On Fri, Aug 16, 2002 at 08:58:11PM +0000, Vadim Pushkin wrote:
> >From: "Crist J. Clark" <[EMAIL PROTECTED]>
> >Reply-To: [EMAIL PROTECTED]
> >To: Vadim Pushkin <[EMAIL PROTECTED]>
> >CC: [EMAIL PROTECTED]
> >Subject: Re: Need Help with Cisco sw VPN behind IpFilter/OpenBSD
> >Date: Fri, 16 Aug 2002 09:30:16 -0700
> >
> >On Fri, Aug 16, 2002 at 01:28:38AM +0000, Vadim Pushkin wrote:
> >> >From: "Crist J. Clark" <[EMAIL PROTECTED]>
> >> >Reply-To: [EMAIL PROTECTED]
> >> >
> >> >[snip]
> >> >
> >> >> >> # 192.168.1.0 is my Unnatted/internal network.
> >> >> >> #
> >> >> >> pass in proto esp from vpn.XXX.net/32 to 192.168.1.0/24
> >> >> >> pass out proto esp from 192.168.1.0/24 to vpn.XXX.net/32
> >> >> >
> >> >> >Find out if you are using ESP or 10000/udp.
> >> >>
> >> >> I am seeing a lot of isakmp traffic getting blocked. I _believe_
> >> >> that it is ESP.
> >> >
> >> >You seem to be very confused. ISAKMP rides over 500/udp. UDP is an IP
> >> >protocol (protocol 17 to be exact). ESP, Encapsulated Security
> >> >Payload, is a completely separate IP protocol (protocol 50).
> 
> The VPN that I am trying to connect to uses udp for authentication,
> then esp for encrypted traffic.

No, it sure looks like it is tunnelling the ESP through
10000/udp. That is the default port Cisco Concentrators use for UDP
tunnelling. 

> >>
> >> Thank you. What I am seeing is the following from tcpdump, but what
> >> puzzles me is the fact that I sometimes see VPN.XXX.NET.IP, and some
> >> times I see VPN.XXX.NET-ROUTER.IP, which are not even the same subnet.
> >> See the output sample below.
> >>
> >> 21:05:38.838016 204.177.198.17.isakmp > VPN.XXX.NET.IP.isakmp:  isakmp v1.0
> >> exchange INFO encrypted
> >>        cookie: 77ebe015bdc5ecce->2b4ea8a31d8bf87f msgid: fe44266a len: 84
> >> 21:05:38.855278 VPN.XXX.NET.IP.isakmp > 204.177.198.17.isakmp:  isakmp v1.0
> >> exchange INFO encrypted
> >>        cookie: 77ebe015bdc5ecce->2b4ea8a31d8bf87f msgid: e58d1012 len: 84
> >> 21:05:49.853889 204.177.198.17.isakmp > VPN.XXX.NET.IP.isakmp:  isakmp v1.0
> >> exchange INFO encrypted
> >>        cookie: 77ebe015bdc5ecce->2b4ea8a31d8bf87f msgid: afa02b26 len: 76
> >
> >Looks reasonable.
> >
> >> 21:05:49.854443 204.177.198.17.10346 > VPN.XXX.NET.IP.10000:  udp 1
> >> 21:05:49.871418 VPN.XXX.NET-ROUTER.IP > 204.177.198.17: icmp: host
> >> VPN.XXX.NET-ROUTER.IP unreachable - admin prohibited filter
> >
> >OK, it looks like a firewall at the remote site, VPN.XXX.NET-ROUTER.IP,
> >is blocking the VPN packets (10000/udp). Run tcpdump with '-vvv' to
> >print all the detail it can, especially to print the details about the
> >header of the packet that caused the ICMP error message.
> 
> Further investigation reveals that VPN.XXX.NET-ROUTER.IP does indeed
> block all icmp traffic,

No, it looks like VPN.XXX.NET-ROUTER.IP is blocking 10000/udp. When it
blocks a packet it sends you an ICMP message to tell you about
it. VPN.XXX.NET-ROUTER.IP may block ICMP from you too, but it would
not have any impact on the VPN. Did you run tcpdump with '-vvv' to
verify what packets are causing VPN.XXX.NET-ROUTER.IP to send you the
ICMP-admin-prohib messages?

> yet others are able to connect and their routers, 
> D-Link, etc, do not even try to perform any icmp traffic.
> Is there any reason why I am trying to use icmp? Is there any way to
> prevent that?

You're not using ICMP. We see the 10000/udp packet go out, and then
the ICMP-admin-prohib from VPN.XXX.NET-ROUTER.IP is sent back. The
router is prohibiting 10000/udp. As for why others can do it... I guess
they are not blocked?
-- 
Crist J. Clark                     |     [EMAIL PROTECTED]
                                   |     [EMAIL PROTECTED]
http://people.freebsd.org/~cjc/    |     [EMAIL PROTECTED]
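As an added illustration of the diagnosis made in this thread (example code, not part of the original mail), the script below walks tcpdump output and pairs each outbound 10000/udp packet with an ICMP "admin prohibited" reply that comes back to the same source, reporting which host did the filtering and whether any ESP packets were seen at all. The sample lines are constructed from the output quoted above, and the regexes assume tcpdump's classic one-line-per-packet format.

```python
import re

# Constructed sample modelled on the tcpdump lines quoted in the thread;
# the host names are the thread's placeholders, not real addresses.
SAMPLE = """\
21:05:38.838016 204.177.198.17.isakmp > VPN.XXX.NET.IP.isakmp:  isakmp v1.0 exchange INFO encrypted
21:05:49.854443 204.177.198.17.10346 > VPN.XXX.NET.IP.10000:  udp 1
21:05:49.871418 VPN.XXX.NET-ROUTER.IP > 204.177.198.17: icmp: host VPN.XXX.NET-ROUTER.IP unreachable - admin prohibited filter
"""

# "ts src.port > dst.port:  udp N"  (host part may itself contain dots)
UDP_RE = re.compile(r"^(\S+) (\S+)\.(\w+) > (\S+)\.(\w+):\s+udp \d+")
# "ts filter > victim: icmp: host X unreachable - admin prohibited filter"
ICMP_RE = re.compile(r"^(\S+) (\S+) > (\S+): icmp: host \S+ unreachable - admin prohibited filter")
# Heuristic for protocol-50 traffic as tcpdump prints it ("ESP(spi=..." or "esp")
ESP_RE = re.compile(r"\b(ESP\(|esp\b)")

def _secs(ts):
    """Convert tcpdump's HH:MM:SS.ffffff timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def find_blocked_tunnel(text, tunnel_port="10000", window=1.0):
    """Correlate outbound UDP packets to tunnel_port with ICMP admin-prohibited
    replies reaching the same source within `window` seconds.
    Returns (findings, esp_seen); esp_seen tells whether raw ESP ever appeared."""
    pending, findings, esp_seen = [], [], False
    for line in text.splitlines():
        if ESP_RE.search(line):
            esp_seen = True
        m = UDP_RE.match(line)
        if m and m.group(5) == tunnel_port:
            pending.append((_secs(m.group(1)), m.group(2), m.group(4)))
            continue
        m = ICMP_RE.match(line)
        if not m:
            continue
        t, filt, victim = _secs(m.group(1)), m.group(2), m.group(3)
        for sent, src, peer in list(pending):
            if src == victim and 0 <= t - sent <= window:
                # same_host=False means a device in front of the VPN peer is filtering
                findings.append({"vpn_peer": peer, "port": tunnel_port,
                                 "filtered_by": filt, "same_host": filt == peer})
                pending.remove((sent, src, peer))
    return findings, esp_seen

if __name__ == "__main__":
    found, esp = find_blocked_tunnel(SAMPLE)
    for f in found:
        note = "" if f["same_host"] else " (filter is not the VPN peer itself)"
        print(f"{f['filtered_by']} rejected {f['port']}/udp to {f['vpn_peer']}{note}")
    print("ESP packets seen:", esp)
```

Run it against `tcpdump -n -l` output piped to a file to check whether the "esp" rules in the ipf ruleset are ever exercised or whether all VPN traffic is the UDP-encapsulated form.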
