[Openswan Users] Connection to IPSEC thru Alcatel Speedtouch Router
Leonard Tulipan
l.tulipan at mpwi.at
Fri May 7 12:33:58 CEST 2004
Hi!
So I am back at it again.
VPN works fine.
Here's a trace when doing this from my machine, from which I am writing
this mail:
mail is me the other is the Linux System with (still) freeswan.
192.168.0.94 is just changed by me. This is of course a reachable IP on
the internet.
tcpdump -i any -N -R -E 3des-cbc:XXXXXXXXXXXXXXXXXXXXXXX -q proto 50 or
udp port 500
tcpdump: listening on any
10:34:26.318982 mail.isakmp > 192-168-66-94.isakmp: udp 76
10:34:26.321265 mail.isakmp > 192-168-66-94.isakmp: udp 76
10:34:26.334627 mail.isakmp > 192-168-66-94.isakmp: udp 196
10:34:26.336119 192-168-66-94.isakmp > mail.isakmp: udp 84 (DF)
10:34:26.474622 mail.isakmp > 192-168-66-94.isakmp: udp 204
10:34:26.508767 192-168-66-94.isakmp > mail.isakmp: udp 180 (DF)
10:34:26.626554 mail.isakmp > 192-168-66-94.isakmp: udp 92
10:34:26.627901 192-168-66-94.isakmp > mail.isakmp: udp 148 (DF)
10:34:26.746036 mail.isakmp > 192-168-66-94.isakmp: udp 308
10:34:26.782361 192-168-66-94.isakmp > mail.isakmp: udp 284 (DF)
10:34:26.904894 mail.isakmp > 192-168-66-94.isakmp: udp 52
10:34:30.536751 mail > 192-168-66-94: ESP(spi=0x2e7d330e,seq=0x1)
10:34:30.722376 192-168-66-94 > mail: ESP(spi=0xe610a506,seq=0x1)
So, this customer of our has a DSL Connection behind a Alcatel
Speedtouch 510 Router. A CLI Dokumentation exists on the net, so I was
able to puncture the included firewall to let Protocol 50 (ESP) and UDP
500 (ISAKMP) thru.
This is done (hopefully) with these entries on the router (10.0.0.0 is
the private net, 192.168.0.94 is in fact the VPN Gateway on the internet)
...............
rule create chain=sink index=4 prot=udp dstport=500 action=accept
..............
rule create chain=forward index=0 src=10.0.0.0/8 dst=192.168.0.94
prot=50 action=accept
rule create chain=forward index=1 src=10.0.0.0/8 dst=192.168.0.94
prot=udp dstport=500 action=accept
rule create chain=forward index=2 src=10.0.0.0/8 dst=192.168.0.94
prot=udp dstport=503 action=accept
..................
rule create chain=source index=5 prot=udp dstport=500 action=accept
...............
rule create chain=source index=7 prot=50 action=accept
.................
Now this is the tcpdump I recorded
12:31:14.951180 192.168.21.133.10008 > 192.168.0.94.isakmp: isakmp:
phase 1 I ident: [|sa]
12:31:22.144375 192.168.21.133.10008 > 192.168.0.94.isakmp: isakmp:
phase 1 I ident: [|sa]
12:31:30.142837 192.168.21.133.10008 > 192.168.0.94.isakmp: isakmp:
phase 1 I ident: [|sa]
12:31:32.973126 192.168.21.133.10008 > 192.168.0.94.isakmp: isakmp:
phase 2/others I inf:
(d: doi=ipsec proto=isakmp spilen=16 nspi=1
spi=903d4e01c610e1100000000000000000)
So, this means the f*#+$ router mangles the packets, right? it should be
source port 500 and dst port 500 but the source was changed!
Also, what I don't get is, why I don't see any ESP Packets with tcpdump.
Is this normal? Should ESP (protocol 50) traffic happen at all?
Thanks for any light you can shed on this
Cheers
Leonard
More information about the Users
mailing list