[vpn-help] Asymmetric routing on Ubuntu 11.04 connecting to Juniper SSG 550

Robin Polak robin.polak at gmail.com
Wed Dec 21 14:44:43 CST 2011


Hello,

I'm getting an established connection to my Juniper SSG 550, however the
traffic is egressing through the tap0 interface and then ingressing through
eth0.  You can see this behavior in the packet capture below.  The debug
log shows no errors.  My configuration is as follows:

n:version:4
n:network-ike-port:500
n:network-mtu-size:1380
n:client-addr-auto:1
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:1
n:network-notify-enable:1
n:client-banner-enable:1
n:client-dns-used:0
n:client-dns-auto:0
n:phase1-dhgroup:2
n:phase1-keylen:0
n:phase1-life-secs:28800
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-keylen:0
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-nailed:0
n:policy-list-auto:0
n:client-wins-used:1
n:client-wins-auto:1
n:client-splitdns-used:1
n:client-splitdns-auto:1
b:auth-mutual-psk:******
n:phase2-pfsgroup:2
s:client-saved-username:robin
n:client-dns-suffix-auto:0
s:client-dns-addr:10.22.5.11
s:client-dns-suffix:limebrokerage.com
s:network-host:74.120.51.132
s:client-auto-mode:push
s:client-iface:virtual
s:network-natt-mode:enable
s:network-frag-mode:enable
s:auth-method:mutual-psk-xauth
s:ident-client-type:fqdn
s:ident-client-data:shrew-test.limebrokerage.com
s:ident-server-type:fqdn
s:ident-server-data:vpn.limebrokerage.com
s:phase1-exchange:aggressive
s:phase1-cipher:3des
s:phase1-hash:sha1
s:phase2-transform:esp-3des
s:phase2-hmac:sha1
s:ipcomp-transform:disabled
s:policy-level:auto
s:policy-list-include:10.0.0.0 / 255.0.0.0


