Sunday 27 May 2007

SCART connection from DVD player to TV blanks the TV picture

The problem: when my cheap-n-cheerful 14" Philips portable TV was connected to my even-cheaper-n-just-as-cheerful Bush DVD player, the screen on the TV was completely blank when trying to watch ordinary TV. Sound came through OK, but no picture. Disconnecting the SCART cable or plugging out the DVD power cable cured the problem, so it was pretty apparent that the problem was something being sent up the SCART cable from the DVD player to the TV.

[Image: SCART pinout (female connector seen from the front). Image is taken from Wikipedia.]

After a visit to Wikipedia (source of all wisdom) and a bit of poking around with a multimeter, I found a 2.5 V signal from the DVD player to the TV on SCART pin 16, even when the DVD player was turned off. This should tell the TV to expect RGB (rather than composite video) from the DVD player but appears to have a negative side-effect. Snipping pin 16 in the SCART cable has cured the problem.

Friday 25 May 2007

IPSec problems between Cisco PIX and WatchGuard Firebox

OK...this is my first useful post to this blog.

I have spent the better part of the day trying to diagnose an IPSec connectivity problem between a Cisco PIX (version 6.3.5) and a WatchGuard Firebox of some kind (I have no visibility of it). The problem turns out to be rather subtle, so I thought I would share it here.

The configuration on the PIX is fairly standard (IP addresses have been changed to protect the innocent!):-

crypto ipsec transform-set Esp3DesMD5 esp-3des esp-md5-hmac
:
:
access-list VPNToFirebox permit 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
:
:
crypto map VPN 60 ipsec-isakmp
crypto map VPN 60 match address VPNToFirebox
crypto map VPN 60 set pfs
crypto map VPN 60 set peer 2.2.2.2
crypto map VPN 60 set transform-set Esp3DesMD5
crypto map VPN 60 set security-association lifetime seconds 86400 kilobytes 8192
:
:
isakmp key ******** address 2.2.2.2 netmask 255.255.255.255 no-xauth no-config-mode


The ISAKMP (Phase 1) SA establishes just fine, but the IPSec (Phase 2) SA never comes up. Watching the debug information on the PIX, here's what happens:-


ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (basic) of 8192
ISAKMP: group is 2
ISAKMP: encaps is 61433
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 0
return status is IKMP_ERR_NO_RETRANS


The key is the "encaps is 61433" line. What this should say is "encaps is 61443", which is the old (pre-RFC 3947, private-use range) Encapsulation Mode ID for ESP encapsulated in UDP for NAT Traversal. As it is, the PIX has no idea what "61433" is supposed to be, rejects the proposal's attributes and the SA negotiation fails.

Here's what the debug output looks like when talking to another PIX (which sends the correct ID):-


ISAKMP (0): processing SA payload. message ID = 177759204
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 61443
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (basic) of 8192
ISAKMP: authenticator is HMAC-MD5
ISAKMP: group is 1
ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,


Here the encapsulation ID is correct and the tunnel comes up.

The problem only arises when NAT is detected on the path between the Firebox and the PIX...otherwise there is no need to encapsulate the ESP inside UDP.
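To make the failure concrete, here is a small decoder for the data attributes of a Quick Mode transform payload, added as an illustration and not code from the post, from Cisco or from WatchGuard. It assumes the IPsec DOI attribute numbering of RFC 2407 (life type = 1, life duration = 2, group = 3, encapsulation mode = 4, authenticator = 5) and the Encapsulation Mode values from RFC 3947 (3, 4) and the earlier NAT-T drafts (61443, 61444); the two byte strings are constructed to mirror the two debug traces above, not captured from a real exchange. Note that 61433 and 61443 differ by a transposed decimal digit but are 0xEFF9 and 0xF003 on the wire, so a responder that only knows the draft and RFC values has nothing to match it against, which is what "atts not acceptable" is reporting.

```python
import struct

# Attribute types of the ESP transform in the IPsec DOI (RFC 2407, section 4.5).
ATTR_NAMES = {
    1: "SA life type",
    2: "SA life duration",
    3: "group",
    4: "encaps",
    5: "authenticator",
    6: "key length",
}
LIFE_TYPES = {1: "seconds", 2: "kilobytes"}
# Encapsulation Mode values: 1-4 from RFC 2407 / RFC 3947; 61443/61444 come
# from the pre-RFC NAT-T drafts (private-use range) that PIX 6.3 understands.
ENCAPS_MODES = {
    1: "Tunnel",
    2: "Transport",
    3: "UDP-Encapsulated-Tunnel (RFC 3947)",
    4: "UDP-Encapsulated-Transport (RFC 3947)",
    61443: "UDP-Encapsulated-Tunnel (draft NAT-T)",
    61444: "UDP-Encapsulated-Transport (draft NAT-T)",
}
AUTH_ALGS = {1: "HMAC-MD5", 2: "HMAC-SHA"}


def build_attrs(attrs):
    """Encode (type, value) pairs as ISAKMP data attributes (RFC 2408, section 3.3).

    Values that fit in 16 bits use the basic TV form (AF bit set); larger
    values use the TLV form with a 4-byte value, which is how the 86400-second
    lifetime shows up in the PIX debug as "0x0 0x1 0x51 0x80".
    """
    out = bytearray()
    for atype, value in attrs:
        if value < 0x10000:
            out += struct.pack("!HH", 0x8000 | atype, value)
        else:
            out += struct.pack("!HHI", atype, 4, value)
    return bytes(out)


def parse_attrs(data):
    """Decode data attributes back into (type, value) pairs, rejecting truncation."""
    attrs = []
    off = 0
    while off + 4 <= len(data):
        hdr, val_or_len = struct.unpack_from("!HH", data, off)
        off += 4
        atype = hdr & 0x7FFF
        if hdr & 0x8000:                      # basic form: value is in the header
            attrs.append((atype, val_or_len))
        else:                                 # TLV form: length, then value bytes
            raw = data[off:off + val_or_len]
            if len(raw) != val_or_len:
                raise ValueError("truncated TLV attribute")
            attrs.append((atype, int.from_bytes(raw, "big")))
            off += val_or_len
    if off != len(data):
        raise ValueError("trailing bytes after last attribute")
    return attrs


def check_proposal(data):
    """Walk the attributes the way the PIX debug does; return (acceptable, lines).

    The proposal is rejected when its Encapsulation Mode is a value the
    responder does not know, which is exactly the Firebox's 61433 case.
    """
    lines = []
    acceptable = True
    for atype, value in parse_attrs(data):
        name = ATTR_NAMES.get(atype, f"unknown attribute type {atype}")
        if atype == 1:
            lines.append(f"{name} in {LIFE_TYPES.get(value, value)}")
        elif atype == 4:
            mode = ENCAPS_MODES.get(value)
            lines.append(f"{name} is {value} ({mode or 'unknown mode'})")
            if mode is None:
                acceptable = False
        elif atype == 5:
            lines.append(f"{name} is {AUTH_ALGS.get(value, value)}")
        else:
            lines.append(f"{name} is {value}")
    lines.append("atts are acceptable" if acceptable else "atts not acceptable")
    return acceptable, lines


# Constructed transforms mirroring the two debug traces: the Firebox's proposal
# with the bad encapsulation value, and a correct one as another PIX sends it.
COMMON = [(1, 1), (2, 86400), (1, 2), (2, 8192), (3, 2)]
FIREBOX_TRANSFORM = build_attrs(COMMON + [(4, 61433), (5, 1)])
PIX_TRANSFORM = build_attrs(COMMON + [(4, 61443), (5, 1)])

if __name__ == "__main__":
    for label, blob in (("Firebox", FIREBOX_TRANSFORM), ("PIX", PIX_TRANSFORM)):
        ok, lines = check_proposal(blob)
        print(f"--- {label} proposal ({blob.hex()})")
        for line in lines:
            print("ISAKMP:", line)
```

Pointing a decoder like this at the transform payload of the Quick Mode message in a packet capture (the attributes are in the clear in the first exchange only if Phase 1 encryption is stripped, so in practice the PIX debug output is the easier place to read them) is the quick way to confirm what a peer really sends, rather than what its management interface claims. The same parse is also where a responder should be strict: an unknown attribute value is a reason to reject the proposal, never to guess.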

Hello, World

Temptation has got the better of me. I have a blog. This will be a source of some mirth to those who have suffered through my several diatribes about a certain class of self-important, highly-opinionated person who believes that they somehow make the world a richer place by filling it with their random flashes of cerebral diarrhoea. Bloggers, in other words.

I have a good excuse. I figure a blog is a viable substitute for a memory and that is how I intend to use it. I have little intention of banging on about Iraq (and the activities of the evil warmongers there), politics (even though yesterday was election day in Ireland), religion (which I am generally in favour of up to the point where it calls upon me to actually be good) or sex (which I am generally in favour of up to the point where it calls upon me to actually be good). That’s not to say that I definitely won’t impose my view about all of those things on the world, but it isn’t the main idea. Rather, the plan is to use this as a way of writing down lots of stuff that I figured out once and will probably need to figure out again at some point long after I have forgotten how I did it the first time.

You can thank/blame (depending on your perspective) John Dunn for inspiring me to actually do this since it was the arrival of his blog (to which I will link if he ever makes it public ;-) ) that finally pushed me over the edge. I feel certain that his comment will be found below before too much longer.

If, in a spirit of benevolence and generosity, you feel compelled to follow me down the path towards being a blogger, I highly recommend WordPress. I found it very easy to set up (it really did take only 10 minutes) and it is a real pleasure to use.