[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: VPN and @Home

Hi Marsha!

On 25 Jun 2001, at 15:57, Marsha Wilson wrote:

> have NO problems. However, whenever I make a connection over @Home I can only
> make the tunnel connection. No data is passed. I can't even ping an internal IP
> address. According to my VPN manufacturer it sounds like ports ESP 50 and AH 51
> are being blocked. I am sure @Home is blocking a port, even though they
> thoroughly deny it. I am sure there is a work around but I have no clue what it
> is. F.Y.I. my firewall is an IPSEC/IKE compliant firewall. 

I know there are some ISP which block for reason ever the ESP protocol. But 
maybe your server or your opposite client firewalls rules a the reason for the 
problem, sometimes they forgot the rules for the virtual VPN-interfaces 
(ipsec0 ...).

You can make a simple check with tcpdump on you extern interface to check if 
ESP is transmitted, eg.

gate.bdw:~# tcpdump -i eth1 proto esp
tcpdump: listening on eth1
23:57:24.697027 gate.bdw > gate.bdf: ip-proto-50 92
23:57:24.777582 gate.bdf > gate.bdw: ip-proto-50 76
23:57:24.778159 gate.bdw > gate.bdf: ip-proto-50 76

Shows there is ESP-traffic on the interface, so there should be IPSEC payload 
(if the traffic goes in both directions). If you have no traffic check in a 
first step if there are no filterrules on your Linux-boxes (ipchains -L) or on 
your access-routers.

If you see ESP-traffic you can check again with tcpdump if there is traffic on 
your VPN-interface:

gate.bdw:~# tcpdump -i ipsec0
tcpdump: listening on ipsec0
00:01:08.620186 nbdf.4180 > nbdw.notes: S 335511813:335511813(0) win 16220 
<mss 16220,sackOK,timestamp 807576862[|tcp]> (DF)
00:01:08.620962 nbdw.notes > nbdf.4180: S 41295562:41295562(0) ack 335511814 
win 8760 <mss 1460> (DF)
00:01:08.705951 nbdf.4180 > nbdw.notes: . ack 1 win 16220 (DF)
00:01:08.706342 nbdf.4180 > nbdw.notes: F 1:1(0) ack 1 win 16220 (DF)
00:01:08.706906 nbdw.notes > nbdf.4180: . ack 2 win 8760 (DF)

Which here shows some Notes-traffic on the VPN.

BTW I use FreeS/WAN (www.freeswan.org) for linux based IPSEC VPNs.

bye Josef
 BERGMANN engineering & consulting  http://bec.at/

       Reason, too late perhaps, may convince you of the folly of
       misspending time.
                                        - George Washington

Reply to: