On 12/21/2011 03:44 PM, Robin Polak wrote:
Hello,
I'm getting an established connection to my Juniper SSG 550, however the
traffic is egressing through the tap0 interface and then ingressing through
eth0. You can see this behavior in the packet capture below. The debug
log shows no errors. My configuration is as follows:
...
15:21:04.712747 IP 192.168.1.2.4500 > 74.120.51.132.4500: isakmp-nat-keep-alive
15:21:04.723654 IP 192.168.1.2.4500 > 74.120.51.132.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
15:21:04.726302 IP 74.120.51.132.4500 > 192.168.1.2.4500: NONESP-encap: isakmp: phase 2/others R inf[E]
15:21:04.935739 IP 192.168.1.2.4500 > 74.120.51.132.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
15:21:04.937389 IP 192.168.1.2.4500 > 74.120.51.132.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
15:21:07.174577 IP 74.120.51.132.4500 > 192.168.1.2.10954: isakmp-nat-keep-alive
15:21:07.174659 IP 192.168.1.2 > 74.120.51.132: ICMP 192.168.1.2 udp port 10954 unreachable, length 37
...
11/12/21 15:20:34 ii : nat discovery - local address is translated
11/12/21 15:20:34 ii : switching to src nat-t udp port 4500
11/12/21 15:20:34 ii : switching to dst nat-t udp port 4500
11/12/21 15:20:34 >= : cookies :
11/12/21 15:20:34 >= : message
11/12/21 15:20:34 ii : phase1 sa established
11/12/21 15:20:34 ii : 74.120.51.132:4500 <-> 192.168.1.2:4500
...
11/12/21 15:20:52 ii : phase2 ids accepted
11/12/21 15:20:52 ii : - loc ANY:10.22.22.24:* -> ANY:10.0.0.0/8:*
11/12/21 15:20:52 ii : - rmt ANY:10.0.0.0/8:* -> ANY:10.22.22.24:*
11/12/21 15:20:52 ii : phase2 sa established
Hi Robin,
I'm not sure I see it. I do see the odd packet in the capture destined
for the local host on port 10954 which seems wrong, but I'm not sure
what that means.
About the only thing that comes to mind is related to the rogue port
10954 traffic. Is it possible that the SSG 550 is somehow thinking that
the local host 10.22.22.24 is NATted behind 192.168.1.2 rather than
being at the end of a tunnel? So when outbound traffic for 10.22.22.24
is received at the SSG's ingress, instead of putting it into the tunnel,
it NATs it and sends it out its Internet interface?
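The symptom the reply singles out, a NAT-T keep-alive from the peer arriving at UDP port 10954 instead of the negotiated port 4500, followed by the client answering with ICMP port unreachable, can be checked mechanically in a capture. The following is an added example, not code from either poster or from the Shrew Soft project: it parses tcpdump lines in the format shown in the thread, lists the UDP 5-tuples in use, and flags any peer packet that lands on a port other than the NAT-T port plus any ICMP unreachable the local host sends back. The sample capture is the thread's own tcpdump output with the mail line-wrapping undone; the local and peer addresses are passed in as parameters.

```python
import re
from collections import Counter

# Constructed sample: the tcpdump lines from the thread, re-joined where the
# mail client had wrapped them (not a fresh capture).
CAPTURE = """\
15:21:04.712747 IP 192.168.1.2.4500 > 74.120.51.132.4500: isakmp-nat-keep-alive
15:21:04.723654 IP 192.168.1.2.4500 > 74.120.51.132.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
15:21:04.726302 IP 74.120.51.132.4500 > 192.168.1.2.4500: NONESP-encap: isakmp: phase 2/others R inf[E]
15:21:07.174577 IP 74.120.51.132.4500 > 192.168.1.2.10954: isakmp-nat-keep-alive
15:21:07.174659 IP 192.168.1.2 > 74.120.51.132: ICMP 192.168.1.2 udp port 10954 unreachable, length 37
"""

IPV4 = r'(\d+\.\d+\.\d+\.\d+)'
# "<ts> IP <src>.<sport> > <dst>.<dport>: <info>"
UDP_RE = re.compile(r'^(\S+) IP ' + IPV4 + r'\.(\d+) > ' + IPV4 + r'\.(\d+): (.*)$')
# "<ts> IP <src> > <dst>: ICMP <host> udp port <port> unreachable, ..."
ICMP_RE = re.compile(r'^(\S+) IP ' + IPV4 + r' > ' + IPV4 + r': ICMP .*udp port (\d+) unreachable')

NAT_T_PORT = 4500  # UDP port NAT-T floats to after NAT discovery (RFC 3947)


def parse(capture):
    """Yield one dict per recognised UDP or ICMP-port-unreachable record."""
    for line in capture.splitlines():
        m = UDP_RE.match(line)
        if m:
            ts, src, sport, dst, dport, info = m.groups()
            yield {"kind": "udp", "ts": ts, "src": src, "sport": int(sport),
                   "dst": dst, "dport": int(dport), "info": info}
            continue
        m = ICMP_RE.match(line)
        if m:
            ts, src, dst, port = m.groups()
            yield {"kind": "icmp", "ts": ts, "src": src, "dst": dst, "port": int(port)}


def udp_port_pairs(capture):
    """Count UDP flows as (src, sport, dst, dport); a healthy NAT-T session shows
    only the negotiated port on both sides."""
    counts = Counter()
    for rec in parse(capture):
        if rec["kind"] == "udp":
            counts[(rec["src"], rec["sport"], rec["dst"], rec["dport"])] += 1
    return counts


def audit_nat_t(capture, local_ip, peer_ip, nat_t_port=NAT_T_PORT):
    """Return human-readable findings for the two symptoms in the thread:
    peer traffic hitting the wrong local port, and ICMP unreachables we send
    back to the peer (each one tells the peer its NAT-T mapping is wrong)."""
    findings = []
    for rec in parse(capture):
        if (rec["kind"] == "udp" and rec["src"] == peer_ip
                and rec["dst"] == local_ip and rec["dport"] != nat_t_port):
            findings.append(f"{rec['ts']} peer {peer_ip} sent '{rec['info']}' to "
                            f"local port {rec['dport']}, expected {nat_t_port}")
        elif rec["kind"] == "icmp" and rec["src"] == local_ip and rec["dst"] == peer_ip:
            findings.append(f"{rec['ts']} local host answered peer with ICMP "
                            f"port {rec['port']} unreachable")
    return findings


if __name__ == "__main__":
    for flow, n in udp_port_pairs(CAPTURE).items():
        print(f"{n:3d}  {flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}")
    for f in audit_nat_t(CAPTURE, "192.168.1.2", "74.120.51.132"):
        print("FINDING:", f)
```

Run against a longer capture, the flow table makes a stray port stand out immediately, and `audit_nat_t` gives the two lines to quote back to whoever manages the gateway. If the local side sits behind a NAT, pass the address the client actually binds to, since that is what appears in the capture.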
_______________________________________________
vpn-help mailing list
[email protected]
http://lists.shrew.net/mailman/listinfo/vpn-help