Re: Issue with point to point VPNs behind NAT and asymmetric traffic

2019-06-12 Thread Grant Taylor via NANOG

On 6/12/19 3:44 PM, Anurag Bhatia wrote:

Hello everyone,


Hi,

I am running two site to site VPNs (wireguard now, OpenVPN earlier) 
between my home and a remote server over two different WAN links. Both 
WAN links are just consumer connections - one with public IP and one 
with CGNATed IP.


Okay.

Is there any filtering of the traffic that flows through the VPNs?  Or 
do things have full connectivity through them?


What OS is on each of the VPN endpoints?

The redundancy here is taken care of by the OSPF running via FRR on both 
ends.


Okay.

The unexpected behaviour I get is that if I set OSPF cost to prefer say 
link1 between home -> server and prefer link 2 between server -> home 
then connectivity completely breaks between the routed pools.


O.o

The point to point IPs stay reachable (which is over expected links i.e 
symmetric via both ends).


Please clarify if those IPs are inside the VPN or outside the VPN?


As long as both ends prefer link1 or link2, it works fine.


Okay.

At first, I thought it had to do something with NAT but still can't 
understand how. Since VPN tunnels have a keep-alive timer (for 10 
seconds), the tunnel is always up.


Is NAT or SPI being applied to the traffic flowing through the VPN?


Any idea why asymmetric packets are being dropped here?


Not enough data to speculate yet.

This exact behaviour was in case of earlier OpenVPN + bird + iBGP and is 
still the same when I moved everything to Wireguard for VPN + FRR for 
routing + OSPF.


Can I ask why the change of the VPN technology, routing daemon, and 
protocol all at the same time?  Or was that a diagnostic step?




--
Grant. . . .
unix || die





RE: Issue with point to point VPNs behind NAT and asymmetric traffic

2019-06-12 Thread Jerry Cloe
Linux by default (regardless of firewall rules) will not accept a packet on an 
interface when the source of that packet "should" be on another interface 
according to the current route table (in other words, you're doing asymmetric 
routing).

 
Easy fix:

 
# Controls source route verification (reverse path filtering); 0 turns it off.
# Note: default.* only applies to interfaces created afterwards, and the kernel
# uses the larger of all.rp_filter and <iface>.rp_filter, so check those too.
net.ipv4.conf.default.rp_filter = 0
# Do not accept source routing (0 = reject packets carrying a source-route option)
net.ipv4.conf.default.accept_source_route = 0

 
-Original message-
From:Anurag Bhatia 
Sent:Wed 06-12-2019 04:45 pm
Subject:Issue with point to point VPNs behind NAT and asymmetric traffic
To:NANOG Mailing List ; 
 
Hello everyone, 
 Trying to get my head around a certain unexpected behaviour. 
  I am running two site to site VPNs (wireguard now, OpenVPN earlier) between 
my home and a remote server over two different WAN links. Both WAN links are 
just consumer connections - one with public IP and one with CGNATed IP. 
The redundancy here is taken care of by the OSPF running via FRR on both ends. 
  The unexpected behaviour I get is that if I set OSPF cost to prefer say link1 
between home -> server and prefer link 2 between server -> home then 
connectivity completely breaks between the routed pools. The point to point IPs 
stay reachable (which is over expected links i.e symmetric via both ends). As 
long as both ends prefer link1 or link2, it works fine. At first, I thought it 
had to do something with NAT but still can't understand how. Since VPN tunnels 
have a keep-alive timer (for 10 seconds), the tunnel is always up. Any idea why 
asymmetric packets are being dropped here? 
This exact behaviour was in case of earlier OpenVPN + bird + iBGP and is still 
the same when I moved everything to Wireguard for VPN + FRR for routing + OSPF. 
Thanks. 

 -- 

 Anurag Bhatia
 anuragbhatia.com  
 
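The reply above names the reverse-path filter as the cause, so here is a small audit that shows why a `default.*` sysctl alone can leave the filter active and what the safer setting is. This is an added example, not code from the thread or from any of the tools mentioned in it: it models the sysctl tree as a dict so it runs offline, and the interface names (`wg0`, `wg1`) and the sample sysctl text are constructed for the demo. On a real host the same values live under `/proc/sys/net/ipv4/conf/<iface>/`.

```python
"""Audit Linux reverse-path filtering (rp_filter) for dual-tunnel, asymmetric routing.

Added example, not code from the NANOG thread. The sysctl tree is modelled as
{interface: {knob: value}} so this runs offline; on a real host the same values
are read from /proc/sys/net/ipv4/conf/<iface>/. Interface names and the sample
sysctl text below are constructed for the demonstration.
"""

RP_MODES = {0: "off", 1: "strict", 2: "loose"}


def parse_sysctl(text):
    """Parse 'net.ipv4.conf.<iface>.<knob> = <int>' lines into nested dicts,
    ignoring blank lines, '#' comments and non-ipv4-conf keys."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition("=")
        parts = key.strip().split(".")
        if len(parts) != 5 or parts[:3] != ["net", "ipv4", "conf"]:
            continue
        iface, knob = parts[3], parts[4]
        conf.setdefault(iface, {})[knob] = int(value.strip())
    return conf


def effective_rp_filter(conf, iface):
    """Kernel rule: the larger of conf/all/rp_filter and conf/<iface>/rp_filter
    applies, so lowering only 'default' or the interface value is not enough
    while conf/all/rp_filter is still 1 (strict)."""
    all_val = conf.get("all", {}).get("rp_filter", 0)
    if_val = conf.get(iface, {}).get("rp_filter", 0)
    return max(all_val, if_val)


def effective_accept_source_route(conf, iface):
    """Kernel rule for IPv4 source routing: packets with a source-route option
    are accepted on <iface> only if both conf/all and conf/<iface> are 1."""
    return bool(conf.get("all", {}).get("accept_source_route", 0)) and \
        bool(conf.get(iface, {}).get("accept_source_route", 0))


def audit(conf, tunnel_ifaces):
    """Findings: tunnels in strict mode (return traffic that the FIB maps to the
    other tunnel is dropped) and any interface that accepts source routing."""
    findings = []
    for iface in tunnel_ifaces:
        if effective_rp_filter(conf, iface) == 1:
            findings.append(f"{iface}: rp_filter effective=strict; "
                            "asymmetric return traffic will be dropped")
    for iface in conf:
        if effective_accept_source_route(conf, iface):
            findings.append(f"{iface}: accept_source_route effective=1; should be 0")
    return findings


def remediation(conf, tunnel_ifaces):
    """sysctl lines that move strict tunnels to loose mode (2) rather than off (0):
    loose mode still drops sources with no route at all but accepts a source
    reachable via any interface, which is what dual-tunnel OSPF needs."""
    lines = []
    patched = {k: dict(v) for k, v in conf.items()}
    if patched.get("all", {}).get("rp_filter", 0) == 1:
        lines.append("net.ipv4.conf.all.rp_filter = 2")
        patched["all"]["rp_filter"] = 2
    for iface in tunnel_ifaces:
        if effective_rp_filter(patched, iface) == 1:
            lines.append(f"net.ipv4.conf.{iface}.rp_filter = 2")
            patched.setdefault(iface, {})["rp_filter"] = 2
    # Source routing: clear every raw 1, not just the effective ones.
    for iface, knobs in conf.items():
        if knobs.get("accept_source_route", 0) == 1:
            lines.append(f"net.ipv4.conf.{iface}.accept_source_route = 0")
    return lines


def apply_lines(conf, lines):
    """Return a copy of conf with the given sysctl lines merged in."""
    patched = {k: dict(v) for k, v in conf.items()}
    for iface, knobs in parse_sysctl("\n".join(lines)).items():
        patched.setdefault(iface, {}).update(knobs)
    return patched


# Constructed sample: a host "fixed" only via default.*, while all.rp_filter is
# still strict and the two WireGuard tunnels already exist.
SAMPLE = """
# Controls source route verification
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.wg0.rp_filter = 0
net.ipv4.conf.wg1.rp_filter = 0
net.ipv4.conf.all.accept_source_route = 1
net.ipv4.conf.wg0.accept_source_route = 1
"""

if __name__ == "__main__":
    conf = parse_sysctl(SAMPLE)
    for finding in audit(conf, ["wg0", "wg1"]):
        print("FINDING", finding)
    for line in remediation(conf, ["wg0", "wg1"]):
        print("FIX", line)
```

On a live box, `sysctl net.ipv4.conf.all.rp_filter net.ipv4.conf.wg0.rp_filter` gives the inputs for the same check; the point of loose mode (2) over 0 is that the host keeps rejecting packets from sources it has no route to at all, which is the part of reverse-path filtering worth keeping on a VPN endpoint.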

Re: Issue with point to point VPNs behind NAT and asymmetric traffic

2019-06-12 Thread Ross Tajvar
My guess is something is doing stateful filtering. If you send a SYN down
one link and the SYN-ACK comes back a different link, the receiving
firewall will discard it as bogus. You should be able to test this by doing
pcaps to confirm the traffic is arriving (though I'm not familiar with
WireGuard so maybe not), and you should be able to disable this by setting
a rule or unchecking a box in your firewall.

On Wed, Jun 12, 2019, 5:47 PM Anurag Bhatia  wrote:

> Hello everyone,
>
> Trying to get my head around a certain unexpected behaviour.
>
>
> I am running two site to site VPNs (wireguard now, OpenVPN earlier)
> between my home and a remote server over two different WAN links. Both WAN
> links are just consumer connections - one with public IP and one with
> CGNATed IP.
> The redundancy here is taken care of by the OSPF running via FRR on both
> ends.
>
>
> The unexpected behaviour I get is that if I set OSPF cost to prefer say
> link1 between home -> server and prefer link 2 between server -> home then
> connectivity completely breaks between the routed pools. The point to point
> IPs stay reachable (which is over expected links i.e symmetric via both
> ends). As long as both ends prefer link1 or link2, it works fine. At first,
> I thought it had to do something with NAT but still can't understand how.
> Since VPN tunnels have a keep-alive timer (for 10 seconds), the tunnel is
> always up. Any idea why asymmetric packets are being dropped here?
> This exact behaviour was in case of earlier OpenVPN + bird + iBGP and is
> still the same when I moved everything to Wireguard for VPN + FRR for
> routing + OSPF.
>
>
>
>
> Thanks.
>
>
> --
>
>
> Anurag Bhatia
> anuragbhatia.com
>


Re: Issue with point to point VPNs behind NAT and asymmetric traffic

2019-06-12 Thread blakangel

Could it be as simple as a stateful firewall?

Anurag Bhatia wrote on 6/12/2019 14:44:


Hello everyone,

Trying to get my head around a certain unexpected behaviour.


I am running two site to site VPNs (wireguard now, OpenVPN earlier) 
between my home and a remote server over two different WAN links. Both 
WAN links are just consumer connections - one with public IP and one 
with CGNATed IP.
The redundancy here is taken care of by the OSPF running via FRR on 
both ends.



The unexpected behaviour I get is that if I set OSPF cost to prefer 
say link1 between home -> server and prefer link 2 between server -> 
home then connectivity completely breaks between the routed pools. The 
point to point IPs stay reachable (which is over expected links i.e 
symmetric via both ends). As long as both ends prefer link1 or link2, 
it works fine. At first, I thought it had to do something with NAT but 
still can't understand how. Since VPN tunnels have a keep-alive timer 
(for 10 seconds), the tunnel is always up. Any idea why asymmetric 
packets are being dropped here?
This exact behaviour was in case of earlier OpenVPN + bird + iBGP and 
is still the same when I moved everything to Wireguard for VPN + FRR 
for routing + OSPF.





Thanks.


--


Anurag Bhatia
anuragbhatia.com 




Issue with point to point VPNs behind NAT and asymmetric traffic

2019-06-12 Thread Anurag Bhatia
Hello everyone,

Trying to get my head around a certain unexpected behaviour.


I am running two site to site VPNs (wireguard now, OpenVPN earlier) between
my home and a remote server over two different WAN links. Both WAN links
are just consumer connections - one with public IP and one with CGNATed IP.
The redundancy here is taken care of by the OSPF running via FRR on both
ends.


The unexpected behaviour I get is that if I set OSPF cost to prefer say
link1 between home -> server and prefer link 2 between server -> home then
connectivity completely breaks between the routed pools. The point to point
IPs stay reachable (which is over expected links i.e symmetric via both
ends). As long as both ends prefer link1 or link2, it works fine. At first,
I thought it had to do something with NAT but still can't understand how.
Since VPN tunnels have a keep-alive timer (for 10 seconds), the tunnel is
always up. Any idea why asymmetric packets are being dropped here?
This exact behaviour was in case of earlier OpenVPN + bird + iBGP and is
still the same when I moved everything to Wireguard for VPN + FRR for
routing + OSPF.




Thanks.


-- 


Anurag Bhatia
anuragbhatia.com


Re: someone is using my AS number

2019-06-12 Thread Carlos Friaças via NANOG




AS15001 ?
(IT Convergence Inc.)

MSP in India: did they have any slightest idea about the issue? :-)

Cheers,
Carlos


On Wed, 12 Jun 2019, Philip Lavine via NANOG wrote:


I talked to the upstream provider on AS 1500. I called the telephone number on 
the abuse record on ARIN and it went to a MSP in India.

On Wednesday, June 12, 2019, 11:06:13 AM PDT, Töma Gavrichenkov 
 wrote:


Our records show this happened yesterday and lasted before 2019-06-11
20:24:00, for 2.5 hours total. Maybe that was just by accident.

I'm sort of confused why you're speaking of some ISPs in India. The
incident was more or less local to Finland, wasn't it?

--
Töma




Re: someone is using my AS number

2019-06-12 Thread Valdis Klētnieks
On Wed, 12 Jun 2019 16:10:00 -, David Guo via NANOG said:

> Get Outlook for iOS

Does it work better on XE or XR versions?

/ducks ;)





Re: someone is using my AS number

2019-06-12 Thread Arturo Servin
Proper filtering from the upstream providers.

.as

On Wed, Jun 12, 2019 at 9:25 PM Alejandro Acosta <
alejandroacostaal...@gmail.com> wrote:

> Unfortunately RPKI is not useful in this case.
>
> Question: What else could be done to prevent this?
>
>
> Alejandro,
>
>
>
> On 6/12/19 12:05 PM, Philip Lavine via NANOG wrote:
>
> What is the procedure to have another party to cease and desist in using
> my AS number?
>
> Thx
>
>


Re: someone is using my AS number

2019-06-12 Thread Scott Weeks



>On 12 June 2019 6:05:58 pm GMT+02:00, Philip Lavine via NANOG

>What is the procedure to have another party to cease and desist
>in using my AS number?



On 12 June 2019 7:57:52 pm GMT+02:00, Philip Lavine  wrote:
> Here is what I got from BGPMon- MY AS is 15053
>
>Detected new prefix: 134.37.2.0/23
>ASpath: 394256 174 702 25213 25213 25213 15001 15053 



--- f...@fhrnet.eu wrote:
From: Filip Hruska 

Seems the issue was on AS25213 side. They don't provide transit 
to AS15001 at all. 
---



Here's how I see it:

134.37.2.0/23  -   702 25213 25213

So, Verizon or Telia should be able to help stop Cargotec or DNA 
in Helsinki, Finland from announcing the prefix to the world.

https://bgp.he.net/AS25213#_graph4
https://bgp.he.net/AS16086#_graph4


scott
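The BGPMon alert quoted in this thread, the reading of the path above and the earlier suggestion that networks peering with the upstreams could reject routes carrying the victim ASN all come down to reading adjacency out of the AS path. The following is an added example, not code from the thread or from BGPMon: it parses the alert text as posted, collapses the prepends, checks whether the origin claims our ASN for a prefix we do not hold, lists the ASes to escalate to in order, and gives a third-party filter rule of the kind suggested. The local prefix list (`203.0.113.0/24`) and upstream set (`AS64496`) are constructed placeholders.

```python
"""Triage a BGPMon-style 'Detected new prefix' alert for AS-path forgery.

Added example, not code from the thread or from BGPMon. ALERT is the alert text
quoted in the thread; the local ASN's legitimate prefixes and upstreams
(203.0.113.0/24, AS64496) are constructed placeholders for the demonstration.
"""
import ipaddress

ALERT = """Detected new prefix: 134.37.2.0/23
Update time: 2019-06-11 17:58 (UTC)
Detected by #peers: 70
Announced by: AS15053 (ROLL-GLOBAL-LLC - Roll Global LLC, US)
Upstream AS: AS15001 (ITCONVERGENCE-COM - IT Convergence Inc., US)
ASpath: 394256 174 702 25213 25213 25213 15001 15053"""


def parse_alert(text):
    """Split 'Key: value' lines; ASpath becomes a list of ints in wire order
    (leftmost = AS nearest the observing peer, rightmost = origin)."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip():
            fields[key.strip()] = value.strip()
    return {
        "prefix": ipaddress.ip_network(fields["Detected new prefix"]),
        "as_path": [int(a) for a in fields["ASpath"].split()],
    }


def collapse_prepends(path):
    """Drop consecutive duplicates so prepending does not distort adjacency."""
    out = []
    for asn in path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out


def triage(alert, my_asn, my_prefixes, my_upstreams):
    """Decide whether the announcement claims our ASN illegitimately and who to
    contact, starting with the AS adjacent to us in the path."""
    path = collapse_prepends(alert["as_path"])
    origin = path[-1]
    adjacent = path[-2] if len(path) > 1 else None
    findings = []
    if origin == my_asn:
        ours = any(alert["prefix"].subnet_of(ipaddress.ip_network(p))
                   for p in my_prefixes)
        if not ours:
            findings.append(f"AS{my_asn} is the origin but "
                            f"{alert['prefix']} is not in our prefix list")
        if adjacent is not None and adjacent not in my_upstreams:
            findings.append(f"AS{adjacent} appears as our upstream but is not one")
    return {
        "origin": origin,
        "adjacent": adjacent,
        "forged": bool(findings),
        "findings": findings,
        # Escalation order: the AS next to us, then each AS further up the path.
        "contact_chain": list(reversed(path[:-1])),
    }


def reject_forged_path(path, victim_asn, victim_upstreams):
    """Filter rule for a third party that knows the victim's real upstreams:
    reject any path where victim_asn sits next to an AS that is not one of them."""
    p = collapse_prepends(path)
    for i, asn in enumerate(p):
        if asn == victim_asn and i > 0 and p[i - 1] not in victim_upstreams:
            return True
    return False


if __name__ == "__main__":
    alert = parse_alert(ALERT)
    result = triage(alert, 15053, ["203.0.113.0/24"], {64496})
    for f in result["findings"]:
        print("FINDING", f)
    print("contact, in order:", result["contact_chain"])
    print("third-party filter rejects:",
          reject_forged_path(alert["as_path"], 15053, {64496}))
```

The `reject_forged_path` rule is only as good as the upstream list it is fed; an RPKI ROA does not help here because the forged path still ends in the victim's own ASN, which is exactly what an origin-validation check accepts.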


Re: someone is using my AS number

2019-06-12 Thread Alejandro Acosta
Unfortunately RPKI is not useful in this case.

Question: What else could be done to prevent this?


Alejandro,



On 6/12/19 12:05 PM, Philip Lavine via NANOG wrote:
> What is the procedure to have another party to cease and desist in
> using my AS number?
>
> Thx




Re: someone is using my AS number

2019-06-12 Thread Filip Hruska
Seems the issue was on AS25213 side. They don't provide transit to AS15001 at 
all. 

Regards,
Filip

On 12 June 2019 7:57:52 pm GMT+02:00, Philip Lavine  
wrote:
> Here is what I got from BGPMon- MY AS is 15053
>
>Detected new prefix: 134.37.2.0/23
>Update time: 2019-06-11 17:58 (UTC)
>Detected by #peers: 70
>Announced by: AS15053 (ROLL-GLOBAL-LLC - Roll Global LLC, US)
>Upstream AS: AS15001 (ITCONVERGENCE-COM - IT Convergence Inc., US)
>ASpath: 394256 174 702 25213 25213 25213 15001 15053 
>
>I tried contacting the upstream provider and they were no help :Contact
>- IT Convergence
>
>On Wednesday, June 12, 2019, 9:34:16 AM PDT, Job Snijders 
>wrote:  
> 
>Can you share more details? Perhaps we can put the human social network
>to good use.
>Other than that this is annoying - are right now operationally
>impacted?
>Kind regards,
>Job
>On Wed, Jun 12, 2019 at 12:24 Filip Hruska  wrote:
>
>I would contact upstreams of the upstream then. This is quite a serious
>offence and they should help you. 
>
>Regards,
>Filip
>
>On 12 June 2019 6:20:42 pm GMT+02:00, Philip Lavine
> wrote:
> yeah I did they are some MSP in India. No help.
>
>On Wednesday, June 12, 2019, 9:15:51 AM PDT, Filip Hruska
> wrote:  
> 
> Contact the offending upstreams.
>
>Filip
>
>On 12 June 2019 6:05:58 pm GMT+02:00, Philip Lavine via NANOG
> wrote:
>What is the procedure to have another party to cease and desist in
>using my AS number?
>Thx
>
>
>
>-- 
>Sent from my Android device with K-9 Mail. Please excuse my brevity.
>  

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: someone is using my AS number

2019-06-12 Thread Philip Lavine via NANOG
 I talked to the upstream provider on AS 1500. I called the telephone number on 
the abuse record on ARIN and it went to a MSP in India. 

On Wednesday, June 12, 2019, 11:06:13 AM PDT, Töma Gavrichenkov 
 wrote:  
 
 Our records show this happened yesterday and lasted before 2019-06-11
20:24:00, for 2.5 hours total. Maybe that was just by accident.

I'm sort of confused why you're speaking of some ISPs in India. The
incident was more or less local to Finland, wasn't it?

--
Töma  

Re: someone is using my AS number

2019-06-12 Thread Job Snijders
Indeed, I do not see this in the our current version of the
Default-Free Zone, so there may not be a problem for us to solve at
this moment.

I think your reaching out to NANOG or other operator forums is the
correct action. Someone is bound to know someone who knows someone who
can help.

Kind regards,

Job

On Wed, Jun 12, 2019 at 6:06 PM Töma Gavrichenkov  wrote:
>
> Our records show this happened yesterday and lasted before 2019-06-11
> 20:24:00, for 2.5 hours total. Maybe that was just by accident.
>
> I'm sort of confused why you're speaking of some ISPs in India. The
> incident was more or less local to Finland, wasn't it?
>
> --
> Töma


Re: someone is using my AS number

2019-06-12 Thread Töma Gavrichenkov
Our records show this happened yesterday and lasted before 2019-06-11
20:24:00, for 2.5 hours total. Maybe that was just by accident.

I'm sort of confused why you're speaking of some ISPs in India. The
incident was more or less local to Finland, wasn't it?

--
Töma


Re: someone is using my AS number

2019-06-12 Thread Philip Lavine via NANOG
 Here is what I got from BGPMon- MY AS is 15053

Detected new prefix: 134.37.2.0/23
Update time: 2019-06-11 17:58 (UTC)
Detected by #peers: 70
Announced by: AS15053 (ROLL-GLOBAL-LLC - Roll Global LLC, US)
Upstream AS: AS15001 (ITCONVERGENCE-COM - IT Convergence Inc., US)
ASpath: 394256 174 702 25213 25213 25213 15001 15053 

I tried contacting the upstream provider and they were no help :Contact - IT 
Convergence

On Wednesday, June 12, 2019, 9:34:16 AM PDT, Job Snijders  
wrote:  
 
 Can you share more details? Perhaps we can put the human social network to 
good use.
Other than that this is annoying - are right now operationally impacted?
Kind regards,
Job
On Wed, Jun 12, 2019 at 12:24 Filip Hruska  wrote:

I would contact upstreams of the upstream then. This is quite a serious offence 
and they should help you. 

Regards,
Filip

On 12 June 2019 6:20:42 pm GMT+02:00, Philip Lavine  
wrote:
 yeah I did they are some MSP in India. No help.

On Wednesday, June 12, 2019, 9:15:51 AM PDT, Filip Hruska  
wrote:  
 
 Contact the offending upstreams.

Filip

On 12 June 2019 6:05:58 pm GMT+02:00, Philip Lavine via NANOG  
wrote:
What is the procedure to have another party to cease and desist in using my AS 
number?
Thx



-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
  

contacts for two abuse cases - cloudstar.is and heficed.com

2019-06-12 Thread JORDI PALET MARTINEZ via NANOG
We are getting since several weeks ago, intrusion attempts via SIP (among 
others) from:

1) cloudstar.is - They are not responding at all.

2) heficed.com - The people responding is "unable" to resolve it.

In both cases the attacks come from different IP addresses.

So, does anyone have a reliable contact for each case that may be useful to resolve 
the problems?

Thanks in advance!
 
Regards,
Jordi
@jordipalet
 
 








Re: someone is using my AS number

2019-06-12 Thread Mehmet Akcin
What is your ASN?

On Wed, Jun 12, 2019 at 12:08 PM Philip Lavine via NANOG 
wrote:

> What is the procedure to have another party to cease and desist in using
> my AS number?
>
> Thx
>


Re: someone is using my AS number

2019-06-12 Thread Matt Harris
On Wed, Jun 12, 2019 at 11:46 AM Carsten Bormann  wrote:

> On Jun 12, 2019, at 18:10, David Guo via NANOG  wrote:
> >
> > Send abuse complaint to the upstreams
> >
> > Get Outlook for iOS
>
> Yes, but which of these is more effective?
>

With some upstreams, I wonder if getting Outlook for iOS might not be just
as effective as contacting them...


Re: someone is using my AS number

2019-06-12 Thread Carsten Bormann
On Jun 12, 2019, at 18:10, David Guo via NANOG  wrote:
> 
> Send abuse complaint to the upstreams
> 
> Get Outlook for iOS

Yes, but which of these is more effective?

SCNR

Grüße, Carsten



Re: someone is using my AS number

2019-06-12 Thread Joe Provo
On Wed, Jun 12, 2019 at 04:10:00PM +, David Guo via NANOG wrote:
> Send abuse complaint to the upstreams

...and then name & shame publicly. AS-path forgery "for TE" was 
never a good idea. Sharing the affected prefix[es]/path[s] would 
be good.

-- 
Posted from my personal account - see X-Disclaimer header.
Joe Provo / Gweep / Earthling 


Re: someone is using my AS number

2019-06-12 Thread Job Snijders
Can you share more details? Perhaps we can put the human social network to
good use.

Other than that this is annoying - are right now operationally impacted?

Kind regards,

Job

On Wed, Jun 12, 2019 at 12:24 Filip Hruska  wrote:

> I would contact upstreams of the upstream then. This is quite a serious
> offence and they should help you.
>
> Regards,
> Filip
>
>
> On 12 June 2019 6:20:42 pm GMT+02:00, Philip Lavine <
> source_ro...@yahoo.com> wrote:
>>
>> yeah I did they are some MSP in India. No help.
>>
>> On Wednesday, June 12, 2019, 9:15:51 AM PDT, Filip Hruska 
>> wrote:
>>
>>
>> Contact the offending upstreams.
>>
>> Filip
>>
>> On 12 June 2019 6:05:58 pm GMT+02:00, Philip Lavine via NANOG <
>> nanog@nanog.org> wrote:
>>
>> What is the procedure to have another party to cease and desist in using
>> my AS number?
>>
>> Thx
>>
>>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>


Re: someone is using my AS number

2019-06-12 Thread Christopher Morrow
details help here, and perhaps folk who peer with the upstreams can
just reject routes with your as in them... if, you know, we knew what
that was :)

On Wed, Jun 12, 2019 at 9:21 AM Philip Lavine via NANOG  wrote:
>
> yeah I did they are some MSP in India. No help.
>
> On Wednesday, June 12, 2019, 9:15:51 AM PDT, Filip Hruska  
> wrote:
>
>
> Contact the offending upstreams.
>
> Filip
>
> On 12 June 2019 6:05:58 pm GMT+02:00, Philip Lavine via NANOG 
>  wrote:
>
> What is the procedure to have another party to cease and desist in using my 
> AS number?
>
> Thx
>
>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: someone is using my AS number

2019-06-12 Thread Ross Tajvar
Maybe try contacting the RIR?

On Wed, Jun 12, 2019, 12:23 PM Philip Lavine via NANOG 
wrote:

> yeah I did they are some MSP in India. No help.
>
> On Wednesday, June 12, 2019, 9:15:51 AM PDT, Filip Hruska 
> wrote:
>
>
> Contact the offending upstreams.
>
> Filip
>
> On 12 June 2019 6:05:58 pm GMT+02:00, Philip Lavine via NANOG <
> nanog@nanog.org> wrote:
>
> What is the procedure to have another party to cease and desist in using
> my AS number?
>
> Thx
>
>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>


Re: someone is using my AS number

2019-06-12 Thread Filip Hruska
I would contact upstreams of the upstream then. This is quite a serious offence 
and they should help you. 

Regards,
Filip

On 12 June 2019 6:20:42 pm GMT+02:00, Philip Lavine  
wrote:
> yeah I did they are some MSP in India. No help.
>
>On Wednesday, June 12, 2019, 9:15:51 AM PDT, Filip Hruska
> wrote:  
> 
> Contact the offending upstreams.
>
>Filip
>
>On 12 June 2019 6:05:58 pm GMT+02:00, Philip Lavine via NANOG
> wrote:
>What is the procedure to have another party to cease and desist in
>using my AS number?
>Thx
>
>
>-- 
>Sent from my Android device with K-9 Mail. Please excuse my brevity.  

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: someone is using my AS number

2019-06-12 Thread Philip Lavine via NANOG
 yeah I did they are some MSP in India. No help.

On Wednesday, June 12, 2019, 9:15:51 AM PDT, Filip Hruska  
wrote:  
 
 Contact the offending upstreams.

Filip

On 12 June 2019 6:05:58 pm GMT+02:00, Philip Lavine via NANOG  
wrote:
What is the procedure to have another party to cease and desist in using my AS 
number?
Thx


-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.  

Re: someone is using my AS number

2019-06-12 Thread Filip Hruska
Contact the offending upstreams.

Filip

On 12 June 2019 6:05:58 pm GMT+02:00, Philip Lavine via NANOG  
wrote:
>What is the procedure to have another party to cease and desist in
>using my AS number?
>Thx

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: someone is using my AS number

2019-06-12 Thread David Guo via NANOG
Send abuse complaint to the upstreams

Get Outlook for iOS

From: NANOG  on behalf of Philip Lavine via NANOG 

Sent: Thursday, June 13, 2019 12:05:58 AM
To: NANOG List
Subject: someone is using my AS number

What is the procedure to have another party to cease and desist in using my AS 
number?

Thx


someone is using my AS number

2019-06-12 Thread Philip Lavine via NANOG
What is the procedure to have another party to cease and desist in using my AS 
number?
Thx