I think the well known ports page would help everyone here: http://www.iana.org/assignments/port-numbers

But for the record proto number 47 (GRE) is generic routing encapsulation and uses tcp and udp port number 47. It is a very important part of MS-VPN (especially if pptp) implementation. I also think it is a good idea to read up on esp eha and isakmp.

Peace,

--- Max Leonard <[EMAIL PROTECTED]> wrote:
> I had a similar problem with getting some OSX clients tunneling from behind
> nat/fw to an outside VPN.
> The only solution I could come up with was redirecting the GRE packets
> (proto 47) from the outside to a static IP inside the LAN. My very-limited
> understanding of GRE is that it always uses port 0, which makes true NAT
> very difficult due to the fact that you can't get unique ports to map, or
> TCP sessions to hold onto. Although, if anyone has any working solutions for
> mapping multiple VPN tunnels through ipfilter/ipnat, I would love to know
> about them.
>
> -Max
>
> ----- Original Message -----
> From: <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, October 30, 2002 10:39 AM
> Subject: could someone help me with tcpdump?
>
> > Hello all
> >
> > I am trying to get a couple of win2k vpn boxen to work across a firewall.
> > Here is a dump, my comments are in between each dump line. I want to see if
> > I understand what I am looking at.
> >
> > 12:17:12.246870 156.98.222.175.1064 > 156.98.190.111.1723: S 3085367584:3085367584(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> >
> > 222.175 makes the initial contact to 19.11 with a "S" syn packet? The
> > workstation port is 1064 and the server port is 1723 which is the vpn port.
> > The two numbers (#:#) are the tcp sequence numbers? What is "win" and the
> > stuff after that?
> >
> > 12:17:12.247288 156.98.190.111.1723 > 156.98.222.175.1064: S 3369974062:3369974062(0) ack 3085367585 win 64240 <mss 1460,nop,nop,sackOK> (DF)
> >
> > 190.111 port 1723 replies to 222.175. I see the "ack" later on, so was I
> > wrong about the "S" being syn above because it is still here. Why is the
> > number after the ack one larger than the above?
> >
> > 12:17:12.247570 156.98.222.175.1064 > 156.98.190.111.1723: . ack 1 win 17520 (DF)
> >
> > 222.175 syn acks.
> >
> > What is this stuff below?
> >
> > 12:17:12.247800 156.98.222.175.1064 > 156.98.190.111.1723: P 1:157(156) ack 1 win 17520 (DF)
> > 12:17:12.248204 156.98.190.111.1723 > 156.98.222.175.1064: P 1:157(156) ack 157 win 64084 (DF)
> > 12:17:15.479988 156.98.190.111.1723 > 156.98.222.175.1064: P 1:157(156) ack 157 win 64084 (DF)
> > 12:17:15.480651 156.98.222.175.1064 > 156.98.190.111.1723: P 157:325(168) ack 157 win 17364 (DF)
> > 12:17:15.481998 156.98.190.111.1723 > 156.98.222.175.1064: P 157:189(32) ack 325 win 63916 (DF)
> > 12:17:15.484913 156.98.222.175.1064 > 156.98.190.111.1723: P 325:349(24) ack 189 win 17332 (DF)
> > 12:17:15.698650 156.98.190.111.1723 > 156.98.222.175.1064: . ack 349 win 63892 (DF)
> >
> > Nothing happens, the workstation can't seem to get authenticated. I think
> > I am not yet transferring protocol 47 though and I am looking into that now.
> > I just want to understand tcpdump better. I almost feel like I had
> > something lower level that showed me this stuff a little more raw. --of
> > course I don't even understand what I have now! :-)
> >
> > --ja

=====
SRR
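
Added example, not part of the original emails: a Python sketch that parses the ten dump lines quoted above, checks that the SYN-ACK acknowledges the client's initial sequence number plus one, and flags data segments that the same sender transmitted twice. The regular expression and the function names are assumptions of this example and cover only the fields that appear in this dump.

```python
import re
from datetime import datetime

# Dump lines copied from the quoted post (old-style tcpdump text, one packet per line).
DUMP = """\
12:17:12.246870 156.98.222.175.1064 > 156.98.190.111.1723: S 3085367584:3085367584(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
12:17:12.247288 156.98.190.111.1723 > 156.98.222.175.1064: S 3369974062:3369974062(0) ack 3085367585 win 64240 <mss 1460,nop,nop,sackOK> (DF)
12:17:12.247570 156.98.222.175.1064 > 156.98.190.111.1723: . ack 1 win 17520 (DF)
12:17:12.247800 156.98.222.175.1064 > 156.98.190.111.1723: P 1:157(156) ack 1 win 17520 (DF)
12:17:12.248204 156.98.190.111.1723 > 156.98.222.175.1064: P 1:157(156) ack 157 win 64084 (DF)
12:17:15.479988 156.98.190.111.1723 > 156.98.222.175.1064: P 1:157(156) ack 157 win 64084 (DF)
12:17:15.480651 156.98.222.175.1064 > 156.98.190.111.1723: P 157:325(168) ack 157 win 17364 (DF)
12:17:15.481998 156.98.190.111.1723 > 156.98.222.175.1064: P 157:189(32) ack 325 win 63916 (DF)
12:17:15.484913 156.98.222.175.1064 > 156.98.190.111.1723: P 325:349(24) ack 189 win 17332 (DF)
12:17:15.698650 156.98.190.111.1723 > 156.98.222.175.1064: . ack 349 win 63892 (DF)
"""

LINE = re.compile(r"(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): (?P<flags>\S+)"
                  r"(?: (?P<first>\d+):(?P<last>\d+)\((?P<len>\d+)\))?"
                  r"(?: ack (?P<ack>\d+))?(?: win (?P<win>\d+))?")

def parse_line(line):
    """Split one dump line into fields; flags are S=SYN, P=PSH, '.'=no flag set."""
    p = LINE.match(line).groupdict()
    for k in ("first", "last", "len", "ack", "win"):
        p[k] = int(p[k]) if p[k] else None  # field absent on this packet -> None
    p["time"] = datetime.strptime(p["ts"], "%H:%M:%S.%f")
    return p

PACKETS = [parse_line(l) for l in DUMP.strip().splitlines()]

def handshake_ok(pkts):
    """A SYN consumes one sequence number, so the SYN-ACK must ack ISN + 1."""
    syn, synack, final = pkts[:3]
    return (syn["flags"] == "S" and syn["ack"] is None and synack["flags"] == "S"
            and synack["ack"] == syn["first"] + 1
            and final["ack"] == 1)  # after the handshake tcpdump prints relative numbers

def retransmissions(pkts):
    """Data segments whose (sender, byte range) already appeared earlier in the dump."""
    seen, found = {}, []
    for p in (q for q in pkts if q["len"]):  # only segments that carry payload
        key = (p["src"], p["first"], p["last"])
        if key in seen:
            found.append((p["ts"], p["src"], (p["time"] - seen[key]).total_seconds()))
        seen.setdefault(key, p["time"])
    return found

if __name__ == "__main__":
    print(handshake_ok(PACKETS), retransmissions(PACKETS))
```

On this dump it reports one repeat: the server's 156-byte segment 1:157 goes out again at 12:17:15.479988, about 3.2 seconds after the first copy.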
