Archived from groups: alt.internet.wireless
On 27 Jul 2004 16:03:27 -0700, b_russ@yahoo.com (Bryan Russell) wrote:
>I VPN to work w/ remote desktop connection
>
>My new netgear WGR614 router is supposed to handle VPN pass-through
>just fine, and it does for five minutes, then it drops my remote
>desktop connection at the same time the VPN client logs these errors:
>
>*An incoming ISAKMP packet from XX.XX.XXX was ignored.
>*Received an unencrypted packet but encryption keys have already been
>established.
>*Failed to decrypt buffer.
>
>These errors do not happen if I bypass the router.
Yep. It would be nice if I knew what IPSec server and client software
you were using. A few guesses:
1. Smells like IPSec ESP mode (encapsulate security payload). That's
where the VPN encrypts the entire packet including the header. If the
router touches anything in the header (such as NAT translation), your
packet gets declared corrupted by your IPSec software. The only
flavour of VPN that will work with NAT is AH (authentication header)
mode.
2. You have a "dialback" type of IPSec authentication mechanism
running. No way should you *RECEIVE* an incoming ISAKMP (Internet Key
Exchange) packet from the destination router. That's what you get
when a VPN client tries to connect to a VPN server. My guess(tm)
is that the destination VPN firewall is either setup to dialback, or
is setup as a symmetrical system, where either end of a VPN tunnel can
initiate the connection. I do this all the time between Sonicwall
routers and it works just fine. However, it's totally wasted unless
you have a VPN router at your end.
3. The 3 error messages may not be related or originate from the same
source. If I wanted to hijack a connection, I would spoof the
originating IP of your VPN server, attempt to guess sequence numbers,
and possibly replay some of the servers packets. The fact that you
were able to connect for 5 minutes indicates that you have
successfully authenticated and connected, so it's not a configuration
issue. Many routers, all VPN servers, and some VPN clients are setup
to detect such attacks and include "replay protection" or some such
security buzzword. My guess(tm) is that you're being attacked,
scanned, or you have an overly sensitive firewall.
4. Some routers only seem to be able to handle one VPN tunnel at a
time. Actually, they pretend to handle more than one, but I find lots
of weird error messages when attempting to open a 2nd tunnel.
Sometimes it works, usually it doesn't. A good clue is that the
release notes for many router firmware versions include such comments
as "added support for more than one tunnel" and such. No clue if your
Netgear router fits in that category. If you're on a distributed VPN
system (multiple servers at multiple locations) or are running "single
sign on", it's highly likely that you have more than one tunnel
running.
Just a guess(tm).
--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D
http://www.LearnByDestroying.com
Santa Cruz CA 95060 AE6KS 831-336-2558
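As an added example (not code from either poster), here is a toy Python model of two mechanisms the reply touches on: which parts of a packet the IPsec integrity check covers, and how an ESP anti-replay window works. Per RFC 4302 the AH integrity check value (ICV) covers the IP header (with mutable fields such as TTL zeroed), so a NAT that rewrites the source address invalidates it; per RFC 4303 the ESP ICV covers only the SPI, sequence number and encrypted payload, so ESP survives address rewriting, which is why NAT pass-through and NAT traversal (RFC 3948, UDP 4500) are built around ESP rather than AH. The anti-replay window follows the sliding-window scheme in RFC 4303 section 3.4.3. The key, addresses, XOR keystream, payload and sequence numbers are all constructed for the demo; nothing here is real cryptography or a real SA.

```python
import hmac
import hashlib
import struct

# Constructed demo key; a real SA key comes from IKE, not a literal.
KEY = b"constructed-demo-key-not-real"


def ah_icv(ip: dict, payload: bytes) -> bytes:
    """AH-style ICV: covers IP header fields that are immutable in transit
    (source, destination, protocol) with mutable fields (TTL here) zeroed,
    plus the payload. NAT rewrites 'src', so the ICV no longer matches."""
    header = (ip["src"].encode() + ip["dst"].encode()
              + bytes([ip["proto"]]) + b"\x00")  # TTL zeroed per RFC 4302
    return hmac.new(KEY, header + payload, hashlib.sha256).digest()[:12]


def toy_encrypt(plaintext: bytes, spi: int, seq: int) -> bytes:
    """Stand-in for ESP encryption: XOR with a hash-derived keystream.
    Constructed for the demo only; not a real cipher."""
    stream = b""
    counter = 0
    while len(stream) < len(plaintext):
        stream += hashlib.sha256(KEY + struct.pack("!IIQ", spi, seq, counter)).digest()
        counter += 1
    return bytes(p ^ k for p, k in zip(plaintext, stream))


def esp_icv(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """ESP-style ICV: covers SPI, sequence number and ciphertext only.
    The outer IP header is deliberately not part of the input (RFC 4303)."""
    return hmac.new(KEY, struct.pack("!II", spi, seq) + ciphertext,
                    hashlib.sha256).digest()[:12]


def nat_rewrite(ip: dict, new_src: str) -> dict:
    """What a NAT router does on the way out: new source address, TTL decremented."""
    out = dict(ip)
    out["src"] = new_src
    out["ttl"] -= 1
    return out


def nat_effect() -> dict:
    """Send one AH-protected and one ESP-protected packet through a NAT and
    report whether the receiver's ICV check still passes for each."""
    inner = b"constructed RDP payload"
    ip = {"src": "192.168.1.10", "dst": "203.0.113.5", "proto": 6, "ttl": 64}
    spi, seq = 0x1000, 1

    ah_sent = ah_icv(ip, inner)
    ct = toy_encrypt(inner, spi, seq)
    esp_sent = esp_icv(spi, seq, ct)

    arrived = nat_rewrite(ip, "198.51.100.7")  # public address assumed by NAT
    return {
        "ah_verifies": hmac.compare_digest(ah_sent, ah_icv(arrived, inner)),
        "esp_verifies": hmac.compare_digest(esp_sent, esp_icv(spi, seq, ct)),
    }


class ReplayWindow:
    """RFC 4303 section 3.4.3 anti-replay window: bit 0 of the bitmap is the
    highest sequence number seen ('top'); bit k is top-k."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0
        self.bitmap = 0

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:
            return False  # ESP never sends sequence number 0
        if seq > self.top:  # new high-water mark: slide the window
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = (self.bitmap << shift) & mask if shift < self.size else 0
            self.bitmap |= 1
            self.top = seq
            return True
        if seq + self.size <= self.top:
            return False  # older than the window: drop
        bit = 1 << (self.top - seq)
        if self.bitmap & bit:
            return False  # already seen: replay
        self.bitmap |= bit
        return True


def simulate_replay(seqs: list, size: int = 64) -> list:
    """Feed constructed sequence numbers through one window; True = accepted."""
    win = ReplayWindow(size)
    return [win.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    print(nat_effect())
    print(simulate_replay([1, 2, 3, 2, 10, 5, 1, 11, 11], size=8))
```

The NAT half only models the ICV coverage; in ESP transport mode the encrypted TCP checksum still breaks after address rewriting, which is the remaining reason NAT-T and tunnel mode exist. The replay half is what a server's "replay protection" log line is reporting: a sequence number that is either too old for the window or already marked in the bitmap.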