15:20:32.145967 IP 74.120.51.132.4500 > 192.168.1.2.10954:
isakmp-nat-keep-alive
15:20:32.146026 IP 192.168.1.2 > 74.120.51.132: ICMP 192.168.1.2 udp port
10954 unreachable, length 37
15:20:34.654003 IP 192.168.1.2.500 > 74.120.51.132.500: isakmp: phase 1 I
agg
15:20:34.660619 IP 74.120.51.132.500 > 192.168.1.2.500: isakmp: phase 1 R
agg
15:20:34.706413 IP 192.168.1.2.4500 > 74.120.51.132.4500: NONESP-encap:
isakmp: phase 1 I agg[E]
15:20:34.707306 IP 192.168.1.2.4500 > 74.120.51.132.4500: NONESP-encap:
isakmp: phase 2/others I inf[E]
15:20:37.262667 IP 74.120.51.132.4500 > 192.168.1.2.4500:
isakmp-nat-keep-alive
15:20:37.262715 IP 74.120.51.132.4500 > 192.168.1.2.10954:
isakmp-nat-keep-alive
15:20:37.262784 IP 192.168.1.2 > 74.120.51.132: ICMP 192.168.1.2 udp port
10954 unreachable, length 37
15:20:39.667849 ARP, Request who-has 192.168.1.1 tell 192.168.1.2, length 28
15:20:39.672386 ARP, Reply 192.168.1.1 is-at 00:18:4d:55:64:0c, length 46
15:20:40.852408 IP 74.120.51.132.4500 > 192.168.1.2.4500: NONESP-encap:
isakmp: phase 2/others R #6[E]
15:20:40.853671 IP 192.168.1.2.4500 > 74.120.51.132.4500: NONESP-encap:
isakmp: phase 2/others I #6[E]
15:20:40.856264 IP 74.120.51.132.4500 > 192.168.1.2.4500: NONESP-encap:
isakmp: phase 2/others R #6[E]
15:20:40.857352 IP 192.168.1.2.4500 > 74.120.51.132.4500: NONESP-encap:
isakmp: phase 2/others I #6[E]
15:20:40.859623 IP 74.120.51.132.4500 > 192.168.1.2.4500: NONESP-encap:
isakmp: phase 2/others R #6[E]
15:20:40.860525 IP 192.168.1.2.4500 > 74.120.51.132.4500: NONESP-encap:
isakmp: phase 2/others I #6[E]
15:20:41.848580 IP 74.120.51.132.4500 > 192.168.1.2.10954:
isakmp-nat-keep-alive
15:20:41.848675 IP 192.168.1.2 > 74.120.51.132: ICMP 192.168.1.2 udp port
10954 unreachable, length 37
15:20:47.089814 IP 74.120.51.132.4500 > 192.168.1.2.10954:
isakmp-nat-keep-alive
15:20:47.089914 IP 192.168.1.2 > 74.120.51.132: ICMP 192.168.1.2 udp port
10954 unreachable, length 37
15:20:49.710203 IP 192.168.1.2.4500 > 74.120.51.132.4500: NONESP-encap:
isakmp: phase 2/others I inf[E]
15:20:49.710559 IP 192.168.1.2.4500 > 74.120.51.132.4500:
isakmp-nat-keep-alive
15:20:49.721911 IP 74.120.51.132.4500 > 192.168.1.2.4500: NONESP-encap:
isakmp: phase 2/others R inf[E]
15:20:52.214025 IP 74.120.51.132.4500 > 192.168.1.2.10954:
isakmp-nat-keep-alive
15:20:52.214100 IP 192.168.1.2 > 74.120.51.132: ICMP 192.168.1.2 udp port
10954 unreachable, length 37
15:20:52.217280 IP 192.168.1.2.4500 > 74.120.51.132.4500: NONESP-encap:
isakmp: phase 2/others I oakley-quick[E]
15:20:52.221604 IP 74.120.51.132.4500 > 192.168.1.2.4500: NONESP-encap:
isakmp: phase 2/others R oakley-quick[E]
15:20:52.224811 IP 192.168.1.2.4500 > 74.120.51.132.4500: NONESP-encap:
isakmp: phase 2/others I oakley-quick[E]
15:20:53.178166 IP 192.168.1.2.4500 > 74.120.51.132.4500: UDP-encap:
ESP(spi=0x9a03b617,seq=0x1), length 116
15:20:53.183411 IP 74.120.51.132.4500 > 192.168.1.2.4500: UDP-encap:
ESP(spi=0x0db448a1,seq=0x1), length 116
15:20:53.183411 IP 10.22.5.100 > 10.22.22.24: ICMP echo reply, id 1902, seq
2, length 64
15:20:54.178124 IP 192.168.1.2.4500 > 74.120.51.132.4500: UDP-encap:
ESP(spi=0x9a03b617,seq=0x2), length 116
15:20:54.193481 IP 74.120.51.132.4500 > 192.168.1.2.4500: UDP-encap:
ESP(spi=0x0db448a1,seq=0x2), length 116
15:20:54.193481 IP 10.22.5.100 > 10.22.22.24: ICMP echo reply, id 1902, seq
3, length 64
15:20:55.178414 IP 192.168.1.2.4500 > 74.120.51.132.4500: UDP-encap:
ESP(spi=0x9a03b617,seq=0x3), length 116
15:20:55.181677 IP 74.120.51.132.4500 > 192.168.1.2.4500: UDP-encap:
ESP(spi=0x0db448a1,seq=0x3), length 116
15:20:55.181677 IP 10.22.5.100 > 10.22.22.24: ICMP echo reply, id 1902, seq
4, length 64
15:20:56.178174 IP 192.168.1.2.4500 > 74.120.51.132.4500: UDP-encap:
ESP(spi=0x9a03b617,seq=0x4), length 116
15:20:56.185943 IP 74.120.51.132.4500 > 192.168.1.2.4500: UDP-encap:
ESP(spi=0x0db448a1,seq=0x4), length 116
15:20:56.185943 IP 10.22.5.100 > 10.22.22.24: ICMP echo reply, id 1902, seq
5, length 64
15:20:56.990261 IP6 fe80::d47e:3302:ae48:f220.546 > ff02::1:2.547: dhcp6
solicit
15:20:57.000207 IP 74.120.51.132.4500 > 192.168.1.2.4500:
isakmp-nat-keep-alive
15:20:57.000277 IP 74.120.51.132.4500 > 192.168.1.2.10954:
isakmp-nat-keep-alive
15:20:57.000325 IP 192.168.1.2 > 74.120.51.132: ICMP 192.168.1.2 udp port
10954 unreachable, length 37
15:20:57.178877 IP 192.168.1.2.4500 > 74.120.51.132.4500: UDP-encap:
ESP(spi=0x9a03b617,seq=0x5), length 116
15:20:57.182010 IP 74.120.51.132.4500 > 192.168.1.2.4500: UDP-encap:
ESP(spi=0x0db448a1,seq=0x5), length 116
15:20:57.182010 IP 10.22.5.100 > 10.22.22.24: ICMP echo reply, id 1902, seq
6, length 64
15:20:57.990364 IP6 fe80::d47e:3302:ae48:f220.546 > ff02::1:2.547: dhcp6
solicit
15:20:58.178053 IP 192.168.1.2.4500 > 74.120.51.132.4500: UDP-encap:
ESP(spi=0x9a03b617,seq=0x6), length 116
15:20:58.180822 IP 74.120.51.132.4500 > 192.168.1.2.4500: UDP-encap:
ESP(spi=0x0db448a1,seq=0x6), length 116
15:20:58.180822 IP 10.22.5.100 > 10.22.22.24: ICMP echo reply, id 1902, seq
7, length 64
15:20:59.989700 IP6 fe80::d47e:3302:ae48:f220.546 > ff02::1:2.547: dhcp6
solicit
15:21:02.039797 IP 74.120.51.132.4500 > 192.168.1.2.10954:
isakmp-nat-keep-alive
15:21:02.039875 IP 192.168.1.2 > 74.120.51.132: ICMP 192.168.1.2 udp port
10954 unreachable, length 37
15:21:03.987860 IP6 fe80::d47e:3302:ae48:f220.546 > ff02::1:2.547: dhcp6
solicit
15:21:04.712747 IP 192.168.1.2.4500 > 74.120.51.132.4500:
isakmp-nat-keep-alive
15:21:04.723654 IP 192.168.1.2.4500 > 74.120.51.132.4500: NONESP-encap:
isakmp: phase 2/others I inf[E]
15:21:04.726302 IP 74.120.51.132.4500 > 192.168.1.2.4500: NONESP-encap:
isakmp: phase 2/others R inf[E]
15:21:04.935739 IP 192.168.1.2.4500 > 74.120.51.132.4500: NONESP-encap:
isakmp: phase 2/others I inf[E]
15:21:04.937389 IP 192.168.1.2.4500 > 74.120.51.132.4500: NONESP-encap:
isakmp: phase 2/others I inf[E]
15:21:07.174577 IP 74.120.51.132.4500 > 192.168.1.2.10954:
isakmp-nat-keep-alive
15:21:07.174659 IP 192.168.1.2 > 74.120.51.132: ICMP 192.168.1.2 udp port
10954 unreachable, length 37

