thr3ads.net - Shorewall users - [Shorewall-users] VPN router problems [Jun 2003]

If this information is useful, please help other people find it:
Share via:

Jaakko Heikkilä

2003-Jun-17 11:45 UTC

[Shorewall-users] VPN router problems

Hi,

I recently tried to upgrade Shorewall from version 1.3.10 to 1.4.2. First 
everything seemed to work right, but after few hours VPN traffic stopped 
between remote site and DMZ. I attached tcpdump from the DMZ side ethernet 
adapter of the firewall. Tcpdump shows that ESP protocol packages are not able 
to go through the firewall. Everything else is working as expected. VPN router 
is at DMZ zone and it has public IP address (replaced with
"vpnrouter.dmz.net"
in the attachment). Any idea why this happened?

Current configuration:
kernel-2.4.18-17.7.x (RedHat system)
iptables-1.2.5-3

Rules for the ipsec traffic:
ACCEPT  net:some.remote.net dmz:vpnrouter.dmz.net   udp     500 # ipsec traffic
ACCEPT  dmz:vpnrouter.dmz.net net:some.remote.net    udp     500
ACCEPT  net:some.remote.net dmz:vpnrouter.dmz.net    50      # ESP
ACCEPT  dmz:vpnrouter.dmz.net net:some.remote.net    50
ACCEPT  net:some.remote.net dmz:vpnrouter.dmz.net    51      # AH
ACCEPT  dmz:vpnrouter.dmz.net net:some.remote.net    51

proxyarp configuration:
vpnrouter.dmz.net         eth2            eth1            yes

One more thing: system log does not show any ESP packages dropped.

Thanks,
	Jaakko Heikkil?
-------------- next part --------------
13:02:39.573016 vpnrouter.dmz.net.isakmp > some.remote.net.isakmp: isakmp:
phase 1 I ident: [|sa]
13:02:39.634949 some.remote.net.isakmp > vpnrouter.dmz.net.isakmp: isakmp:
phase 1 R ident: [|sa]
13:02:39.859054 vpnrouter.dmz.net.isakmp > some.remote.net.isakmp: isakmp:
phase 1 I ident: [|ke]
13:02:39.951583 some.remote.net.isakmp > vpnrouter.dmz.net.isakmp: isakmp:
phase 1 R ident: [|ke]
13:02:40.228346 vpnrouter.dmz.net.isakmp > some.remote.net.isakmp: isakmp:
phase 1 I ident[E]: [|id]
13:02:40.258129 some.remote.net.isakmp > vpnrouter.dmz.net.isakmp: isakmp:
phase 1 R ident[E]: [|id]
13:02:40.265322 vpnrouter.dmz.net.isakmp > some.remote.net.isakmp: isakmp:
phase 2/others I oakley-quick[E]: [|hash]
13:02:40.534552 some.remote.net.isakmp > vpnrouter.dmz.net.isakmp: isakmp:
phase 2/others R oakley-quick[E]: [|hash]
13:02:40.546873 vpnrouter.dmz.net.isakmp > some.remote.net.isakmp: isakmp:
phase 2/others I oakley-quick[E]: [|hash]
13:02:40.570652 vpnrouter.dmz.net > some.remote.net:
ESP(spi=0x66c35c46,seq=0x1) [tos 0xc0]
13:02:41.570640 vpnrouter.dmz.net > some.remote.net:
ESP(spi=0x66c35c46,seq=0x2) [tos 0xc0]
13:02:42.570643 vpnrouter.dmz.net > some.remote.net:
ESP(spi=0x66c35c46,seq=0x3) [tos 0xc0]
13:02:43.570637 vpnrouter.dmz.net > some.remote.net:
ESP(spi=0x66c35c46,seq=0x4) [tos 0xc0]
13:02:43.605281 vpnrouter.dmz.net.isakmp > some.remote.net.isakmp: isakmp:
phase 1 R ident: [|sa]
13:02:44.570642 vpnrouter.dmz.net > some.remote.net:
ESP(spi=0x66c35c46,seq=0x5) [tos 0xc0]
13:02:45.570639 vpnrouter.dmz.net > some.remote.net:
ESP(spi=0x66c35c46,seq=0x6) [tos 0xc0]
13:02:46.570634 vpnrouter.dmz.net > some.remote.net:
ESP(spi=0x66c35c46,seq=0x7) [tos 0xc0]
13:02:47.570643 vpnrouter.dmz.net > some.remote.net:
ESP(spi=0x66c35c46,seq=0x8) [tos 0xc0]
13:02:48.570637 vpnrouter.dmz.net > some.remote.net:
ESP(spi=0x66c35c46,seq=0x9) [tos 0xc0]
13:02:49.570633 vpnrouter.dmz.net > some.remote.net:
ESP(spi=0x66c35c46,seq=0xa) [tos 0xc0]
13:02:50.570639 vpnrouter.dmz.net > some.remote.net:
ESP(spi=0x66c35c46,seq=0xb) [tos 0xc0]
13:02:51.570635 vpnrouter.dmz.net > some.remote.net:
ESP(spi=0x66c35c46,seq=0xc) [tos 0xc0]
13:02:52.570636 vpnrouter.dmz.net > some.remote.net:
ESP(spi=0x66c35c46,seq=0xd) [tos 0xc0]
13:02:53.570635 vpnrouter.dmz.net > some.remote.net:
ESP(spi=0x66c35c46,seq=0xe) [tos 0xc0]

