IPSec fallback to cleartext *fails* for second connection on Win2k

From: David Sickmiller (davesickmiller_at_yahoo.com)
Date: 03/26/04

  • Next message: David Sickmiller: "Re: IPsec - locking down Windows 2003"
    Date: 26 Mar 2004 14:16:31 -0800
    
    

    I have been researching IPSec for use on a corporate intranet. For
    now, I would like to only secure FTP (TCP ports 20 and 21) and TELNET
    (TCP port 23), to avoid any potential application performance
    problems. Additionally, I am enabling the following two options for
    compatibility with pre-IPSec computers:
    1. Accept unsecured communication, but always respond using IPSec
    2. Allow unsecured communication with non IPSec-aware computer

    I am using a pre-shared key for primary authentication, and the whole
    design seems to work quite smoothly. Connections between IPSec-aware
    computers are negotiated in a split second, and legacy systems can
    still connect, albeit with a 3-second delay.

    However, I have noticed a repeatable bug involving the fallback to
    unsecured feature. After "negotiating" to an unsecured connection
    between an IPSec-aware host and a NON-IPsec-aware host, any new
    connections attempted within the next minute or so will fail!

    This is most noticeable when using FTP. Using Microsoft's command-line
    FTP client, I can establish a connection from an IPSec-aware Windows
    2000 server to a non-IPSec-aware FTP Server (e.g. NT4.0, UNIX). After
    the 3-second delay, an unsecured "soft association" will be used. I
    can successfully log in at this point. When I run "dir", a data
    connection on port 20 will be attempted. This will *fail* unless I
    wait at least ~60 seconds before running "dir".

    There is an associated error in the event log with this situation.
    The error is "IKE security association negotiation failed" with
    failure reason: "IKE SA deleted before establishment completed".

    Does anyone have experience with this problem? AFAIK, Microsoft has
    not published this as a known issue.

    Thanks,
    David
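
    The following is an added example, not part of David's post. It gives a defender a way to find the "IKE security association negotiation failed" events the post mentions from the event log rather than discovering the problem at the FTP prompt, and to spot bursts of failures inside the ~60-second window the post describes. It assumes a modern Windows host with Get-WinEvent (not the Windows 2000 systems in the post), that the event message text is unchanged from what the post quotes, and that the events land in the System or Security log; the log names, the function name Get-IkeFallbackFailures and its parameters are assumptions for illustration.

```powershell
# Added example (not from the original post). Assumptions: PowerShell with
# Get-WinEvent, IKE failure text as quoted in the post, and that such events
# are written to the System or Security log (log names are an assumption).

function Get-IkeFallbackFailures {
    [CmdletBinding()]
    param(
        [string[]]$LogName = @('System', 'Security'),   # assumed log locations
        [datetime]$Since = (Get-Date).AddHours(-24),    # look-back window
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # Strings quoted in the post; used as the detection signature
    $pattern = 'IKE security association negotiation failed'
    $reason  = 'IKE SA deleted before establishment completed'

    foreach ($log in $LogName) {
        $filter = @{ LogName = $log; StartTime = $Since }
        # Security log needs elevation; skip quietly if it cannot be read
        $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            if ($e.Message -match $pattern) {
                [pscustomobject]@{
                    TimeCreated = $e.TimeCreated
                    Log         = $log
                    Id          = $e.Id
                    SaDeleted   = [bool]($e.Message -match $reason)   # the specific failure reason from the post
                    Summary     = ($e.Message -split "`r?`n")[0]
                }
            }
        }
    }
}

# Usage: list matching failures, newest first
$failures = Get-IkeFallbackFailures | Sort-Object TimeCreated -Descending
$failures | Format-Table TimeCreated, Log, Id, SaDeleted, Summary -AutoSize

# Bursts: more than one failure in the same minute matches the post's symptom
# (a second connection to the same peer attempted within ~60 seconds of the
# cleartext fallback). Group by minute and show only the clustered ones.
$failures |
    Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:mm') } |
    Where-Object { $_.Count -gt 1 } |
    Select-Object @{n='Minute';e={$_.Name}}, Count
```

    Run it from an elevated prompt so the Security log is readable; pass -Since to widen the window or -ComputerName to query a remote server. Clustered minutes are the ones worth correlating with FTP data-connection (port 20) timeouts on the same hosts.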

