List:       ipfilter
Subject:    Re: Need Help with Cisco sw VPN behind IpFilter/OpenBSD
From:       "Crist J. Clark" <crist.clark () attbi ! com>
Date:       2002-08-20 18:49:52
On Sat, Aug 17, 2002 at 02:11:23AM +0000, Vadim Pushkin wrote:
> > From: "Crist J. Clark" <crist.clark@attbi.com>
> 
> [snip]
> 
> >> The VPN that I am trying to connect to uses udp for authentication,
> >> then esp for encrypted traffic.
> >
> >No, it sure looks like it is tunnelling the ESP through
> >10000/udp. That is the default port Cisco Concentrators use for UDP
> >tunnelling.
> >
> >> >>
> >> >> Thank you. What I am seeing is the following from tcpdump, but what
> >> >> puzzles me is the fact that I sometimes see VPN.XXX.NET.IP, and some
> >> >> times I see VPN.XXX.NET-ROUTER.IP, which are not even the same subnet.
> >> >> See the output sample below.
> >> >>
> >> >> 21:05:38.838016 204.177.198.17.isakmp > VPN.XXX.NET.IP.isakmp:  isakmp v1.0 exchange INFO encrypted
> >> >>        cookie: 77ebe015bdc5ecce->2b4ea8a31d8bf87f msgid: fe44266a len: 84
> >> >> 21:05:38.855278 VPN.XXX.NET.IP.isakmp > 204.177.198.17.isakmp:  isakmp v1.0 exchange INFO encrypted
> >> >>        cookie: 77ebe015bdc5ecce->2b4ea8a31d8bf87f msgid: e58d1012 len: 84
> >> >> 21:05:49.853889 204.177.198.17.isakmp > VPN.XXX.NET.IP.isakmp:  isakmp v1.0 exchange INFO encrypted
> >> >>        cookie: 77ebe015bdc5ecce->2b4ea8a31d8bf87f msgid: afa02b26 len: 76
> >> >
> >> >Looks reasonable.
> >> >
> >> >> 21:05:49.854443 204.177.198.17.10346 > VPN.XXX.NET.IP.10000:  udp 1
> >> >> 21:05:49.871418 VPN.XXX.NET-ROUTER.IP > 204.177.198.17: icmp: host
> >> >> VPN.XXX.NET-ROUTER.IP unreachable - admin prohibited filter
> >> >
> >> >OK, it looks like a firewall at the remote site, VPN.XXX.NET-ROUTER.IP,
> >> >is blocking the VPN packets (10000/udp). Run tcpdump with '-vvv' to
> >> >print all the detail it can, especially to print the details about the
> >> >header of the packet that caused the ICMP error message.
> >>
> >> Further investigation reveals that VPN.XXX.NET-ROUTER.IP does indeed
> >> block all icmp traffic,
> >
> >No, it looks like VPN.XXX.NET-ROUTER.IP is blocking 10000/udp. When it
> >blocks a packet it sends you an ICMP message to tell you about
> >it. VPN.XXX.NET-ROUTER.IP may block ICMP from you too, but it would
> >not have any impact on the VPN. Did you run tcpdump with '-vvv' to
> >verify what packets are causing VPN.XXX.NET-ROUTER.IP to send you the
> >ICMP-admin-prohib messages?
> 
> 21:57:34.160497 204.177.198.17.isakmp > VPN.XXX.NET.IP.isakmp:  isakmp v1.0 exchange INFO encrypted
>        cookie: edef0f4054612c7c->ea0b8220bfa51f9b msgid: 4ba5f653 len: 76 (ttl 127, id 20052)
> 21:57:34.161423 204.177.198.17.10001 > VPN.XXX.NET.IP.10000:  [no cksum] udp 1 (ttl 127, id 1536)
> 21:57:34.177659 VPN.XXX.NET-ROUTER.IP > 204.177.198.17: icmp: host VPN.XXX.NET.IP unreachable - admin prohibited filter (ttl 247, id 4421)
> 21:57:44.173992 204.177.198.17.10001 > VPN.XXX.NET.IP.10000:  [no cksum] udp 1 (ttl 127, id 1537)
> 21:57:44.186489 VPN.XXX.NET-ROUTER.IP > 204.177.198.17: icmp: host VPN.XXX.NET.IP unreachable - admin prohibited filter (ttl 247, id 4431)

Is that all tcpdump(8) is printing with '-vv'? You must have an older
version. Try 'tcpdump -nxvv'.

> >> yet others are able to connect and their routers,
> >> D-Link, etc, do not even try to perform any icmp traffic.
> >> Is there any reason why I am trying to use icmp? Is there any way to
> >> prevent that?
> >
> >You're not using ICMP. We see the 10000/udp packet go out, and then
> >the ICMP-admin-prohib from VPN.XXX.NET-ROUTER.IP is sent back. The
> >router is prohibiting 10000/udp. As for why others can do it... I guess
> >they are not blocked?
> 
> There is no ACL on VPN.XXX.NET-ROUTER.IP, there is however a deny all
> icmp from all. Just to recall, I *do* get authenticated, just no other
> traffic afterwards.

But the VPN doesn't use ICMP for anything. The authentication, which
takes place over 500/udp, all works. Once you try to move data, things
don't work. In the dump, we see port 10000/udp traffic go out, which
is consistent with Cisco Concentrators' UDP encapsulation. We see ICMP
unreachables come back. It sure looks like the 10000/udp traffic is
being blocked. Once we see inside the ICMP unreachables, we can tell
for sure.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
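Added example, not part of this thread: a small Python script that applies the diagnosis above to the quoted tcpdump lines, pairing each ICMP admin-prohibited with the datagram that provoked it and reporting which destination port the remote router is filtering. The sample lines are reconstructed from the post, and the regexes assume the one-line tcpdump output format shown there.

```python
import re

# Constructed sample: the tcpdump lines quoted in the thread (unwrapped, hostnames as the poster anonymised them).
SAMPLE = """\
21:57:34.160497 204.177.198.17.isakmp > VPN.XXX.NET.IP.isakmp:  isakmp v1.0 exchange INFO encrypted
21:57:34.161423 204.177.198.17.10001 > VPN.XXX.NET.IP.10000:  [no cksum] udp 1 (ttl 127, id 1536)
21:57:34.177659 VPN.XXX.NET-ROUTER.IP > 204.177.198.17: icmp: host VPN.XXX.NET.IP unreachable - admin prohibited filter (ttl 247, id 4421)
21:57:44.173992 204.177.198.17.10001 > VPN.XXX.NET.IP.10000:  [no cksum] udp 1 (ttl 127, id 1537)
21:57:44.186489 VPN.XXX.NET-ROUTER.IP > 204.177.198.17: icmp: host VPN.XXX.NET.IP unreachable - admin prohibited filter (ttl 247, id 4431)
"""

# Outbound datagram as tcpdump 3.x prints it: "<ts> <src>.<sport> > <dst>.<dport>:  udp ..." / "... isakmp v1.0 ..."
DGRAM_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+)\.(?P<sport>\w+) > (?P<dst>\S+)\.(?P<dport>\w+):\s+"
                      r"(?:\[no cksum\] )?(?P<proto>udp|isakmp)")
# ICMP type 3 code 13 (admin prohibited) as sent back by the filtering router
ICMP_RE = re.compile(r"^(?P<ts>\S+) (?P<router>\S+) > (?P<dst>\S+): icmp: host (?P<host>\S+) "
                     r"unreachable - admin prohibited")

def _seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def correlate(dump, window=1.0):
    """Per (dst host, dst port): datagrams sent, how many drew an ICMP
    admin-prohibited within `window` seconds, and which router sent it."""
    stats, last_sent = {}, {}           # last_sent: host -> (time, key)
    for line in dump.splitlines():
        m = DGRAM_RE.match(line)
        if m:
            key = (m["dst"], m["dport"])
            stats.setdefault(key, {"sent": 0, "prohibited": 0, "by": set()})
            stats[key]["sent"] += 1
            last_sent[m["dst"]] = (_seconds(m["ts"]), key)
            continue
        m = ICMP_RE.match(line)
        if m and m["host"] in last_sent:
            sent_at, key = last_sent[m["host"]]
            if 0 <= _seconds(m["ts"]) - sent_at <= window:
                stats[key]["prohibited"] += 1
                stats[key]["by"].add(m["router"])
    return stats

def blocked(dump):
    """(host, port, router) for every destination port where each datagram was refused."""
    return sorted((host, port, router) for (host, port), s in correlate(dump).items()
                  if s["prohibited"] == s["sent"] for router in s["by"])

for host, port, router in blocked(SAMPLE):
    print(f"{router} is filtering {port}/udp to {host}")   # one line, for port 10000
```

The ISAKMP exchange on 500/udp draws no unreachable, which is why authentication succeeds while every 10000/udp datagram is refused.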