What is the actual issue? No authentication? No ...???

--- "Ibarra, Michael" <[EMAIL PROTECTED]> wrote:
> Hello All:
>
> Just as an FYI, I've tried out these rules on my brand new Soekris box,
> also running OpenBSD-3.1 and IPFilter-3.4.28. I _was_ able to connect to my
> Cisco concentrator from inside, identical setup, but only to a Windows 2000
> workstation, not to my XP workstation. At first I did have a problem and
> that was that I was using an older VPN client software, it was 3.5.1. I've
> reinstalled using 3.5.2b and had no problems. I did use rdr for inbound udp
> ports 500 and 10000 to my internal host. Perhaps that is your problem,
> wrong client software?
>
> Best regards,
>
> -mike
>
> From: "Vadim Pushkin" <[EMAIL PROTECTED]>
> >
> > From: "Crist J. Clark" <[EMAIL PROTECTED]>
> >
> > [snip]
> > >
> > > > > > > > The VPN that I am trying to connect to uses udp for
> > > > > > > > authentication, then esp for encrypted traffic.
> > > > > > >
> > > > > > > No, it sure looks like it is tunnelling the ESP through
> > > > > > > 10000/udp. That is the default port Cisco Concentrators use
> > > > > > > for UDP tunnelling.
> > > > > >
> > > > > > Thank you. What I am seeing is the following from tcpdump, but
> > > > > > what puzzles me is the fact that I sometimes see VPN.XXX.NET.IP,
> > > > > > and sometimes I see VPN.XXX.NET-ROUTER.IP, which are not even the
> > > > > > same subnet. See the output sample below.
> > > > > >
> > > > > > 21:05:38.838016 204.177.198.17.isakmp > VPN.XXX.NET.IP.isakmp: isakmp v1.0 exchange INFO encrypted
> > > > > >         cookie: 77ebe015bdc5ecce->2b4ea8a31d8bf87f msgid: fe44266a len: 84
> > > > > > 21:05:38.855278 VPN.XXX.NET.IP.isakmp > 204.177.198.17.isakmp: isakmp v1.0 exchange INFO encrypted
> > > > > >         cookie: 77ebe015bdc5ecce->2b4ea8a31d8bf87f msgid: e58d1012 len: 84
> > > > > > 21:05:49.853889 204.177.198.17.isakmp > VPN.XXX.NET.IP.isakmp: isakmp v1.0 exchange INFO encrypted
> > > > > >         cookie: 77ebe015bdc5ecce->2b4ea8a31d8bf87f msgid: afa02b26 len: 76
> > > > >
> > > > > Looks reasonable.
> > > > >
> > > > > > 21:05:49.854443 204.177.198.17.10346 > VPN.XXX.NET.IP.10000: udp 1
> > > > > > 21:05:49.871418 VPN.XXX.NET-ROUTER.IP > 204.177.198.17: icmp: host VPN.XXX.NET-ROUTER.IP unreachable - admin prohibited filter
> > > > >
> > > > > OK, it looks like a firewall at the remote site, VPN.XXX.NET-ROUTER.IP,
> > > > > is blocking the VPN packets (10000/udp). Run tcpdump with '-vvv' to
> > > > > print all the detail it can, especially to print the details about
> > > > > the header of the packet that caused the ICMP error message.
> > > >
> > > > Further investigation reveals that VPN.XXX.NET-ROUTER.IP does indeed
> > > > block all icmp traffic,
> > >
> > > No, it looks like VPN.XXX.NET-ROUTER.IP is blocking 10000/udp. When it
> > > blocks a packet it sends you an ICMP message to tell you about it.
> > > VPN.XXX.NET-ROUTER.IP may block ICMP from you too, but it would not
> > > have any impact on the VPN. Did you run tcpdump with '-vvv' to verify
> > > what packets are causing VPN.XXX.NET-ROUTER.IP to send you the
> > > ICMP-admin-prohib messages?
> >
> > 21:57:34.160497 204.177.198.17.isakmp > VPN.XXX.NET.IP.isakmp: isakmp v1.0 exchange INFO encrypted
> >         cookie: edef0f4054612c7c->ea0b8220bfa51f9b msgid: 4ba5f653 len: 76 (ttl 127, id 20052)
> > 21:57:34.161423 204.177.198.17.10001 > VPN.XXX.NET.IP.10000: [no cksum] udp 1 (ttl 127, id 1536)
> > 21:57:34.177659 VPN.XXX.NET-ROUTER.IP > 204.177.198.17: icmp: host VPN.XXX.NET.IP unreachable - admin prohibited filter (ttl 247, id 4421)
> > 21:57:44.173992 204.177.198.17.10001 > VPN.XXX.NET.IP.10000: [no cksum] udp 1 (ttl 127, id 1537)
> > 21:57:44.186489 VPN.XXX.NET-ROUTER.IP > 204.177.198.17: icmp: host VPN.XXX.NET.IP unreachable - admin prohibited filter (ttl 247, id 4431)
> >
> > > > yet others are able to connect and their routers, D-Link, etc, do not
> > > > even try to perform any icmp traffic. Is there any reason why I am
> > > > trying to use icmp? Is there any way to prevent that?
> > >
> > > You're not using ICMP. We see the 10000/udp packet go out, and then
> > > the ICMP-admin-prohib from VPN.XXX.NET-ROUTER.IP is sent back. The
> > > router is prohibiting 10000/udp. As for why others can do it... I
> > > guess they are not blocked?
> >
> > There is no ACL on VPN.XXX.NET-ROUTER.IP, there is however a deny all
> > icmp from all. Just to recall, I *do* get authenticated, just no other
> > traffic afterwards.
> >
> > -vadim
=====
SRR
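As an added example (not code from the thread or from any of its participants), here is a small Python script that does what Crist describes by hand: it walks the tcpdump -vvv lines and pairs each ICMP "admin prohibited" error with the outbound UDP datagram it answers, so the filtering router and the blocked port are read off the capture rather than guessed. The sample capture is constructed from the output quoted above; the VPN.XXX.* names are the thread's placeholders.

```python
import re
from collections import deque

# Constructed sample modelled on the tcpdump -vvv output quoted in the thread (placeholder hosts).
SAMPLE = """\
21:57:34.160497 204.177.198.17.isakmp > VPN.XXX.NET.IP.isakmp: isakmp v1.0 exchange INFO encrypted
\tcookie: edef0f4054612c7c->ea0b8220bfa51f9b msgid: 4ba5f653 len: 76 (ttl 127, id 20052)
21:57:34.161423 204.177.198.17.10001 > VPN.XXX.NET.IP.10000: [no cksum] udp 1 (ttl 127, id 1536)
21:57:34.177659 VPN.XXX.NET-ROUTER.IP > 204.177.198.17: icmp: host VPN.XXX.NET.IP unreachable - admin prohibited filter (ttl 247, id 4421)
21:57:44.173992 204.177.198.17.10001 > VPN.XXX.NET.IP.10000: [no cksum] udp 1 (ttl 127, id 1537)
21:57:44.186489 VPN.XXX.NET-ROUTER.IP > 204.177.198.17: icmp: host VPN.XXX.NET.IP unreachable - admin prohibited filter (ttl 247, id 4431)
"""

PACKET = re.compile(r"^(\d\d):(\d\d):(\d\d)\.(\d{1,6}) (\S+) > (\S+?): (.*)$")
UDP = re.compile(r"^(\[no cksum\] )?udp \d+")
ADMIN_PROHIB = re.compile(r"^icmp: host (\S+) unreachable - admin prohibited filter")

def _microseconds(h, m, s, frac):
    return (int(h) * 3600 + int(m) * 60 + int(s)) * 1_000_000 + int(frac.ljust(6, "0"))

def _host_port(endpoint):
    host, _, port = endpoint.rpartition(".")   # tcpdump appends the port as a last dotted field
    return host, port

def find_filtered_udp(capture, window_us=2_000_000):
    pending = deque()   # (time_us, src_host, dst_host, dst_port) of recent outbound UDP datagrams
    findings = []
    for line in capture.splitlines():
        m = PACKET.match(line)
        if not m:
            continue   # indented continuation lines (the isakmp cookie) carry no flow info
        t = _microseconds(*m.group(1, 2, 3, 4))
        src, dst, rest = m.group(5, 6, 7)
        if UDP.match(rest):
            (shost, _), (dhost, dport) = _host_port(src), _host_port(dst)
            pending.append((t, shost, dhost, dport))
            continue
        icmp = ADMIN_PROHIB.match(rest)
        if not icmp:
            continue
        while pending and t - pending[0][0] > window_us:
            pending.popleft()   # forget datagrams too old to have triggered this error
        for sent_t, shost, dhost, dport in reversed(pending):
            if shost == dst:   # the ICMP error is addressed back to the datagram's sender
                findings.append({"filtering_router": src, "blocked_dst": dhost, "blocked_port": dport,
                                 "icmp_reports_host": icmp.group(1),
                                 "delay_ms": round((t - sent_t) / 1000, 1)})
                break
    return findings
```

Run over the sample it reports VPN.XXX.NET-ROUTER.IP filtering udp/10000 to VPN.XXX.NET.IP twice, each error arriving within about 16 ms of the datagram, which is the signature of an in-path filter rather than of a host that merely drops ICMP.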