Tom Eastep

2003-Jun-17 11:57 UTC

head link

[Shorewall-users] VPN router problems

On Tue, 2003-06-17 at 11:02, Jaakko Heikkil? wrote:> Hi,
> 
> I recently tried to upgrade Shorewall from version 1.3.10 to 1.4.2. First 
> everything seemed to work right, but after few hours VPN traffic stopped 
> between remote site and DMZ.
I don''t see how this can be related to Shorewall. Once you have
completed "shorewall start", there is *no Shorewall code* running! So
Shorewall either sets up the correct rules or it doesn''t.
> I attached tcpdump from the DMZ side ethernet 
> adapter of the firewall. Tcpdump shows that ESP protocol packages are not
able
> to go through the firewall.
You tcpdump output shows nothing of the kind. It shows that your local
IPSEC endpoint in the DMZ is sending ESP packets but isn''t receiving
any
in return.
> Everything else is working as expected. VPN router 
> is at DMZ zone and it has public IP address (replaced with
"vpnrouter.dmz.net"
> in the attachment). Any idea why this happened?
> 
> Current configuration:
> kernel-2.4.18-17.7.x (RedHat system)
> iptables-1.2.5-3
> 
> Rules for the ipsec traffic:
> ACCEPT  net:some.remote.net dmz:vpnrouter.dmz.net   udp     500 # ipsec
traffic
> ACCEPT  dmz:vpnrouter.dmz.net net:some.remote.net    udp     500
> ACCEPT  net:some.remote.net dmz:vpnrouter.dmz.net    50      # ESP
> ACCEPT  dmz:vpnrouter.dmz.net net:some.remote.net    50
> ACCEPT  net:some.remote.net dmz:vpnrouter.dmz.net    51      # AH
> ACCEPT  dmz:vpnrouter.dmz.net net:some.remote.net    51
> 
> proxyarp configuration:
> vpnrouter.dmz.net         eth2            eth1            yes
> 
> One more thing: system log does not show any ESP packages dropped.
Next time this occurs, use the "-i any" argument to tcpdump so that
you
can capture traffic on both the internal and external firewall
interfaces.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net

