Security Basics mailing list archives
RE: frequent vpn tunnel drops
From: new bie kapper <securekaps () yahoo com>
Date: Mon, 8 Mar 2004 22:29:28 -0800 (PST)
hi all,
Attached is the log of the concentrator. Sometimes it gives "received unencrypted packet when crypto active", other times it gives "duplicate first packet detected". The log observed for the WatchGuard is also attached.
Thanks

--- "Rosenhan, David" <David.Rosenhan () swiftbrands com> wrote:
I see this is a debug from an initial connection. I am assuming this debug is from the concentrator, and after the first part of it you see a "duplicate first packet detected" error. This error means the client is resending packets to the concentrator, but for some reason the ACK packets that the concentrator sends out are not being received by the client. This could be because UDP port 500 is being blocked from the concentrator to the internet, or ESP is being blocked.

I would suggest turning on transparent tunneling using UDP port 4500; this is called NAT-T in the concentrator. This can be done in the concentrator under this menu: Configuration | System | Tunneling Protocols | IPSec | NAT Transparency. If this is not an option then you have the option above NAT-T that will allow your client to establish a tunnel over any TCP port you configure in that same menu; the same port will need to be manually configured on the client. There is one other option in the group configuration that allows the client to connect over different UDP ports; this can be configured under this menu: Configuration | User Management | Groups, choose the group the user is connecting to, click the "client config" tab, and the third and fourth options are where you can configure this.

If this does not work then send the debugs from the client side and we can look at them.

Thanks!!

David Rosenhan, CCNP
Information Technology

-----Original Message-----
From: new bie kapper [mailto:securekaps () yahoo com]
Sent: Friday, February 27, 2004 7:21 AM
To: security-basics () securityfocus com
Subject: frequent vpn tunnel drops

hi all,
I am just stuck with this big problem and have no clue what's going on!! I am into security monitoring of a client and we have a VPN tunnel through our VPN Concentrator 3000 series to their WatchGuard Firebox. The tunnel stays up for anything from 1 minute to 2 days and then goes down!!
Everything worked fine until 3 weeks ago, but since then it's been frequent tunnel drops. I have logged the error messages I get on my VPN concentrator to see if anybody can help me with this. Could there be a routing policy issue at their end.. which I doubt since it was working before!! and since the tunnel comes up for variable times!! Could it be an IPsec fragmentation issue!!?? Just wondering!! Thanks.. below is the log

58518 02/27/2004 07:42:08.380 SEV=5 IKE/35 RPT=2455 65.68.11.49 Group [65.68.11.49] Received remote IP Proxy Subnet data in ID Payload: Address 10.40.1.0, Mask 255.255.255.0, Protocol 0, Port 0
58521 02/27/2004 07:42:08.380 SEV=5 IKE/34 RPT=2458 65.68.11.49 Group [65.68.11.49] Received local IP Proxy Subnet data in ID Payload: Address 172.16.2.0, Mask 255.255.255.0, Protocol 0, Port 0
58524 02/27/2004 07:42:08.380 SEV=5 IKE/66 RPT=7250 65.68.11.49 Group [65.68.11.49] IKE Remote Peer configured for SA: L2L: CommercialBank
58525 02/27/2004 07:42:08.380 SEV=5 IKE/75 RPT=6857 65.68.11.49 Group [65.68.11.49] Overriding Initiator's IPSec rekeying duration from 86400 to 28800 seconds
58527 02/27/2004 07:42:28.570 SEV=4 IKEDBG/0 RPT=3072 QM FSM error (P2 struct &0x330a17c, mess id 0xc0a6e099)!
58528 02/27/2004 07:42:28.570 SEV=4 IKEDBG/65 RPT=9942 65.68.11.49 Group [65.68.11.49] IKE QM Responder FSM error history (struct &0x330a17c) <state>, <event>: QM_DONE, EV_ERROR QM_WAIT_MSG3, EV_RESEND_MSG QM_WAIT_MSG3, NullEvent QM_SND_MSG2, EV_SND_MSG
58533 02/27/2004 07:42:38.380 SEV=4 AUTH/23 RPT=876 65.68.11.49 User 65.68.11.49 disconnected: duration: 0:56:18
58534 02/27/2004 07:42:38.600 SEV=4 IKE/41 RPT=8619 65.68.11.49 IKE Initiator: New Phase 1, Intf 2, IKE Peer 65.68.11.49 local Proxy Address 172.16.2.0, remote Proxy Address 10.40.1.0, SA (L2L: CommercialBank)
58537 02/27/2004 07:43:10.600 SEV=4 IKEDBG/65 RPT=9943 65.68.11.49 IKE MM Initiator FSM error history (struct &0x3a2a554) <state>, <event>: MM_DONE, EV_ERROR MM_WAIT_MSG2, EV_RETRY MM_WAIT_MSG2, EV_TIMEOUT MM_WAIT_MSG2, NullEvent
58541 02/27/2004 07:43:12.420 SEV=4 IKE/41 RPT=8620 65.68.11.49 IKE Initiator: New Phase 1, Intf 2, IKE Peer 65.68.11.49 local Proxy Address 172.16.2.0, remote Proxy Address 10.40.1.0, SA (L2L: CommercialBank)
58544 02/27/2004 07:43:43.540 SEV=4 IKE/0 RPT=8192 65.68.11.49 Duplicate first packet detected!
58545 02/27/2004 07:43:44.420 SEV=4 IKEDBG/65 RPT=9944 65.68.11.49 IKE MM Initiator FSM error history (struct &0x373ffc4) <state>, <event>: MM_DONE, EV_ERROR MM_WAIT_MSG2, EV_RETRY MM_WAIT_MSG2, EV_TIMEOUT MM_WAIT_MSG2, NullEvent
58549 02/27/2004 07:43:53.550 SEV=4 IKE/0 RPT=8193 65.68.11.49 Duplicate first packet detected!
58550 02/27/2004 07:44:03.560 SEV=4 IKE/0 RPT=8194 65.68.11.49 Duplicate first packet detected!
58551 02/27/2004 07:44:05.640 SEV=4 IKEDBG/65 RPT=9945 65.68.11.49 IKE MM Responder FSM error history (struct &0x37806c8) <state>, <event>: MM_DONE, EV_ERROR MM_WAIT_MSG3, EV_TIMEOUT MM_WAIT_MSG3, NullEvent MM_SND_MSG2, EV_SND_MSG
58555 02/27/2004 07:44:07.530 SEV=4 IKE/41 RPT=8621 65.68.11.49 IKE Initiator: New Phase 1, Intf 2, IKE Peer 65.68.11.49 local Proxy Address 172.16.2.0, remote Proxy Address 10.40.1.0, SA (L2L: CommercialBank)
58558 02/27/2004 07:44:23.580 SEV=4 IKE/0 RPT=8195 65.68.11.49 Duplicate first packet detected!
58559 02/27/2004 07:44:39.530 SEV=4 IKEDBG/65 RPT=9946 65.68.11.49 IKE MM Initiator FSM error history (struct &0x3932278)
=== message truncated ===
31599 03/09/2004 00:19:53.280 SEV=4 IKE/41 RPT=17020 IKE Initiator: Rekeying Phase 2, Intf 2, IKE Peer 65.68.11.49 local Proxy Address 172.16.2.0, remote Proxy Address 10.40.1.0, SA (L2L: CommercialBank)
31602 03/09/2004 00:19:53.350 SEV=4 IKE/0 RPT=9658 65.68.11.49 Group [65.68.11.49] received an unencrypted packet when crypto active!! Dropping packet.
31604 03/09/2004 00:20:01.870 SEV=4 IKE/0 RPT=9659 65.68.11.49 Group [65.68.11.49] received an unencrypted packet when crypto active!! Dropping packet.
31606 03/09/2004 00:20:09.340 SEV=4 IKE/0 RPT=9660 65.68.11.49 Group [65.68.11.49] received an unencrypted packet when crypto active!! Dropping packet.
31615 03/09/2004 00:20:17.340 SEV=4 IKE/0 RPT=9661 65.68.11.49 Group [65.68.11.49] received an unencrypted packet when crypto active!! Dropping packet.
31617 03/09/2004 00:20:25.280 SEV=4 IKEDBG/0 RPT=3217 QM FSM error (P2 struct &0x34dd044, mess id 0x210c59b7)!
31618 03/09/2004 00:20:25.280 SEV=4 IKEDBG/65 RPT=17216 65.68.11.49 Group [65.68.11.49] IKE QM Initiator FSM error history (struct &0x34dd044) <state>, <event>: QM_DONE, EV_ERROR QM_WAIT_MSG2, EV_TIMEOUT QM_WAIT_MSG2, NullEvent QM_SND_MSG1, EV_SND_MSG
31623 03/09/2004 00:20:25.280 SEV=4 AUTH/23 RPT=978 65.68.11.49 User 65.68.11.49 disconnected: duration: 20:24:32
31624 03/09/2004 00:20:26.270 SEV=4 IKE/41 RPT=17022 65.68.11.49 IKE Initiator: New Phase 1, Intf 2, IKE Peer 65.68.11.49 local Proxy Address 172.16.2.0, remote Proxy Address 10.40.1.0, SA (L2L: CommercialBank)
31627 03/09/2004 00:20:27.090 SEV=4 IKE/119 RPT=1848 65.68.11.49 Group [65.68.11.49] PHASE 1 COMPLETED
31628 03/09/2004 00:20:27.090 SEV=4 AUTH/22 RPT=1092 User 65.68.11.49 connected
31629 03/09/2004 00:20:27.170 SEV=4 IKE/49 RPT=14098 65.68.11.49 Group [65.68.11.49] Security negotiation complete for LAN-to-LAN Group (65.68.11.49) Initiator, Inbound SPI = 0x4d38a2a7, Outbound SPI = 0x1e04cf4f
31632 03/09/2004 00:20:27.170 SEV=4 IKE/120 RPT=14103 65.68.11.49 Group [65.68.11.49] PHASE 2 COMPLETED (msgid=5619a636)
252798 02/27/04 07:18:45 n deny in eth0 52 udp 20 49 192.168.1.254 192.168.1.255 520 520 (blocked site)
252828 02/27/04 07:19:02 n allow in ipsec0 92 icmp 20 127 172.16.2.32 10.40.1.96 8 0 (Any)
252858 02/27/04 07:19:15 n deny in eth0 52 udp 20 49 192.168.1.254 192.168.1.255 520 520 (blocked site)
252878 02/27/04 07:19:40 n allow out eth1 48 tcp 20 128 10.40.1.168 128.121.26.136 1210 80 syn (Proxied-HTTP)
252928 02/27/04 07:19:45 n deny in eth0 52 udp 20 49 192.168.1.254 192.168.1.255 520 520 (blocked site)
252938 02/27/04 07:19:49 n allow in eth0 48 tcp 20 47 65.54.247.156 65.68.11.49 1841 25 syn (SMTP)
252958 02/27/04 07:19:56 n allow in eth0 60 tcp 20 41 208.146.43.218 65.68.11.49 47673 4105 syn (WatchGuard)
252998 02/27/04 07:19:56 n allow out eth1 48 tcp 20 127 10.40.1.163 64.152.73.143 2263 80 syn (Proxied-HTTP)
253048 02/27/04 07:19:57 n allow in eth0 60 tcp 20 41 208.146.43.218 65.68.11.49 47674 4105 syn (WatchGuard)
253078 02/27/04 07:19:57 n allow in eth0 60 tcp 20 41 208.146.43.218 65.68.11.49 47675 4105 syn (WatchGuard)
253098 02/27/04 07:19:58 n allow in eth0 60 tcp 20 41 208.146.43.218 65.68.11.49 47676 4105 syn (WatchGuard)
253118 02/27/04 07:19:58 n allow in eth0 60 tcp 20 41 208.146.43.218 65.68.11.49 47677 4105 syn (WatchGuard)
253148 02/27/04 07:19:59 n deny in eth0 32 igmp 24 1 192.168.1.254 224.0.0.1 unknown ? (ip options)
253158 02/27/04 07:19:59 n allow in eth0 60 tcp 20 41 208.146.43.218 65.68.11.49 47678 4105 syn (WatchGuard)
253178 02/27/04 07:20:00 n allow in eth0 60 tcp 20 41 208.146.43.218 65.68.11.49 47679 4105 syn (WatchGuard)
253198 02/27/04 07:20:00 n allow in eth0 60 tcp 20 41 208.146.43.218 65.68.11.49 47680 4105 syn (WatchGuard)
253238 02/27/04 07:20:15 n deny in eth0 52 udp 20 49 192.168.1.254 192.168.1.255 520 520 (blocked site)
253278 02/27/04 07:20:32 n allow in eth0 48 tcp 20 110 129.237.35.130 65.68.11.49 44736 25 syn (SMTP)
253308 02/27/04 07:20:35 n allow out eth1 48 tcp 20 127 10.40.1.149 206.204.187.25 4389 80 syn (Proxied-HTTP)
253358 02/27/04 07:20:45 n deny in eth0 52 udp 20 49 192.168.1.254 192.168.1.255 520 520 (blocked site)
253368 02/27/04 07:20:55 n allow out eth1 66 icmp 20 128 10.40.1.119 143.166.83.231 8 0 (Ping)
253428 02/27/04 07:21:15 n deny in eth0 52 udp 20 49 192.168.1.254 192.168.1.255 520 520 (blocked site)
253458 02/27/04 07:21:33 n allow out eth1 48 tcp 20 128 10.40.1.104 208.189.18.244 1712 110 syn (Proxied-HTTP)
253488 02/27/04 07:21:45 n deny in eth0 52 udp 20 49 192.168.1.254 192.168.1.255 520 520 (blocked site)
253498 02/27/04 07:21:47 n allow in eth0 48 tcp 20 111 12.110.238.110 65.68.11.49 21939 25 syn (SMTP)
253538 02/27/04 07:21:58 n deny in eth0 44 tcp 20 112 67.233.141.122 65.68.11.49 4843 135 syn (default)
253558 02/27/04 07:22:00 n deny in eth0 32 igmp 24 1 192.168.1.254 224.0.0.1 unknown ? (ip options)
253578 02/27/04 07:22:01 n deny in eth0 44 tcp 20 112 67.233.141.122 65.68.11.49 4843 135 syn (default)
253598 02/27/04 07:22:07 n deny in eth0 44 tcp 20 112 67.233.141.122 65.68.11.49 4843 135 syn (default)
253628 02/27/04 07:22:15 n deny in eth0 52 udp 20 49 192.168.1.254 192.168.1.255 520 520 (blocked site)
253648 02/27/04 07:22:19 n deny in eth0 44 tcp 20 112 67.233.141.122 65.68.11.49 4843 135 syn (default)
253698 02/27/04 07:22:45 n deny in eth0 52 udp 20 49 192.168.1.254 192.168.1.255 520 520 (blocked site)
253728 02/27/04 07:23:15 n deny in eth0 52 udp 20 49 192.168.1.254 192.168.1.255 520 520 (blocked site)
253758 02/27/04 07:23:42 n allow in ipsec0 92 icmp 20 127 172.16.2.32 10.40.1.95 8 0 (Any)
253788 02/27/04 07:23:45 n deny in eth0 52 udp 20 49 192.168.1.254 192.168.1.255 520 520 (blocked site)
253838 02/27/04 07:24:01 n deny in eth0 32 igmp 24 1 192.168.1.254 224.0.0.1 unknown ? (ip options)
253848 02/27/04 07:24:02 n allow in eth0 48 tcp 20 46 64.14.205.126 65.68.11.49 47320 25 syn (SMTP)
253878 02/27/04 07:24:03 n allow in ipsec0 92 icmp 20 127 172.16.2.32 10.40.1.96 8 0 (Any)
253898 02/27/04 07:24:05 n allow in eth0 44 tcp 20 42 12.145.180.24 65.68.11.49 51623 25 syn (SMTP)
253928 02/27/04 07:24:07 n allow out eth1 48 tcp 20 127 10.40.1.168 128.121.26.135 1214 80 syn (Proxied-HTTP)
253978 02/27/04 07:24:15 n deny in eth0 52 udp 20 49 192.168.1.254 192.168.1.255 520 520 (blocked site)
253998 02/27/04 07:24:16 n deny in eth0 48 tcp 20 109 172.152.115.20 65.68.11.49 1085 3127 syn (default)
254048 02/27/04 07:24:37 n deny in eth0 838 udp 20 114 216.140.179.104 65.68.11.49 23200 1026 (default)
254068 02/27/04 07:24:38 n deny in eth0 838 udp 20 114 215.234.254.81 65.68.11.49 14211 1027 (default)
254088 02/27/04 07:24:40 n allow out eth1 48 tcp 20 127 10.40.1.168 206.204.187.25 1216 80 syn (Proxied-HTTP)
254138 02/27/04 07:24:45 n deny in eth0 52 udp 20 49 192.168.1.254 192.168.1.255 520 520 (blocked site)
254148 02/27/04 07:24:56 n allow in eth0 68 tcp 20 46 66.218.79.62 65.68.11.49 37488 25 syn (SMTP)
254178 02/27/04 07:25:11 n allow in eth0 60 tcp 20 41 208.146.43.218 65.68.11.49 47783 4105 syn (WatchGuard)
254198 02/27/04 07:25:12 n allow in eth0 60 tcp 20 41 208.146.43.218 65.68.11.49 47784 4105 syn (WatchGuard)
254218 02/27/04 07:25:13 n allow in eth0 60 tcp 20 41 208.146.43.218 65.68.11.49 47785 4105 syn (WatchGuard)
254238 02/27/04 07:25:13 n allow in eth0 60 tcp 20 41 208.146.43.218 65.68.11.49 47786 4105 syn (WatchGuard)
254258 02/27/04 07:25:14 n allow in eth0 60 tcp 20 41 208.146.43.218 65.68.11.49 47787 4105 syn (WatchGuard)
254278 02/27/04 07:25:14 n allow in eth0 60 tcp 20 41 208.146.43.218 65.68.11.49 47788 4105 syn (WatchGuard)
254308 02/27/04 07:25:14 n allow in eth0 60 tcp 20 41 208.146.43.218 65.68.11.49 47789 4105 syn (WatchGuard)
254328 02/27/04 07:25:15 n allow in eth0 60 tcp 20 41 208.146.43.218 65.68.11.49 47790 4105 syn (WatchGuard)
254358 02/27/04 07:25:15 n deny in eth0 52 udp 20 49 192.168.1.254 192.168.1.255 520 520 (blocked site)
254408 02/27/04 07:25:35 n allow out eth1 48 tcp 20 128 10.40.1.149 206.204.187.25 4390 80 syn (Proxied-HTTP)
254458 02/27/04 07:25:45 n deny in eth0 52 udp 20 49 192.168.1.254 192.168.1.255 520 520 (blocked site)
254468 02/27/04 07:25:49 n allow in eth0 48 tcp 20 44 207.19.80.9 65.68.11.49 4690 25 syn (SMTP)
254498 02/27/04 07:25:55 n allow out eth1 66 icmp 20 128 10.40.1.119 143.166.83.231 8 0 (Ping)
254518 02/27/04 07:26:02 n deny in eth0 32 igmp 24 1 192.168.1.254 224.0.0.1 unknown ? (ip options)
254548 02/27/04 07:26:15 n deny in eth0 52 udp 20 49 192.168.1.254 192.168.1.255 520 520 (blocked site)
254598 02/27/04 07:26:45 n deny in eth0 52 udp 20 49 192.168.1.254 192.168.1.255 520 520 (blocked site)
254628 02/27/04 07:27:15 n allow out eth1 48 tcp 20 128 10.40.1.149 206.204.187.25 4391 80 syn (Proxied-HTTP)
254678 02/27/04 07:27:15 n deny in eth0 52 udp 20 49 192.168.1.254 192.168.1.255 520 520 (blocked site)
254738 02/27/04 07:27:46 n deny in eth0 52 udp 20 49 192.168.1.254 192.168.1.255 520 520 (blocked site)
254768 02/27/04 07:28:03 n deny in eth0 32 igmp 24 1 192.168.1.254 224.0.0.1 unknown ? (ip options)
254788 02/27/04 07:28:15 n deny in eth0 52 udp 20 49 192.168.1.254 192.168.1.255 520 520 (blocked site)
254798 02/27/04 07:28:28 y kernel Channel 3 looks dead
254808 02/27/04 07:28:28 y kernel ipsec: Output SA changing state DYING or DEAD
254818 02/27/04 07:28:28 y iked[129] Acquiring key for channel/policy 3/0
254828 02/27/04 07:28:28 y iked[129] TO 12.40.44.251 QM-HDR* -C0A6E099 ISA_HASH ISA_SA ISA_NONCE ISA_ID ISA_ID
254868 02/27/04 07:28:38 y iked[129] RE-TO 12.40.44.251 QM-HDR* -C0A6E099 ISA_HASH
254888 02/27/04 07:28:45 n deny in eth0 52 udp 20 49 192.168.1.254 192.168.1.255 520 520 (blocked site)
254898 02/27/04 07:28:48 y iked[129] RE-TO 12.40.44.251 QM-HDR* -C0A6E099 ISA_HASH
254908 02/27/04 07:28:58 y kernel Channel 3 looks dead
254918 02/27/04 07:28:58 y kernel ipsec: Output SA changing state DYING or DEAD
254928 02/27/04 07:28:58 y kernel ipsec0: packet (d749) failed with SA expired, SPI=330157796, src=65.68.11.49, dest=12.40.44.251, sa.saddr=65.68.11.49, sa.daddr=12.40.44.251
254938 02/27/04 07:28:58 y kernel ipsec: Output SA id now DEAD
254948 02/27/04 07:28:58 y iked[129] ipsec_nl_catcher: Key negotiation already in progress for channel 3
254958 02/27/04 07:28:59 y iked[129] RE-TO 12.40.44.251 QM-HDR* -C0A6E099 ISA_HASH
254978 02/27/04 07:29:09 y iked[129] RE-TO 12.40.44.251 QM-HDR* -C0A6E099 ISA_HASH
254998 02/27/04 07:29:15 n deny in eth0 52 udp 20 49 192.168.1.254 192.168.1.255 520 520 (blocked site)
255008 02/27/04 07:29:19 y iked[129] RE-TO 12.40.44.251 QM-HDR* -C0A6E099 ISA_HASH
255058 02/27/04 07:29:45 n deny in eth0 52 udp 20 49 192.168.1.254 192.168.1.255 520 520 (blocked site)
255068 02/27/04 07:29:48 y iked[129] Deleting SA: peer 12.40.44.251
255078 02/27/04 07:29:48 y iked[129] my_cookie B62FE794BFE101CB
255088 02/27/04 07:29:48 y iked[129] peer_cookie 7692B3890C5D9443
255098 02/27/04 07:29:53 y kernel ipsec: Acquiring keys for channel 3
255108 02/27/04 07:29:53 y iked[129] Acquiring key for channel/policy 3/0
255118 02/27/04 07:29:53 y iked[129] TO 12.40.44.251 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
255128 02/27/04 07:30:03 y iked[129] RE-TO 12.40.44.251 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
255148 02/27/04 07:30:04 n deny in eth0 32 igmp 24 1 192.168.1.254 224.0.0.1 unknown ? (ip options)
255158 02/27/04 07:30:13 y iked[129] RE-TO 12.40.44.251 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
255178 02/27/04 07:30:15 n deny in eth0 52 udp 20 49 192.168.1.254 192.168.1.255 520 520 (blocked site)
255188 02/27/04 07:30:23 y iked[129] RE-TO 12.40.44.251 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
255228 02/27/04 07:30:33 y iked[129] RE-TO 12.40.44.251 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
255248 02/27/04 07:30:35 n allow out eth1 48 tcp 20 128 10.40.1.149 206.204.187.25 4392 80 syn (Proxied-HTTP)
255268 02/27/04 07:30:43 y iked[129] RE-TO 12.40.44.251 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
255288 02/27/04 07:30:45 n deny in eth0 52 udp 20 49 192.168.1.254 192.168.1.255 520 520 (blocked site)
255328 02/27/04 07:31:15 n deny in eth0 52 udp 20 49 192.168.1.254 192.168.1.255 520 520 (blocked site)
255338 02/27/04 07:31:18 y iked[129] Deleting SA: peer 12.40.44.251
255348 02/27/04 07:31:18 y iked[129] my_cookie 24211F3EDCC1F88C
255358 02/27/04 07:31:18 y iked[129] peer_cookie 0000000000000000
255368 02/27/04 07:31:18 y kernel ipsec: Acquiring keys for channel 3
255378 02/27/04 07:31:18 y iked[129] Acquiring key for channel/policy 3/0
255388 02/27/04 07:31:18 y iked[129] TO 12.40.44.251 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
255408 02/27/04 07:31:28 y iked[129] RE-TO 12.40.44.251 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
255448 02/27/04 07:31:38 y iked[129] RE-TO 12.40.44.251 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
255478 02/27/04 07:31:45 n deny in eth0 52 udp 20 49 192.168.1.254 192.168.1.255 520 520 (blocked site)
255488 02/27/04 07:31:48 y iked[129] RE-TO 12.40.44.251 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
255508 02/27/04 07:31:57 n allow out eth1 48 tcp 20 127 10.40.1.104 208.189.18.244 1713 110 syn (Proxied-HTTP)
255518 02/27/04 07:31:59 y iked[129] RE-TO 12.40.44.251 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
255538 02/27/04 07:32:05 n deny in eth0 32 igmp 24 1 192.168.1.254 224.0.0.1 unknown ? (ip options)
255548 02/27/04 07:32:09 y iked[129] RE-TO 12.40.44.251 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
255578 02/27/04 07:32:15 n deny in eth0 52 udp 20 49 192.168.1.254 192.168.1.255 520 520 (blocked site)
255588 02/27/04 07:32:19 y iked[129] Deleting SA: peer 12.40.44.251
255598 02/27/04 07:32:19 y iked[129] my_cookie 62DB33034582B7CC
255608 02/27/04 07:32:19 y iked[129] peer_cookie 0000000000000000
255618 02/27/04 07:32:23 y kernel ipsec: Acquiring keys for channel 3
255628 02/27/04 07:32:23 y iked[129] Acquiring key for channel/policy 3/0
255638 02/27/04 07:32:23 y iked[129] TO 12.40.44.251 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
255658 02/27/04 07:32:33 y iked[129] RE-TO 12.40.44.251 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
255678 02/27/04 07:32:43 y iked[129] RE-TO 12.40.44.251 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
255708 02/27/04 07:32:45 n deny in eth0 52 udp 20 49 192.168.1.254 192.168.1.255 520 520 (blocked site)
255718 02/27/04 07:32:55 y iked[129] RE-TO 12.40.44.251 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
255768 02/27/04 07:33:05 y iked[129] RE-TO 12.40.44.251 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
255788 02/27/04 07:33:15 n deny in eth0 52 udp 20 49 192.168.1.254 192.168.1.255 520 520 (blocked site)
255798 02/27/04 07:33:15 y iked[129] RE-TO 12.40.44.251 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
255828 02/27/04 07:33:45 n deny in eth0 52 udp 20 49 192.168.1.254 192.168.1.255 520 520 (blocked site)
255838 02/27/04 07:33:51 y iked[129] Deleting SA: peer 12.40.44.251
255848 02/27/04 07:33:51 y iked[129] my_cookie C96E83BE750514CA
255858 02/27/04 07:33:51 y iked[129] peer_cookie 0000000000000000
255868 02/27/04 07:33:51 y http-proxy[31149] [10.40.1.149:4392 206.204.187.25:80/WxAlertIsapi/WxAlertIsapi.cgi?GetAlert30&Magic=1&ZipCode=67357&StationID=PARNS&Units=0&RegNum=21836554&Version=3.0&t=
255888 02/27/04 07:33:53 y kernel ipsec: Acquiring keys for channel 3
255898 02/27/04 07:33:53 y iked[129] Acquiring key for channel/policy 3/0
255908 02/27/04 07:33:53 y iked[129] TO 12.40.44.251 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
255948 02/27/04 07:34:03 y iked[129] RE-TO 12.40.44.251 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
255968 02/27/04 07:34:06 n deny in eth0 32 igmp 24 1 192.168.1.254 224.0.0.1 unknown ? (ip options)
255988 02/27/04 07:34:13 y iked[129] RE-TO 12.40.44.251 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
256008 02/27/04 07:34:15 n deny in eth0 52 udp 20 49 192.168.1.254 192.168.1.255 520 520 (blocked site)
256018 02/27/04 07:34:23 y iked[129] RE-TO 12.40.44.251 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
256038 02/27/04 07:34:33 y iked[129] RE-TO 12.40.44.251 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
256048 02/27/04 07:34:43 y iked[129] RE-TO 12.40.44.251 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
256068 02/27/04 07:34:45 n deny in eth0 52 udp 20 49 192.168.1.254 192.168.1.255 520 520 (blocked site)
256078 02/27/04 07:34:53 y iked[129] Deleting SA: peer 12.40.44.251
256088 02/27/04 07:34:53 y iked[129] my_cookie D5EAC32C6935BFB7
256098 02/27/04 07:34:53 y iked[129] peer_cookie 0000000000000000
256108 02/27/04 07:34:53 y kernel ipsec: Acquiring keys for channel 3
256118 02/27/04 07:34:53 y iked[129] Acquiring key for channel/policy 3/0
256128 02/27/04 07:34:53 y iked[129] TO 12.40.44.251 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
256138 02/27/04 07:35:03 y iked[129] RE-TO 12.40.44.251 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
256158 02/27/04 07:35:06 n allow out eth1 48 tcp 20 127 10.40.1.149 206.204.187.25 4393 80 syn (Proxied-HTTP)
256178 02/27/04 07:35:13 y iked[129] RE-TO 12.40.44.251 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
256198 02/27/04 07:35:15 n deny in eth0 52 udp 20 49 192.168.1.254 192.168.1.255 520 520 (blocked site)
256208 02/27/04 07:35:23 y iked[129] RE-TO 12.40.44.251 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
256228 02/27/04 07:35:34 y iked[129] RE-TO 12.40.44.251 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
256248 02/27/04 07:35:35 n allow out eth1 48 tcp 20 128 10.40.1.149 206.204.187.25 4394 80 syn (Proxied-HTTP)
256268 02/27/04 07:35:44 y iked[129] RE-TO 12.40.44.251 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
256288 02/27/04 07:35:45 n deny in eth0 52 udp 20 49 192.168.1.254 192.168.1.255 520 520 (blocked site)
256308 02/27/04 07:35:54 y iked[129] Deleting SA: peer 12.40.44.251
256318 02/27/04 07:35:54 y iked[129] my_cookie 2E49CAC51376EE30
256328 02/27/04 07:35:54 y iked[129] peer_cookie 0000000000000000
256338 02/27/04 07:35:58 y kernel ipsec: Acquiring keys for channel 3
256348 02/27/04 07:35:58 y iked[129] Acquiring key for channel/policy 3/0
256358 02/27/04 07:35:58 y iked[129] TO 12.40.44.251 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
256388 02/27/04 07:36:07 n deny in eth0 32 igmp 24 1 192.168.1.254 224.0.0.1 unknown ? (ip options)
256398 02/27/04 07:36:08 y iked[129] RE-TO 12.40.44.251 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
256418 02/27/04 07:36:15 n deny in eth0 52 udp 20 49 192.168.1.254 192.168.1.255 520 520 (blocked site)
256428 02/27/04 07:36:18 y iked[129] RE-TO 12.40.44.251 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
256458 02/27/04 07:36:30 y iked[129] RE-TO 12.40.44.251 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
256508 02/27/04 07:36:40 y iked[129] RE-TO 12.40.44.251 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
256528 02/27/04 07:36:45 n deny in eth0 52 udp 20 49 192.168.1.254 192.168.1.255 520 520 (blocked site)
256538 02/27/04 07:36:50 y iked[129] RE-TO 12.40.44.251 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
256578 02/27/04 07:37:15 n deny in eth0 52 udp 20 49 192.168.1.254 192.168.1.255 520 520 (blocked site)
256588 02/27/04 07:37:26 y iked[129] Deleting SA: peer 12.40.44.251
256598 02/27/04 07:37:26 y iked[129] my_cookie 85A0FCF0DC32392B
256608 02/27/04 07:37:26 y iked[129] peer_cookie 0000000000000000
256618 02/27/04 07:37:29 y kernel ipsec: Acquiring keys for channel 3
256628 02/27/04 07:37:29 y iked[129] Acquiring key for channel/policy 3/0
256638 02/27/04 07:37:29 y iked[129] TO 12.40.44.251 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
256668 02/27/04 07:37:39 y iked[129] RE-TO 12.40.44.251 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
256688 02/27/04 07:37:45 n deny in eth0 52 udp 20 49 192.168.1.254 192.168.1.255 520 520 (blocked site)
256698 02/27/04 07:37:49 y iked[129] RE-TO 12.40.44.251 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
256708 02/27/04 07:37:58 y iked[129] RE-TO 12.40.44.251 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
256758 02/27/04 07:38:09 n deny in eth0 32 igmp 24 1 192.168.1.254 224.0.0.1 unknown ? (ip options)
256768 02/27/04 07:38:09 y iked[129] RE-TO 12.40.44.251 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
256778 02/27/04 07:38:09 y iked[129] FROM 12.40.44.251 MM-HDR ISA_SA ISA_VENDORID
256788 02/27/04 07:38:09 y iked[129] TO 12.40.44.251 MM-HDR ISA_KE ISA_NONCE
256798 02/27/04 07:38:09 y iked[129] FROM 12.40.44.251 MM-HDR ISA_KE ISA_NONCE ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
256808 02/27/04 07:38:09 y iked[129] Rejecting peer XAUTH request: not configured
256818 02/27/04 07:38:09 y iked[129] TO 12.40.44.251 MM-HDR* ISA_ID ISA_HASH
256828 02/27/04 07:38:09 y iked[129] FROM 12.40.44.251 MM-HDR* ISA_ID ISA_HASH ISA_VENDORID
256838 02/27/04 07:38:09 y iked[129] TO 12.40.44.251 QM-HDR* -EBEC07EA ISA_HASH ISA_SA ISA_NONCE ISA_ID ISA_ID
256848 02/27/04 07:38:09 y iked[129] FROM 12.40.44.251 QM-HDR* -EBEC07EA ISA_HASH ISA_SA ISA_NONCE ISA_ID ISA_ID ISA_NOTIFY
256858 02/27/04 07:38:09 y iked[129] Received RESPONDER_LIFETIME message, mess_id=0xEA07ECEB
256868 02/27/04 07:38:09 y iked[129] Load outbound ESP SA, Algs=ESP_3DES/AUTH_ALG_HMAC_MD5 Life=86400sec/8192KB SPI=1BD2F19A
256878 02/27/04 07:38:09 y iked[129] Load inbound ESP SA, Algs=ESP_3DES/AUTH_ALG_HMAC_MD5 Life=86400sec/8192KB SPI=2104190F
256888 02/27/04 07:38:09 y iked[129] Tunnel created for 10.40.1.0/24 <-> 172.16.2.0/24
256898 02/27/04 07:38:10 y kernel ipsec: make bundle for channel 3, 1 in SA's, 1 out SA's
256908 02/27/04 07:38:10 y kernel ipsec: Removing old input bundle
256918 02/27/04 07:38:10 y iked[129] TO 12.40.44.251 QM-HDR* -EBEC07EA ISA_HASH
256928 02/27/04 07:38:11 y iked[129] FROM 12.40.44.251 MM-HDR ISA_SA ISA_VENDORID
256938 02/27/04 07:38:11 y iked[129] TO 12.40.44.251 MM-HDR ISA_SA
256948 02/27/04 07:38:11 y iked[129] FROM 12.40.44.251 MM-HDR ISA_KE ISA_NONCE ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
256958 02/27/04 07:38:11 y iked[129] Rejecting peer XAUTH request: not configured
256968 02/27/04 07:38:11 y iked[129] TO 12.40.44.251 MM-HDR ISA_KE ISA_NONCE
256978 02/27/04 07:38:11 y iked[129] CRYPTO ACTIVE after delay
256988 02/27/04 07:38:11 y iked[129] FROM 12.40.44.251 MM-HDR* ISA_ID ISA_HASH ISA_VENDORID
256998 02/27/04 07:38:11 y iked[129] TO 12.40.44.251 MM-HDR* ISA_ID ISA_HASH
257008 02/27/04 07:38:12 y iked[129] FROM 12.40.44.251 QM-HDR* -EAF3DA95 ISA_HASH ISA_SA ISA_NONCE ISA_ID ISA_ID ISA_NOTIFY
257018 02/27/04 07:38:12 y iked[129] Deleting old phase 1 SA for 12.40.44.251
257028 02/27/04 07:38:12 y iked[129] Deleting SA: peer 12.40.44.251
257038 02/27/04 07:38:12 y iked[129] my_cookie C3C9CDA97D32D325
257048 02/27/04 07:38:12 y iked[129] peer_cookie 3AC869CE42DBB629
257058 02/27/04 07:38:12 y iked[129] Received INITIAL_CONTACT message, mess_id=0x95DAF3EA
257068 02/27/04 07:38:12 y iked[129] TO 12.40.44.251 QM-HDR* -EAF3DA95 ISA_HASH ISA_SA ISA_NONCE ISA_ID ISA_ID
257078 02/27/04 07:38:12 y iked[129] FROM 12.40.44.251 QM-HDR* -EAF3DA95 ISA_HASH
257088 02/27/04 07:38:12 y iked[129] Load outbound ESP SA, Algs=ESP_3DES/AUTH_ALG_HMAC_MD5 Life=28800sec/0KB SPI=7408CA55
257098 02/27/04 07:38:12 y iked[129] Load inbound ESP SA, Algs=ESP_3DES/AUTH_ALG_HMAC_MD5 Life=28800sec/0KB SPI=22041737
257108 02/27/04 07:38:12 y iked[129] Tunnel created for 10.40.1.0/24 <-> 172.16.2.0/24
257118 02/27/04 07:38:12 y kernel ipsec: make bundle for channel 3, 1 in SA's, 1 out SA's
257128 02/27/04 07:38:12 y kernel ipsec: Removing old input bundle
257148 02/27/04 07:38:15 n deny in eth0 52 udp 20 49 192.168.1.254 192.168.1.255 520 520 (blocked site)
257158 02/27/04 07:38:23 y http-proxy[31149] [10.40.1.149:4393 206.204.187.25:80/forecastISAPI/ForecastISAPI.cgi?Magic=10992&RegNum=21836554&ZipCode=67357&StationID=PARNS&Version=3.0&Units=0&t=10778
257208 02/27/04 07:38:45 n deny in eth0 52 udp 20 49 192.168.1.254 192.168.1.255 520 520 (blocked site)
257218 02/27/04 07:38:51 y http-proxy[31149] [10.40.1.149:4394 206.204.187.25:80/WxAlertIsapi/WxAlertIsapi.cgi?GetAlert30&Magic=1&ZipCode=67357&StationID=PARNS&Units=0&RegNum=21836554&Version=3.0&t=
257258 02/27/04 07:38:54 n allow in ipsec0 92 icmp 20 127 172.16.2.32 10.40.1.95 8 0 (Any)
257288 02/27/04 07:38:54 n allow in ipsec0 44 tcp 20 127 172.16.2.32 10.40.1.95 2463 135 syn (Any)
257318 02/27/04 07:38:54 n allow in ipsec0 78 udp 20 127 172.16.2.32 10.40.1.96 137 137 (Any)
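The three checks a defender would run over the two logs posted above, as an added example (this is not code from the thread or from either vendor): which IKE message the concentrator was still waiting for when each FSM error fired, which exchanges the Firebox's iked retransmitted without ever getting a FROM reply, and the lifetimes of the ESP SAs it loaded. The sample lines are excerpted from the logs in this message; the function and constant names are my own.

```python
import re
from collections import defaultdict

# Lines excerpted from the two logs in this thread (concentrator first, WatchGuard second).
CONCENTRATOR_LINES = [
    "58527 02/27/2004 07:42:28.570 SEV=4 IKEDBG/0 RPT=3072 QM FSM error (P2 struct &0x330a17c, mess id 0xc0a6e099)!",
    "58528 02/27/2004 07:42:28.570 SEV=4 IKEDBG/65 RPT=9942 65.68.11.49 Group [65.68.11.49] IKE QM Responder FSM error history (struct &0x330a17c) <state>, <event>: QM_DONE, EV_ERROR QM_WAIT_MSG3, EV_RESEND_MSG QM_WAIT_MSG3, NullEvent QM_SND_MSG2, EV_SND_MSG",
    "58537 02/27/2004 07:43:10.600 SEV=4 IKEDBG/65 RPT=9943 65.68.11.49 IKE MM Initiator FSM error history (struct &0x3a2a554) <state>, <event>: MM_DONE, EV_ERROR MM_WAIT_MSG2, EV_RETRY MM_WAIT_MSG2, EV_TIMEOUT MM_WAIT_MSG2, NullEvent",
    "58544 02/27/2004 07:43:43.540 SEV=4 IKE/0 RPT=8192 65.68.11.49 Duplicate first packet detected!",
    "58549 02/27/2004 07:43:53.550 SEV=4 IKE/0 RPT=8193 65.68.11.49 Duplicate first packet detected!",
    "31602 03/09/2004 00:19:53.350 SEV=4 IKE/0 RPT=9658 65.68.11.49 Group [65.68.11.49] received an unencrypted packet when crypto active!! Dropping packet.",
]
WATCHGUARD_LINES = [
    "254828 02/27/04 07:28:28 y iked[129] TO 12.40.44.251 QM-HDR* -C0A6E099 ISA_HASH ISA_SA ISA_NONCE ISA_ID ISA_ID",
    "254868 02/27/04 07:28:38 y iked[129] RE-TO 12.40.44.251 QM-HDR* -C0A6E099 ISA_HASH",
    "254898 02/27/04 07:28:48 y iked[129] RE-TO 12.40.44.251 QM-HDR* -C0A6E099 ISA_HASH",
    "255118 02/27/04 07:29:53 y iked[129] TO 12.40.44.251 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID",
    "255128 02/27/04 07:30:03 y iked[129] RE-TO 12.40.44.251 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID",
    "255158 02/27/04 07:30:13 y iked[129] RE-TO 12.40.44.251 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID",
    "256638 02/27/04 07:37:29 y iked[129] TO 12.40.44.251 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID",
    "256768 02/27/04 07:38:09 y iked[129] RE-TO 12.40.44.251 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID",
    "256778 02/27/04 07:38:09 y iked[129] FROM 12.40.44.251 MM-HDR ISA_SA ISA_VENDORID",
    "256868 02/27/04 07:38:09 y iked[129] Load outbound ESP SA, Algs=ESP_3DES/AUTH_ALG_HMAC_MD5 Life=86400sec/8192KB SPI=1BD2F19A",
    "257088 02/27/04 07:38:12 y iked[129] Load outbound ESP SA, Algs=ESP_3DES/AUTH_ALG_HMAC_MD5 Life=28800sec/0KB SPI=7408CA55",
]

# The concentrator prints its FSM history newest-first, so the state directly after
# EV_ERROR is the one it was sitting in, i.e. the peer message it never received.
FSM_RE = re.compile(r"IKE (?P<exch>MM|QM) (?P<role>Initiator|Responder) FSM error history"
                    r".*?EV_ERROR (?P<state>[A-Z]+_WAIT_MSG\d)")
PEER_RE = re.compile(r"RPT=\d+ (\d+\.\d+\.\d+\.\d+)")


def summarize_concentrator(lines):
    """Per peer: how often each symptom fired and in which IKE state the FSM gave up."""
    peers = defaultdict(lambda: {"duplicate_first": 0, "unencrypted_drop": 0, "stuck_in": []})
    for line in lines:
        m = PEER_RE.search(line)
        if not m:
            continue  # the bare "QM FSM error (P2 struct ...)" line names no peer
        rec = peers[m.group(1)]
        if "Duplicate first packet detected" in line:
            rec["duplicate_first"] += 1
        elif "unencrypted packet when crypto active" in line:
            rec["unencrypted_drop"] += 1
        else:
            f = FSM_RE.search(line)
            if f:
                rec["stuck_in"].append((f["exch"], f["role"], f["state"]))
    return dict(peers)


# WatchGuard iked: TO starts a message, RE-TO retransmits it, FROM is the peer's reply.
# Quick Mode carries a message id after the header; Main Mode does not.
IKED_RE = re.compile(r"iked\[\d+\] (?P<dir>TO|RE-TO|FROM) (?P<peer>\S+) "
                     r"(?P<hdr>[MQ]M-HDR\*?)(?: -(?P<msgid>[0-9A-F]+))?")


def unanswered_exchanges(lines, min_retries=2):
    """List the exchanges the Firebox kept retransmitting without ever seeing a FROM."""
    exchanges, current = [], {}
    for line in lines:
        m = IKED_RE.search(line)
        if not m:
            continue
        key = (m["peer"], m["hdr"].rstrip("*"))
        if m["dir"] == "TO":
            current[key] = {"peer": m["peer"], "exchange": key[1], "msgid": m["msgid"],
                            "started": line.split()[2], "retries": 0, "answered": False}
            exchanges.append(current[key])
        elif key in current and m["dir"] == "RE-TO":
            current[key]["retries"] += 1
        elif key in current:
            current[key]["answered"] = True
    return [e for e in exchanges if e["retries"] >= min_retries and not e["answered"]]


LIFE_RE = re.compile(r"Load (?:inbound|outbound) ESP SA, .*Life=(\d+)sec/(\d+)KB SPI=([0-9A-F]+)")


def sa_lifetimes(lines):
    """(spi, seconds, kilobytes) for every ESP SA the Firebox loaded, to spot lifetime mismatches."""
    return [(m.group(3), int(m.group(1)), int(m.group(2))) for m in map(LIFE_RE.search, lines) if m]


if __name__ == "__main__":
    for peer, rec in summarize_concentrator(CONCENTRATOR_LINES).items():
        print(peer, rec)
    for e in unanswered_exchanges(WATCHGUARD_LINES):
        print("no reply to", e["exchange"], e["msgid"] or "", "started", e["started"], "retries", e["retries"])
    for spi, sec, kb in sa_lifetimes(WATCHGUARD_LINES):
        print("SA", spi, "lifetime", sec, "sec /", kb, "KB")
```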