On 01/06/2012 09:06 AM, Robin Polak wrote:
On Thu, Jan 5, 2012 at 22:25, Kevin VPN<[email protected]>  wrote:

On 12/21/2011 03:44 PM, Robin Polak wrote:

Hello,

I'm getting an established connection to my Juniper SSG 550, however the
traffic is egressing through the tap0 interface and then ingressing through
eth0.  You can see this behavior in the packet capture below.  The debug
log shows no errors.  My configuration is as follows:

...

15:21:04.712747 IP 192.168.1.2.4500 > 74.120.51.132.4500: isakmp-nat-keep-alive
15:21:04.723654 IP 192.168.1.2.4500 > 74.120.51.132.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
15:21:04.726302 IP 74.120.51.132.4500 > 192.168.1.2.4500: NONESP-encap: isakmp: phase 2/others R inf[E]
15:21:04.935739 IP 192.168.1.2.4500 > 74.120.51.132.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
15:21:04.937389 IP 192.168.1.2.4500 > 74.120.51.132.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
15:21:07.174577 IP 74.120.51.132.4500 > 192.168.1.2.10954: isakmp-nat-keep-alive
15:21:07.174659 IP 192.168.1.2 > 74.120.51.132: ICMP 192.168.1.2 udp port 10954 unreachable, length 37

...

11/12/21 15:20:34 ii : nat discovery - local address is translated
11/12/21 15:20:34 ii : switching to src nat-t udp port 4500
11/12/21 15:20:34 ii : switching to dst nat-t udp port 4500
11/12/21 15:20:34 >= : cookies :
11/12/21 15:20:34 >= : message
11/12/21 15:20:34 ii : phase1 sa established
11/12/21 15:20:34 ii : 74.120.51.132:4500 <-> 192.168.1.2:4500

...

11/12/21 15:20:52 ii : phase2 ids accepted
11/12/21 15:20:52 ii : - loc ANY:10.22.22.24:* -> ANY:10.0.0.0/8:*
11/12/21 15:20:52 ii : - rmt ANY:10.0.0.0/8:* -> ANY:10.22.22.24:*
11/12/21 15:20:52 ii : phase2 sa established


Hi Robin,

I'm not sure I see it.  I do see the odd packet in the capture destined
for the local host on port 10954 which seems wrong, but I'm not sure what
that means.


Hi Kevin,

Here is an excerpt from the capture showing the packet in question.  If,
as you describe, the Juniper routes traffic destined for 10.22.22.24 out
its internet interface, it would get null routed at the edge.  RFC1918
addresses are not routed by ISPs.

15:20:54.178124 IP 192.168.1.2.4500 > 74.120.51.132.4500: UDP-encap: ESP(spi=0x9a03b617,seq=0x2), length 116
15:20:54.193481 IP 74.120.51.132.4500 > 192.168.1.2.4500: UDP-encap: ESP(spi=0x0db448a1,seq=0x2), length 116   *- Encap*
15:20:54.193481 IP 10.22.5.100 > 10.22.22.24: ICMP echo reply, id 1902, seq 3, length 64   *- Decap (should be on tap0)*

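A small capture checker, added here as an illustration and not taken from the thread or from the Shrew Soft client, that reads per-interface tcpdump lines and flags the two anomalies visible in the captures above: decapsulated private-address traffic appearing on the outer interface instead of the tunnel interface, and NAT-T keep-alives (and the resulting ICMP port-unreachable) addressed to a port other than 4500. The sample lines are constructed to mirror the shape of the captures; the interface names, the assumption that `tap0` is the only tunnel interface, and the finding labels are all my own choices.

```python
import ipaddress
import re
from dataclasses import dataclass

# tcpdump "IP" lines: UDP/TCP carry a trailing ".port" on each address,
# ICMP lines do not, so the port groups are optional.
PKT_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<info>.*)$"
)

# Constructed sample: (capture interface, tcpdump line). Values are
# illustrative, shaped like the captures quoted in the thread.
SAMPLE_CAPTURE = [
    ("eth0", "15:20:54.178124 IP 192.168.1.2.4500 > 74.120.51.132.4500: "
             "UDP-encap: ESP(spi=0x9a03b617,seq=0x2), length 116"),
    ("eth0", "15:20:54.193481 IP 74.120.51.132.4500 > 192.168.1.2.4500: "
             "UDP-encap: ESP(spi=0x0db448a1,seq=0x2), length 116"),
    # decapsulated inner packet showing up on the physical interface
    ("eth0", "15:20:54.193481 IP 10.22.5.100 > 10.22.22.24: "
             "ICMP echo reply, id 1902, seq 3, length 64"),
    # keep-alive from the gateway hitting a port the client never opened
    ("eth0", "15:21:07.174577 IP 74.120.51.132.4500 > 192.168.1.2.10954: "
             "isakmp-nat-keep-alive"),
    ("eth0", "15:21:07.174659 IP 192.168.1.2 > 74.120.51.132: "
             "ICMP 192.168.1.2 udp port 10954 unreachable, length 37"),
    # the same echo exchange as it should look on the tunnel interface
    ("tap0", "15:20:53.100000 IP 10.22.22.24 > 10.22.5.100: "
             "ICMP echo request, id 1902, seq 3, length 64"),
]


@dataclass
class Finding:
    kind: str
    iface: str
    line: str


def parse_line(line):
    """Return a dict of fields for a tcpdump IP line, or None if unparsable."""
    m = PKT_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"] = int(pkt["sport"]) if pkt["sport"] else None
    pkt["dport"] = int(pkt["dport"]) if pkt["dport"] else None
    return pkt


def is_ipsec_control(info):
    """IKE, NAT-T keep-alives and encapsulated ESP are expected on the outer interface."""
    return any(tag in info for tag in ("isakmp", "ESP(", "UDP-encap", "NONESP-encap"))


def is_private(addr):
    return ipaddress.ip_address(addr).is_private


def analyze(capture, tunnel_ifaces=("tap0",), natt_port=4500):
    """Walk (iface, line) pairs and return the anomalies found, in capture order."""
    findings = []
    for iface, line in capture:
        pkt = parse_line(line)
        if pkt is None:
            continue
        info = pkt["info"]
        if "isakmp-nat-keep-alive" in info and pkt["dport"] != natt_port:
            # The NAT mapping the peer is using no longer matches our socket.
            findings.append(Finding("nat-t-port-mismatch", iface, line))
        elif info.startswith("ICMP") and "unreachable" in info:
            findings.append(Finding("icmp-unreachable", iface, line))
        elif (iface not in tunnel_ifaces and not is_ipsec_control(info)
              and is_private(pkt["src"]) and is_private(pkt["dst"])):
            # Cleartext inner traffic that should only be seen on the tunnel interface.
            findings.append(Finding("cleartext-on-outer-interface", iface, line))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_CAPTURE):
        print(f"{f.kind:30} {f.iface:5} {f.line}")
```

Feeding it the eth0 and tap0 captures separately (one `tcpdump -n -i <iface>` per interface, tagged with the interface name) is enough to make the mismatch Kevin initially missed stand out, since the decapsulated echo reply only looks wrong once you know which interface it was captured on.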

Hi Robin,

Now I see what you're seeing.  My apologies for missing it; I forgot dumps would only come from one interface at a time.

This sounds a little like a problem that was discussed on the list before. See if this post helps out:
http://lists.shrew.net/pipermail/vpn-help/2008-November/000950.html
_______________________________________________
vpn-help mailing list
[email protected]
http://lists.shrew.net/mailman/listinfo/vpn-help