Jaakko Heikkilä

2003-Jun-18 03:03 UTC

head link

[Shorewall-users] VPN router problems

On 2003.06.17 21:56 Tom Eastep wrote:> On Tue, 2003-06-17 at 11:02, Jaakko Heikkil? wrote:
> > Hi,
> >
> > I recently tried to upgrade Shorewall from version 1.3.10 to 1.4.2.
First
> > everything seemed to work right, but after few hours VPN traffic
stopped
> > between remote site and DMZ.
> 
> I don''t see how this can be related to Shorewall. Once you have
> completed "shorewall start", there is *no Shorewall code*
running! So
> Shorewall either sets up the correct rules or it doesn''t.
That really is confusing. Only thing I changed in my firewall setup was 
Shorewall. I also tried to go through the "Upgrade Issues" section in
the
Shorewall documentation. There should not be any issues concerning kernel or 
iptables version.
> > I attached tcpdump from the DMZ side ethernet
> > adapter of the firewall. Tcpdump shows that ESP protocol packages are
not
> able
> > to go through the firewall.
> 
> You tcpdump output shows nothing of the kind. It shows that your local
> IPSEC endpoint in the DMZ is sending ESP packets but isn''t
receiving any
> in return.
> 
> > Everything else is working as expected. VPN router
> > is at DMZ zone and it has public IP address (replaced with
> "vpnrouter.dmz.net"
> > in the attachment). Any idea why this happened?
> >
> > Current configuration:
> > kernel-2.4.18-17.7.x (RedHat system)
> > iptables-1.2.5-3
One missing version number:
iproute-2.4.7-1
> >
> > Rules for the ipsec traffic:
> > ACCEPT  net:some.remote.net dmz:vpnrouter.dmz.net   udp     500 #
ipsec
> traffic
> > ACCEPT  dmz:vpnrouter.dmz.net net:some.remote.net    udp     500
> > ACCEPT  net:some.remote.net dmz:vpnrouter.dmz.net    50      # ESP
> > ACCEPT  dmz:vpnrouter.dmz.net net:some.remote.net    50
> > ACCEPT  net:some.remote.net dmz:vpnrouter.dmz.net    51      # AH
> > ACCEPT  dmz:vpnrouter.dmz.net net:some.remote.net    51
> >
> > proxyarp configuration:
> > vpnrouter.dmz.net         eth2            eth1            yes
> >
> > One more thing: system log does not show any ESP packages dropped.
> 
> Next time this occurs, use the "-i any" argument to tcpdump so
that you
> can capture traffic on both the internal and external firewall
> interfaces.
Actually I had two tcpdump processes running. Attached files are separate logs 
from internal and external interfaces. Again, I have changed real addresses to:
Shorewall DMZ		172.16.0.126
VPN router		10.0.0.1 (in the real life this is public ip-address)
Remote VPN router	vpn.remote.net
ISP''s gateway		gateway.isp.net
> -Tom
> --
> Tom Eastep    \ Shorewall - iptables made easy
> Shoreline,     \ http://www.shorewall.net
> Washington USA  \ teastep@shorewall.net
> 
-- 
-----------------------------------------------------
Jaakko Heikkil?
-------------- next part --------------
13:01:28.768344 arp who-has 10.0.0.1 tell 172.16.0.126
13:01:29.767037 arp who-has 10.0.0.1 tell 172.16.0.126
13:01:30.766710 arp who-has 10.0.0.1 tell 172.16.0.126
13:01:38.767598 arp who-has 10.0.0.1 tell 172.16.0.126
13:01:39.763834 arp who-has 10.0.0.1 tell 172.16.0.126
13:01:40.763502 arp who-has 10.0.0.1 tell 172.16.0.126
13:01:48.768516 arp who-has 10.0.0.1 tell 172.16.0.126
13:01:49.760614 arp who-has 10.0.0.1 tell 172.16.0.126
13:01:50.760293 arp who-has 10.0.0.1 tell 172.16.0.126
13:01:58.773585 arp who-has 10.0.0.1 tell 172.16.0.126
13:01:59.767404 arp who-has 10.0.0.1 tell 172.16.0.126
13:02:00.767093 arp who-has 10.0.0.1 tell 172.16.0.126
13:02:08.773774 arp who-has 10.0.0.1 tell 172.16.0.126
13:02:09.764195 arp who-has 10.0.0.1 tell 172.16.0.126
13:02:10.763871 arp who-has 10.0.0.1 tell 172.16.0.126
13:02:18.768556 arp who-has 10.0.0.1 tell 172.16.0.126
13:02:19.760986 arp who-has 10.0.0.1 tell 172.16.0.126
13:02:20.760671 arp who-has 10.0.0.1 tell 172.16.0.126
13:02:20.805507 arp reply 10.0.0.1 is-at 0:7:50:49:d7:3c
13:02:20.805620 vpn.remote.net.isakmp > 10.0.0.1.isakmp: isakmp: phase 1 I
ident: [|sa]
13:02:20.806495 arp reply 10.0.0.1 is-at 0:7:50:49:d7:3c
13:02:23.333727 arp who-has vpn.remote.net tell 10.0.0.1
13:02:24.089629 arp reply vpn.remote.net is-at 0:2:44:2e:3a:4d
13:02:24.287402 arp reply 10.0.0.1 is-at 0:7:50:49:d7:3c
13:02:24.583803 arp who-has 172.16.0.126 (0:2:44:2e:3a:4d) tell 10.0.0.1
13:02:24.583984 arp reply 172.16.0.126 is-at 0:2:44:2e:3a:4d
13:02:24.584470 arp reply 10.0.0.1 is-at 0:7:50:49:d7:3c
13:02:33.605403 arp who-has gateway.isp.net tell 10.0.0.1
13:02:34.176376 arp reply gateway.isp.net is-at 0:2:44:2e:3a:4d
13:02:39.573016 10.0.0.1.isakmp > vpn.remote.net.isakmp: isakmp: phase 1 I
