On Monday 24 June 2002 5:48 pm, kayegee wrote:

> I have a LINUX firewall protecting my local LAN. I have 2 computers that
> use the Nortel VPN client to connect to my office. I can make the VPN
> connection, but I can't seem to stay connected for more than 10 to 15 min.
> Suddenly the system stops responding. If you look at the VPN icon, only the
> top half of the icon blinks. When things are working properly, both the top
> and bottom half of the VPN icon flash. While this is happening, other
> computers connected to the Internet continue to work without a problem. I
> was looking in the /proc/net/ip_conntrack file and noticed that I seem to lose
> my connection every time I get an entry like the following in that file:
>
> unknown 50 523 src=192.168.XX.X dst=192.128.166.44 src=192.128.166.44
> dst=XX.XXX.XXX.XX use=1
>
> I'm not sure why I'm getting an unknown packet. I'm also not sure how
> iptables should handle an unknown packet. If anyone can shed some light on
> this subject, I'd greatly appreciate it.
'unknown' in this context simply means that the logging system doesn't know what to call protocol 50, which is ESP. Therefore I surmise that the Nortel application is using IPsec.

Are you saying that this entry is *not* present in the connection tracking table whilst the VPN connection is operational?

I think it might be interesting to add a logging rule, or use tcpdump / ethereal etc., to look for UDP packets from source port 500 to source port 500, and see if these appear soon before the connection goes down? UDP 500 is the Internet Key Exchange (IKE) protocol, and the two end systems might be trying to re-key (although 10-15 minutes is a bit quick), and something might be blocking that?

Just a thought.

Antony.
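To make the point in the reply concrete, here is an added example (not code from either poster) that decodes /proc/net/ip_conntrack lines of the kind quoted above: it maps protocol number 50 to ESP even though the 2.4 kernel prints it as 'unknown', picks out IKE entries by UDP port 500, and reports how many seconds each entry has left before the tracker expires it. The sample lines are constructed for the example, with addresses from the RFC 5737 documentation ranges; the `ConntrackEntry`, `parse_entry`, `classify` and `summarize` names are this example's own.

```python
"""Decode /proc/net/ip_conntrack entries so that IPsec data (ESP, protocol 50,
printed by the 2.4 kernel as 'unknown') and IKE (UDP port 500) stand out.

Added example for this thread, not code from the original post. SAMPLE_LINES
are constructed; addresses come from the RFC 5737 documentation ranges.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# IANA protocol numbers that the connection tracker prints only by number.
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 47: "gre", 50: "esp", 51: "ah"}
IKE_PORT = "500"  # conntrack prints ports as decimal strings


@dataclass
class ConntrackEntry:
    kernel_name: str               # first word as printed, 'unknown' for ESP
    proto: int                     # IANA protocol number (second column)
    timeout: int                   # seconds left before the entry expires
    state: Optional[str] = None    # tcp only, e.g. ESTABLISHED
    orig: dict = field(default_factory=dict)    # original-direction tuple
    reply: dict = field(default_factory=dict)   # reply-direction tuple
    flags: List[str] = field(default_factory=list)  # e.g. ASSURED, UNREPLIED

    @property
    def proto_name(self) -> str:
        """Human-readable name; falls back to whatever the kernel printed."""
        return PROTO_NAMES.get(self.proto, self.kernel_name)


def parse_entry(line: str) -> ConntrackEntry:
    tokens = line.split()
    entry = ConntrackEntry(tokens[0], int(tokens[1]), int(tokens[2]))
    for tok in tokens[3:]:
        if "=" in tok:
            key, value = tok.split("=", 1)
            if key == "use":        # reference count, belongs to neither tuple
                continue
            # First occurrence of a key is the original direction, the second
            # occurrence is the reply direction (the tuple the firewall expects back).
            side = entry.orig if key not in entry.orig else entry.reply
            side[key] = value
        elif tok.startswith("["):
            entry.flags.append(tok.strip("[]"))
        else:
            entry.state = tok       # bare word such as ESTABLISHED (tcp only)
    return entry


def classify(entry: ConntrackEntry) -> str:
    """'esp' for IPsec data, 'ike' for UDP/500 key exchange, 'other' otherwise."""
    if entry.proto == 50:
        return "esp"
    ports = (entry.orig.get("sport"), entry.orig.get("dport"))
    if entry.proto == 17 and IKE_PORT in ports:
        return "ike"
    return "other"


def summarize(lines):
    """Return (label, seconds_left, orig_src, orig_dst) for each non-blank line."""
    result = []
    for line in lines:
        if not line.strip():
            continue
        e = parse_entry(line)
        result.append((classify(e), e.timeout, e.orig.get("src"), e.orig.get("dst")))
    return result


# Constructed sample table: an ESP entry like the one quoted in the thread, the
# matching IKE entry, and an unrelated web connection.
SAMPLE_LINES = [
    "unknown 50 523 src=192.168.1.10 dst=192.0.2.44 src=192.0.2.44 dst=203.0.113.5 use=1",
    "udp 17 29 src=192.168.1.10 dst=192.0.2.44 sport=500 dport=500 "
    "src=192.0.2.44 dst=203.0.113.5 sport=500 dport=500 use=1",
    "tcp 6 431999 ESTABLISHED src=192.168.1.11 dst=198.51.100.7 sport=40001 dport=80 "
    "src=198.51.100.7 dst=203.0.113.5 sport=80 dport=40001 [ASSURED] use=1",
]

if __name__ == "__main__":
    for label, left, src, dst in summarize(SAMPLE_LINES):
        print(f"{label:5} {left:>6}s left  {src} -> {dst}")
```

Run against the real table with `summarize(open("/proc/net/ip_conntrack"))` on a 2.4 box: an ESP entry whose seconds-left value keeps dropping without the matching IKE entry reappearing is the kind of pattern the reply suggests looking for before the tunnel stops responding.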
