Security Basics mailing list archives
RE: frequent vpn tunnel drops
From: new bie kapper <securekaps () yahoo com>
Date: Mon, 8 Mar 2004 22:29:28 -0800 (PST)
hi all, Attached is the log of the concentrator; sometimes it gives "received unencrypted packet when crypto active", other times it gives "duplicate first packet detected". The log observed for the WatchGuard is also attached. Thanks

--- "Rosenhan, David" <David.Rosenhan () swiftbrands com> wrote:
I see this is a debug from an initial connection. I am assuming this debug is from the concentrator, and after the first part of it you see a "duplicate first packet detected" error. This error means the client is resending packets to the concentrator, but for some reason the ACK packets that the concentrator sends out are not being received by the client. This could be because UDP port 500 is being blocked from the concentrator to the internet, or ESP is being blocked.

I would suggest turning on transparent tunneling using UDP port 4500; this is called NAT-T in the concentrator. This can be done in the concentrator under this menu: Configuration | System | Tunneling Protocols | IPSec | NAT Transparency. If this is not an option then you have the option above NAT-T that will allow your client to establish a tunnel over any TCP port you configure in that same menu; the same port will need to be manually configured on the client. There is one other option in the group configuration that allows the client to connect over different UDP ports; this can be configured under this menu: Configuration | User Management | Groups. Choose the group the user is connecting to, click the "client config" tab, and the third and fourth options are where you can configure this.

If this does not work then send the debugs from the client side and we can look at them.

Thanks!!
David Rosenhan, CCNP
Information Technology

-----Original Message-----
From: new bie kapper [mailto:securekaps () yahoo com]
Sent: Friday, February 27, 2004 7:21 AM
To: security-basics () securityfocus com
Subject: frequent vpn tunnel drops

hi all, I am just stuck with this big problem and have no clue what's going on!! I am into security monitoring of a client and we have a VPN tunnel through our VPN Concentrator 3000 series to their WatchGuard Firebox. The tunnel stays up for anything from 1 minute to 2 days and then goes down!!
Everything worked fine until 3 weeks ago, but since then it's been frequent tunnel drops. I have logged the error messages I get on my VPN concentrator to see if anybody can help me with this. Could there be a routing policy issue at their end? Which I doubt, since it was working before!! And since the tunnel comes up for variable times, could it be an IPsec fragmentation issue!!?? Just wondering!! Thanks. Below is the log:

58518 02/27/2004 07:42:08.380 SEV=5 IKE/35 RPT=2455 65.68.11.49 Group [65.68.11.49] Received remote IP Proxy Subnet data in ID Payload: Address 10.40.1.0, Mask 255.255.255.0, Protocol 0, Port 0
58521 02/27/2004 07:42:08.380 SEV=5 IKE/34 RPT=2458 65.68.11.49 Group [65.68.11.49] Received local IP Proxy Subnet data in ID Payload: Address 172.16.2.0, Mask 255.255.255.0, Protocol 0, Port 0
58524 02/27/2004 07:42:08.380 SEV=5 IKE/66 RPT=7250 65.68.11.49 Group [65.68.11.49] IKE Remote Peer configured for SA: L2L: CommercialBank
58525 02/27/2004 07:42:08.380 SEV=5 IKE/75 RPT=6857 65.68.11.49 Group [65.68.11.49] Overriding Initiator's IPSec rekeying duration from 86400 to 28800 seconds
58527 02/27/2004 07:42:28.570 SEV=4 IKEDBG/0 RPT=3072 QM FSM error (P2 struct &0x330a17c, mess id 0xc0a6e099)!
58528 02/27/2004 07:42:28.570 SEV=4 IKEDBG/65 RPT=9942 65.68.11.49 Group [65.68.11.49] IKE QM Responder FSM error history (struct &0x330a17c)
<state>, <event>:
QM_DONE, EV_ERROR
QM_WAIT_MSG3, EV_RESEND_MSG
QM_WAIT_MSG3, NullEvent
QM_SND_MSG2, EV_SND_MSG
58533 02/27/2004 07:42:38.380 SEV=4 AUTH/23 RPT=876 65.68.11.49 User 65.68.11.49 disconnected: duration: 0:56:18
58534 02/27/2004 07:42:38.600 SEV=4 IKE/41 RPT=8619 65.68.11.49 IKE Initiator: New Phase 1, Intf 2, IKE Peer 65.68.11.49 local Proxy Address 172.16.2.0, remote Proxy Address 10.40.1.0, SA (L2L: CommercialBank)
58537 02/27/2004 07:43:10.600 SEV=4 IKEDBG/65 RPT=9943 65.68.11.49 IKE MM Initiator FSM error history (struct &0x3a2a554)
<state>, <event>:
MM_DONE, EV_ERROR
MM_WAIT_MSG2, EV_RETRY
MM_WAIT_MSG2, EV_TIMEOUT
MM_WAIT_MSG2, NullEvent
58541 02/27/2004 07:43:12.420 SEV=4 IKE/41 RPT=8620 65.68.11.49 IKE Initiator: New Phase 1, Intf 2, IKE Peer 65.68.11.49 local Proxy Address 172.16.2.0, remote Proxy Address 10.40.1.0, SA (L2L: CommercialBank)
58544 02/27/2004 07:43:43.540 SEV=4 IKE/0 RPT=8192 65.68.11.49 Duplicate first packet detected!
58545 02/27/2004 07:43:44.420 SEV=4 IKEDBG/65 RPT=9944 65.68.11.49 IKE MM Initiator FSM error history (struct &0x373ffc4)
<state>, <event>:
MM_DONE, EV_ERROR
MM_WAIT_MSG2, EV_RETRY
MM_WAIT_MSG2, EV_TIMEOUT
MM_WAIT_MSG2, NullEvent
58549 02/27/2004 07:43:53.550 SEV=4 IKE/0 RPT=8193 65.68.11.49 Duplicate first packet detected!
58550 02/27/2004 07:44:03.560 SEV=4 IKE/0 RPT=8194 65.68.11.49 Duplicate first packet detected!
58551 02/27/2004 07:44:05.640 SEV=4 IKEDBG/65 RPT=9945 65.68.11.49 IKE MM Responder FSM error history (struct &0x37806c8)
<state>, <event>:
MM_DONE, EV_ERROR
MM_WAIT_MSG3, EV_TIMEOUT
MM_WAIT_MSG3, NullEvent
MM_SND_MSG2, EV_SND_MSG
58555 02/27/2004 07:44:07.530 SEV=4 IKE/41 RPT=8621 65.68.11.49 IKE Initiator: New Phase 1, Intf 2, IKE Peer 65.68.11.49 local Proxy Address 172.16.2.0, remote Proxy Address 10.40.1.0, SA (L2L: CommercialBank)
58558 02/27/2004 07:44:23.580 SEV=4 IKE/0 RPT=8195 65.68.11.49 Duplicate first packet detected!
58559 02/27/2004 07:44:39.530 SEV=4 IKEDBG/65 RPT=9946 65.68.11.49 IKE MM Initiator FSM error history (struct &0x3932278)
=== message truncated ===
31599 03/09/2004 00:19:53.280 SEV=4 IKE/41 RPT=17020 IKE Initiator: Rekeying Phase 2, Intf 2, IKE Peer 65.68.11.49 local Proxy Address 172.16.2.0, remote Proxy Address 10.40.1.0, SA (L2L: CommercialBank)
31602 03/09/2004 00:19:53.350 SEV=4 IKE/0 RPT=9658 65.68.11.49 Group [65.68.11.49] received an unencrypted packet when crypto active!! Dropping packet.
31604 03/09/2004 00:20:01.870 SEV=4 IKE/0 RPT=9659 65.68.11.49 Group [65.68.11.49] received an unencrypted packet when crypto active!! Dropping packet.
31606 03/09/2004 00:20:09.340 SEV=4 IKE/0 RPT=9660 65.68.11.49 Group [65.68.11.49] received an unencrypted packet when crypto active!! Dropping packet.
31615 03/09/2004 00:20:17.340 SEV=4 IKE/0 RPT=9661 65.68.11.49 Group [65.68.11.49] received an unencrypted packet when crypto active!! Dropping packet.
31617 03/09/2004 00:20:25.280 SEV=4 IKEDBG/0 RPT=3217 QM FSM error (P2 struct &0x34dd044, mess id 0x210c59b7)!
31618 03/09/2004 00:20:25.280 SEV=4 IKEDBG/65 RPT=17216 65.68.11.49 Group [65.68.11.49] IKE QM Initiator FSM error history (struct &0x34dd044)
<state>, <event>:
QM_DONE, EV_ERROR
QM_WAIT_MSG2, EV_TIMEOUT
QM_WAIT_MSG2, NullEvent
QM_SND_MSG1, EV_SND_MSG
31623 03/09/2004 00:20:25.280 SEV=4 AUTH/23 RPT=978 65.68.11.49 User 65.68.11.49 disconnected: duration: 20:24:32
31624 03/09/2004 00:20:26.270 SEV=4 IKE/41 RPT=17022 65.68.11.49 IKE Initiator: New Phase 1, Intf 2, IKE Peer 65.68.11.49 local Proxy Address 172.16.2.0, remote Proxy Address 10.40.1.0, SA (L2L: CommercialBank)
31627 03/09/2004 00:20:27.090 SEV=4 IKE/119 RPT=1848 65.68.11.49 Group [65.68.11.49] PHASE 1 COMPLETED
31628 03/09/2004 00:20:27.090 SEV=4 AUTH/22 RPT=1092 User 65.68.11.49 connected
31629 03/09/2004 00:20:27.170 SEV=4 IKE/49 RPT=14098 65.68.11.49 Group [65.68.11.49] Security negotiation complete for LAN-to-LAN Group (65.68.11.49) Initiator, Inbound SPI = 0x4d38a2a7, Outbound SPI = 0x1e04cf4f
31632 03/09/2004 00:20:27.170 SEV=4 IKE/120 RPT=14103 65.68.11.49 Group [65.68.11.49] PHASE 2 COMPLETED (msgid=5619a636)
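As an added example (not code from the post, from Cisco or from WatchGuard), here is a small Python summariser for the concentrator entries quoted in the thread: it counts the two symptoms the poster describes, reads the state at which each IKE FSM stalled, and maps the combination back to the explanation given in the reply. The entry layout, the constructed sample lines and the peer address 198.51.100.7 are assumptions modelled on the thread.

```python
"""Summarise IKE tunnel flaps from Cisco VPN 3000 concentrator log entries (added example).
Entry layout is assumed from the thread: <seq> <MM/DD/YYYY> <HH:MM:SS.mmm> SEV=<n> <CLASS>/<code> RPT=<n> [<peer>] <text>"""
import re
from collections import Counter, defaultdict

ENTRY_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<date>\d\d/\d\d/\d{4})\s+(?P<time>[\d:.]+)\s+SEV=\d+\s+"
    r"(?P<cls>[A-Z]+)/(?P<code>\d+)\s+RPT=\d+\s+(?:(?P<peer>\d{1,3}(?:\.\d{1,3}){3})\s+)?(?P<text>.*)$")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
PAIR_RE = re.compile(r"\b([A-Z]{2}_[A-Z0-9_]+), ([A-Za-z_]+)\b")  # e.g. MM_WAIT_MSG2, EV_TIMEOUT
DURATION_RE = re.compile(r"duration: (\d+):(\d\d):(\d\d)")

def parse_entries(log_text):
    """Split the log into numbered entries; unnumbered lines continue the previous entry."""
    entries = []
    for line in map(str.strip, log_text.splitlines()):
        m = ENTRY_RE.match(line)
        if m:
            entry = m.groupdict()
            if not entry["peer"]:  # e.g. "User 1.2.3.4 connected": peer only inside the text
                found = IP_RE.search(entry["text"])
                entry["peer"] = found.group(0) if found else "unknown"
            entry["continuation"] = []
            entries.append(entry)
        elif line and entries:  # "<state>, <event>:" header and the pairs listed below it
            entries[-1]["continuation"].append(line)
    return entries

def fsm_history(entry):
    """Return [(state, event), ...] most recent first, whether inline or on later lines."""
    blob = " ".join([entry["text"], *entry["continuation"]])
    return PAIR_RE.findall(blob.split("<state>, <event>:", 1)[-1])

def duration_seconds(text):
    """Parse 'duration: H:MM:SS' from an AUTH/23 disconnect entry."""
    h, m, s = (int(x) for x in DURATION_RE.search(text).groups())
    return h * 3600 + m * 60 + s

def summarise(log_text):
    """Per-peer counts of the symptoms the thread asks about."""
    per_peer = defaultdict(lambda: {"symptoms": Counter(), "fsm_errors": Counter(),
                                    "disconnect_durations": [], "phase2_completed": 0})
    for e in parse_entries(log_text):
        if e["peer"] == "unknown":
            continue
        text, p = e["text"], per_peer[e["peer"]]
        if "Duplicate first packet detected" in text:
            p["symptoms"]["duplicate_first_packet"] += 1
        elif "unencrypted packet when crypto active" in text:
            p["symptoms"]["unencrypted_when_crypto_active"] += 1
        elif "FSM error history" in text:
            mode = "MM" if " MM " in text else "QM"
            role = "Initiator" if "Initiator" in text else "Responder"
            hist = fsm_history(e)  # hist[0] is <X>_DONE, EV_ERROR; hist[1] is where it stalled
            state = hist[1][0] if len(hist) > 1 else "?"
            p["fsm_errors"][f"{mode} {role} {state}"] += 1
        elif "disconnected: duration" in text:
            p["disconnect_durations"].append(duration_seconds(text))
        elif "PHASE 2 COMPLETED" in text:
            p["phase2_completed"] += 1
    return dict(per_peer)

def assess(peer):
    """Relate the observed pattern to the explanation given in the thread's reply."""
    hints, sym, fsm = [], peer["symptoms"], peer["fsm_errors"]
    if sym["duplicate_first_packet"] and "MM Initiator MM_WAIT_MSG2" in fsm:
        hints.append("peer resends its first IKE packet and our Main Mode attempts time out "
                     "waiting for message 2, so our replies are not reaching it (UDP/500 or "
                     "ESP blocked); the reply suggests NAT-T on UDP/4500 or IPsec over TCP")
    if sym["unencrypted_when_crypto_active"] and "QM Initiator QM_WAIT_MSG2" in fsm:
        hints.append("Phase 2 rekey timed out while the peer sent cleartext IKE against an "
                     "active Phase 1 SA; the reply asks for the peer-side debug of that window")
    return hints

# Constructed excerpt modelled on the thread's entries (peer is a documentation address).
SAMPLE_LOG = """\
58537 02/27/2004 07:43:10.600 SEV=4 IKEDBG/65 RPT=9943 198.51.100.7 IKE MM Initiator FSM error history (struct &0x3a2a554)
<state>, <event>:
MM_DONE, EV_ERROR
MM_WAIT_MSG2, EV_RETRY
MM_WAIT_MSG2, EV_TIMEOUT
MM_WAIT_MSG2, NullEvent
58544 02/27/2004 07:43:43.540 SEV=4 IKE/0 RPT=8192 198.51.100.7 Duplicate first packet detected!
58549 02/27/2004 07:43:53.550 SEV=4 IKE/0 RPT=8193 198.51.100.7 Duplicate first packet detected!
58553 02/27/2004 07:44:38.380 SEV=4 AUTH/23 RPT=876 198.51.100.7 User 198.51.100.7 disconnected: duration: 0:56:18
31602 03/09/2004 00:19:53.350 SEV=4 IKE/0 RPT=9658 198.51.100.7 Group [198.51.100.7] received an unencrypted packet when crypto active!! Dropping packet.
31618 03/09/2004 00:20:25.280 SEV=4 IKEDBG/65 RPT=17216 198.51.100.7 Group [198.51.100.7] IKE QM Initiator FSM error history (struct &0x34dd044) <state>, <event>: QM_DONE, EV_ERROR QM_WAIT_MSG2, EV_TIMEOUT QM_WAIT_MSG2, NullEvent QM_SND_MSG1, EV_SND_MSG
31623 03/09/2004 00:20:25.280 SEV=4 AUTH/23 RPT=978 198.51.100.7 User 198.51.100.7 disconnected: duration: 20:24:32
31632 03/09/2004 00:20:27.170 SEV=4 IKE/120 RPT=14103 198.51.100.7 Group [198.51.100.7] PHASE 2 COMPLETED (msgid=5619a636)
"""

if __name__ == "__main__":
    for peer, summary in summarise(SAMPLE_LOG).items():
        print(peer, summary, assess(summary))
```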