ident: [|sa]
13:02:39.634949 vpn.remote.net.isakmp > 10.0.0.1.isakmp: isakmp: phase 1 R
ident: [|sa]
13:02:39.859054 10.0.0.1.isakmp > vpn.remote.net.isakmp: isakmp: phase 1 I
ident: [|ke]
13:02:39.951583 vpn.remote.net.isakmp > 10.0.0.1.isakmp: isakmp: phase 1 R
ident: [|ke]
13:02:40.228346 10.0.0.1.isakmp > vpn.remote.net.isakmp: isakmp: phase 1 I
ident[E]: [|id]
13:02:40.258129 vpn.remote.net.isakmp > 10.0.0.1.isakmp: isakmp: phase 1 R
ident[E]: [|id]
13:02:40.265322 10.0.0.1.isakmp > vpn.remote.net.isakmp: isakmp: phase
2/others I oakley-quick[E]: [|hash]
13:02:40.534552 vpn.remote.net.isakmp > 10.0.0.1.isakmp: isakmp: phase
2/others R oakley-quick[E]: [|hash]
13:02:40.546873 10.0.0.1.isakmp > vpn.remote.net.isakmp: isakmp: phase
2/others I oakley-quick[E]: [|hash]
13:02:40.570652 10.0.0.1 > vpn.remote.net: ESP(spi=0x66c35c46,seq=0x1) [tos
0xc0]
13:02:41.570640 10.0.0.1 > vpn.remote.net: ESP(spi=0x66c35c46,seq=0x2) [tos
0xc0]
13:02:42.570643 10.0.0.1 > vpn.remote.net: ESP(spi=0x66c35c46,seq=0x3) [tos
0xc0]
13:02:43.570637 10.0.0.1 > vpn.remote.net: ESP(spi=0x66c35c46,seq=0x4) [tos
0xc0]
13:02:43.605281 10.0.0.1.isakmp > vpn.remote.net.isakmp: isakmp: phase 1 R
ident: [|sa]
13:02:44.570642 10.0.0.1 > vpn.remote.net: ESP(spi=0x66c35c46,seq=0x5) [tos
0xc0]
13:02:45.570639 10.0.0.1 > vpn.remote.net: ESP(spi=0x66c35c46,seq=0x6) [tos
0xc0]
13:02:46.570634 10.0.0.1 > vpn.remote.net: ESP(spi=0x66c35c46,seq=0x7) [tos
0xc0]
13:02:47.570643 10.0.0.1 > vpn.remote.net: ESP(spi=0x66c35c46,seq=0x8) [tos
0xc0]
13:02:48.570637 10.0.0.1 > vpn.remote.net: ESP(spi=0x66c35c46,seq=0x9) [tos
0xc0]
13:02:49.570633 10.0.0.1 > vpn.remote.net: ESP(spi=0x66c35c46,seq=0xa) [tos
0xc0]
13:02:50.570639 10.0.0.1 > vpn.remote.net: ESP(spi=0x66c35c46,seq=0xb) [tos
0xc0]
13:02:51.570635 10.0.0.1 > vpn.remote.net: ESP(spi=0x66c35c46,seq=0xc) [tos
0xc0]
13:02:52.570636 10.0.0.1 > vpn.remote.net: ESP(spi=0x66c35c46,seq=0xd) [tos
0xc0]
13:02:53.570635 10.0.0.1 > vpn.remote.net: ESP(spi=0x66c35c46,seq=0xe) [tos
0xc0]
13:02:53.605287 10.0.0.1.isakmp > vpn.remote.net.isakmp: isakmp: phase 1 R
ident: [|sa]
13:02:54.570631 10.0.0.1 > vpn.remote.net: ESP(spi=0x66c35c46,seq=0xf) [tos
0xc0]
13:03:00.881477 vpn.remote.net.isakmp > 10.0.0.1.isakmp: isakmp: phase
2/others R oakley-quick[E]: [|hash]
13:03:01.139893 10.0.0.1.isakmp > vpn.remote.net.isakmp: isakmp: phase
2/others I oakley-quick[E]: [|hash]
13:03:01.200620 vpn.remote.net.isakmp > 10.0.0.1.isakmp: isakmp: phase
2/others R oakley-quick[E]: [|hash]
13:03:03.605284 10.0.0.1.isakmp > vpn.remote.net.isakmp: isakmp: phase 1 R
ident: [|sa]
13:03:13.605276 10.0.0.1.isakmp > vpn.remote.net.isakmp: isakmp: phase 1 R
ident: [|sa]
13:03:58.570615 10.0.0.1 > vpn.remote.net: ESP(spi=0x66c35c46,seq=0x10) [tos
0xc0]
13:04:04.831000 vpn.remote.net.isakmp > 10.0.0.1.isakmp: isakmp: phase
2/others R oakley-quick[E]: [|hash]
13:04:05.092024 10.0.0.1.isakmp > vpn.remote.net.isakmp: isakmp: phase
2/others I oakley-quick[E]: [|hash]
13:04:05.155707 vpn.remote.net.isakmp > 10.0.0.1.isakmp: isakmp: phase
2/others R oakley-quick[E]: [|hash]
13:04:09.825659 arp who-has 10.0.0.1 tell 172.16.0.126
13:04:09.826604 arp reply 10.0.0.1 is-at 0:7:50:49:d7:3c
13:05:02.570602 10.0.0.1 > vpn.remote.net: ESP(spi=0x66c35c46,seq=0x11) [tos
0xc0]
13:05:03.048245 vpn.remote.net.isakmp > 10.0.0.1.isakmp: isakmp: phase
2/others R oakley-quick[E]: [|hash]
13:05:03.308108 10.0.0.1.isakmp > vpn.remote.net.isakmp: isakmp: phase
2/others I oakley-quick[E]: [|hash]
13:05:03.374801 vpn.remote.net.isakmp > 10.0.0.1.isakmp: isakmp: phase
2/others R oakley-quick[E]: [|hash]
13:05:07.170215 some.remote.net > 10.0.0.1: icmp: echo request (DF)
13:05:07.171371 10.0.0.1 > some.remote.net: icmp: echo reply (DF)
13:05:08.036970 arp who-has 10.0.0.1 tell 172.16.0.126
13:05:08.037831 arp reply 10.0.0.1 is-at 0:7:50:49:d7:3c
13:05:18.949076 some.remote.net > 10.0.0.1: icmp: echo request (DF)
13:05:18.950218 10.0.0.1 > some.remote.net: icmp: echo reply (DF)
13:05:18.991489 some.remote.net > 10.0.0.1: icmp: echo request (DF)
13:05:18.992603 10.0.0.1 > some.remote.net: icmp: echo reply (DF)
13:05:19.018640 some.remote.net > 10.0.0.1: icmp: echo request (DF)
13:05:19.019755 10.0.0.1 > some.remote.net: icmp: echo reply (DF)
13:05:19.069327 some.remote.net > 10.0.0.1: icmp: echo request (DF)
13:05:19.070444 10.0.0.1 > some.remote.net: icmp: echo reply (DF)
13:05:19.098298 some.remote.net > 10.0.0.1: icmp: echo request (DF)
13:05:19.099406 10.0.0.1 > some.remote.net: icmp: echo reply (DF)
13:06:06.570593 10.0.0.1 > vpn.remote.net: ESP(spi=0x66c35c46,seq=0x12) [tos
