Wireshark-users: Re: [Wireshark-users] Help With EPS/ISAKMP
From: "Josue Del Valle" <jodelvalle@xxxxxxxxxxxxxxx>
Date: Mon, 22 Jun 2009 13:09:27 -0400
Thanks for your reply. I do not have any firewall installed on the server. Shouldn't it be able to listen on Port 500? If I do a netstat on the server I get the following:

  Proto  Local Address  Foreign Address  State  PID
  UDP    0.0.0.0:500    *:*                     476

-----Original Message-----
From: Martin Visser [mailto:martinvisser99@xxxxxxxxx]
Sent: 2009-06-21 10:57 PM
To: Community support list for Wireshark
Cc: Josue Del Valle
Subject: Re: [Wireshark-users] Help With EPS/ISAKMP

Josue,

Your capture is showing that your client 192.168.15.3 is trying to initiate key exchange using ISAKMP at 0, 8 and 24 seconds into the packet capture. Your capture isn't showing any responses, and the almost integral second intervals of the requests strongly indicate a client timeout retrying to a non-response.

You probably need to verify that your server is listening on UDP port 500 for ISAKMP/IKE traffic. Note that UDP port 500 is reserved for non-NATted traffic, UDP 4500 for NAT traversal.

Unless your server responds there is not much further to say. (Your server to debug or other logging configured on to see the incoming IKE attempt)

Regards, Martin

MartinVisser99@xxxxxxxxx

On Fri, Jun 19, 2009 at 12:15 AM, Josue Del Valle<jodelvalle@xxxxxxxxxxxxxxx> wrote:
> This is what's getting logged on the firewall:
>
> 6|Jun 18 2009|05:50:16|302015|WebServer|500|AppServer|500|Built inbound UDP connection 34986 for dmz1:WebServer/500 (WebServer/500) to inside:AppServer/500 (AppServer/500)
>
> 2|Jun 18 2009|05:50:16|106100|WebServer|500|AppServer|500|access-list dmz_access_in permitted udp dmz1/WebServer(500) -> inside/AppServer(500) hit-cnt 1 first hit [0xba28b9ac, 0x0]
>
> -----Original Message-----
> From: Alex Nedelcu [mailto:alexpheno@xxxxxxxxx]
> Sent: 2009-06-18 4:45 AM
> To: Community support list for Wireshark
> Subject: [SPAM] - Re: [Wireshark-users] Help With EPS/ISAKMP - Email found in subject
>
> Can you attach some packet captures and the relevant logs from the servers?
> As Robert said you should also first check if there is some sort of
> firewall dropping ESP (ip protocol 50).
>
> On Wed, Jun 17, 2009 at 11:20 PM, Robert D. Scott<robert@xxxxxxx> wrote:
>> Sounds like an ACL or firewall between the DMZ and the other network dropping
>> ESP.
>>
>> Robert D. Scott                 Robert@xxxxxxx
>> Senior Network Engineer         352-273-0113 Phone
>> CNS - Network Services          352-392-2061 CNS Phone Tree
>> University of Florida           352-392-9440 FAX
>> Florida Lambda Rail             352-294-3571 FLR NOC
>> Gainesville, FL 32611           321-663-0421 Cell
>>
>> -----Original Message-----
>> From: wireshark-users-bounces@xxxxxxxxxxxxx
>> [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Josue Del Valle
>> Sent: Wednesday, June 17, 2009 4:16 PM
>> To: wireshark-users@xxxxxxxxxxxxx
>> Subject: [Wireshark-users] Help With EPS/ISAKMP
>>
>> Hi,
>>
>> I was hoping someone could help me with this issue. I have configured
>> IPSec on two Windows 2003 servers using certificates as the authentication.
>> If I run wireshark from one of the servers while having both servers on the
>> same network, I can see a bunch of ESP which indicate to me that the traffic
>> is encrypted between the two servers. If I move one of the servers to
>> another network (DMZ) and try to communicate with the server located on the
>> trusted network, I can't and instead of getting ESP packets all I see is
>> ISAKMP packets. I have not changed anything on the IPsec except the ip for
>> the server that has been moved to the DMZ. The trusted network has a
>> 192.168.10.X subnet and the one on the DMZ is 192.168.20.X.
>>
>> If I remove IPSec I can communicate from the DMZ to the LAN as intended
>> which indicates routing on the firewall is working fine. I know it is kind
>> of confusing, but I'm trying to figure out why WireShark shows ESP packets
>> when the server is on the LAN and ISAKMP packets when the server is moved to
>> the DMZ.
>>
>> Thanks,
>>
>> Josue
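The pattern Martin reads off the capture (ISAKMP requests repeated at 0, 8 and 24 seconds with nothing coming back) can be checked mechanically from exported packet fields. The following is an added example, not part of the original thread: `diagnose` is a hypothetical helper, and the sample rows are constructed (only 192.168.15.3 and the 0/8/24 s timing come from the thread; the peer addresses are made up).

```python
from collections import defaultdict

# Constructed sample, in the tab-separated layout produced by:
#   tshark -r capture.pcap -Y "udp.port==500 || udp.port==4500 || esp" -T fields \
#     -e frame.time_relative -e ip.src -e ip.dst -e ip.proto -e udp.srcport -e udp.dstport
SAMPLE = """\
0.000000\t192.168.15.3\t192.168.10.5\t17\t500\t500
8.001200\t192.168.15.3\t192.168.10.5\t17\t500\t500
24.002900\t192.168.15.3\t192.168.10.5\t17\t500\t500
0.500000\t192.168.10.7\t192.168.10.5\t17\t500\t500
0.510000\t192.168.10.5\t192.168.10.7\t17\t500\t500
0.900000\t192.168.10.7\t192.168.10.5\t50\t\t
0.910000\t192.168.10.5\t192.168.10.7\t50\t\t
"""

IKE_PORTS = {"500", "4500"}  # 500 = plain IKE, 4500 = NAT traversal


def diagnose(text):
    """Return {(initiator, responder): verdict} for each IKE peer pair."""
    ike = defaultdict(list)  # (src, dst) -> timestamps of IKE datagrams
    esp = set()              # unordered peer pairs that exchanged ESP
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t") + [""] * 2  # ESP rows have empty port fields
        t, src, dst, proto, sport, dport = fields[:6]
        if proto == "50":  # IP protocol 50 = ESP
            esp.add(frozenset((src, dst)))
        elif proto == "17" and {sport, dport} & IKE_PORTS:
            ike[(src, dst)].append(float(t))

    verdicts = {}
    for (src, dst), times in ike.items():
        back = ike.get((dst, src))
        if back and min(back) < min(times):
            continue  # src is the responder here; report from the initiator's side
        if not back:
            # Unanswered initiator: the gaps expose the retransmit timer.
            gaps = [round(b - a) for a, b in zip(times, times[1:])]
            verdicts[(src, dst)] = (
                f"no IKE reply; {len(times)} attempts, retry gaps {gaps}s")
        elif frozenset((src, dst)) in esp:
            verdicts[(src, dst)] = "IKE answered, ESP flowing"
        else:
            verdicts[(src, dst)] = "IKE answered, no ESP seen"
    return verdicts


if __name__ == "__main__":
    for pair, verdict in diagnose(SAMPLE).items():
        print(pair, "->", verdict)
```

A "no IKE reply" verdict from a capture taken on the client side only says the responses never arrived there; capturing on the server as well shows whether the requests reached it.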