[ previous ] [ next ] [ threads ]
 
 From:  Chris Olive <chris at technologEase dot com>
 To:  M0n0Wall <m0n0wall at lists dot m0n0 dot ch>
 Subject:  ~OT: Howto read/interpret ipf log entries (and Nortel VPN client issues)
 Date:  Sun, 30 May 2004 20:30:17 -0500
Strictly speaking, this is somewhat OT, but since my ipf/ipmon log 
entries are being generated by m0n0wall, I thought I would ask here... 
(a quick perusal of Google didn't lead me to anything quick...)

I'm trying to run a VPN client to reach my corporate network, and it's 
not working.  I suspect that m0n0wall is doing its job and blocking the 
traffic in some way, and I'm trying to determine how/why.  I looked in 
the logs to see if anything looks revealing and I see the following 
(quite a few times, actually):

May 30 17:57:42 fw ipmon[69]: 17:57:41.476323 2x ng0 @0:27 b 
xxx.yyy.143.10 -> 192.168.0.200 PR udp len 20 (756) frag +736@744 IN

where "xxx.yyy" is the class B address of my company's IP or the source 
IP (in this case).  I'm not sure what all the other stuff means (being 
an ipf novice), if someone can break it down for me.  I at least can 
understand most of it and read this line as...

- Date/Time stamp of log entry
- "fw" = "firewall" where "fw.local" is defined in my local DNS, hence 
"fw" for the machine name (of m0n0wall)
- "ipmon" is the monitoring daemon/process (?), but I'm not sure what 
the [69] means?  Can't be port 69, can it?  (That's tftp...)
- Next log segment is another timestamp
- "2x" means?
- "ng0" is on m0n0wall
- "@0:27" means?
- xxx.yyy.143.10 is incoming IP address
- 192.168.0.200 is the destination IP on my private LAN (my workstation 
running the VPN software)
- "PR" means?  (Type of packet, I'm thinking?  Like ACK, SYN, etc.?  
Prolog?)
- "udp" is udp packet of...
- length 20
- "(756)" means?
- "frag" means the packet was a fragment, I assume (and causes me to 
think this is the problem since m0n0wall is presently set to drop packet 
frags.)
- "+736@744" means?
- "IN" means incoming packet

So...  I've got most of it figured out, but I'm wondering about the few 
missing pieces of the puzzle.

Also... I'm trying to use "Contivity VPN client" from Nortel Networks.  
Maybe someone knows right off the bat what might be my problem using 
this VPN client with m0n0wall?  Bear in mind I'm sitting BEHIND m0n0wall 
trying to go OUT and connect to my company LAN; I'm not sitting outside 
trying to get IN through m0n0wall.

Also, if someone DOES know where I can get help on reading ipf/ipmon log 
entries, I'd appreciate it.  Not all the log entries are the same as you 
all well know.

Thanks,
Chris
-----
Chris Olive
chris at technologEase dot com