0xc0]
13:07:10.570573 10.0.0.1 > vpn.remote.net: ESP(spi=0x66c35c46,seq=0x13) [tos
0xc0]
13:08:14.570455 10.0.0.1 > vpn.remote.net: ESP(spi=0x66c35c46,seq=0x14) [tos
0xc0]
13:09:18.570326 10.0.0.1 > vpn.remote.net: ESP(spi=0x66c35c46,seq=0x15) [tos
0xc0]
13:10:03.954809 some.remote.net > 10.0.0.1: icmp: echo request (DF)
13:10:03.955956 10.0.0.1 > some.remote.net: icmp: echo reply (DF)
13:10:08.950404 arp who-has 10.0.0.1 tell 172.16.0.126
13:10:08.951271 arp reply 10.0.0.1 is-at 0:7:50:49:d7:3c
13:10:14.096057 some.remote.net > 10.0.0.1: icmp: echo request (DF)
13:10:14.097212 10.0.0.1 > some.remote.net: icmp: echo reply (DF)
13:10:14.128335 some.remote.net > 10.0.0.1: icmp: echo request (DF)
13:10:14.129460 10.0.0.1 > some.remote.net: icmp: echo reply (DF)
13:10:14.164685 some.remote.net > 10.0.0.1: icmp: echo request (DF)
13:10:14.165804 10.0.0.1 > some.remote.net: icmp: echo reply (DF)
13:10:14.207135 some.remote.net > 10.0.0.1: icmp: echo request (DF)
13:10:14.208250 10.0.0.1 > some.remote.net: icmp: echo reply (DF)
13:10:14.234039 some.remote.net > 10.0.0.1: icmp: echo request (DF)
13:10:14.235146 10.0.0.1 > some.remote.net: icmp: echo reply (DF)
13:10:22.570232 10.0.0.1 > vpn.remote.net: ESP(spi=0x66c35c46,seq=0x16) [tos
0xc0]
13:11:26.570179 10.0.0.1 > vpn.remote.net: ESP(spi=0x66c35c46,seq=0x17) [tos
0xc0]
13:12:30.570150 10.0.0.1 > vpn.remote.net: ESP(spi=0x66c35c46,seq=0x18) [tos
0xc0]
13:13:34.570143 10.0.0.1 > vpn.remote.net: ESP(spi=0x66c35c46,seq=0x19) [tos
0xc0]
13:14:38.570147 10.0.0.1 > vpn.remote.net: ESP(spi=0x66c35c46,seq=0x1a) [tos
0xc0]
13:15:05.643835 some.remote.net > 10.0.0.1: icmp: echo request (DF)
13:15:05.644999 10.0.0.1 > some.remote.net: icmp: echo reply (DF)
13:15:09.327368 some.remote.net > 10.0.0.1: icmp: echo request (DF)
13:15:09.328551 10.0.0.1 > some.remote.net: icmp: echo reply (DF)
13:15:10.633718 arp who-has 10.0.0.1 tell 172.16.0.126
13:15:10.634598 arp reply 10.0.0.1 is-at 0:7:50:49:d7:3c
13:15:19.509310 some.remote.net > 10.0.0.1: icmp: echo request (DF)
13:15:19.510459 10.0.0.1 > some.remote.net: icmp: echo reply (DF)
13:15:19.539067 some.remote.net > 10.0.0.1: icmp: echo request (DF)
13:15:19.540183 10.0.0.1 > some.remote.net: icmp: echo reply (DF)
13:15:19.566691 some.remote.net > 10.0.0.1: icmp: echo request (DF)
13:15:19.567828 10.0.0.1 > some.remote.net: icmp: echo reply (DF)
13:15:19.594136 some.remote.net > 10.0.0.1: icmp: echo request (DF)
13:15:19.595268 10.0.0.1 > some.remote.net: icmp: echo reply (DF)
13:15:19.621200 some.remote.net > 10.0.0.1: icmp: echo request (DF)
13:15:19.622300 10.0.0.1 > some.remote.net: icmp: echo reply (DF)
13:15:42.570213 10.0.0.1 > vpn.remote.net: ESP(spi=0x66c35c46,seq=0x1b) [tos
0xc0]
 > some.remote.net: icmp: echo reply (DF)
13:15:19.621200 some.remote.net > 10.0.0.1: icmp: echo request (DF)
13:15:19.622300 10.0.0.1 > some.remote.net: icmp: echo reply (DF)
13:15:42.570213 10.0.0.1 > vpn.remote.net: ESP(spi=0x66c35c46,seq=0x1b) [tos
0xc0]
-------------- next part --------------
12:56:54.571339 vpn.remote.net.isakmp > 10.0.0.1.isakmp: isakmp: phase 1 I
ident: [|sa]
12:57:04.570849 vpn.remote.net.isakmp > 10.0.0.1.isakmp: isakmp: phase 1 I
ident: [|sa]
12:57:14.569549 vpn.remote.net.isakmp > 10.0.0.1.isakmp: isakmp: phase 1 I
ident: [|sa]
12:57:24.569992 vpn.remote.net.isakmp > 10.0.0.1.isakmp: isakmp: phase 1 I
ident: [|sa]
12:57:34.570716 vpn.remote.net.isakmp > 10.0.0.1.isakmp: isakmp: phase 1 I
ident: [|sa]
12:57:44.570687 vpn.remote.net.isakmp > 10.0.0.1.isakmp: isakmp: phase 1 I
ident: [|sa]
12:58:56.675896 vpn.remote.net.isakmp > 10.0.0.1.isakmp: isakmp: phase 1 I
ident: [|sa]
12:59:06.674887 vpn.remote.net.isakmp > 10.0.0.1.isakmp: isakmp: phase 1 I
ident: [|sa]
12:59:16.670434 vpn.remote.net.isakmp > 10.0.0.1.isakmp: isakmp: phase 1 I
ident: [|sa]
12:59:26.674663 vpn.remote.net.isakmp > 10.0.0.1.isakmp: isakmp: phase 1 I
ident: [|sa]
12:59:36.670711 vpn.remote.net.isakmp > 10.0.0.1.isakmp: isakmp: phase 1 I
ident: [|sa]
12:59:46.670479 vpn.remote.net.isakmp > 10.0.0.1.isakmp: isakmp: phase 1 I
ident: [|sa]
13:00:02.673968 vpn.remote.net.isakmp > 10.0.0.1.isakmp: isakmp: phase 1 I
ident: [|sa]
13:00:04.647782 some.remote.net > 10.0.0.1: icmp: echo request (DF)
13:00:09.035131 some.remote.net > 10.0.0.1: icmp: echo request (DF)
13:00:12.058623 some.remote.net > 10.0.0.1: icmp: echo request (DF)
13:00:12.670704 vpn.remote.net.isakmp > 10.0.0.1.isakmp: isakmp: phase 1 I
ident: [|sa]
13:00:22.670789 vpn.remote.net.isakmp > 10.0.0.1.isakmp: isakmp: phase 1 I
ident: [|sa]
13:00:32.670999 vpn.remote.net.isakmp > 10.0.0.1.isakmp: isakmp: phase 1 I
