> -----Original Message-----
> From: Arne Bernin [mailto:[EMAIL PROTECTED]]

> You might want to use tcpdump for this (well, I never used
> snort for that, so I don't know if it is easy to use and gets
> all traffic). If you save the tcpdump output somewhere you
> can use ethereal (on Windows or Unix) to take a detailed look
> at what is going on.

I can do this fairly easily with Snort. I did see that, when looking at
the inside interface of the FW while a local client was trying to
connect to the VPN but failing, all the UDP packets arriving at
that host from the remote VPN server were from port 500. This was
using the simplest sniffer mode: snort -v -i eth3 host 192.168.1.120

> 
> > This seems to me to be some case of Nat-T not working properly, the
> > UDP packets being munged in a way that is not working with the client,
> > or other similar issues. The problem is that sometimes it works for a
> > while then it doesn't for a bit. Very inconsistent.
> > 
> 
> I have one suggestion that might be the case, I am not sure.
> But I have a similar problem on a remote site and, after
> exploring it a bit, it seems that the masquerading/SNAT code
> in the Linux kernel has a bug when masquerading UDP packets.
> This leads to some packets not being properly masqueraded/SNATed,
> and this - could - be the problem you are experiencing. It
> would be interesting to take a look with tcpdump on the
> external interface if you run into this problem again. The
> packets you will see there should already be masqueraded, so
> take a look at the IP addresses of the nat-t packets and
> especially the port numbers. There may be a problem if the
> nat-t ipsec packets do not come from port 500 on the NetScreen side....
> This udp snat problem is already reported to the netfilter
> team (bug id=390), you can take a look at it under
> bugzilla.netfilter.org...

I'll take a closer look at this issue.

Thanks
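The check Arne describes (capture on the external interface, confirm the nat-t packets already carry the masqueraded address and the expected ports) can be run over saved `tcpdump -n` output. The following is an added example, not code from this thread or from the LEAF project; it assumes IKE on UDP 500 and NAT-T UDP encapsulation on UDP 4500 (the latter is not mentioned in the thread), and the addresses and capture lines are constructed.

```python
import re
from typing import List, NamedTuple, Optional

# One UDP line of `tcpdump -n` output, e.g.
# "12:00:01.000001 IP 203.0.113.10.500 > 198.51.100.7.500: UDP, length 184"
TCPDUMP_UDP = re.compile(
    r"^\S+ IP (?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP"
)
IKE_NAT_T_PORTS = {500, 4500}  # IKE (500) and NAT-T UDP encapsulation (4500, assumed)

class UdpPacket(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def parse_tcpdump_udp(line: str) -> Optional[UdpPacket]:
    """Parse a tcpdump -n UDP line; return None for anything else (TCP, ARP, ...)."""
    m = TCPDUMP_UDP.match(line)
    if not m:
        return None
    return UdpPacket(m["sip"], int(m["sport"]), m["dip"], int(m["dport"]))

def audit_snat(lines, external_ip: str, internal_client: str, vpn_server: str) -> List[str]:
    """Audit a capture from the firewall's EXTERNAL interface: outbound IKE/NAT-T
    must carry external_ip and keep its port; replies must come from 500/4500."""
    findings = []
    for line in lines:
        pkt = parse_tcpdump_udp(line)
        if pkt is None or not IKE_NAT_T_PORTS & {pkt.src_port, pkt.dst_port}:
            continue  # not IKE / NAT-T traffic
        if pkt.dst_ip == vpn_server:  # outbound, seen after SNAT should have applied
            if pkt.src_ip == internal_client:
                findings.append(f"not SNATed: {pkt.src_ip}:{pkt.src_port} leaked towards {vpn_server}")
            elif pkt.src_ip == external_ip and pkt.src_port not in IKE_NAT_T_PORTS:
                findings.append(f"source port rewritten to {pkt.src_port} (dst port {pkt.dst_port})")
        elif pkt.src_ip == vpn_server and pkt.src_port not in IKE_NAT_T_PORTS:
            findings.append(f"reply from {vpn_server} on unexpected port {pkt.src_port}")
    return findings

# Constructed sample capture (documentation addresses; not from the thread).
SAMPLE_CAPTURE = [
    "12:00:01.000001 IP 198.51.100.7.500 > 203.0.113.10.500: UDP, length 184",
    "12:00:01.000002 IP 203.0.113.10.500 > 198.51.100.7.500: UDP, length 156",
    "12:00:02.000003 IP 192.168.1.120.4500 > 203.0.113.10.4500: UDP, length 92",
    "12:00:02.000004 IP 198.51.100.7.1027 > 203.0.113.10.4500: UDP, length 92",
    "12:00:03.000005 IP 198.51.100.7.53412 > 203.0.113.10.53: UDP, length 40",
]
if __name__ == "__main__":
    print("\n".join(audit_snat(SAMPLE_CAPTURE, "198.51.100.7", "192.168.1.120", "203.0.113.10")))
```

On the sample it reports the leaked internal address and the rewritten source port, and ignores the DNS datagram.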
leaf-user mailing list: [email protected]
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/