On Thu, 2005-10-06 at 12:56 -0700, Richard Amerman wrote:
> Thanks for the reply Arne,

I help if i can ;-)

> Everything is masqueraded behind the firewall so we are using Nat-T and
> the NetScreen client does seem to be using this.

ok.

> When things do not go OK some of the symptoms are that the firewall
> still recognizes that there is a connection from the client in question
> to the remote VPN box so no entry is written in the FW log (we have all
> Policies logging for now to help troubleshoot). I have used Snort
> (installed on the firewall) to sniff the traffic to the VPN client when
> it is trying to connect and it is getting packets from the remote VPN
> box but appears to be ignoring them.

you might want to use tcpdump for this (well i never used snort for that, so i don't know if it is easy to use and gets all traffic). If you save the tcpdump output somewhere you can use ethereal (on windows or unix) to take a detailed look at what is going on.

> This seems to me to be some case of Nat-T not working properly, the UDP
> packets being munged in a way that is not working with the client, or
> other similar issues. The problem is that sometimes it works for a while
> then it doesn't for a bit. Very inconsistent.

I have one suggestion, that might be the case, i am not sure. But i have a similar problem on a remote site and after exploring it a bit, it seems that the masquerading/SNAT code in the linux kernel has a bug when masquerading UDP packets. This leads to some packets not being properly masqueraded/SNATed and this - could - be the problem you are experiencing. It would be interesting to take a look with tcpdump on the external interface if you run into this problem again. The packets you will see there should already be masqueraded, so take a look at the IP addresses of the nat-t packets and especially the port numbers. There may be a problem if the nat-t ipsec packets do not come from port 500 on the NetScreen side.... This udp snat problem is already reported to the netfilter team (bug id=390), you can take a look at it under bugzilla.netfilter.org...
> Richard

--arne
-- 
Arne Bernin <[EMAIL PROTECTED]>
http://www.ucBering.de
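The check Arne describes (capture on the firewall's external interface, then inspect the source addresses and UDP ports of the NAT-T/IKE packets) can be scripted over saved tcpdump text output, so that a leaked internal address or a rewritten source port is flagged instead of eyeballed. The following is an added example and not code from either poster or from any project named in the thread; the capture lines, the addresses (203.0.113.10 as the firewall's external address, 198.51.100.1 as the remote NetScreen) and the function names are constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample of tcpdump -n output as it might look on the external
# interface of a masquerading Linux firewall. Nothing here is a real capture.
SAMPLE_CAPTURE = """\
12:56:01.100001 IP 203.0.113.10.500 > 198.51.100.1.500: isakmp: phase 1 I ident
12:56:01.200002 IP 198.51.100.1.500 > 203.0.113.10.500: isakmp: phase 1 R ident
12:56:02.300003 IP 203.0.113.10.4500 > 198.51.100.1.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick
12:56:02.400004 IP 192.168.1.20.4500 > 198.51.100.1.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick
12:56:03.500005 IP 203.0.113.10.1035 > 198.51.100.1.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick
12:56:04.600006 IP 198.51.100.1.33123 > 203.0.113.10.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick
12:56:05.700007 IP 203.0.113.10.53211 > 198.51.100.53.53: 12345+ A? example.org. (29)
"""

# One tcpdump line: "<ts> IP <src>.<sport> > <dst>.<dport>: <info>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<info>.*)$"
)

IKE_PORTS = {500, 4500}  # ISAKMP and NAT-T UDP encapsulation
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True if addr is a private (RFC 1918) address that should never leave SNAT."""
    return any(ip_address(addr) in net for net in RFC1918)


def parse_line(line: str):
    """Return the fields of one tcpdump 'IP' line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"] = int(pkt["sport"])
    pkt["dport"] = int(pkt["dport"])
    return pkt


def classify(pkt: dict, external_ip: str, peer_ip: str):
    """Label one IKE/NAT-T packet to or from the VPN peer, or None if it looks right."""
    to_peer = pkt["dst"] == peer_ip and pkt["dport"] in IKE_PORTS
    from_peer = pkt["src"] == peer_ip and pkt["dport"] in IKE_PORTS
    if to_peer:
        if is_rfc1918(pkt["src"]):
            return "not-masqueraded"        # internal address leaked past SNAT
        if pkt["src"] == external_ip and pkt["sport"] not in IKE_PORTS:
            return "source-port-rewritten"  # SNAT chose a new UDP source port
    elif from_peer and pkt["sport"] not in IKE_PORTS:
        return "peer-port-unexpected"       # remote side not sending from 500/4500
    return None


def check_capture(text: str, external_ip: str, peer_ip: str):
    """Run classify() over every line of saved tcpdump output; return (ts, label, line) findings."""
    findings = []
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        label = classify(pkt, external_ip, peer_ip)
        if label:
            findings.append((pkt["ts"], label, line.strip()))
    return findings


if __name__ == "__main__":
    for ts, label, line in check_capture(SAMPLE_CAPTURE, "203.0.113.10", "198.51.100.1"):
        print(f"{ts} {label}: {line}")
```

On the constructed sample this reports three lines: the packet that still carries the 192.168.1.20 source (never masqueraded), the one whose source port became 1035 after SNAT, and the reply from the peer that does not originate from port 500/4500. Only traffic to or from the configured peer on the IKE ports is examined, so unrelated UDP such as DNS is ignored.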