ident: [|sa]
13:00:42.671362 vpn.remote.net.isakmp > 10.0.0.1.isakmp: isakmp: phase 1 I
ident: [|sa]
13:00:52.670835 vpn.remote.net.isakmp > 10.0.0.2:03:01.200439
vpn.remote.net.isakmp > 10.0.0.1.isakmp: isakmp: phase 2/others R
oakley-quick[E]: [|hash]
13:03:01.870812 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x1)
13:03:03.605484 10.0.0.1.isakmp > vpn.remote.net.isakmp: isakmp: phase 1 R
ident: [|sa]
13:03:03.869844 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x2)
13:03:05.416006 arp who-has 10.0.0.1 tell gateway.isp.net
13:03:05.716254 arp reply 10.0.0.1 is-at 0:2:44:34:e8:17
13:03:07.872654 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x3)
13:03:13.605468 10.0.0.1.isakmp > vpn.remote.net.isakmp: isakmp: phase 1 R
ident: [|sa]
13:03:15.869047 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x4)
13:03:23.871030 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x5)
13:03:31.868822 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x6)
13:03:32.873070 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x7)
13:03:34.874864 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x8)
13:03:38.868417 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x9)
13:03:46.869702 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0xa)
13:03:54.874667 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0xb)
13:04:04.830789 vpn.remote.net.isakmp > 10.0.0.1.isakmp: isakmp: phase
2/others R oakley-quick[E]: [|hash]
13:04:05.092220 10.0.0.1.isakmp > vpn.remote.net.isakmp: isakmp: phase
2/others I oakley-quick[E]: [|hash]
13:04:05.155512 vpn.remote.net.isakmp > 10.0.0.1.isakmp: isakmp: phase
2/others R oakley-quick[E]: [|hash]
13:05:02.984799 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0xc)
13:05:03.047736 vpn.remote.net.isakmp > 10.0.0.1.isakmp: isakmp: phase
2/others R oakley-quick[E]: [|hash]
13:05:03.308307 10.0.0.1.isakmp > vpn.remote.net.isakmp: isakmp: phase
2/others I oakley-quick[E]: [|hash]
13:03:01.200439 vpn.remote.net.isakmp > 10.0.0.1.isakmp: isakmp: phase
2/others R oakley-quick[E]: [|hash]
13:03:01.870812 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x1)
13:03:03.605484 10.0.0.1.isakmp > vpn.remote.net.isakmp: isakmp: phase 1 R
ident: [|sa]
13:03:03.869844 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x2)
13:03:05.416006 arp who-has 10.0.0.1 tell gateway.isp.net
13:03:05.716254 arp reply 10.0.0.1 is-at 0:2:44:34:e8:17
13:03:07.872654 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x3)
13:03:13.605468 10.0.0.1.isakmp > vpn.remote.net.isakmp: isakmp: phase 1 R
ident: [|sa]
13:03:15.869047 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x4)
13:03:23.871030 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x5)
13:03:31.868822 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x6)
13:03:32.873070 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x7)
13:03:34.874864 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x8)
13:03:38.868417 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x9)
13:03:46.869702 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0xa)
13:03:54.874667 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0xb)
13:04:04.830789 vpn.remote.net.isakmp > 10.0.0.1.isakmp: isakmp: phase
2/others R oakley-quick[E]: [|hash]
13:04:05.092220 10.0.0.1.isakmp > vpn.remote.net.isakmp: isakmp: phase
2/others I oakley-quick[E]: [|hash]
13:04:05.155512 vpn.remote.net.isakmp > 10.0.0.1.isakmp: isakmp: phase
2/others R oakley-quick[E]: [|hash]
13:05:02.984799 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0xc)
13:05:03.047736 vpn.remote.net.isakmp > 10.0.0.1.isakmp: isakmp: phase
2/others R oakley-quick[E]: [|hash]
13:05:03.308313:05:19.018246 some.remote.net > 10.0.0.1: icmp: echo request
(DF)
13:05:19.019974 10.0.0.1 > some.remote.net: icmp: echo reply (DF)
13:05:19.068940 some.remote.net > 10.0.0.1: icmp: echo request (DF)
13:05:19.070672 10.0.0.1 > some.remote.net: icmp: echo reply (DF)
13:05:19.097872 some.remote.net > 10.0.0.1: icmp: echo request (DF)
13:05:19.099629 10.0.0.1 > some.remote.net: icmp: echo reply (DF)
13:05:25.971692 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x11)
13:05:33.976250 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x12)
13:05:34.968614 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x13)
13:05:36.979102 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x14)
13:05:40.977404 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x15)
13:05:48.969288 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x16)
13:05:56.969757 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x17)
