Actually I am having a similar problem with an entirely different (I
think) VPN solution. Pings work for me but tcp/ip *returns* don't work.
Sometimes they only fail on the first try, but for some hosts they
never respond.
Two questions: out of curiosity, is this VPN you've set up configured as
part of a network bridge, or is it a routed VPN? Secondly, have you
tried using tcpdump to figure out exactly where in the transaction the
packets are being dropped?
Tim Pushor wrote:
Hi friends,
I am having a strange problem with a VPN that I've set up between an
OpenBSD 3.9 server and a Checkpoint VPN-1 device. I've pretty much
followed the guide at http://anubis.dweebsoft.com/HOWTO/isakmpd.html. I
have to admit that I don't know enough about ipsec / isakmp.
I do get some errors in the logfile:
Feb 2 05:17:45 fw1 isakmpd[8492]: message_parse_payloads: invalid next payload type <Unknown 60> in payload of type 8
Feb 2 05:17:45 fw1 isakmpd[8492]: dropped message from 142.59.85.18 port 500 due to notification type INVALID_PAYLOAD_TYPE
Feb 2 05:17:46 fw1 isakmpd[8492]: message_parse_payloads: invalid next payload type <Unknown 60> in payload of type 8
Feb 2 05:17:46 fw1 isakmpd[8492]: dropped message from 142.59.85.18 port 500 due to notification type INVALID_PAYLOAD_TYPE
Feb 2 05:18:08 fw1 isakmpd[8492]: message_parse_payloads: reserved field non-zero: 1c
Feb 2 05:18:08 fw1 isakmpd[8492]: dropped message from 142.59.85.18 port 500 due to notification type PAYLOAD_MALFORMED
But the VPN seems to work. The weird problem I am having is that every
so often, something strange happens and full packets don't seem to get
through. Pings still get through, but when cranking up the packet size
(with ping), once it hits 1307, they stop. After an amount of time,
things resume - and pings 1307+ get through again (and normal data
starts flowing).
This machine also routes between vlans and I haven't noticed any
weirdness, although I am going to verify this.
I'm really throwing this out because I don't know where to look. So far
I've been focused on the key exchange but I'm starting to wonder if
maybe it's somewhere else. If anyone has a clue, I would REALLY
appreciate it :)
Thanks all,
Tim
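
To compare the isakmpd drops against the periods when large pings stall, the log can be reduced to one record per dropped message. This is an added example, not part of the original thread; the function names are hypothetical and the sample is the log excerpt from the post, wrapped as a mail client would wrap it.

```python
import re
from collections import Counter

# Log excerpt from the post, wrapped the way the mail wrapped it.
SAMPLE = """\
Feb 2 05:17:45 fw1 isakmpd[8492]: message_parse_payloads: invalid next
payload type <Unknown 60> in payload of type 8
Feb 2 05:17:45 fw1 isakmpd[8492]: dropped message from 142.59.85.18
port 500 due to notification type INVALID_PAYLOAD_TYPE
Feb 2 05:17:46 fw1 isakmpd[8492]: message_parse_payloads: invalid next
payload type <Unknown 60> in payload of type 8
Feb 2 05:17:46 fw1 isakmpd[8492]: dropped message from 142.59.85.18
port 500 due to notification type INVALID_PAYLOAD_TYPE
Feb 2 05:18:08 fw1 isakmpd[8492]: message_parse_payloads: reserved
field non-zero: 1c
Feb 2 05:18:08 fw1 isakmpd[8492]: dropped message from 142.59.85.18
port 500 due to notification type PAYLOAD_MALFORMED
"""

# A syslog header starts an entry; any other line is a wrapped continuation.
HEAD = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ isakmpd\[\d+\]: ")
DROP = re.compile(r"dropped message from (?P<peer>\S+) port \d+ "
                  r"due to notification type (?P<ntype>\w+)$")

def unwrap(text):
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        if HEAD.match(line):
            entries.append(line)
        elif line and entries:
            entries[-1] += " " + line
    return entries

def dropped(text):
    # One (timestamp, peer, notification, parser reason) tuple per dropped message.
    events, reason = [], None
    for entry in unwrap(text):
        head = HEAD.match(entry)
        body = entry[head.end():]
        m = DROP.match(body)
        if m:
            events.append((head["ts"], m["peer"], m["ntype"], reason))
            reason = None
        elif body.startswith("message_parse_payloads: "):
            reason = body.split(": ", 1)[1]
    return events

def summary(text):
    return Counter((peer, ntype) for _, peer, ntype, _ in dropped(text))
```

Running `dropped()` over the full log and noting the timestamps of the records gives the times to check against when pings of 1307 bytes and larger stop getting through.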