
Re: IP protocol passage

PC Drew wrote:
> ----- Original Message -----
> From: "Mike Ayers" <mike_(_dot_)_ayers_(_at_)_earthling_(_dot_)_net>
> To: <misc_(_at_)_openbsd_(_dot_)_org>
> Sent: Tuesday, August 21, 2001 12:14 AM
> Subject: IP protocol passage
> > Here is my setup:
> >
> > ISP <--> pppoe <--> ipnat <--> ipf <--> 192.168.x.x
> >
> > I have it all set up and running well with HTTP, newsgroups, mail,
> > etc.  However, I want to use my company's extranet as well.  In order to
> > do this, I need to be able to pass IP packets of type 50 & 51
> > (encapsulated security and authentication header, respectively).

> If your VPN client is a computer inside the firewall and the firewall is
> just passing packets through:
> 1. on the firewall, run tcpdump on the internal interface.  If your internal
> interface is fxp1, do this:
> $ sudo tcpdump -ni fxp1 'port 500'

	Packets are coming from the client, but there are no response packets.

> 2.  If you see appropriate traffic from the tcpdump and the VPN client is
> still timing out, then try listening on the external interface of your
> firewall to see if the packets are making it through the box.  Assuming the
> external interface is fxp0, here's what that command would look like:
> $ sudo tcpdump -ni fxp0 'port 500'

	Okay, it gets a little tricky here (or so I think).  There are two
interfaces, dc1 and tun0 - dc1 feeds pppoe, which feeds tun0.  However, I
find that I get no packets from dc1, probably because tcpdump can't
decode pppoe packets.

> If you see the same packets leaving on the external interface as you saw on
> the internal interface, then you probably have a VPN configuration problem.

	I tested the VPN by dialing up my ISP and then connecting the VPN over
it.  My current suspicion is that my ISP is blocking isakmp packets. 
Since my ISP was PacBell, who sold their ISP operations to Prodigy in
the deep of the night, I would not be surprised if this were the case -
Prodigy is a "content publisher", not an ISP.  In order to test this,
could someone tell me the address of an isakmp server that they have
successfully used over the internet?  I am only looking to get rejection
packets, so no account is necessary.  I think that I already have enough
evidence, but a confirmation would help.
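As an added example that is not part of this thread, here is a small parser for the tcpdump output from steps 1 and 2 that tallies ISAKMP (UDP 500), ESP (protocol 50) and AH (protocol 51) packets per peer in each direction, so the "packets from the client but no response packets" case shows up at a glance; run it against a capture from each interface and the interface where replies stop is where to look. The capture lines and peer addresses are constructed, the line shape approximates `tcpdump -n` output, and 192.168. is assumed to be the inside network.

```python
import re
from collections import defaultdict

# Constructed sample (not from the thread) in the shape of `tcpdump -n` output:
# three unanswered ISAKMP (UDP/500) attempts and one ESP flow that is answered.
# Peer addresses are documentation ranges, not real hosts.
SAMPLE_CAPTURE = """\
00:14:01.102 192.168.1.10.500 > 203.0.113.5.500: isakmp: phase 1 I ident
00:14:04.110 192.168.1.10.500 > 203.0.113.5.500: isakmp: phase 1 I ident
00:14:08.120 192.168.1.10.500 > 203.0.113.5.500: isakmp: phase 1 I ident
00:15:30.200 192.168.1.10 > 198.51.100.7: ESP(spi=0x0000a1b2,seq=0x1)
00:15:30.250 198.51.100.7 > 192.168.1.10: ESP(spi=0x0000c3d4,seq=0x1)
"""

# timestamp, src[.port] > dst[.port]: summary
LINE_RE = re.compile(
    r"^\S+\s+(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))?\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:\s+(?P<rest>.*)$"
)

def classify(rest, sport, dport):
    """Map a tcpdump summary line to the IPsec component it belongs to."""
    if rest.startswith("isakmp") or "500" in (sport, dport):
        return "isakmp"          # IKE key exchange, UDP port 500
    if rest.startswith("ESP"):
        return "esp"             # IP protocol 50
    if rest.startswith("AH"):
        return "ah"              # IP protocol 51
    return "other"

def count_directions(capture, local_prefix="192.168."):
    """Count packets per (peer, component), split by direction relative to
    the inside network.  Returns {(peer, comp): {"out": n, "in": n}}."""
    counts = defaultdict(lambda: {"out": 0, "in": 0})
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # tcpdump banner or unparsed line
        comp = classify(m["rest"], m["sport"], m["dport"])
        if m["src"].startswith(local_prefix):
            counts[(m["dst"], comp)]["out"] += 1
        elif m["dst"].startswith(local_prefix):
            counts[(m["src"], comp)]["in"] += 1
    return dict(counts)

def one_way_flows(capture, local_prefix="192.168."):
    """Peers/components we send to but never hear back from."""
    return sorted(k for k, c in count_directions(capture, local_prefix).items()
                  if c["out"] and not c["in"])

if __name__ == "__main__":
    for peer, comp in one_way_flows(SAMPLE_CAPTURE):
        print(f"no reply from {peer} for {comp}")
```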