Microsoft Windows Vista Community Forums - Vistaheads
Problem with UDP Port forwarding under Vista

microsoft.public.windows.vista.security






  #1 (permalink)  
Old 02-01-2008
Philip888
 

This problem is related to openswan, VMware and Vista. I asked the question
in the mailing lists of Openswan and VMware but did not receive any response.
In short, UDP port forwarding for ports 500 and 4500 worked under XP but not
under Vista. Under Vista, the firewall and the IKEEXT services were disabled
for testing, and the problem persisted. I was wondering if there is any
"secret" registry key I need to use :-)

The remote openswan server is a Linux box with a public IP
(abc.def.45.22) and ports 500 and 4500 open. It is NOT behind a NAT
router.

The client is a guest Linux virtual machine (192.168.117.128) running
in NAT mode inside VMware under Windows.

Incoming UDP port forwarding was enabled for ports 500 and 4500 for
NAT in VMware. Under Windows, IPSec/IKEEXT services were disabled to
release UDP ports 500 and 4500; otherwise the VMware NAT service would
not start after port forwarding was set up. I tried both VMware Server
2.0 Beta and VMware Workstation 6.0.2 on Windows XP and Vista.

The host machine was connected to a broadband router or to a cable
modem directly. In both cases, if the host OS is XP, the VPN worked on
the VM.

However, the VPN did not work if the host OS was Vista, no matter
whether the machine was directly connected to the cable modem or not.
Using Wireshark, I could see the responses from the server were received
by the host machine. The VM even received a few packets from the server
through ports 500 and 4500 at the beginning. But then the packets were
not forwarded to the VM any more.

The capture below shows the initialization process of the VPN. Frames
10-12 were three pings from the client; the responses were received by
the Vista host but not forwarded to the VM. When the host was XP,
there was no problem.

No.  Time       Source           Destination      Src Port  Dest Port  Protocol  Info
1    0.000000   192.168.117.128  abc.def.45.22    500       500        ISAKMP    Identity Protection (Main Mode)
2    0.032642   abc.def.45.22    192.168.117.128  500       500        ISAKMP    Identity Protection (Main Mode)
3    0.040566   192.168.117.128  abc.def.45.22    500       500        ISAKMP    Identity Protection (Main Mode)
4    0.086090   abc.def.45.22    192.168.117.128  500       500        ISAKMP    Identity Protection (Main Mode)
5    0.127976   192.168.117.128  abc.def.45.22    4500      4500       ISAKMP    Identity Protection (Main Mode)
6    0.187260   abc.def.45.22    192.168.117.128  4500      4500       ISAKMP    Identity Protection (Main Mode)
7    0.195701   192.168.117.128  abc.def.45.22    4500      4500       ISAKMP    Quick Mode
8    0.275112   abc.def.45.22    192.168.117.128  4500      4500       ISAKMP    Quick Mode
9    0.312014   192.168.117.128  abc.def.45.22    4500      4500       ISAKMP    Quick Mode
10   4.460707   192.168.117.128  abc.def.45.22    4500      4500       ESP       ESP (SPI=0x494bd498)
11   5.402257   192.168.117.128  abc.def.45.22    4500      4500       ESP       ESP (SPI=0x494bd498)
12   6.414442   192.168.117.128  abc.def.45.22    4500      4500       ESP       ESP (SPI=0x494bd498)
13   19.289616  192.168.117.128  abc.def.45.22    4500      4500       UDPENCAP
14   19.289959  192.168.117.128  abc.def.45.22    4500      4500       UDPENCAP


The VPN worked when the VM was in the bridged mode. But I need to make
it work with NAT. The confusing part was that there was no problem
under Windows XP. It seemed Vista blocked the port forwarding.

In summary, under Windows XP, IPSec services were disabled to release ports
500 and 4500. The Windows firewall was not disabled and ports 500 and 4500
were not opened as exceptions. The VPN was initiated from inside and it
worked.

Under Windows Vista, IKEEXT services were disabled to release ports 500 and
4500. The Windows firewall was disabled. The VPN was initiated from the
client and it did not work. It seemed the Vista host stopped forwarding the
UDP packets to the virtual machine.

I did not have any third-party proxy/firewall programs on Vista. I disabled
the Windows Firewall (it might not be necessary to disable
a stateful firewall but I just wanted to try) and UAC, and the
problem persisted.

Here is ipsec.conf. Any suggestions? Thanks. Philip.

version 2.0

config setup
    # NAT-TRAVERSAL support, see README.NAT-Traversal
    nat_traversal=yes

conn testuser
    type=tunnel
    left=%defaultroute
    leftid=@testuser
    leftsubnet=10.0.0.12/32
    leftrsasigkey= (deleted)
    right=abc.def.45.22
    rightid=@vpnserver
    rightsubnet=10.28.0.254/24
    rightrsasigkey= (deleted)
    authby=rsasig
    auto=start

#Disable Opportunistic
include /etc/ipsec.d/examples/no_oe.conf
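
An added example, not part of the original post and not Openswan or VMware code: a small Python classifier for the three kinds of traffic the capture above shows on UDP 500 and 4500, following the RFC 3948 rules (four zero bytes of Non-ESP Marker before IKE on 4500, a single 0xFF byte for a NAT-keepalive, anything else ESP). The payloads and the helper `build_isakmp` are constructed for illustration; only the SPI value comes from the capture.

```python
import struct

NON_ESP_MARKER = b"\x00" * 4               # RFC 3948: precedes IKE on UDP 4500
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # RFC 2408 fixed header, 28 bytes
EXCHANGE = {2: "Identity Protection (Main Mode)", 4: "Aggressive",
            5: "Informational", 32: "Quick Mode"}


def parse_isakmp(data):
    """Describe an IKEv1 message, or return None if the header is implausible."""
    if len(data) < ISAKMP_HDR.size:
        return None
    *_, version, xchg, _flags, _msgid, length = ISAKMP_HDR.unpack_from(data)
    if version != 0x10 or length != len(data):   # IKEv1; length covers whole message
        return None
    return "ISAKMP " + EXCHANGE.get(xchg, "exchange type %d" % xchg)


def classify(port, payload):
    """Classify one UDP payload addressed to port 500 or 4500."""
    if port == 500:                        # plain IKE, no marker
        return parse_isakmp(payload) or "malformed IKE"
    if port != 4500:
        return "not IKE/NAT-T"
    if payload == b"\xff":                 # one-byte NAT-keepalive
        return "NAT-keepalive"
    if payload[:4] == NON_ESP_MARKER:      # SPI 0 is reserved, so zeros mean IKE
        return parse_isakmp(payload[4:]) or "malformed IKE"
    if len(payload) < 8:
        return "malformed ESP"
    spi, seq = struct.unpack_from("!II", payload)
    return "ESP SPI=0x%08x seq=%d" % (spi, seq)


def build_isakmp(xchg, body=b""):
    """Constructed sample: an IKEv1 header with placeholder cookies."""
    return ISAKMP_HDR.pack(b"I" * 8, b"R" * 8, 1, 0x10, xchg, 0, 0,
                           ISAKMP_HDR.size + len(body)) + body


# Constructed payloads; only the SPI is taken from the capture in the post.
SAMPLES = [
    (500, build_isakmp(2)),
    (4500, NON_ESP_MARKER + build_isakmp(32)),
    (4500, struct.pack("!II", 0x494BD498, 1) + bytes(16)),
    (4500, b"\xff"),
]

if __name__ == "__main__":
    for port, payload in SAMPLES:
        print(port, classify(port, payload))
```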


  #2 (permalink)  
Old 02-01-2008
Philip888
 

RE: Problem with UDP Port forwarding under Vista
BTW. I also disabled UAC under Vista. The process which handles port
forwarding was vmnet.exe. I tested TCP port forwarding and it worked. Since
UDP ports 500 and 4500 are used by ipsec, I wonder if there is any hidden
rule/policy which does not allow these ports to be forwarded under Vista.

