ISAserver.org Forums >> ISA Server 2004 Firewall >> VPN

VPN IPSec tunnel, Spoofed IP error
VPN IPSec tunnel, Spoofed IP error - 17.Dec.2008 5:36:33 AM   
PMSchildmeijer

 

Posts: 1
Joined: 17.Dec.2008
Status: offline
I've got a working Site-to-Site IPSec Tunnel from our ISA 2004.
This tunnel is used to secure bidirectional mail from a customs application to customs.
But when I turn on logging I see, every couple of packets, a "denied connection" with status "A packet was dropped because ISA Server determined that the source IP address is spoofed".
Source: Internal (our mail server)
Destination: Customs (mail server)
However, mail is passing through both ways. I don't get it.
Why do I get these errors?

Hope to hear.



_____________________________

Peter
Post #: 1
RE: VPN IPSec tunnel, Spoofed IP error - 17.Dec.2008 7:33:36 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Maybe try this reg key?

http://www.tech-archive.net/Archive/ISA/microsoft.public.isa/2007-02/msg00152.html

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to PMSchildmeijer)
Post #: 2
RE: VPN IPSec tunnel, Spoofed IP error - 17.Dec.2008 9:51:14 AM   
adimcev

 

Posts: 380
Joined: 19.Oct.2008
Status: offline
Not quite, I think that is for VPN clients.

Is this the error message you see (my, they make it into the TMG MBE too; already there were plenty of image problems), like so:
http://support.microsoft.com/kb/917025
I think Win SP2 fixes the idle timer issues (at least with ISA 2006). Have you installed Win SP2 on your ISA?
So your traffic is not blocked (you do not experience packet loss; your logs seem to indicate that "some" traffic was dropped)?

Adrian

_____________________________

Blog: http://www.carbonwind.net/blog

Get Our ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to Jason Jones)
Post #: 3
RE: VPN IPSec tunnel, Spoofed IP error - 17.Dec.2008 11:40:39 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:

ORIGINAL: adimcev

Not quite, I think that is for VPN clients.

Is this the error message you see (my, they make it into the TMG MBE too; already there were plenty of image problems), like so:
http://support.microsoft.com/kb/917025
I think Win SP2 fixes the idle timer issues (at least with ISA 2006). Have you installed Win SP2 on your ISA?
So your traffic is not blocked (you do not experience packet loss; your logs seem to indicate that "some" traffic was dropped)?

Adrian


Thanks, it was a guess.

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to adimcev)
Post #: 4
RE: VPN IPSec tunnel, Spoofed IP error - 17.Dec.2008 3:52:09 PM   
adimcev

 

Posts: 380
Joined: 19.Oct.2008
Status: offline
Actually I was kinda guessing too; the KB article is a little confusing (I do not have access to an ISA 2004). They do not mention Win SP2 to fix the idle timer issues, where the idle timer is applied even when there is traffic, causing "unwanted" IKE QM re-negotiations (they only mention that Win 2003 SP1 was installed, which means idle timer troubles).

From that KB, it appears that they increase the idle timer to the max (1 hour) to ensure that the minimum number of IKE QM negotiations will take place, since some queued packets will always (or so) be dropped when IKE negotiations take place. So in the end, by modifying that reg value, the IKE QM negotiations will take place only when the IPsec SA expires (if the default lifetime in seconds (3600) is kept), but it appears that it might still be possible for some packets to be dropped as spoofed (due to the firewall engine kernel-mode driver not reading the flags correctly). And dropped may not quite be truly equal to lost (for example, they do not say that the existing TCP connections will be terminated by the firewall engine).

Adrian

_____________________________

Blog: http://www.carbonwind.net/blog

Get Our ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to Jason Jones)
Post #: 5
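Added example (not code from the thread, from Microsoft, or from the ISA product): the reply above argues that the "spoofed" drops line up with IKE quick-mode renegotiations, either on the idle timer or on IPsec SA expiry (3600 s by default). One way to check that on your own box is to pull the spoofed-drop entries out of an ISA log export, group them into bursts, and test whether the gaps between bursts are periodic. The log lines below are constructed, the column layout (date, time, source, destination, action, message) is a simplification of a firewall log export, and the candidate periods (300 s for an idle timer, 3600 s for the SA lifetime) are assumptions to be replaced with the values configured on the firewall under test.

```python
"""Correlate ISA 'spoofed' drops over a site-to-site tunnel with IKE renegotiation periods.

Added illustration for the thread above, not ISA's own tooling. Sample log,
column layout and candidate periods are constructed/assumed; see comments.
"""
import re
from datetime import datetime

# Message text as it appears in the original poster's log entries.
SPOOF_MARKER = "source IP address is spoofed"

# Assumed simplified layout: <date time> <source ip> <destination ip> <action> <message>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<rest>.*)$"
)

# Constructed sample: three bursts of spoofed drops about 300 s apart while mail keeps flowing.
SAMPLE_LOG = """\
2008-12-17 05:30:00 10.0.0.25 192.168.50.10 Allowed Connection SMTP
2008-12-17 05:30:05 10.0.0.25 192.168.50.10 Denied Connection A packet was dropped because ISA Server determined that the source IP address is spoofed
2008-12-17 05:30:06 10.0.0.25 192.168.50.10 Denied Connection A packet was dropped because ISA Server determined that the source IP address is spoofed
2008-12-17 05:31:10 192.168.50.10 10.0.0.25 Allowed Connection SMTP
2008-12-17 05:35:04 10.0.0.25 192.168.50.10 Denied Connection A packet was dropped because ISA Server determined that the source IP address is spoofed
2008-12-17 05:36:00 10.0.0.25 192.168.50.10 Allowed Connection SMTP
2008-12-17 05:40:06 10.0.0.25 192.168.50.10 Denied Connection A packet was dropped because ISA Server determined that the source IP address is spoofed
2008-12-17 05:40:07 10.0.0.25 192.168.50.10 Denied Connection A packet was dropped because ISA Server determined that the source IP address is spoofed
2008-12-17 05:40:07 10.0.0.25 192.168.50.10 Denied Connection A packet was dropped because ISA Server determined that the source IP address is spoofed
"""


def parse_spoof_drops(text):
    """Return the timestamps of every line carrying the ISA 'spoofed' drop message."""
    drops = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and SPOOF_MARKER in m.group("rest"):
            drops.append(datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"))
    return drops


def cluster_bursts(times, gap_seconds=30):
    """Group drops closer together than gap_seconds into one burst; return burst start times."""
    starts = []
    last = None
    for t in sorted(times):
        if last is None or (t - last).total_seconds() > gap_seconds:
            starts.append(t)
        last = t
    return starts


def match_period(interval_seconds, periods, tolerance=0.05):
    """Name the candidate period the interval is within +/-tolerance of, or None."""
    for name, seconds in periods.items():
        if abs(interval_seconds - seconds) <= tolerance * seconds:
            return name
    return None


def analyze(text, periods=None, gap_seconds=30):
    """Summarise whether spoofed-drop bursts recur on one of the candidate periods."""
    # Assumed candidates: a 5 minute idle timer and the 3600 s default SA lifetime.
    periods = periods or {"idle timer (300 s)": 300, "SA lifetime (3600 s)": 3600}
    drops = parse_spoof_drops(text)
    bursts = cluster_bursts(drops, gap_seconds)
    intervals = [(b - a).total_seconds() for a, b in zip(bursts, bursts[1:])]
    matches = [match_period(i, periods) for i in intervals]
    return {
        "drops": len(drops),
        "bursts": len(bursts),
        "intervals": intervals,
        "matches": matches,
        # True only when every gap matches the same candidate period.
        "periodic": bool(intervals) and all(m is not None and m == matches[0] for m in matches),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

If the bursts come back periodic on the idle-timer value, the drops are the renegotiation side effect the reply describes and the question becomes whether any TCP sessions actually reset; if they sit on the SA lifetime only after the registry change, the change did what the KB says. Random, non-periodic drops point somewhere else (routing, an address genuinely outside the network definition) and should not be written off as the renegotiation issue.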