 From: 
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: udp/4500 not permitted by firewall
 Date:  Wed, 28 Nov 2007 18:57:33 +0200
Hi,

Turn on logging of firewall rules and check whether there are dropped incoming 
UDP packets.
I have seen it before but I have not tested it with 1.3b5.
In my case it seems that it happens if a UDP packet gets fragmented and 
m0n0wall considers one of the fragments as BAD.

Marek

"nik" <nik at ngo dot org dot uk> wrote in message news:474D4630 dot 4010609 at ngo dot org dot uk...
> I'm trying to connect to my employer's L2TP VPN through my m0n0wall server.
>
> The network normally looks like this:
>
>   { Internet } -- [ADSL router] -- [m0n0wall] -- [laptop]
>
> and it doesn't work.  My L2TP connection instructions say to ensure that 
> ports udp/500 and udp/4500 are permitted through the firewall, and 
> appropriately NATd.  I have two NAT rules in place for udp/500 and 
> udp/4500, and the associated firewall rules.  I also added entries for 
> ESP, so the complete relevant firewall rules look like:
>
>   Proto   Source   Port   Destination   Port
>
>   ESP     *           *   laptop_ip        *
>   UDP     *        4500   laptop_ip     4500
>   UDP     *         500   laptop_ip      500
>
> These rules are at the top of the firewall list, and there are no other 
> rules that affect this combination of protocols and ports.
>
> AIUI, that should work.  However, it doesn't.  If I try and connect by 
> going through m0n0wall a tcpdump shows (laptop IP replaced with laptop_ip, 
> server IP replaced with server_ip, and leading timestamps removed):
>
> IP laptop_ip.500 > server_ip.500: isakmp: phase 1 I ident
> IP server_ip.500 > laptop_ip.500: isakmp: phase 1 R ident
> IP laptop_ip.500 > server_ip.500: isakmp: phase 1 I ident
> IP server_ip.500 > laptop_ip.500: isakmp: phase 1 R ident
> IP laptop_ip.4500 > server_ip.4500: NONESP-encap: isakmp: phase 1 I ident[E]
> IP laptop_ip > server_ip: udp
> IP server_ip.500 > laptop_ip.500: isakmp: phase 1 R ident
> IP server_ip.500 > laptop_ip.500: isakmp: phase 1 R ident
> IP laptop_ip.4500 > server_ip.4500: NONESP-encap: isakmp: phase 1 I ident[E]
> IP laptop_ip > server_ip: udp
> IP laptop_ip.4500 > server_ip.4500: NONESP-encap: isakmp: phase 1 I ident[E]
> IP laptop_ip > server_ip: udp
> IP server_ip.500 > laptop_ip.500: isakmp: phase 1 R ident
> IP laptop_ip.4500 > server_ip.4500: NONESP-encap: isakmp: phase 1 I ident[E]
> IP laptop_ip > server_ip: udp
> IP laptop_ip.4500 > server_ip.4500: NONESP-encap: isakmp: phase 1 I ident[E]
> IP laptop_ip > server_ip: udp
> IP server_ip.500 > laptop_ip.500: isakmp: phase 1 R ident
> IP laptop_ip.4500 > server_ip.4500: NONESP-encap: isakmp: phase 1 I ident[E]
> IP laptop_ip > server_ip: udp
> IP laptop_ip.4500 > server_ip.4500: NONESP-encap: isakmp: phase 1 I ident[E]
> IP laptop_ip > server_ip: udp
>
> So the initial back and forth over port 500 works, the laptop sends 
> various packets to the server on port 4500, but never gets a reply. 
> Eventually the L2TP connection times out.
>
> If I remove m0n0wall, and connect the laptop directly to the ADSL router 
> and do the same thing, so the network looks like this:
>
>   { Internet } -- [ADSL router] -- [laptop]
>
> it works and connects within a few seconds.  The relevant tcpdump looks 
> like:
>
> IP laptop_ip.500 > server_ip.500: isakmp: phase 1 I ident
> IP server_ip.500 > laptop_ip.500: isakmp: phase 1 R ident
> IP laptop_ip.500 > server_ip.500: isakmp: phase 1 I ident
> IP server_ip.500 > laptop_ip.500: isakmp: phase 1 R ident
> IP laptop_ip.4500 > server_ip.4500: NONESP-encap: isakmp: phase 1 I ident[E]
> IP laptop_ip > server_ip: udp
> IP server_ip.4500 > laptop_ip.4500: NONESP-encap: isakmp: phase 1 R ident[E]
> IP server_ip > laptop_ip: udp
> IP server_ip.4500 > laptop_ip.4500: NONESP-encap: isakmp: phase 1 R ident[E]
> IP server_ip > laptop_ip: udp
> IP laptop_ip.4500 > server_ip.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
> IP server_ip.4500 > laptop_ip.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[EC]
> IP laptop_ip.4500 > server_ip.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[EC]
> IP server_ip.4500 > laptop_ip.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[EC]
> IP laptop_ip.4500 > server_ip.4500: UDP-encap: ESP(spi=0xbbaf17ec,seq=0x1), length 100
> IP server_ip.4500 > laptop_ip.4500: UDP-encap: ESP(spi=0x0adfcc1d,seq=0x1), length 156
> IP server_ip.4500 > laptop_ip.4500: UDP-encap: ESP(spi=0x0adfcc1d,seq=0x2), length 52
> IP laptop_ip.4500 > laptop_ip.4500: UDP-encap: ESP(spi=0xbbaf17ec,seq=0x2), length 60
> IP laptop_ip.4500 > server_ip.4500: UDP-encap: ESP(spi=0xbbaf17ec,seq=0x3), length 76
>
> As you can see, they start out identical, and then differ at line 7, where 
> the incoming request from the server to the laptop on port 4500 reaches 
> the laptop.  That packet never arrives at the laptop if I use m0n0wall.
>
> Any thoughts?  Options I've missed?
>
> I've tried this on 1.231 and 1.3b5 with the same result.
>
> N
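The two captures in this thread show the pattern a practitioner looks for when IKE with NAT-T stalls: the udp/500 exchange completes, the initiator floats to udp/4500, and either the udp/4500 replies come back (working) or they never do (broken). The script below is an added example, not code from the thread or from m0n0wall. It parses tcpdump text of the kind quoted above (the sample captures embedded in it are abridged copies of nik's two traces, so "laptop_ip" and "server_ip" are his placeholders, not real hosts), counts packets per direction and port, and treats a line with no port numbers ("IP a > b: udp") as a non-initial IP fragment, which is how tcpdump prints a fragment that carries no UDP header. It then reports whether udp/4500 traffic is one-way, which is the condition Marek's suggestion (log the firewall rules and look for dropped inbound UDP, possibly fragments) is meant to confirm. The verdict strings are my own labels.

```python
import re

# Constructed sample input: abridged copies of the two captures quoted in the
# thread (laptop IP -> laptop_ip, server IP -> server_ip, timestamps removed).
CAPTURE_BEHIND_M0N0WALL = """\
IP laptop_ip.500 > server_ip.500: isakmp: phase 1 I ident
IP server_ip.500 > laptop_ip.500: isakmp: phase 1 R ident
IP laptop_ip.500 > server_ip.500: isakmp: phase 1 I ident
IP server_ip.500 > laptop_ip.500: isakmp: phase 1 R ident
IP laptop_ip.4500 > server_ip.4500: NONESP-encap: isakmp: phase 1 I ident[E]
IP laptop_ip > server_ip: udp
IP server_ip.500 > laptop_ip.500: isakmp: phase 1 R ident
IP laptop_ip.4500 > server_ip.4500: NONESP-encap: isakmp: phase 1 I ident[E]
IP laptop_ip > server_ip: udp
"""

CAPTURE_DIRECT = """\
IP laptop_ip.500 > server_ip.500: isakmp: phase 1 I ident
IP server_ip.500 > laptop_ip.500: isakmp: phase 1 R ident
IP laptop_ip.4500 > server_ip.4500: NONESP-encap: isakmp: phase 1 I ident[E]
IP laptop_ip > server_ip: udp
IP server_ip.4500 > laptop_ip.4500: NONESP-encap: isakmp: phase 1 R ident[E]
IP server_ip > laptop_ip: udp
IP laptop_ip.4500 > server_ip.4500: UDP-encap: ESP(spi=0xbbaf17ec,seq=0x1), length 100
"""

# "IP src[.port] > dst[.port]: info"; the port is absent on non-initial fragments.
LINE_RE = re.compile(r'^IP (\S+?)(?:\.(\d+))? > (\S+?)(?:\.(\d+))?: (.*)$')


def parse_capture(text):
    """Parse tcpdump text lines into dicts; unknown lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, sport, dst, dport, info = m.groups()
        packets.append({
            'src': src, 'sport': int(sport) if sport else None,
            'dst': dst, 'dport': int(dport) if dport else None,
            'info': info,
            # No UDP header visible: tcpdump only sees it in the first fragment.
            'fragment': sport is None and dport is None,
        })
    return packets


def diagnose(text, client, server):
    """Count IKE/NAT-T traffic per direction and say where the path breaks."""
    pkts = parse_capture(text)

    def count(src, dst, port):
        return sum(1 for p in pkts if p['src'] == src and p['dst'] == dst
                   and not p['fragment'] and p['dport'] == port)

    def frags(src, dst):
        return sum(1 for p in pkts if p['src'] == src and p['dst'] == dst
                   and p['fragment'])

    r = {
        'out500': count(client, server, 500), 'in500': count(server, client, 500),
        'out4500': count(client, server, 4500), 'in4500': count(server, client, 4500),
        'frag_out': frags(client, server), 'frag_in': frags(server, client),
    }
    if r['in500'] == 0:
        # Nothing came back on udp/500: the udp/500 NAT/rule itself is broken.
        r['verdict'] = 'NO_IKE_REPLY'
    elif r['out4500'] > 0 and r['in4500'] == 0:
        # IKE floated to udp/4500 but no reply reached the client: the inbound
        # udp/4500 path (rule, NAT, or fragment handling) is dropping it.
        r['verdict'] = 'NAT_T_REPLY_MISSING'
    else:
        r['verdict'] = 'OK'
    return r


if __name__ == '__main__':
    for name, cap in (('behind m0n0wall', CAPTURE_BEHIND_M0N0WALL),
                      ('direct', CAPTURE_DIRECT)):
        print(name, diagnose(cap, 'laptop_ip', 'server_ip'))
```

Run it against a real capture with `tcpdump -n -i <if> 'udp port 500 or udp port 4500 or (ip[6:2] & 0x1fff != 0)'` saved to text; the last clause keeps non-initial fragments, which a plain `udp port 4500` filter would discard and which are exactly the packets Marek suspects m0n0wall is rejecting. If the verdict is NAT_T_REPLY_MISSING while frag_out is non-zero, compare against the firewall log as Marek suggests: a dropped inbound udp/4500 packet or fragment there is the confirming evidence.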