Re: VPN and @Home
- To: debian-firewall@lists.debian.org
- Subject: Re: VPN and @Home
- From: "Josef Bergmann" <joe@bec.at>
- Date: Tue, 26 Jun 2001 00:15:39 +0200
- Message-id: <3B37D42B.19459.2EBABDB@localhost>
- In-reply-to: <99B88CEC43C8D211B23500104B79D87302DD3A55@hermes>
Hi Marsha!
On 25 Jun 2001, at 15:57, Marsha Wilson wrote:
> have NO problems. However, whenever I make a connection over @Home I can only
> make the tunnel connection. No data is passed. I can't even ping an internal IP
> address. According to my VPN manufacturer it sounds like ports ESP 50 and AH 51
> are being blocked. I am sure @Home is blocking a port, even though they
> thoroughly deny it. I am sure there is a workaround but I have no clue what it
> is. F.Y.I. my firewall is an IPSEC/IKE compliant firewall.
I know there are some ISPs which block the ESP protocol for whatever reason. But
maybe your server's or your opposite client's firewall rules are the reason for
the problem; sometimes they forget the rules for the virtual VPN interfaces
(ipsec0 ...).
You can make a simple check with tcpdump on your external interface to see if
ESP is transmitted, e.g.
gate.bdw:~# tcpdump -i eth1 proto esp
tcpdump: listening on eth1
23:57:24.697027 gate.bdw > gate.bdf: ip-proto-50 92
23:57:24.777582 gate.bdf > gate.bdw: ip-proto-50 76
23:57:24.778159 gate.bdw > gate.bdf: ip-proto-50 76
[...]
This shows there is ESP traffic on the interface, so there should be IPSEC payload
(if the traffic goes in both directions). If you have no traffic, check in a
first step that there are no filter rules on your Linux boxes (ipchains -L) or on
your access routers.
If you see ESP traffic, you can check again with tcpdump if there is traffic on
your VPN interface:
gate.bdw:~# tcpdump -i ipsec0
tcpdump: listening on ipsec0
00:01:08.620186 nbdf.4180 > nbdw.notes: S 335511813:335511813(0) win 16220
<mss 16220,sackOK,timestamp 807576862[|tcp]> (DF)
00:01:08.620962 nbdw.notes > nbdf.4180: S 41295562:41295562(0) ack 335511814
win 8760 <mss 1460> (DF)
00:01:08.705951 nbdf.4180 > nbdw.notes: . ack 1 win 16220 (DF)
00:01:08.706342 nbdf.4180 > nbdw.notes: F 1:1(0) ack 1 win 16220 (DF)
00:01:08.706906 nbdw.notes > nbdf.4180: . ack 2 win 8760 (DF)
[...]
This shows some Notes traffic on the VPN.
BTW I use FreeS/WAN (www.freeswan.org) for Linux-based IPSEC VPNs.
bye Josef
--
BERGMANN engineering & consulting http://bec.at/
Reason, too late perhaps, may convince you of the folly of
misspending time.
- George Washington
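Added example, not part of Josef's post: a small Python script that parses the kind of tcpdump ESP output quoted above and applies the post's decision steps (no ESP at all, ESP in one direction only, or ESP both ways). The hostnames gate.bdw/gate.bdf and the "ip-proto-50" line format are taken from the post; the regex assumes that older tcpdump output style, and the result labels are my own.

```python
import re
from collections import Counter

# Matches one line of the tcpdump ESP output shown in the post, e.g.
#   23:57:24.697027 gate.bdw > gate.bdf: ip-proto-50 92
# Captures source, destination and the ESP packet length.
ESP_LINE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+ip-proto-50\s+(?P<len>\d+)"
)

def count_esp_directions(lines):
    """Return a Counter of (src, dst) -> number of ESP packets seen."""
    counts = Counter()
    for line in lines:
        m = ESP_LINE.match(line.strip())
        if m:
            counts[(m.group("src"), m.group("dst"))] += 1
    return counts

def diagnose(lines, local, remote):
    """Classify a capture of the external interface following the post's reasoning.

    Returns one of (labels are my own, not from the post):
      'no-esp'        -> nothing leaves or arrives: check local filter rules (ipchains -L)
      'outbound-only' -> our ESP goes out but nothing comes back: upstream filter or remote side
      'inbound-only'  -> remote ESP arrives but we send none: local outbound rule or policy
      'bidirectional' -> ESP flows both ways: tunnel is up, look at the ipsec0 rules instead
    """
    counts = count_esp_directions(lines)
    out = counts[(local, remote)]
    inb = counts[(remote, local)]
    if out == 0 and inb == 0:
        return "no-esp"
    if inb == 0:
        return "outbound-only"
    if out == 0:
        return "inbound-only"
    return "bidirectional"

# Constructed sample: the tcpdump banner plus the three ESP lines quoted in the post.
SAMPLE_CAPTURE = """\
tcpdump: listening on eth1
23:57:24.697027 gate.bdw > gate.bdf: ip-proto-50 92
23:57:24.777582 gate.bdf > gate.bdw: ip-proto-50 76
23:57:24.778159 gate.bdw > gate.bdf: ip-proto-50 76
""".splitlines()

if __name__ == "__main__":
    print(diagnose(SAMPLE_CAPTURE, "gate.bdw", "gate.bdf"))  # bidirectional
```

To use it on a real gateway, replace SAMPLE_CAPTURE with the lines captured from `tcpdump -i eth1 proto esp` and pass your own gateway names as local/remote.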