I had a similar problem with getting some OSX clients tunneling from behind nat/fw to an outside VPN. The only solution I could come up with was redirecting the GRE packets (proto 47) from the outside to a static IP inside the LAN. My very-limited understanding of GRE is that it always uses port 0, which makes true NAT very difficult due to the fact that you can't get unique ports to map, or TCP sessions to hold onto. Although, if anyone has any working solutions for mapping multiple VPN tunnels through ipfilter/ipnat, I would love to know about them.
-Max

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, October 30, 2002 10:39 AM
Subject: could someone help me with tcpdump?

>
> Hello all
>
> I am trying to get a couple of win2k vpn boxen to work across a firewall. Here is a dump, my comments are in between each dump line. I want to see if I understand what I am looking at.
>
> 12:17:12.246870 156.98.222.175.1064 > 156.98.190.111.1723: S 3085367584:3085367584(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
>
> 222.175 makes the initial contact to 19.11 with a "S" syn packet? The workstation port is 1064 and the server port is 1723 which is the vpn port. The two numbers (#:#) are the tcp sequence numbers? What is "win" and the stuff after that?
>
> 12:17:12.247288 156.98.190.111.1723 > 156.98.222.175.1064: S 3369974062:3369974062(0) ack 3085367585 win 64240 <mss 1460,nop,nop,sackOK> (DF)
>
> 190.111 port 1723 replies to 222.175. I see the "ack" later on, so was I wrong about the "S" being syn above because it is still here. Why is the number after the ack one larger than the above?
>
> 12:17:12.247570 156.98.222.175.1064 > 156.98.190.111.1723: . ack 1 win 17520 (DF)
>
> 222.175 syn acks.
>
> What is this stuff below?
>
> 12:17:12.247800 156.98.222.175.1064 > 156.98.190.111.1723: P 1:157(156) ack 1 win 17520 (DF)
> 12:17:12.248204 156.98.190.111.1723 > 156.98.222.175.1064: P 1:157(156) ack 157 win 64084 (DF)
> 12:17:15.479988 156.98.190.111.1723 > 156.98.222.175.1064: P 1:157(156) ack 157 win 64084 (DF)
> 12:17:15.480651 156.98.222.175.1064 > 156.98.190.111.1723: P 157:325(168) ack 157 win 17364 (DF)
> 12:17:15.481998 156.98.190.111.1723 > 156.98.222.175.1064: P 157:189(32) ack 325 win 63916 (DF)
> 12:17:15.484913 156.98.222.175.1064 > 156.98.190.111.1723: P 325:349(24) ack 189 win 17332 (DF)
> 12:17:15.698650 156.98.190.111.1723 > 156.98.222.175.1064: . ack 349 win 63892 (DF)
>
> Nothing happens, the workstation can't seem to get authenticated. I think I am not yet transferring protocol 47 though and I am looking into that now. I just want to understand tcpdump better. I almost feel like I had something lower level that showed me this stuff a little more raw. --of course I don't even understand what I have now! :-)
>
> --ja
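
An added example, not part of the original messages: a small Python parser for the old-style tcpdump lines quoted above that labels each packet (SYN, SYN-ACK, bare ACK, data) and flags a repeated segment as a retransmission. The function names are hypothetical and the capture string is the trace from the message; it covers only the TCP port 1723 connection shown there, not protocol 47 traffic.

```python
import re

# Sample input: the ten capture lines quoted in the message above.
CAPTURE = """\
12:17:12.246870 156.98.222.175.1064 > 156.98.190.111.1723: S 3085367584:3085367584(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
12:17:12.247288 156.98.190.111.1723 > 156.98.222.175.1064: S 3369974062:3369974062(0) ack 3085367585 win 64240 <mss 1460,nop,nop,sackOK> (DF)
12:17:12.247570 156.98.222.175.1064 > 156.98.190.111.1723: . ack 1 win 17520 (DF)
12:17:12.247800 156.98.222.175.1064 > 156.98.190.111.1723: P 1:157(156) ack 1 win 17520 (DF)
12:17:12.248204 156.98.190.111.1723 > 156.98.222.175.1064: P 1:157(156) ack 157 win 64084 (DF)
12:17:15.479988 156.98.190.111.1723 > 156.98.222.175.1064: P 1:157(156) ack 157 win 64084 (DF)
12:17:15.480651 156.98.222.175.1064 > 156.98.190.111.1723: P 157:325(168) ack 157 win 17364 (DF)
12:17:15.481998 156.98.190.111.1723 > 156.98.222.175.1064: P 157:189(32) ack 325 win 63916 (DF)
12:17:15.484913 156.98.222.175.1064 > 156.98.190.111.1723: P 325:349(24) ack 189 win 17332 (DF)
12:17:15.698650 156.98.190.111.1723 > 156.98.222.175.1064: . ack 349 win 63892 (DF)
"""

# time src > dst: flags [first:last(length)] [ack N] [win N]; a lone "." means no flags set
LINE = re.compile(
    r"(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFPRWE.]+)"
    r"(?: (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?(?: win (?P<win>\d+))?"
)

def parse(line):
    """Return the fields of one TCP line as a dict (numbers as int), or None."""
    m = LINE.match(line)
    if m is None:
        return None
    return {k: int(v) if v and v.isdigit() else v for k, v in m.groupdict().items()}

def describe(capture):
    """Return (timestamp, kind, payload_bytes, window) for each parsed packet."""
    seen, out = set(), []
    for p in filter(None, map(parse, capture.splitlines())):
        key = (p["src"], p["seq"], p["end"])  # same sender, same byte range
        if "S" in p["flags"]:
            # A SYN consumes one sequence number, so the SYN-ACK acks ISN + 1.
            kind = "SYN" if p["ack"] is None else "SYN-ACK"
        elif not p["len"]:
            kind = "ACK"  # no payload: pure acknowledgement
        else:
            kind = "RETRANSMIT" if key in seen else "DATA"
            seen.add(key)
        out.append((p["ts"], kind, p["len"] or 0, p["win"]))
    return out

if __name__ == "__main__":
    for row in describe(CAPTURE):
        print(*row)
```

After the handshake tcpdump prints sequence numbers relative to each side's initial sequence number, which is why the later lines show `1:157` rather than ten-digit values.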
