MS VPN not working with 5.2


Postby tjgulman » Dec 02 03 10:47 am

Hi

I'm not able to make a VPN connection with my company machine through Wingate to my company server. The MS VPN connection is set up with smart card authentication. I've put on debug logging and have part of the log shown below.

12/01/03 22:31:40 Debug: NAT error message code FFE0B40B, context 1415 OutICMP=0, InICMP=0, OutUDP=792, InUDP=0, OutTCP=20164, InTcp=130635
12/01/03 22:31:40 Debug: NAT error message code FFE0B40B, context 1423 OutICMP=11, InICMP=2824, OutUDP=0, InUDP=0, OutTCP=0, InTcp=0
12/01/03 22:31:40 Debug: NAT error message code FFE0B40D, context 1429 Total locked memory in use is 190372
12/01/03 22:31:40 Debug: NAT error message code FFE0B40E, context 1436 Unknown Frames = 0, Status Queue Size = 128
12/01/03 22:31:45 Debug: NAT error message code FFE0B40B, context 1415 OutICMP=0, InICMP=0, OutUDP=792, InUDP=0, OutTCP=20164, InTcp=130635
12/01/03 22:31:45 Debug: NAT error message code FFE0B40B, context 1423 OutICMP=13, InICMP=2826, OutUDP=0, InUDP=0, OutTCP=0, InTcp=0
12/01/03 22:31:45 Debug: NAT error message code FFE0B40D, context 1429 Total locked memory in use is 190372
12/01/03 22:31:45 Debug: NAT error message code FFE0B40E, context 1436 Unknown Frames = 0, Status Queue Size = 128
12/01/03 22:31:46 192.168.0.2 0000000000 Created:
12/01/03 22:31:46 192.168.0.2 Guest 0000885812 Requested: NAT: TCP Connection to 134.146.64.65:1723
12/01/03 22:31:50 Debug: NAT error message code FFE0B40B, context 1415 OutICMP=0, InICMP=0, OutUDP=792, InUDP=0, OutTCP=20784, InTcp=131055
12/01/03 22:31:50 Debug: NAT error message code FFE0B40B, context 1423 OutICMP=14, InICMP=2827, OutUDP=0, InUDP=0, OutTCP=0, InTcp=0
12/01/03 22:31:50 Debug: NAT error message code FFE0B40D, context 1429 Total locked memory in use is 190372
12/01/03 22:31:50 Debug: NAT error message code FFE0B40E, context 1436 Unknown Frames = 0, Status Queue Size = 128

As you can see there are a number of NAT error message codes reported. The log repeats the last 4 error messages another 28 times before terminating the connection with an error 42. The connection appears to try to connect for 2 minutes before giving up.

Anyone have any idea what any of this means?

Tom
tjgulman
 
Posts: 7
Joined: Nov 26 03 8:21 am

Postby adrien » Dec 03 03 5:41 pm

OK, all those error messages are actually just debug tracing of the statistics for the driver... so they aren't actually errors, although they use the same method of logging as an error, which is why the words "error code" are used.

As for terminating with error code 42, that is the standard termination code for a NAT session.

So, basically, for all that, there is not much to be gleaned from that.

Do you know whether the VPN smartcard authentication uses end-to-end authentication? I am wondering whether it is transmitting a local IP address inside the protocol, since we have had no other problems with any other VPN authentication methods for PPTP.

Actually is your MS VPN even using PPTP? Or is it using L2TP?

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland
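
The reply above says the FFE0B40B lines are periodic driver statistics, not errors. One way to check that is to parse them and diff the counters between samples. This is an added example, not part of the original thread or WinGate's own tooling. The line format is inferred from the log quoted in the first post, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Lines copied from the log quoted in the first post (two samples, 5 s apart).
SAMPLE_LOG = """\
12/01/03 22:31:45 Debug: NAT error message code FFE0B40B, context 1415 OutICMP=0, InICMP=0, OutUDP=792, InUDP=0, OutTCP=20164, InTcp=130635
12/01/03 22:31:45 Debug: NAT error message code FFE0B40B, context 1423 OutICMP=13, InICMP=2826, OutUDP=0, InUDP=0, OutTCP=0, InTcp=0
12/01/03 22:31:46 192.168.0.2 Guest 0000885812 Requested: NAT: TCP Connection to 134.146.64.65:1723
12/01/03 22:31:50 Debug: NAT error message code FFE0B40B, context 1415 OutICMP=0, InICMP=0, OutUDP=792, InUDP=0, OutTCP=20784, InTcp=131055
12/01/03 22:31:50 Debug: NAT error message code FFE0B40B, context 1423 OutICMP=14, InICMP=2827, OutUDP=0, InUDP=0, OutTCP=0, InTcp=0
"""

# Format assumed from the quoted lines only; other WinGate builds may differ.
STAT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) Debug: NAT error message code FFE0B40B, "
    r"context (?P<ctx>\d+) (?P<counters>.+)$")
REQ_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<src>\S+) .*Requested: NAT: (?P<what>.+)$")

def parse(log):
    """Split the log into per-context counter samples and NAT session requests."""
    stats, requests = defaultdict(list), []
    for line in log.splitlines():
        m = STAT_RE.match(line)
        if m:
            counters = {k: int(v) for k, v in re.findall(r"(\w+)=(\d+)", m["counters"])}
            stats[m["ctx"]].append((m["ts"], counters))
            continue
        m = REQ_RE.match(line)
        if m:
            requests.append((m["ts"], m["src"], m["what"]))
    return stats, requests

def deltas(samples):
    """Return only the counters that changed between consecutive samples."""
    out = []
    for (t0, a), (t1, b) in zip(samples, samples[1:]):
        out.append((t0, t1, {k: b[k] - a.get(k, 0) for k in b if b[k] != a.get(k, 0)}))
    return out

if __name__ == "__main__":
    stats, requests = parse(SAMPLE_LOG)
    for ts, src, what in requests:
        print(f"{ts} request from {src}: {what}")
    for ctx, samples in stats.items():
        for t0, t1, changed in deltas(samples):
            # Counter units are not stated in the thread; only the change is shown.
            print(f"context {ctx} {t0} -> {t1}: {changed}")
```

On these lines the TCP counters for context 1415 move in both directions in the interval containing the port 1723 request, while UDP stays flat.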

Postby tjgulman » Dec 03 03 8:11 pm

Adrien

My advanced security settings in the MS VPN security tab are
Data encryption:
"requires encryption (disconnect if server declines)" pulldown option

Logon Security
Use Extensible Authentication Protocol (EAP) radio button
Smart Card or other Certificate (encryption enabled) pulldown option

For the networking tab, the pulldown for type of VPN server is set to
Point to Point Tunneling Protocol (PPTP)

I don't know whether 2 way authentication is used or not. I know that we need to set a password through a web page before we can use VPN. My understanding was that that was used somehow in the validation with the VPN server, but I don't know the technical details.

I also know that some colleagues have installed a hardware broadband router and they are able to get in with VPN using their smartcard. The router they use is from DRAYTEK.

Hope this helps
tjgulman
 

Postby adrien » Dec 03 03 8:33 pm

Are you able to access any logs on the VPN server? It is possible that will tell you what is going on.

I am suspicious that the smart card communicates an IP address to the other end which is bounced because the other end thinks the client is on the IP address of the WinGate machine instead because of address translation.

This other broadband router that is working, does that do address translation (NAT) or do your colleagues have their own public addresses each?

Adrien
adrien
Qbik Staff
 

Postby tjgulman » Dec 04 03 11:06 am

Adrien

I work for a multinational company with a large IT organisation. I don't have any idea where the VPN server is physically located.

Is there any way to capture any of the messages on the way out of the Wingate server?

As for the router, my understanding is that it has NAT installed but it also has other facilities and I'm not sure which is used to establish the VPN connection. I've not seen it in action - just talked to a colleague who says it works like a charm. See the following website from the supplier which describes their capabilities.

http://www.draytek.co.uk/products/draytek_vpn.html

They seem to support a lot of other things including a VPN server in the router which my colleague isn't using. I suspect he is using the passthrough option. He uses model 2200E which is now obsolete - I can't find it on the website but I suspect it is similar to the 2200X which is described at the following web page

http://www.draytek.co.uk/products/vigor2200.htm

I need to come to a closure on this or I'm going to start looking at routers.

Tom
tjgulman
 

