Chapter 6. Examples of Rules for Specific Services
7.7 Windows 95 IPSec Client
7.7.1.1 IBM Firewall 3.1 Configuration
Several changes are required on the firewall before the Windows 95 IPSec Client will work properly. Here are the steps we went through to configure our firewall:
1. First we create a proxy user, miner (see Figure 140), and change the Authentication for Nonsecure IP to password.
Figure 140. New Proxy User for Tunnelling
2. Next we create a network object referring to miner (see Figure 141 on page 162) to associate this user with the tunnel. We specified a short filter lifetime here for testing.
Figure 141. New Tunnel User Network Object
3. Then we went into Virtual Private Network and created a new tunnel; see Figure 142 on page 163. We generated a Tunnel ID and Target SPI randomly. If you have a large number of tunnels, define a numbering standard to keep track of them. We also specified the Nonsecure adapter address and the miner network object.
Figure 142. Creating a New Dynamic Tunnel
4. We then added a new connection to allow SSL from The World to the nonsecure adapter; see Figure 143 on page 164.
Figure 143. Creating the SSL Connection
5. Now we need a keyfile to enable SSL negotiation. We had already done this in 4.3.3.5, “Generate an SSL Key” on page 43. Windows 95 IPSec Client uses SSL to exchange keys before entering IPsec itself.
6. We checked to make sure that the process /usr/sbin/sslrctd was running. Without this process the Windows 95 IPSec Client cannot use SSL to negotiate a tunnel. It will start automatically on reboot only if you have generated a set of SSL keys.
7.7.1.2 Windows 95 IPSec Client Installation
We installed the Windows 95 IPSec Client as per the instructions in the IBM Firewall User's Guide. This was quite straightforward, as each of the packages is a self-installing executable. Configuring them after installation was the tricky part. We installed Windows 95 from scratch on a PC and then installed:
1. Microsoft ISDN Accelerator Pack 1.1
2. Windows 95 IPSec Client
3. IbmIsdn Software Network Adapter
If you are installing Windows 95 IPSec Client from a zip file, uncompress the file in a temporary directory. This will also create the driver sub-directory where the IbmIsdn driver is located.
As we were using the IbmIsdn driver for PPP dialup via a modem, we left the options to configure the ISDN connection blank.
7.7.1.3 Configure Windows 95 IPSec Client
We will show how to configure Windows 95 IPSec Client using the screen captures we used during our installation.
Figure 144. Configure Windows 95 IPSec Client (Part 1 of 2)
Figure 145. Configure Windows 95 IPSec Client (Part 2 of 2)
7.7.1.4 Using Windows 95 IPSec Client
We will show how to start Windows 95 IPSec Client using the screen captures we used in our installation.
Figure 146. Starting Windows 95 IPSec Client (Part 1 of 8)
Figure 147. Starting Windows 95 IPSec Client (Part 2 of 8)
Figure 148. Starting Windows 95 IPSec Client (Part 3 of 8)
Figure 149. Starting Windows 95 IPSec Client (Part 4 of 8)
Figure 150. Starting Windows 95 IPSec Client (Part 5 of 8)
Figure 151. Starting Windows 95 IPSec Client (Part 6 of 8)
Figure 152. Starting Windows 95 IPSec Client (Part 7 of 8)
Figure 153. Starting Windows 95 IPSec Client (Part 8 of 8)
7.7.2 Troubleshooting
This section describes how we resolved the few problems we had installing Windows 95 IPSec Client.
7.7.2.1 Cannot Create Dial-Up Networking Entry
Installing Windows 95 IPSec Client after a failed attempt can sometimes result in an IBM IbmIsdn Software Adapter that is named slightly differently from what pppsec.exe expects. A successful install of pppsec.exe will create a Dial-Up Networking connection for you. Because it doesn't recognize the slight name difference, the connection will not work and gives you an error.
To work around this you can manually create your own IBM IPSec Dial-Up connection using Windows 95 Dial-Up Networking Accessory. When selecting a device you should see:
IbmIsdn-Line01 Software Adapter
The number after Line might be slightly different.
Note: If the IbmIsdn entry cannot be seen when you select a device while attempting to make a new connection, then you may have a driver problem.
To correct this we completed the following steps:
1. Removed the TCPIP protocol from the network configuration in Windows 95.
2. Removed the IbmIsdn Software Network Adapter.
3. Reinstalled Microsoft ISDN Accelerator Pack 1.1.
4. Reinstalled the IbmIsdn Software Network Adapter.
When prompted by Windows if we wanted to install drivers, we always kept the latest drivers. The most significant driver seemed to be ndis.vxd 4.1.1010. We accidentally replaced this with an older version and this caused the IbmIsdn Software Network Adapter to vanish.
7.7.2.2 Microsoft Dial-Up Networking 1.2
We tried to install Microsoft Dial-Up Networking 1.2 but it failed.
Despite numerous attempts we could not get the IBM IbmIsdn Software Adapter device to become visible to the Create Dial-Up Adapter screen. The driver was visible in the System Devices view but that was it. We removed Microsoft Dial-Up Networking 1.2 and replaced the ndis.vxd and other drivers with older versions during the install of Microsoft ISDN Accelerator Pack 1.1.
7.7.2.3 SSL Error: Cannot Initiate Control Session to Firewall
Every attempt to start an IPSec Tunnel resulted in the error:
SSL error
Cannot initiate control session to firewall.
Contact your firewall administrator.
SSL Init error code: 1
This was because the firewall was not running the process /usr/sbin/sslrctd. We had forgotten to modify /etc/security/rcsfile.cfg to point to our keyfile.kyr. This caused the sslrctd process to fail after a few minutes. We corrected the sslfile entry in rcsfile.cfg and ran sslrctd manually.
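As an added diagnostic (not from the redbook or the IBM Firewall product), the following script checks the two firewall-side preconditions behind this error: that the sslfile entry in rcsfile.cfg names a readable key file, and that sslrctd is running. It assumes rcsfile.cfg uses key=value lines and that the key entry is literally named sslfile; the demonstration at the bottom runs against a constructed sample config rather than the real /etc/security/rcsfile.cfg.

```shell
#!/bin/sh
# Added diagnostic, not part of the IBM Firewall 3.1 product.
# Assumption: rcsfile.cfg holds key=value lines and the SSL key
# file entry is named "sslfile" (as in the text above).

# Return 0 if the sslfile entry in the given config names a readable file.
check_sslfile_entry() {
    cfg="$1"
    [ -r "$cfg" ] || { echo "cannot read $cfg"; return 1; }
    # Take the last uncommented sslfile= line; strip the key and whitespace.
    keyfile=$(grep '^[[:space:]]*sslfile[[:space:]]*=' "$cfg" | tail -n 1 \
              | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//')
    [ -n "$keyfile" ] || { echo "no sslfile entry in $cfg"; return 1; }
    [ -r "$keyfile" ] || { echo "sslfile points to a missing file: $keyfile"; return 1; }
    echo "sslfile ok: $keyfile"
    return 0
}

# Return 0 if a process with exactly the given command name is running.
check_process_running() {
    ps -e -o comm= 2>/dev/null | grep -qx "$1"
}

# Demonstration on a constructed sample config (the real file is
# /etc/security/rcsfile.cfg and the real key file is keyfile.kyr).
demo_dir=$(mktemp -d)
printf 'placeholder key material\n' > "$demo_dir/keyfile.kyr"
printf '# constructed sample\nsslfile = %s\n' "$demo_dir/keyfile.kyr" \
    > "$demo_dir/rcsfile.cfg"
check_sslfile_entry "$demo_dir/rcsfile.cfg"
check_process_running sslrctd || echo "sslrctd is not running"
rm -rf "$demo_dir"
```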
7.7.2.4 Useful Commands
There are a couple of commands that will help you with the dynamic rules set by the firewall:
The first is the dfdump command. It is undocumented but quite useful. On the firewall, typing dfdump in an xterm window will show all dynamic filter rules in the kernel in stanza format.
The dfclr command will remove ALL dynamic filter rules from the kernel.
7.7.2.5 Rule Numbering for Dynamic Filter Rules
Dynamic filter rules appear as the 6XXX series rule numbers in the local4 log. This is useful for debugging without using the local2 facility. Dynamic filters are checked before static rules, so every packet is passed through them and checked. The debug log on local2 can get huge quickly.