, only IKE-Client (disconnected) and IPSec-NAT-T-Client (disconnected), then nothing more

- i've tried combinations with many other clients - every time the same thing

- what i absolutely don't understand is that sometimes 2 or more clients can connect and sometimes only 1 - not logical for a newbie like me :o)

- the only error on the client is: Error 678 The remote computer did not respond..

i hope you have some more ideas?

thank you for reading the long traces :o)

greets and a nice weekend!
isa_user




(in reply to justmee)
Post #: 5
RE: L2TP/IPSec behind NAT - 18.May2007 5:58:45 AM   
justmee

 

Posts: 505
Joined: 14.May2007
Status: offline
Hi isa_user,
I do not know what exactly that VPN passthrough on the Netgear does. The purpose of NAT-T was to enable the NAT device to do exactly nothing. NAT devices break ESP traffic, but with NAT-T the ESP traffic is encapsulated in UDP packets. So the NAT device will never see it and thus it does not have
to be aware of it. Only the two peers, VPN client and VPN server, must be NAT-T enabled, which is the case for Microsoft's VPN client and the ISA Firewall.
IPSec/VPN passthrough on the other hand makes the NAT device knowledgeable about ESP. In theory the two don't have problems with each other because with NAT-T the NAT device won't see the ESP traffic.
But there are some NAT boxes with passthrough out there that will break NAT-T.
In your case everything seems to be fine (that Netgear is rather a cheap all-in-one solution, so maybe the problem is with it). NAT-T does its job, but for some reason ISA does not respond to the first UDP-encapsulated ESP packet, which should mark the start of the L2TP tunnel.
The only places where you might find any additional information are the IPSec Monitor MMC or the oakley.log, which is located in windir\debug\oakley (there it is shown in detail what was processed through the IKE phases, whether those were successful and the SA established).
www.vpnc.org/InteropProfiles/MS_IPSec_Interop_profile.doc
however I have doubts that you will find any clues there since IKE phases I and II
go fine, so this is probably what the IPSec Monitor or the oakley.log will show.
I suspect that it is not ISA that is dropping the packet; rather it would be a Windows problem if there is one (the IPSec driver).
But I don't know why.
I'm sorry but at this moment I'm not able to figure out any decent answer to your problem.
The only suggestion I can make, if you are not in a hurry, is to wait a little bit, because on these forums I know there are guys with great knowledge and experience with VPN and maybe some of them will find an answer.
If you are in a rush contact Microsoft PSS and see what's their solution to your problems.
Best regards!

(in reply to isa_user)
Post #: 6
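The post above explains what NAT-T actually puts on the wire, and the trace earlier in the thread shows the three shapes a UDP/4500 datagram can take: "Non-ESP Marker" followed by ISAKMP, plain ESP, and the one-byte NAT-keepalive. The following is an added example (written for this page, not code from the thread participants or from Microsoft) that classifies such datagrams the way the dissector did, using the framing from RFC 3948 and the ISAKMP header layout from RFC 2408. The sample datagrams at the bottom are constructed; the cookies, bodies and the exchange sequence are assumptions that only mirror the order seen in the trace.

```python
import struct

# Framing from RFC 3948 (UDP encapsulation of ESP) and RFC 2408 (ISAKMP header).
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # 4 zero bytes: datagram carries IKE, not ESP
NAT_KEEPALIVE = b"\xff"                # single 0xFF byte keeps the NAT mapping alive
ISAKMP_HDR = "!8s8sBBBBII"             # I-cookie, R-cookie, next, version, xchg, flags, msgid, len
ISAKMP_HDR_LEN = struct.calcsize(ISAKMP_HDR)  # 28 bytes

EXCHANGE_TYPES = {
    2: "Identity Protection (Main Mode)",
    4: "Aggressive",
    5: "Informational",
    32: "Quick Mode",
}


def classify_udp4500(payload: bytes) -> dict:
    """Classify one UDP/4500 payload the way a protocol dissector labels it."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if len(payload) < 8:
        raise ValueError("too short for ESP (SPI + sequence number)")
    if payload.startswith(NON_ESP_MARKER):
        ike = payload[len(NON_ESP_MARKER):]
        if len(ike) < ISAKMP_HDR_LEN:
            raise ValueError("truncated ISAKMP header")
        (i_cookie, r_cookie, _next, version, xchg,
         flags, msg_id, length) = struct.unpack(ISAKMP_HDR, ike[:ISAKMP_HDR_LEN])
        return {
            "kind": "isakmp",
            "exchange": EXCHANGE_TYPES.get(xchg, f"unknown({xchg})"),
            "initiator_cookie": i_cookie.hex(),
            "responder_cookie": r_cookie.hex(),
            "version": version >> 4,
            "encrypted": bool(flags & 0x01),      # E bit: payloads after the header are encrypted
            "message_id": msg_id,
            "length_ok": length == len(ike),      # header length field vs. bytes actually present
        }
    # Anything else is ESP. SPI 0 is reserved, which is what makes the marker unambiguous.
    spi, seq = struct.unpack("!II", payload[:8])
    if spi == 0:
        raise ValueError("ESP with SPI 0 is invalid")
    return {"kind": "esp", "spi": spi, "seq": seq}


def info_column(payload: bytes) -> str:
    """One-line summary in the style of the Info column of the trace."""
    d = classify_udp4500(payload)
    if d["kind"] == "esp":
        return f"ESP (SPI=0x{d['spi']:08x})"
    if d["kind"] == "isakmp":
        return f"ISAKMP {d['exchange']}"
    return "UDPENCAP NAT-keepalive"


def build_isakmp(exchange_type: int, message_id: int, body: bytes,
                 i_cookie: bytes = b"\x11" * 8, r_cookie: bytes = b"\x22" * 8,
                 encrypted: bool = False) -> bytes:
    """Constructed IKE datagram: non-ESP marker + ISAKMP header + opaque body."""
    flags = 0x01 if encrypted else 0x00
    hdr = struct.pack(ISAKMP_HDR, i_cookie, r_cookie, 1, 0x10, exchange_type, flags,
                      message_id, ISAKMP_HDR_LEN + len(body))
    return NON_ESP_MARKER + hdr + body


def build_esp(spi: int, seq: int, body: bytes) -> bytes:
    """Constructed ESP datagram: SPI + sequence number + opaque (encrypted) body."""
    return struct.pack("!II", spi, seq) + body


# Constructed sample datagrams (assumed contents), in the order the trace shows them.
SAMPLE_DATAGRAMS = [
    build_isakmp(2, 0, b"\x00" * 292),                             # Main Mode, plaintext
    build_isakmp(32, 0x1234ABCD, b"\x00" * 300, encrypted=True),   # Quick Mode
    build_esp(0xD49BE094, 1, b"\x00" * 156),                       # first L2TP packet inside ESP
    build_isakmp(5, 0xABCDEF01, b"\x00" * 76, encrypted=True),     # Informational (delete)
    NAT_KEEPALIVE,
]

if __name__ == "__main__":
    for p in SAMPLE_DATAGRAMS:
        print(info_column(p))
```

Feeding real UDP/4500 payloads (for example exported from a capture) through classify_udp4500 lets you confirm from the wire, independently of what either peer logs, whether a datagram that one side says it sent was IKE, ESP or a keepalive, and whether the ISAKMP length field matches what arrived.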
RE: L2TP/IPSec behind NAT - 18.May2007 2:24:56 PM   
spouseele

 

Posts: 12826
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi isa_user,

any chance you can post a link where we can download the oakley logs from the ISA server and the VPN clients?

HTH,
Stefaan

(in reply to justmee)
Post #: 7
RE: L2TP/IPSec behind NAT - 21.May2007 11:29:47 AM   
isa_user

 

Posts: 11
Joined: 15.May2007
Status: offline
hi justmee, hi spouseele, hi all,

i tried to read the oakley logs but i'm a newbie at that so it's a little bit confusing for me :o)
here are the links to them (i altered the ip addresses to *.* at the beginning)

Oakley Log from ISA-Server:
  when Client1 is successfully connected:
   http://www.dodix.eu/isaserver.org/ISA-oakley_client1-ok.log
  when Client2 is failed:
   http://www.dodix.eu/isaserver.org/ISA-oakley_client2-failed.log
And from Client1 (ok):
   http://www.dodix.eu/isaserver.org/client1-ok-oakley.log
And from Client2 (failed):
   http://www.dodix.eu/isaserver.org/client2-failed-oakley.log

maybe it's the netgear router (as justmee thinks); i also thought about it earlier when i tried the constellation with a bintec (funkwerk) router (same problem), because of that i tried that netgear. also with a siemens router the problem is the same.
maybe you have an idea of a better router? cisco maybe?

i'm very glad that you assist me!
best regards
isa_user

< Message edited by isa_user -- 22.May2007 12:56:50 PM >

(in reply to spouseele)
Post #: 8
RE: L2TP/IPSec behind NAT - 21.May2007 4:01:11 PM   
spouseele

 

Posts: 12826
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi isa_user,

I've looked at the oakley logs and I have to agree with justmee. The IKE phase I and II negotiations go fine. However, after the successful negotiation (about 30 seconds later) we see in the oakley log of the client:
quote:

5-21: 16:26:46:709:2f8 QM Deleted. Notify from driver: Src 192.168.0.2 Dest *.*.0.71 InSPI 292075460 OutSpi 1138960171  Tunnel 0 TunnelFilter 0
5-21: 16:26:46:709:2f8 Leaving adjust_peer_list entry 00151698 MMCount 0 QMCount 0

This is followed by the client notifying the remote partner (the ISA server) that the 'IPSec connection' should be terminated. So, it's definitely the client who initiates the closing of the 'IPSec connection'.

According to a previous posted excerpt of a netmon trace, we see that the first ESP packet from the client with the start of L2TP negotiation is *not* answered by the ISA server. The obvious question is why? My guess is that there is something wrong with one of the SPI values. If we want to investigate that further, we should have for a good *and* bad session the following info unmodified:
- network trace on the client
- network trace on the ISA external interface
- oakley log on the client
- oakley log on the ISA server

As far as I remember, I have successfully tested multiple simultaneous IPSec clients through ISA Servers, RRAS Servers, Cisco routers and Netscreen 5 devices.

HTH,
Stefaan

(in reply to isa_user)
Post #: 9
RE: L2TP/IPSec behind NAT - 22.May2007 4:40:50 AM   
justmee

 

Posts: 505
Joined: 14.May2007
Status: offline
Hi guys,
isa_user, you should keep that vpn passthrough feature (or whatever they call it) disabled.
If there is any wrong SPI value as Stefaan suggested, you can check this with IPSec Monitor by looking at the Statistics. However I think that the SPI numbers are fine.
The only way to solve this, as Stefaan said, is to put every little piece of information side by side.

(in reply to spouseele)
Post #: 10
RE: L2TP/IPSec behind NAT - 22.May2007 6:02:40 AM   
isa_user

 

Posts: 11
Joined: 15.May2007
Status: offline
Hello guys,
thanks a lot!

in the ipsec monitor on the isa-server, in statistics (both main and quick mode), there is an entry called "ungültige Sicherheitsparameterindex-Pakete"; i think that means "invalid SPI packets". both are "0" - i think the spi number seems to be ok.
here are 2 screenshots from ipsec-monitor (sorry, it's german)
first main mode statistics:
http://www.dodix.eu/isaserver.org/ipsec-monitor-mainmode.JPG
and quick mode statistics:
http://www.dodix.eu/isaserver.org/ipsec-monitor-quickmode.JPG

and here some information about a further try...
- client 1 (ip=192.168.0.3 behind nat) connected correctly at 09:31am (oakley-log time) and closed the connection correctly at 09:34am
- client 2 (ip=192.168.0.4) connection failed, tried at 09:32am
- nat ip = *.*.0.73
- isa-server ip = *.*.0.71

following things i did:
logging the traffic on the client network (192.168.0.0) in a .cap file:
http://www.dodix.eu/isaserver.org/client-interface-behind-nat.cap
logging the traffic at the isa-server interface (*.*.0.73):
http://www.dodix.eu/isaserver.org/isa-interface.cap
and the oakley log from the isa-server (both clients: first ok, then second failed, then first closes the connection correctly):
http://www.dodix.eu/isaserver.org/ISA_oakley-client1and2.log
and the oakley log from the first client (ok):
http://www.dodix.eu/isaserver.org/client1_ok-oakley.log
and the oakley log from the second client (failed):
http://www.dodix.eu/isaserver.org/client2_failed-oakley.log
i tried both with the "vpn-passthrough" feature in the router on and off - it seems to do nothing.. maybe it's for clients that can't do nat-t?

thank you guys very much,
many greets
isa_user

< Message edited by isa_user -- 22.May2007 12:52:55 PM >

(in reply to justmee)
Post #: 11
RE: L2TP/IPSec behind NAT - 22.May2007 9:24:02 AM   
justmee

 

Posts: 505
Joined: 14.May2007
Status: offline
the SPI numbers seem to be fine:
client failed side log:
quote:

MySpi: 516710297(0x1ECC5F99) PeerSpi: 2548476058(0x97E6A89A)

From ISA interface capture: SPI 97E6A89A(frame 478)
ISA side log:
quote:

MySpi: 2548476058(0x97E6A89A) PeerSpi: 516710297(0x1ECC5F99)

Also IKE phase I and II went well.
quote:

i tryed with both, "vpn-passthrough"-feature in the router on and off - seems to do nothing.. maybe it's for clients that can't do nat-t ?

yes that's right. this is the reason why I said to turn it off. in some implementations this setting might interfere with NAT-T and break it.

Now the interesting part. I have tried to reconstruct this scenario in my VMware lab
and this is what I have found out:
first I've tried to connect from behind an ISA 2006 Standard to an ISA 2006 Standard with two clients.
All went fine.
Then I replaced the ISA 2006 with a Vyatta router (the closest we can come with an open source router to a Juniper or a Cisco router).
again all is fine.
but, if I disconnect/connect the clients many times, being behind either ISA or Vyatta, guess what?
yep you are right!
the same thing that happens to you comes into action.
However I do not get any errors in my Event Viewer (actually in the Security log I can see the IKE SA established just fine).
This experiment might not reflect reality since I'm in VMware, but my logs and captures look exactly like yours.
the only difference is that I do not have that error and I can connect many times without any problems.
I would love to see what Stefaan has to say about this.
one thing you can try if you have a free box is to add two NICs to it and try that Vyatta (if you can do this in your network design, of course).

< Message edited by justmee -- 22.May2007 9:25:33 AM >

(in reply to isa_user)
Post #: 12
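The post above does the SPI check by eye: the client's MySpi must equal the server's PeerSpi and vice versa, and the ESP seen on the ISA interface must carry the SPI the ISA side negotiated for its inbound direction (the receiver picks the SPI for traffic it receives). The following is an added example (not the posters' code and not a Microsoft tool) that automates that cross-check over oakley.log excerpts and the ESP SPIs extracted from the two captures. The log excerpts are constructed around the SPI values quoted above; the timestamp prefix and the rest of each line are assumptions of the example, only the "MySpi: N(0xHEX) PeerSpi: N(0xHEX)" field layout is taken from the thread.

```python
import re
from typing import Iterable, List, Tuple

# Matches the "MySpi: <dec>(0x<hex>) PeerSpi: <dec>(0x<hex>)" fields an oakley.log prints
# for a Quick Mode SA; whatever precedes or follows on the line is ignored.
SPI_RE = re.compile(
    r"MySpi:\s*(\d+)\(0x([0-9A-Fa-f]+)\)\s+PeerSpi:\s*(\d+)\(0x([0-9A-Fa-f]+)\)"
)


def parse_spi_pairs(log_text: str) -> List[Tuple[int, int]]:
    """Return (my_spi, peer_spi) for every matching line; the decimal and hex forms must agree."""
    pairs = []
    for m in SPI_RE.finditer(log_text):
        my_dec, my_hex, peer_dec, peer_hex = m.groups()
        if int(my_dec) != int(my_hex, 16) or int(peer_dec) != int(peer_hex, 16):
            raise ValueError(f"decimal/hex disagree: {m.group(0)}")
        pairs.append((int(my_dec), int(peer_dec)))
    return pairs


def check_spi_consistency(client_log: str, server_log: str,
                          esp_to_server: Iterable[int],
                          esp_to_client: Iterable[int]) -> List[str]:
    """Cross-check both oakley logs against the SPIs seen on the wire; [] means consistent."""
    findings: List[str] = []
    client_pairs = parse_spi_pairs(client_log)
    server_pairs = parse_spi_pairs(server_log)
    if not client_pairs or not server_pairs:
        findings.append("one of the logs contains no Quick Mode SPI pair")
        return findings

    # Each side's MySpi must show up as the other side's PeerSpi.
    mirrored = {(peer, my) for my, peer in client_pairs}
    for my, peer in server_pairs:
        if (my, peer) not in mirrored:
            findings.append(
                f"server MySpi=0x{my:08X}/PeerSpi=0x{peer:08X} has no mirror in client log")

    # The receiver chooses its inbound SPI: ESP toward the server must carry a server
    # MySpi, ESP toward the client a client MySpi. Anything else is a stale or foreign SA.
    server_inbound = {my for my, _ in server_pairs}
    client_inbound = {my for my, _ in client_pairs}
    for spi in esp_to_server:
        if spi not in server_inbound:
            findings.append(f"ESP toward server carries unknown SPI 0x{spi:08X}")
    for spi in esp_to_client:
        if spi not in client_inbound:
            findings.append(f"ESP toward client carries unknown SPI 0x{spi:08X}")
    return findings


# Constructed log excerpts (assumed line layout around the SPI fields quoted in the thread).
CLIENT_LOG = "5-22: 09:32:11:456:2f8 MySpi: 516710297(0x1ECC5F99) PeerSpi: 2548476058(0x97E6A89A)\n"
SERVER_LOG = "5-22: 09:32:11:470:4a0 MySpi: 2548476058(0x97E6A89A) PeerSpi: 516710297(0x1ECC5F99)\n"

if __name__ == "__main__":
    # SPIs as they would be read from the ESP headers in the two captures.
    print(check_spi_consistency(CLIENT_LOG, SERVER_LOG, [0x97E6A89A], [0x1ECC5F99]))
```

An empty result is what the posts above found for this case: the SPIs line up, so the missing reply to the first ESP packet is not an SPI mismatch, and the search has to move to what the receiving IPSec driver does with a packet whose SA it did negotiate.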
RE: L2TP/IPSec behind NAT - 22.May2007 2:08:57 PM   
spouseele

 

Posts: 12826
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hey guys,

as far as I can tell, I don't see anything wrong at all except that the ISA server doesn't respond to the ESP packets for the second IPSec session.

I remember vaguely I've seen something similar in my VPC lab (http://users.skynet.be/spouseele/VPC-SPLAB.pdf ). If I recall correctly, I did have sporadic failures when using L2TP/IPSec when the workstation was connected to the same segment as the ISA external interface. At that time I used VPC 2004 and ISA 2004 SP1 on W2K3 SP1. Now, I'm running VPC 2007 and ISA 2006 on W2K3 SP2, and I don't see that behavior so far.  

I know, that different IPSec related issues were corrected in W2K3 SP2. Maybe it's worth the effort to update to W2K3 SP2 first and see if it solves the problem. However, check out first ISA Server and Windows Server 2003 Service Pack 2.

HTH,
Stefaan

(in reply to justmee)
Post #: 13
RE: L2TP/IPSec behind NAT - 23.May2007 4:51:47 AM   
justmee

 

Posts: 505
Joined: 14.May2007
Status: offline
Hi guys,
I have followed Stefaan's suggestion and I've applied Windows SP2 to my ISA 2006 Standard, which was running on a Windows 2003 R2 Standard.
now everything seems to work flawlessly.
I have successfully connected with 3 vpn clients behind an ISA 2006 to my updated ISA 2006 server and also with 3 vpn clients connected directly to ISA's external interface (which is bridged in VMware and the computers are from my LAN). all six were connected simultaneously.
I've connected/disconnected them numerous times. everything worked superbly.
here is how my VMware lab looks:

VPNclient1----                              DMZ
              |      NAT            NAT      |
VPNclient2---- ---ISA2006--------ISA2006---Intern
              |                    VPN
VPNclient3----                      |
                                    |
RealLan|----------------------------|Internet
          |           |           |
      VPNclient4  VPNclient5  VPNclient6
I have not tested yet with that Vyatta because I need to reconfigure it. If I'm going to test it I'll post the results.

< Message edited by justmee -- 23.May2007 4:54:16 AM >

(in reply to spouseele)
Post #: 14
RE: L2TP/IPSec behind NAT - 23.May2007 5:04:31 AM   
isa_user

 

Posts: 11
Joined: 15.May2007
Status: offline
hi guys,

you can't know how happy i am!
i've been thinking about and trying that *grr* problem very often and for a long time.
and now there seems to be a solution!
i'm very proud of you and very impressed that you spent time thinking about it and reconstructing it in your labs.

i'll install sp2 in the afternoon when it is possible to shut down isa for a while and will post the result then.
additionally i will try it with vyatta too, but have to configure it because i never used it before.

many greets
isa_user


(in reply to justmee)
Post #: 15
RE: L2TP/IPSec behind NAT - 23.May2007 8:04:34 AM   
justmee

 

Posts: 505
Joined: 14.May2007
Status: offline
Ok.
I have replaced the ISA 2006 with the Vyatta (no firewall, just NAT) and everything is still working fine.
Just continued the game of connecting/disconnecting them many times and all went fine.
by the way, the VPN clients behind the NAT were of three types: Windows XP SP2, Windows 2003 R2 and Windows Vista Business. And all OSs had no problems connecting as VPN clients.
and of course, my ISA (VPN) is joined to the internal domain!
hi isa_user,
I'm looking forward to see the results in your case.
please keep us informed!
Best regards!

< Message edited by justmee -- 23.May2007 8:23:40 AM >

(in reply to isa_user)
Post #: 16
RE: L2TP/IPSec behind NAT - 24.May2007 11:58:51 AM   
spouseele

 

Posts: 12826
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi justmee,

I would say "jabedabedoe!" .... almost. I wonder if that solves isa_user's problem too.

Thanks,
Stefaan

(in reply to justmee)
Post #: 17
RE: L2TP/IPSec behind NAT - 24.May2007 12:44:36 PM   
isa_user

 

Posts: 11
Joined: 15.May2007
Status: offline
hi spouseele,
sorry, yesterday i didn't have time for it.
i'm currently doing the backup and after that the installation of sp2.
so only a few hours and we'll know...
greets
isa_user

(in reply to spouseele)
Post #: 18
RE: L2TP/IPSec behind NAT - 24.May2007 1:55:54 PM   
spouseele

 

Posts: 12826
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi justmee,

I've just received the following *very* good news:
quote:


hi stefaan,
service pack 2 for 2003 server is installed..
AND IT ROCKS!!!!!!
everything seems to be wonderful.
i can connect more than 2 clients and disconnect and connect and so on,
never get this f** error :o)
.. i will back up the server now, install the isa 2004 service pack 3 and some other windows updates and after that i will test it shortly and do intensive tests tomorrow in the morning ...
greets from a very very happy donatus ...


Kindly,
Stefaan

(in reply to isa_user)
Post #: 19
RE: L2TP/IPSec behind NAT - 24.May2007 3:15:02 PM   
isa_user

 

Posts: 11
Joined: 15.May2007
Status: offline
hi guys,

it's me, the still happy isa_user :o)
...
after sp2 the error is solved, after sp3 for isa and some other updates too...
i'll test thoroughly and will post detailed results tomorrow...

I'M OVER THE MOON!
..and i think my colleagues will be too :o) 

THANKS TO
JUSTMEE & STEFAAN

good night
isa_user

(in reply to spouseele)
Post #: 20
