-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Do you have Linux 7.3 and NG FP3?

Could you sniff the traffic and see if you have the same packets?
Here is another example. But it's not with OpenBSD any more, it's a Linksys
router. And it works! Because Linksys and FreeBSD or another NAT device
do not care about bad frag bits.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

01/29-11:22:47.765191 xxx.xxx.xxx.xxx:500 -> xxx.xxx.xxx.xxx:1036
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:212 DF
Len: 192
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

01/29-11:22:47.815945 xxx.xxx.xxx.xxx:1036 -> xxx.xxx.xxx.xxx:500
UDP TTL:128 TOS:0x0 ID:1797 IpLen:20 DgmLen:104
Len: 84
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

01/29-11:22:47.832979 fi.re.wa.ll -> nat.dev.i.ce
UDP TTL:64 TOS:0x0 ID:812 IpLen:20 DgmLen:1500 DF MF
Frag Offset: 0x0000 Frag Size: 0x05C8
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

01/29-11:22:47.833002 fi.re.wa.ll -> nat.dev.i.ce
UDP TTL:64 TOS:0x0 ID:812 IpLen:20 DgmLen:320 DF
Frag Offset: 0x00B9 Frag Size: 0x0073
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

01/29-11:22:47.934279 fi.re.wa.ll -> nat.dev.i.ce
UDP TTL:64 TOS:0x0 ID:813 IpLen:20 DgmLen:1500 DF MF
Frag Offset: 0x0000 Frag Size: 0x05C8
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Well, OpenBSD cares and IDS cares:


[**] [1:1322:4] BAD TRAFFIC bad frag bits [**]
[Classification: Misc activity] [Priority: 3]
01/29-11:21:31.556957 fi.re.wa.ll -> nat.dev.i.ce
UDP TTL:64 TOS:0x0 ID:814 IpLen:20 DgmLen:1500 DF MF
Frag Offset: 0x0000 Frag Size: 0x05C8


Fritze, Stefan wrote:
| Hi,
|
| I have this running but I use FreeBSD as NAT Gateway. On the FreeBSD box I
| configured NAT and IPFW. There are two rules in the IPFW necessary if you
| want to use SecuRemote/SecureClient behind it. These are:
|
| ipfw allow udp from any to any 500
| ipfw allow esp from any to any
|
| Stefan
|
|
| -----Original Message-----
| From: Vadim Kuznetsov [mailto:[EMAIL PROTECTED]]
| Sent: Tuesday, 28 January 2003 19:37
| To: [EMAIL PROTECTED]
| Subject: [FW-1] SecuRemote thru OpenBSD 3.2 PF
|
|
| Hi,
|
|
| My test environment is NG FP3 on Linux 7.3 and SecuRemote 53328 on W2k
| behind OpenBSD 3.2 PF/NAT
|
| I'm trying to create a site.
| It does not work so far. :(
|
| I sniffed the traffic between FW and NAT device.
|
| Here is the interesting part
|
| 16:19:39.550591 fi.re.wa.ll.isakmp > o.bsd.pf.nat.59225: isakmp 1.0
| msgid 00000000: phase 1 R ident[E]: [|id] (len mi
| smatch: isakmp 1628/ip 1472) (frag 64242:1480@0+) (ttl 64, len 1500)
| ~ 4500 05dc faf2 6000 4011 ea01 xxxx xxxx
| ~ xxxx xxxx 01f4 e759 0664 8b4a dbeb 48d5
|
|
| The packets have both DF and MF set.
| OBSD PF scrub in all, scrub out all is going to discard those packets.
|
| Is this a Linux bug?
| CP?
| OBSD?
| Any comments?
|
| Does anybody have such a configuration working?
|
|


- --
Thanks,

Vadim Kuznetsov
Systems Administrator
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (MingW32)

iD4DBQE+OAagZlJj7TmMsZ8RAgu1AJj6xuuXqUME4lXvmA1DvqF0bSLKAJ4mUqca
GE7W/0+mGDuN48mFr5wweg==
=LI0O
-----END PGP SIGNATURE-----
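
Added example, not part of the original message or of any product mentioned in it: a Python check for the condition discussed in this thread, an IPv4 header that has DF set on a fragment. The first 12 header bytes come from the tcpdump hex quoted above; the addresses (redacted in the thread) and all helper names are constructed for illustration, and the check is deliberately broader than DF+MF, since it also covers DF with a non-zero offset.

```python
import struct

DF, MF = 0x4000, 0x2000  # IPv4 flag bits in the 16-bit flags/offset field

def parse_frag_fields(header: bytes) -> dict:
    """Decode the fragmentation-related fields of an IPv4 header (>= 20 bytes)."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    total_len, ident, flags_off = struct.unpack("!HHH", header[2:8])
    return {
        "id": ident,
        "total_len": total_len,
        "df": bool(flags_off & DF),
        "mf": bool(flags_off & MF),
        "offset": (flags_off & 0x1FFF) * 8,  # offset field counts 8-byte units
    }

def bad_frag_bits(f: dict) -> bool:
    """True when DF is set on a packet that is itself a fragment."""
    return f["df"] and (f["mf"] or f["offset"] > 0)

# First 12 bytes: tcpdump hex from the quoted message. The addresses are
# redacted there, so 192.0.2.1 / 198.51.100.1 are constructed placeholders.
FIRST_FRAG = bytes.fromhex("450005dcfaf260004011ea01" "c0000201" "c6336401")

def make_header(ident: int, total_len: int, flags_off: int) -> bytes:
    """Constructed header carrying the ID/DgmLen/flags values from the dump."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_off,
                       64, 17, 0,  # TTL 64, UDP, checksum left 0 (not verified)
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))

SAMPLES = {
    "tcpdump frag 64242": FIRST_FRAG,
    "ID 812 first (DF MF)": make_header(812, 1500, DF | MF),
    "ID 812 last (DF, offset 0x00B9)": make_header(812, 320, DF | 0x00B9),
    "ID 0 unfragmented (DF)": make_header(0, 212, DF),
    "ID 1797 unfragmented": make_header(1797, 104, 0),
}

def classify(samples=SAMPLES) -> dict:
    """Map each sample name to True if its header has DF set on a fragment."""
    return {name: bad_frag_bits(parse_frag_fields(h)) for name, h in samples.items()}

if __name__ == "__main__":
    for name, bad in classify().items():
        print(f"{name:34} {'DF on a fragment' if bad else 'ok'}")
```

On the PF side, pf.conf(5) documents a scrub option, no-df, which clears the DF bit on matching packets instead of leaving fragments with DF set to be dropped.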