 
 From:  Anders Hagman <anders dot hagman at netplex dot se>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] outlook -> exchange problem
 Date:  Thu, 9 Feb 2006 09:16:57 +0100
Hi 
On Thursday 9 February 2006 08:46, Jeff Buehler wrote:
> Hi all -
>
> My previous email was incorrect about the cause of the Outlook ->
> Exchange failure over the ipsec VPN.  The creation of a new account was
> just a red herring that coincidentally worked.  It seems that the ESP
> Protocol during the Key Exchange was causing the failures.  When I
> changed it to AH, everything started to run as expected.  Has anyone
> seen this behavior?  I don't need strong security - is AH adequate?
>
Normally no.

Some words from Cisco:
"Authentication Header (AH)-This header, when added to an IP datagram, ensures 
the integrity and authenticity of the data, including the invariant fields in 
the outer IP header. It does not provide confidentiality protection."

"Encapsulating Security Payload (ESP)-This header, when added to an IP 
datagram, protects the confidentiality, integrity, and authenticity of the 
data. If ESP is used to validate data integrity, it does not include the 
invariant fields in the IP header."

>
> Jeff Buehler wrote:
> > The problem was a bad user account, as in "Active Directory bug".
> > Once I replaced the account with a new "fresh" account, everything
> > went smoothly.  Why I didn't try that in the first 15 minutes is still
> > a matter of internal debate, but at least I know what (AD) and who
> > (MS) to blame.
> >
> > Thanks for all of your ideas and input!
> > Jeff
> >
> > Bryan K. Brayton wrote:
> >> Well, you can throw a sniffer on there and compare working/nonworking
> >> for any significant differences in the frames/packets.
> >>
> >> Also, there is a tool called RPCping that is designed for testing
> >> exchange RPC connectivity.  I think it is on the Exchange CD, but if not
> >> just google for it.
> >>
> >> -Bryan
> >>
> >>
> >> -----Original Message-----
> >> From: Jeff Buehler [mailto:jeff at buehlertech dot com]
> >> Sent: Thursday, February 02, 2006 5:40 PM
> >> To: Chris Buechler
> >> Cc: m0n0wall at lists dot m0n0 dot ch
> >> Subject: Re: [m0n0wall] outlook -> exchange problem
> >>
> >> Presently the workstations in question get DNS (and DHCP) from the
> >> m0n0wall device (as do the other workstations that are working
> >> properly), which passes the domain server on the network for DNS.
> >> The DNS resolves properly, and immediately, for the Exchange server
> >> across the VPN, so this doesn't seem to be the issue.
> >>
> >> The most likely thing that seems to make any sense is some sort of
> >> MTU issue, in which fragmented packets are getting dropped.  I
> >> enabled "Allow fragmented packets" on the ESP rule for the ipsec vpn,
> >> and I also added it to the LAN interface just for local Active
> >> Directory resolution (which was working anyway so that may be
> >> unnecessary).  A ping -f -l 1472 to the Exchange Server across the
> >> VPN does not fragment, so the default of 1500 should be OK.
> >>
> >> All versions are the most recent: Exchange 2003 latest SP, Outlook
> >> 2003 with any updates.
> >>
> >> The ONLY difference that I can pin down, which I am now exploring, is
> >> the newer Intel pro card on the workstations that are having the
> >> problem.  I am putting an older card (from a machine that works
> >> properly) in one of the problem machines to see if that makes any
> >> difference at all.
> >>
> >> Bizarre problem.  I have been working on it for 6 or so hours now.
> >> Has anyone tried to bill Microsoft for this kind of problem?  I hate
> >> to bill the client...
> >>
> >> Thanks,
> >> Jeff
> >>
> >> Chris Buechler wrote:
> >>> On 2/2/06, Jeff Buehler <jeff at buehlertech dot com> wrote:
> >>>> 1. Network of 20 or so workstations connected like this:  workstation
> >>>> -> switch -> m0n0wall -> internet.
> >>>
> >>> What are these machines using as their DNS server?  Lack of proper DNS
> >>> resolution is the #1 cause of Outlook delays that I've run into at
> >>> least.  They'll need to be using a DNS server that knows how to
> >>> resolve your AD DNS info appropriately.
> >>>
> >>> -Chris
> >>>
> >>> ---------------------------------------------------------------------
> >>> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> >>> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
> >>
>

Best regards
/Anders
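
The difference between the two Cisco paragraphs above, worked through in code. This is an added example, not code from this thread or from m0n0wall. It builds one AH packet and one ESP packet around the same constructed payload and checks both ICVs the way RFC 4302 and RFC 4303 define them, with HMAC-SHA1-96 as the integrity algorithm and, for ESP, the NULL cipher (RFC 2410) so no crypto library is needed; addresses, SPIs, the key and the "RPC" bytes are all made up for the example. Two things fall out that matter for Jeff's question: under AH the Outlook payload is readable by exactly the sniffer Bryan suggested, and because the AH ICV covers the source and destination addresses, any device that rewrites the outer header (a NAT box) invalidates it, while an ESP packet survives the same rewrite because its ICV stops at the ESP header. With a real cipher in place of NULL, ESP would also hide the payload.

```python
"""AH vs ESP integrity scope, demonstrated with constructed IPv4 packets.

Added example, not code from the m0n0wall thread. Stdlib only: the ICV is
HMAC-SHA1-96, ESP uses the NULL cipher (RFC 2410) so the two ICV scopes can
be compared without a crypto library. Addresses, SPIs, key and payload are
hypothetical.
"""
import hashlib
import hmac
import ipaddress
import struct

AH_PROTO = 51
ESP_PROTO = 50
ICV_LEN = 12                      # HMAC-SHA1-96 truncates the 20-byte tag to 96 bits
KEY = b"example-only-ah-esp-key"  # hypothetical shared key for the demo SA


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header, DF set, checksum left at zero (not needed here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                       ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def zero_mutable_fields(ip_hdr):
    """RFC 4302 3.3.3.1: TOS, flags/fragment offset, TTL and checksum may change in
    transit, so AH computes the ICV with them zeroed; the addresses stay covered."""
    b = bytearray(ip_hdr)
    b[1] = 0                 # TOS / DSCP
    b[6:8] = b"\x00\x00"     # flags + fragment offset
    b[8] = 0                 # TTL
    b[10:12] = b"\x00\x00"   # header checksum
    return bytes(b)


def build_ah(src, dst, spi, seq, next_hdr, payload, key=KEY):
    """IPv4 + AH (RFC 4302). The ICV covers the immutable IP fields, the AH header
    with a zeroed ICV field, and the payload; the payload itself is sent in clear."""
    ah_len = 12 + ICV_LEN
    ip = ipv4_header(src, dst, AH_PROTO, 20 + ah_len + len(payload))
    ah = struct.pack("!BBHII", next_hdr, ah_len // 4 - 2, 0, spi, seq)
    icv = hmac.new(key, zero_mutable_fields(ip) + ah + bytes(ICV_LEN) + payload,
                   hashlib.sha1).digest()[:ICV_LEN]
    return ip + ah + icv + payload


def verify_ah(pkt, key=KEY):
    ip, ah, icv, payload = pkt[:20], pkt[20:32], pkt[32:32 + ICV_LEN], pkt[32 + ICV_LEN:]
    expected = hmac.new(key, zero_mutable_fields(ip) + ah + bytes(ICV_LEN) + payload,
                        hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)


def build_esp_null(src, dst, spi, seq, next_hdr, payload, key=KEY):
    """IPv4 + ESP (RFC 4303) with NULL encryption. The ICV covers SPI, sequence
    number, payload, padding and trailer, and nothing of the outer IP header."""
    pad_len = -(len(payload) + 2) % 4
    body = (struct.pack("!II", spi, seq) + payload
            + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_hdr]))
    icv = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    return ipv4_header(src, dst, ESP_PROTO, 20 + len(body) + ICV_LEN) + body + icv


def verify_esp_null(pkt, key=KEY):
    body, icv = pkt[20:-ICV_LEN], pkt[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)


def decrement_ttl(pkt):
    """What every router on the path does to the outer header."""
    b = bytearray(pkt)
    b[8] -= 1
    return bytes(b)


def rewrite_src(pkt, new_src):
    """What a NAT device does to the outer header (checksum ignored here)."""
    return pkt[:12] + ipaddress.IPv4Address(new_src).packed + pkt[16:]


def demo():
    # Constructed stand-in for an Outlook -> Exchange RPC segment, not a real capture.
    rpc = b"\x05\x00\x0b\x03 ncacn_ip_tcp:exchange01[135]"
    ah = build_ah("10.0.1.5", "10.0.2.10", 0x1001, 1, 6, rpc)
    esp = build_esp_null("10.0.1.5", "10.0.2.10", 0x2001, 1, 6, rpc)
    return {
        "ah_ok": verify_ah(ah),
        "ah_after_router": verify_ah(decrement_ttl(ah)),             # TTL is mutable: still valid
        "ah_after_nat": verify_ah(rewrite_src(ah, "203.0.113.7")),   # address is covered: invalid
        "ah_payload_visible": b"ncacn_ip_tcp" in ah,                 # AH never hides the payload
        "esp_ok": verify_esp_null(esp),
        "esp_after_nat": verify_esp_null(rewrite_src(esp, "203.0.113.7")),  # outer header not covered
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run it and the AH packet verifies after a TTL decrement but not after a source-address rewrite, while the ESP packet verifies after both; the RPC bytes are readable straight out of the AH packet. That is the practical content of "does not provide confidentiality protection" and "including the invariant fields in the outer IP header".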