Issue with initiating VPN connection across GPRS, wireless 802.1x works fine though
Hi all,
I’m having an issue with two recent customers deployments of System Center Mobile Device Manager 2008 SP1 (MDM).
Basically, from all my test Windows Mobile 6.1+ devices, I can connect to the MDM Gateway server across two different wireless 802.1X connections and get a VPN IP address via a VPN tunnel and the solution works 100%.
However, I cannot get the Windows Mobile devices to initiate the VPN tunnel using a GPRS connection. One customer has a Vodafone (UK) connection and we’ve had discussions about using various different APNs without success. The other customer has an O2 connection (UK) and we’ve only just engaged with them. Both customers have their own MDM Gateway servers with two different public DNS names.
Also, another curious issue, is that if you initiate the VPN tunnel across a 802.1X connection, then disable the wireless network – the VPN tunnel then switches to the GPRS connection and continues fine! Also the MDM port infiltration tests work fine across GPRS as well. So it appears the issue is limited to initiating the VPN tunnel only across one of the IPSEC ports.
The MDM VPN testing tool logging, just gives me the following error:
LOG-N:11-20.11:03:44- IPsecVPNPM: Using default connections.
LOG-I:11-20.11:03:47- IPsecVPNPM: STATE: [StateDNSResolve].
LOG-I:11-20.11:03:49- IPsecVPNPM: STATE: [StateTunnelSetup].
LOG-I:11-20.11:03:49- IKE SA Lifetime: 26280 seconds.
LOG-I:11-20.11:03:49- IPSec SA Lifetime: 21600 seconds.
LOG-I:11-20.11:03:49- IPsecVPNPM: commit succeeded.
LOG-I:11-20.11:03:49- IPsecVPNPM: STATE: [StateWaitForTunnel].
LOG-E:11-20.11:04:02- IPsecVPNPM: ActiveSync notification.
LOG-I:11-20.11:04:06- BASE CONNECTION DOWN: Marking tunnel local IPs changed, static IP disappeared
LOG-I:11-20.11:04:19-
LOG-I:11-20.11:04:19- IKEv2 SA [Initiator] negotiation failed:
LOG-I:11-20.11:04:19-
LOG-I:11-20.11:04:19- Local IKE peer x.x.x.x:4500 ID (null)
LOG-I:11-20.11:04:19- Remote IKE peer x.x.x.x:4500 ID (null)
LOG-I:11-20.11:04:19-
LOG-I:11-20.11:04:19- Message: Invalid argument (65538)
LOG-I:11-20.11:04:19- IKE SA negotiations: 4 done, 0 successful, 4 failed
LOG-I:11-20.11:04:19-
LOG-I:11-20.11:04:19- IPsec SA [Initiator] negotiation failed:
LOG-I:11-20.11:04:19-
LOG-I:11-20.11:04:19- Local IKE peer x.x.x.x:4500 ID (null)
LOG-I:11-20.11:04:19- Remote IKE peer x.x.x.x:4500 ID (null)
LOG-I:11-20.11:04:19-
LOG-I:11-20.11:04:19- Message: Invalid argument (65538)
LOG-I:11-20.11:04:19- IPsec SA negotiations: 4 done, 0 successful, 4 failed
LOG-I:11-20.11:04:19- Phase-I negotiation failed
LOG-I:11-20.11:04:19- Message: Invalid argument (65538)
LOG-I:11-20.11:04:19- IPsecVPNPM: Tunnel down: Mobike was not operational
LOG-I:11-20.11:04:19- IPsecVPNPM: STATE: [StatePurgeRules].
LOG-I:11-20.11:04:19- IPsecVPNPM: Deleting the Tunnel
LOG-I:11-20.11:04:19- IPsecVPNPM: commit succeeded.
LOG-I:11-20.11:04:19- IPsecVPNPM: STATE: [StateDefaultPolicy].
LOG-I:11-20.11:04:19- IPsecVPNPM: STATE: [StateDefaultRun].
LOG-I:11-20.11:04:19- IPSEC VPN TUNNEL RETRY DELAY: 119 seconds.
LOG-I:11-20.11:04:19- IPsecVPNPM: Set the CESetUserNotification
LOG-I:11-20.11:04:19- IPsecVPNPM: out of UnAttended Mode.
A person in the Netherlands seems like he’s had the exact same issue on the Microsoft TechNet forums, however his resolution in dealing with his Telco appeared to resolve the problem:
http://social.technet.microsoft.com/Forums/en/SCMDM/thread/b1936e3f-bf4c-45a3-96ba-0343ef6725b2
We’re currently investigating trialling a dedicated Vodafone tunnel straight through to the router where the MDM gateway server sits, however I don't know if this will solve the issue.
Has anyone seem this problem before and/or could steer me in the right direction? I haven’t been able to use a GPRS enabled SIM with a correct APN setting to test this connection once successfully, so I cannot work out whether it’s device, APN, or something wrong with the MDM Gateway server dealing with GPRS connections.
Cheers if anyone can helpMichaelmpearn@gmail.com
Réponses
The main area to focus on is firewall rules and their direction. UDP traffic does not have a State; therefore you need to have a rule in each directions.
Are you using an ADSL connection? ADSL connections have big headers which cause the traffic to be fragmented. In most cases this is fine, as the packets are re-formed at the destination. The MDM VPN uses IPSEC AH, which does not like the packets being altered in any way. This stops man-in-the-middle attacks.
Cheers Wayne
Airloom- Marqué comme réponseWayne Phillips.MVP, Modérateurjeudi 28 janvier 2010 00:03
Toutes les réponses
The main area to focus on is firewall rules and their direction. UDP traffic does not have a State; therefore you need to have a rule in each directions.
Are you using an ADSL connection? ADSL connections have big headers which cause the traffic to be fragmented. In most cases this is fine, as the packets are re-formed at the destination. The MDM VPN uses IPSEC AH, which does not like the packets being altered in any way. This stops man-in-the-middle attacks.
Cheers Wayne
Airloom- Marqué comme réponseWayne Phillips.MVP, Modérateurjeudi 28 janvier 2010 00:03