13:07:05.075466 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x18)
13:07:06.080633 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x19)
13:07:08.071951 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x1a)
13:07:12.069218 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x1b)
13:07:20.082456 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x1c)
13:07:28.070293 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x1d)
13:07:36.072160 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x1e)
13:07:37.069031 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x1f)
13:07:39.069078 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x20)
13:07:43.068766 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x21)
13:07:51.074272 vpn.remote.net > 10.0.0.1: ESP(spi=0xe5 10.0.0.1 >
some.remote.net: icmp: echo reply (DF)
13:05:19.018246 some.remote.net > 10.0.0.1: icmp: echo request (DF)
13:05:19.019974 10.0.0.1 > some.remote.net: icmp: echo reply (DF)
13:05:19.068940 some.remote.net > 10.0.0.1: icmp: echo request (DF)
13:05:19.070672 10.0.0.1 > some.remote.net: icmp: echo reply (DF)
13:05:19.097872 some.remote.net > 10.0.0.1: icmp: echo request (DF)
13:05:19.099629 10.0.0.1 > some.remote.net: icmp: echo reply (DF)
13:05:25.971692 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x11)
13:05:33.976250 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x12)
13:05:34.968614 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x13)
13:05:36.979102 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x14)
13:05:40.977404 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x15)
13:05:48.969288 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x16)
13:05:56.969757 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x17)
13:07:05.075466 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x18)
13:07:06.080633 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x19)
13:07:08.071951 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x1a)
13:07:12.069218 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x1b)
13:07:20.082456 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x1c)
13:07:28.070293 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x1d)
13:07:36.072160 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x1e)
13:07:37.069031 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x1f)
13:07:39.069078 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x20)
13:07:43.068766 vpn.remote.net > 10.0.0.1:
ESP(spi=0xe844ffdb,seq=013:10:10.007414 some.remote.net.34272 >
10.0.0.1.snmp:  C=remote GetRequest(35)  system.sysObjectID.0
.iso.org.dod.internet[|snmp] (DF)
13:10:11.317339 vpn.remote.net > 10.0.0.1: ESP(spi=0x3877423d,seq=0x5) (DF)
13:10:12.009423 some.remote.net.34272 > 10.0.0.1.snmp:  C=remote
GetRequest(35)  system.sysObjectID.0 .iso.org.dod.internet[|snmp] (DF)
13:10:14.095641 some.remote.net > 10.0.0.1: icmp: echo request (DF)
13:10:14.097434 10.0.0.1 > some.remote.net: icmp: echo reply (DF)
13:10:14.127946 some.remote.net > 10.0.0.1: icmp: echo request (DF)
13:10:14.129677 10.0.0.1 > some.remote.net: icmp: echo reply (DF)
13:10:14.164232 some.remote.net > 10.0.0.1: icmp: echo request (DF)
13:10:14.166025 10.0.0.1 > some.remote.net: icmp: echo reply (DF)
13:10:14.206538 some.remote.net > 10.0.0.1: icmp: echo request (DF)
13:10:14.208475 10.0.0.1 > some.remote.net: icmp: echo reply (DF)
13:10:14.233587 some.remote.net > 10.0.0.1: icmp: echo request (DF)
13:10:14.235370 10.0.0.1 > some.remote.net: icmp: echo reply (DF)
13:10:25.336632 vpn.remote.net > 10.0.0.1: ESP(spi=0x45047471,seq=0x2)
13:10:52.986012 vpn.remote.net > 10.0.0.1: ESP(spi=0x45047471,seq=0x3)
13:11:09.269791 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x30)
13:11:10.284708 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x31)
13:11:12.270388 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x32)
13:11:16.273204 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x33)
13:11:23.602581 vpn.remote.net > 10.0.0.1: ESP(spi=0x45047471,seq=0x4)
13:11:24.270912 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x34)
13:11:32.269934 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x35)
13:11:40.272451 vpn.remote.net > 10.0.0.1:
ESP(spi=0xe844ffdb,seq=.org.dod.internet[|snmp] (DF)
13:10:10.007414 some.remote.net.34272 > 10.0.0.1.snmp:  C=remote
GetRequest(35)  system.sysObjectID.0 .iso.org.dod.internet[|snmp] (DF)
13:10:11.317339 vpn.remote.net > 10.0.0.1: ESP(spi=0x3877423d,seq=0x5) (DF)
13:10:12.009423 some.remote.net.34272 > 10.0.0.1.snmp:  C=remote
