 From:  Peter Allgeyer <allgeyer at web dot de>
 To:  Gregory Abbott <blondguyg at seezar dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] VPN client trouble behind m0n0wall
 Date:  Thu, 24 Nov 2005 15:50:59 +0100
Hi Gregory!

On Wednesday, 23.11.2005, 21:29 -0500, Gregory Abbott wrote:
> I'm at a loss right now on where to go to figure out why VPN connections
> from behind my m0n0wall will no longer work to the VPN from work.
So you'll have to debug the whole thing. We can't help w/o knowing what
exactly is going on. So let's see:

> 15:24:27.989306  WAN  66.133.x.x   10.5.27.21         UDP
> 15:24:22.987884  WAN  66.133.x.x   10.5.27.21         UDP
> 15:24:21.015540  WAN  66.133.x.x   10.5.27.21         UDP
> 15:24:13.016823  WAN  66.133.x.x   10.5.27.21         UDP

No port numbers? Give us:
a) raw log from m0n0wall (both, accepted and denied packets)
b) an output of tcpdump from your client

For example:
a)
Nov 24 13:44:43 m0n0wall ipmon[86]: 13:38:06.311737 sis0 @100:3 p
vpnclient,500 -> vpnserver,500 PR udp len 20 896 K-S K-F IN
Nov 24 13:44:44 m0n0wall ipmon[86]: 13:38:06.644791 sis0 @100:3 p
vpnclient,4500 -> vpnserver,4500 PR udp len 20 204 K-S K-F IN

b)
13:33:43.919074 IP vpnclient.33159 > vpnserver.29747: UDP, length: 16
13:33:43.919368 IP vpnclient.33159 > vpnserver.29747: UDP, length: 12
13:33:44.012143 IP vpnclient.isakmp > vpnserver.isakmp: isakmp: phase 1 I agg
13:33:44.253519 IP vpnserver.isakmp > vpnclient.isakmp: isakmp: phase 1 R agg
13:33:44.347442 IP vpnclient.4500 > vpnserver.4500: UDP, length: 176
13:33:44.347616 IP vpnclient.4500 > vpnserver.4500: UDP, length: 1
13:33:44.454710 IP vpnserver.4500 > vpnclient.4500: UDP, length: 112
13:33:47.179708 IP vpnclient.4500 > vpnserver.4500: UDP, length: 88
13:33:47.277829 IP vpnserver.4500 > vpnclient.4500: UDP, length: 72
13:33:47.278476 IP vpnclient.4500 > vpnserver.4500: UDP, length: 64
13:33:47.287506 IP vpnclient.4500 > vpnserver.4500: UDP, length: 184
13:33:47.396304 IP vpnserver.4500 > vpnclient.4500: UDP, length: 328
13:33:47.410645 IP vpnclient.4500 > vpnserver.4500: UDP, length: 1032
13:33:47.568953 IP vpnserver.4500 > vpnclient.4500: UDP, length: 96
13:33:47.576174 IP vpnserver.4500 > vpnclient.4500: UDP, length: 184
13:33:47.578971 IP vpnclient.4500 > vpnserver.4500: UDP, length: 56
13:33:47.580363 IP vpnclient.33159 > vpnserver.29747: UDP, length: 12

As you can see from the above output, only port 4500/udp and port
500/udp are required (outgoing). Port 29747/udp is interesting, though.

And yes, tcpdump for m0n0wall would be very appreciated.

Ciao ...
	... PIT ..


---------------------------------------------------------------------------
 copyleft(c) by |   _-_     Dijkstra probably hates me (Linus Torvalds,
 Peter Allgeyer | 0(o_o)0   in kernel/sched.c)
---------------oOO--(_)--OOo-----------------------------------------------
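One way to do the log triage Peter asks for, as an added Python example that is not from this thread or from m0n0wall itself: it parses ipmon records (where `p` marks a passed and `b` a blocked packet) and the client-side tcpdump, then reports whether the two ports the post names, 500/udp and 4500/udp, actually pass and which other ports the client tried. The sample lines are constructed from the post's output plus one made-up blocked record; the service-name map is an assumption.

```python
import re

# Outbound UDP ports an IPsec road-warrior client needs: IKE (500) and NAT-T (4500).
REQUIRED_UDP = {500, 4500}
# Service names tcpdump prints instead of numbers (assumed map, only what we need here).
SERVICE_PORTS = {"isakmp": 500, "ipsec-nat-t": 4500}

# ipfilter/ipmon record as m0n0wall logs it: "@group:rule p|b src,sport -> dst,dport PR proto ..."
# action 'p' means the packet was passed, 'b' that it was blocked.
IPMON_RE = re.compile(
    r"@\d+:\d+ (?P<action>[pb]) (?P<src>\S+),(?P<sport>\d+) -> "
    r"(?P<dst>\S+),(?P<dport>\d+) PR (?P<proto>\w+)"
)
# tcpdump line: "ts IP src.sport > dst.dport: ..."
TCPDUMP_RE = re.compile(r"^\S+ IP (?P<src>\S+)\.(?P<sport>[\w-]+) > (?P<dst>\S+)\.(?P<dport>[\w-]+):")

def _port(token):
    return int(token) if token.isdigit() else SERVICE_PORTS.get(token)

def parse_ipmon(lines):
    """(action, proto, sport, dport) for every port-bearing ipmon record."""
    hits = [IPMON_RE.search(line) for line in lines]
    return [(m["action"], m["proto"], int(m["sport"]), int(m["dport"])) for m in hits if m]

def client_dst_ports(lines, client):
    """Destination ports the client itself sent to, according to the client-side tcpdump."""
    ports = set()
    for line in lines:
        m = TCPDUMP_RE.match(line)
        port = _port(m["dport"]) if m and m["src"] == client else None
        if port is not None:
            ports.add(port)
    return ports

def triage(ipmon_lines, tcpdump_lines, client):
    """Compare what the firewall passed/blocked against what the client tried to send."""
    recs = parse_ipmon(ipmon_lines)
    passed = {dport for act, proto, _, dport in recs if act == "p" and proto == "udp"}
    blocked = {dport for act, proto, _, dport in recs if act == "b" and proto == "udp"}
    return {
        "blocked_required": sorted(REQUIRED_UDP & blocked),  # firewall rule to fix
        "never_passed": sorted(REQUIRED_UDP - passed),       # not seen passing at all
        "unexpected_client_ports": sorted(client_dst_ports(tcpdump_lines, client) - REQUIRED_UDP),
    }

# Constructed sample: one passed record from the post plus one made-up block of NAT-T.
IPMON_SAMPLE = [
    "Nov 24 13:44:43 m0n0wall ipmon[86]: 13:38:06.311737 sis0 @100:3 p vpnclient,500 -> vpnserver,500 PR udp len 20 896 K-S K-F IN",
    "Nov 24 13:44:44 m0n0wall ipmon[86]: 13:38:06.644791 sis0 @200:1 b vpnclient,4500 -> vpnserver,4500 PR udp len 20 204 IN",
]
TCPDUMP_SAMPLE = [
    "13:33:43.919074 IP vpnclient.33159 > vpnserver.29747: UDP, length: 16",
    "13:33:44.012143 IP vpnclient.isakmp > vpnserver.isakmp: isakmp: phase 1 I agg",
    "13:33:44.253519 IP vpnserver.isakmp > vpnclient.isakmp: isakmp: phase 1 R agg",
    "13:33:44.347442 IP vpnclient.4500 > vpnserver.4500: UDP, length: 176",
]

if __name__ == "__main__":
    print(triage(IPMON_SAMPLE, TCPDUMP_SAMPLE, "vpnclient"))
```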