hi,

the issue is that tcpdump on IPSO and SPLAT is reading the packets at different levels (NIC driver -> tcpdump -> FW-1 -> IP stack; other orders are possible depending on the products used, like SecureXL, FloodGate...).

Check Point offers the "fw monitor" tool for debugging, and I always prefer it to tcpdump - and I use fw monitor for cross-checking if I don't see packets in tcpdump.

of course it would be great if tcpdump worked on all platforms, but there are different IP stacks in different operating systems that behave differently, and you have to think about that not only with tcpdump. that's a disadvantage of providing only software for different operating systems instead of an appliance.

but maybe this is just a little example of things that work better on IPSO than on SPLAT!

cheers
reinhard

At 19:27 04.06.2005, you wrote:
Is it just me who feels this way, or perhaps ppl on this list have the same feeling about this
as I do?

I setup a site-to-site VPN between my Checkpoint SPLAT box and a Nokia.
When I run "tcpdump" on my SPLAT, I am seeing isakmp between my SPLAT
and the Nokia but on the ESP portion (phase II) I only see inbound ESP but not
outbound ESP.  The tunnel is up and running but that's not the point.

Who is the "idiot" Check Point engineer that came up with this?  I recall that
I can see both inbound and outbound ESP in NGx SPLAT.  Why don't they
fix this in NG with AI R55(w)?


Nokia tcpdump
Nokia-1-P[admin]# tcsh
Nokia-1-P[admin]# tcpdump -i eth-s1p1 -n host 4.2.2.2
tcpdump: listening on eth-s1p1
17:15:01.169472 I 4.2.2.2.500 > 129.174.1.13.500: [|isakmp] (DF)
17:15:03.171857 I 4.2.2.2.500 > 129.174.1.13.500: [|isakmp] (DF)
17:15:03.474717 O 129.174.1.13.500 > 4.2.2.2.500: [|isakmp]
17:15:03.595846 I 4.2.2.2.500 > 129.174.1.13.500: [|isakmp] (DF)
17:15:03.611080 O 129.174.1.13.500 > 4.2.2.2.500: [|isakmp]
17:15:03.671402 I 4.2.2.2.500 > 129.174.1.13.500: [|isakmp] (DF)
17:15:03.692175 O 129.174.1.13.500 > 4.2.2.2.500: [|isakmp]
17:15:03.715420 I 4.2.2.2.500 > 129.174.1.13.500: [|isakmp] (DF)
17:15:03.717377 O 129.174.1.13.500 > 4.2.2.2.500: [|isakmp]
17:15:03.741224 I 4.2.2.2.500 > 129.174.1.13.500: [|isakmp] (DF)
17:15:03.840914 I 4.2.2.2.500 > 129.174.1.13.500: [|isakmp] (DF)
17:15:03.943458 I 4.2.2.2.500 > 129.174.1.13.500: [|isakmp] (DF)
17:15:04.045753 I 4.2.2.2 > 129.174.1.13: ESP(spi=e2ce4415,seq=0x1)
17:15:04.047520 O 129.174.1.13 > 4.2.2.2: ESP(spi=2525ccc9,seq=0x1)
17:15:04.050084 I 4.2.2.2 > 129.174.1.13: ESP(spi=e2ce4415,seq=0x2)
17:15:04.050101 I 4.2.2.2 > 129.174.1.13: ESP(spi=e2ce4415,seq=0x3)
17:15:04.050105 I 4.2.2.2 > 129.174.1.13: ESP(spi=e2ce4415,seq=0x4)
17:15:04.052304 O 129.174.1.13 > 4.2.2.2: ESP(spi=2525ccc9,seq=0x2)
17:15:04.052412 O 129.174.1.13 > 4.2.2.2: ESP(spi=2525ccc9,seq=0x3)
17:15:04.052531 O 129.174.1.13 > 4.2.2.2: ESP(spi=2525ccc9,seq=0x4)
17:15:04.513526 I 4.2.2.2 > 129.174.1.13: ESP(spi=e2ce4415,seq=0x5)
17:15:04.515015 O 129.174.1.13 > 4.2.2.2: ESP(spi=2525ccc9,seq=0x5)
17:15:05.512540 I 4.2.2.2 > 129.174.1.13: ESP(spi=e2ce4415,seq=0x6)
17:15:05.514083 O 129.174.1.13 > 4.2.2.2: ESP(spi=2525ccc9,seq=0x6)

SecurePlatform tcpdump
[EMAIL PROTECTED] tcpdump -i eth0 host 129.174.1.13
tcpdump: listening on eth0
13:12:48.052597 4.2.2.2.isakmp > 129.174.1.13.isakmp: isakmp: phase 1 I ident: [|sa] (DF)
13:12:50.056904 4.2.2.2.isakmp > 129.174.1.13.isakmp: isakmp: phase 1 I ident: [|sa] (DF)
13:12:50.385093 129.174.1.13.isakmp > 4.2.2.2.isakmp: isakmp: phase 1 R ident: [|sa]
13:12:50.479388 4.2.2.2.isakmp > 129.174.1.13.isakmp: isakmp: phase 1 I ident: [|ke] (DF)
13:12:50.518977 129.174.1.13.isakmp > 4.2.2.2.isakmp: isakmp: phase 1 R ident: [|ke]
13:12:50.555640 4.2.2.2.isakmp > 129.174.1.13.isakmp: isakmp: phase 1 I ident[E]: [|id] (DF)
13:12:50.598759 129.174.1.13.isakmp > 4.2.2.2.isakmp: isakmp: phase 1 R ident[E]: [|id]
13:12:50.601320 4.2.2.2.isakmp > 129.174.1.13.isakmp: isakmp: phase 2/others I oakley-quick[E]: [|hash] (DF)
13:12:50.625185 129.174.1.13.isakmp > 4.2.2.2.isakmp: isakmp: phase 2/others R oakley-quick[E]: [|hash]
13:12:50.627539 4.2.2.2.isakmp > 129.174.1.13.isakmp: isakmp: phase 2/others I oakley-quick[E]: [|hash] (DF)
13:12:50.727724 4.2.2.2.isakmp > 129.174.1.13.isakmp: isakmp: phase 2/others I oakley-quick[E]: [|hash] (DF)
13:12:50.827885 4.2.2.2.isakmp > 129.174.1.13.isakmp: isakmp: phase 2/others I oakley-quick[E]: [|hash] (DF)
13:12:50.955086 129.174.1.13 > 4.2.2.2: ESP(spi=0x2525ccc9,seq=0x1)
13:12:50.959654 129.174.1.13 > 4.2.2.2: ESP(spi=0x2525ccc9,seq=0x2)
13:12:50.960781 129.174.1.13 > 4.2.2.2: ESP(spi=0x2525ccc9,seq=0x3)
13:12:50.961539 129.174.1.13 > 4.2.2.2: ESP(spi=0x2525ccc9,seq=0x4)
13:12:51.423061 129.174.1.13 > 4.2.2.2: ESP(spi=0x2525ccc9,seq=0x5)
13:12:52.423972 129.174.1.13 > 4.2.2.2: ESP(spi=0x2525ccc9,seq=0x6)





=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================

--
Reinhard Stich  ASSIST  [EMAIL PROTECTED]
Internet Security AG,      1150 Wien, Johnstrasse 29
Tel: +43 1 3709440 RS784-RIPE Fax: +43 1 3709440-333
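The thread's diagnosis is that the two tcpdump builds sit at different points in the packet path, so a one-directional ESP capture can be a capture-point artefact rather than a tunnel fault. The following script is an added example (not code from the thread, from Check Point, or from Nokia): it parses ESP lines in both output formats quoted above (the IPSO build prints an I/O flag after the timestamp, the SPLAT build does not) and reports, per direction and SPI, how many packets were seen and whether any ESP sequence numbers are missing, so the asymmetry can be spotted mechanically before reaching for fw monitor. The sample lines are constructed from the captures in the thread; the local gateway addresses (129.174.1.13 for the Nokia, 4.2.2.2 for the SPLAT box) are inferred from the capture filters and are assumptions, and two IPSO packets were dropped from the sample on purpose to exercise the gap check.

```python
import re
from collections import defaultdict

# Sample capture lines constructed from the two tcpdump outputs quoted in the
# thread. IPSO's tcpdump prints an I/O direction flag after the timestamp; the
# SPLAT build does not, so there the direction has to be derived from which
# address is the local gateway. IPSO ESP packets seq 3 and 4 were left out on
# purpose so the sequence-gap check has something to report.
IPSO_CAPTURE = """\
17:15:03.741224 I 4.2.2.2.500 > 129.174.1.13.500: [|isakmp] (DF)
17:15:04.045753 I 4.2.2.2 > 129.174.1.13: ESP(spi=e2ce4415,seq=0x1)
17:15:04.047520 O 129.174.1.13 > 4.2.2.2: ESP(spi=2525ccc9,seq=0x1)
17:15:04.050084 I 4.2.2.2 > 129.174.1.13: ESP(spi=e2ce4415,seq=0x2)
17:15:04.052304 O 129.174.1.13 > 4.2.2.2: ESP(spi=2525ccc9,seq=0x2)
17:15:04.513526 I 4.2.2.2 > 129.174.1.13: ESP(spi=e2ce4415,seq=0x5)
17:15:04.515015 O 129.174.1.13 > 4.2.2.2: ESP(spi=2525ccc9,seq=0x5)
"""

SPLAT_CAPTURE = """\
13:12:50.955086 129.174.1.13 > 4.2.2.2: ESP(spi=0x2525ccc9,seq=0x1)
13:12:50.959654 129.174.1.13 > 4.2.2.2: ESP(spi=0x2525ccc9,seq=0x2)
13:12:50.960781 129.174.1.13 > 4.2.2.2: ESP(spi=0x2525ccc9,seq=0x3)
"""

# One regex for both formats: optional I/O flag, optional 0x prefix on the SPI.
ESP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:(?P<flag>[IO])\s+)?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+>\s+(?P<dst>\d+\.\d+\.\d+\.\d+):\s+"
    r"ESP\(spi=(?:0x)?(?P<spi>[0-9a-fA-F]+),seq=0x(?P<seq>[0-9a-fA-F]+)\)"
)


def parse_esp(capture, local_ip):
    """Yield (direction, spi, seq) for every ESP line; other lines are skipped."""
    for line in capture.splitlines():
        m = ESP_RE.match(line.strip())
        if not m:
            continue
        if m.group("flag"):                      # IPSO: trust the printed flag
            direction = "in" if m.group("flag") == "I" else "out"
        else:                                    # SPLAT: compare with our own address
            direction = "out" if m.group("src") == local_ip else "in"
        yield direction, m.group("spi").lower(), int(m.group("seq"), 16)


def summarize(capture, local_ip):
    """Group the ESP sequence numbers seen, per direction and per SPI."""
    summary = {"in": defaultdict(list), "out": defaultdict(list)}
    for direction, spi, seq in parse_esp(capture, local_ip):
        summary[direction][spi].append(seq)
    return {d: dict(spis) for d, spis in summary.items()}


def missing_directions(summary):
    """Directions with no ESP at all: the symptom discussed in the thread."""
    return sorted(d for d, spis in summary.items() if not spis)


def seq_gaps(seqs):
    """Sequence numbers absent between the first and last one seen for an SA."""
    present = set(seqs)
    return [n for n in range(min(seqs), max(seqs) + 1) if n not in present]


if __name__ == "__main__":
    for name, capture, local_ip in (("IPSO", IPSO_CAPTURE, "129.174.1.13"),
                                    ("SPLAT", SPLAT_CAPTURE, "4.2.2.2")):
        s = summarize(capture, local_ip)
        print(name, "ESP missing in direction:", missing_directions(s) or "none")
        for direction, spis in s.items():
            for spi, seqs in spis.items():
                print(f"  {direction} spi={spi} packets={len(seqs)} gaps={seq_gaps(seqs)}")
```

A direction that is entirely absent while the tunnel passes traffic points at the capture point (tcpdump hooked below the point where FW-1 emits the encrypted packet), which is exactly when a second capture with fw monitor is worth taking; gaps in the sequence numbers of an SA that is otherwise visible point at drops between the capture point and the wire instead.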