GetRequest(35)  system.sysObjectID.0 .iso.org.dod.internet[|snmp] (DF)
13:10:14.095641 some.remote.net > 10.0.0.1: icmp: echo request (DF)
13:10:14.097434 10.0.0.1 > some.remote.net: icmp: echo reply (DF)
13:10:14.127946 some.remote.net > 10.0.0.1: icmp: echo request (DF)
13:10:14.129677 10.0.0.1 > some.remote.net: icmp: echo reply (DF)
13:10:14.164232 some.remote.net > 10.0.0.1: icmp: echo request (DF)
13:10:14.166025 10.0.0.1 > some.remote.net: icmp: echo reply (DF)
13:10:14.206538 some.remote.net > 10.0.0.1: icmp: echo request (DF)
13:10:14.208475 10.0.0.1 > some.remote.net: icmp: echo reply (DF)
13:10:14.233587 some.remote.net > 10.0.0.1: icmp: echo request (DF)
13:10:14.235370 10.0.0.1 > some.remote.net: icmp: echo reply (DF)
13:10:25.336632 vpn.remote.net > 10.0.0.1: ESP(spi=0x45047471,seq=0x2)
13:10:52.986012 vpn.remote.net > 10.0.0.1: ESP(spi=0x45047471,seq=0x3)
13:11:09.269791 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x30)
13:11:10.284708 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x31)
13:11:12.270388 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x32)
13:11:16.273204 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x33)
13:11:23.602581 vpn.remote.net > 10.0.0.1: ESP(spi=0x45047471,seq=0x4)
13:11:24.270912 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x34)
13:11:32.269934 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x35)
13:11:40.272451 some.remote13:15:03.572988 vpn.remote.net > 10.0.0.1:
ESP(spi=0x3877423d,seq=0x6) (DF)
13:15:05.643336 some.remote.net > 10.0.0.1: icmp: echo request (DF)
13:15:05.645234 10.0.0.1 > some.remote.net: icmp: echo reply (DF)
13:15:07.063742 vpn.remote.net > 10.0.0.1: ESP(spi=0x3877423d,seq=0x7) (DF)
13:15:09.326894 some.remote.net > 10.0.0.1: icmp: echo request (DF)
13:15:09.328772 10.0.0.1 > some.remote.net: icmp: echo reply (DF)
13:15:09.415542 some.remote.net.34580 > 10.0.0.1.snmp:  C=remote
GetRequest(35)  system.sysObjectID.0 .iso.org.dod.internet[|snmp] (DF)
13:15:11.086596 vpn.remote.net > 10.0.0.1: ESP(spi=0x3877423d,seq=0x8) (DF)
13:15:11.409488 some.remote.net.34580 > 10.0.0.1.snmp:  C=remote
GetRequest(35)  system.sysObjectID.0 .iso.org.dod.internet[|snmp] (DF)
13:15:13.414259 some.remote.net.34580 > 10.0.0.1.snmp:  C=remote
GetRequest(35)  system.sysObjectID.0 .iso.org.dod.internet[|snmp] (DF)
13:15:13.472482 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x48)
13:15:14.470057 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x49)
13:15:15.420894 some.remote.net.34580 > 10.0.0.1.snmp:  C=remote
GetRequest(35)  system.sysObjectID.0 .iso.org.dod.internet[|snmp] (DF)
13:15:16.469960 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x4a)
13:15:16.579676 vpn.remote.net > 10.0.0.1: ESP(spi=0x45047471,seq=0xa)
13:15:17.408704 some.remote.net.34580 > 10.0.0.1.snmp:  C=remote
GetRequest(35)  system.sysObjectID.0 .iso.org.dod.internet[|snmp] (DF)
13:15:19.508802 some.remote.net > 10.0.0.1: icmp: echo request (DF)
13:15:19.510680 10.0.0.1 > some.remote.net: icmp: echo reply (DF)
13:15:19.538605 some.remote.net > 10.0.0.1: icmp: echo request (DF)
13:15:19.540401 10.0.0.1 > some.remote.net: icmp: echo reply (DF)
13:15:19.566265 some.remote.net > 10.0.0.1: icmp: echo request (DF)
13:15:19.568050 10.0.0.1 > some.remote.net: icmp: echo reply (DF)
13:15:19.593702 some.remote.net > 10.0.0.1: icmp: echo request (DF)
13:15:19.595498 10.0.0.1 > some.remote.net: icmp: echo reply (DF)
13:15:19.620757 some.remote.net > 10.0.0.1: icmp: echo request (DF)
13:15:19.622519 10.0.0.1 > some.remote.net: icmp: echo reply (DF)
13:15:20.471886 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x4b)
13:15:28.482946 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x4c)
13:15:36.469645 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x4d)
13:15:44.469219 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x4e)
13:15:45.469201 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x4f)
13:15:47.471525 vpn.remote.net > 10.0.0.1: ESP(spi=0xe844ffdb,seq=0x50)

Tom Eastep

2003-Jun-18 06:14 UTC

head link

[Shorewall-users] VPN router problems

Please follow the instructions at http://www.shorewall.net/support.htm
under the red bold heading "If you are having connection problems of any
kind then:"

And DON''T MODIFY THE OUTPUT of "shorewall status" -- If you
want to send
it to me off-list, that''s fine.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net

Shorewall users - Jun 2003 - VPN router problems

[Shorewall-users] VPN router problems

[Shorewall-users] VPN router problems

[Shorewall-users] VPN router problems

[Shorewall-users] VPN router problems