11/12/21 15:20:34 ii : ipc client process thread begin ...
11/12/21 15:20:34 <A : peer config add message
11/12/21 15:20:34 <A : proposal config message
11/12/21 15:20:34 <A : proposal config message
11/12/21 15:20:34 <A : client config message
11/12/21 15:20:34 <A : xauth username message
11/12/21 15:20:34 <A : xauth password message
11/12/21 15:20:34 <A : local id 'shrew-test.limebrokerage.com' message
11/12/21 15:20:34 <A : remote id 'vpn.limebrokerage.com' message
11/12/21 15:20:34 <A : preshared key message
11/12/21 15:20:34 <A : remote resource message
11/12/21 15:20:34 <A : peer tunnel enable message
11/12/21 15:20:34 ii : local supports XAUTH
11/12/21 15:20:34 ii : local supports nat-t ( draft v00 )
11/12/21 15:20:34 ii : local supports nat-t ( draft v01 )
11/12/21 15:20:34 ii : local supports nat-t ( draft v02 )
11/12/21 15:20:34 ii : local supports nat-t ( draft v03 )
11/12/21 15:20:34 ii : local supports nat-t ( rfc )
11/12/21 15:20:34 ii : local supports FRAGMENTATION
11/12/21 15:20:34 ii : local supports DPDv1
11/12/21 15:20:34 ii : local is SHREW SOFT compatible
11/12/21 15:20:34 ii : local is NETSCREEN compatible
11/12/21 15:20:34 ii : local is SIDEWINDER compatible
11/12/21 15:20:34 ii : local is CISCO UNITY compatible
11/12/21 15:20:34 >= : cookies :
11/12/21 15:20:34 >= : message
11/12/21 15:20:34 ii : processing phase1 packet ( 457 bytes )
11/12/21 15:20:34 =< : cookies :
11/12/21 15:20:34 =< : message
11/12/21 15:20:34 ii : matched isakmp proposal #1 transform #1
11/12/21 15:20:34 ii : - transform    = ike
11/12/21 15:20:34 ii : - cipher type  = 3des
11/12/21 15:20:34 ii : - key length   = default
11/12/21 15:20:34 ii : - hash type    = sha1
11/12/21 15:20:34 ii : - dh group     = group2 ( modp-1024 )
11/12/21 15:20:34 ii : - auth type    = xauth-initiator-psk
11/12/21 15:20:34 ii : - life seconds = 28800
11/12/21 15:20:34 ii : - life kbytes  = 0
11/12/21 15:20:34 ii : peer supports XAUTH
11/12/21 15:20:34 ii : peer supports DPDv1
11/12/21 15:20:34 ii : peer supports HEARTBEAT-NOTIFY
11/12/21 15:20:34 ii : phase1 id match
11/12/21 15:20:34 ii : received = fqdn vpn.limebrokerage.com
11/12/21 15:20:34 ii : peer supports nat-t ( draft v02 )
11/12/21 15:20:34 ii : nat discovery - local address is translated
11/12/21 15:20:34 ii : switching to src nat-t udp port 4500
11/12/21 15:20:34 ii : switching to dst nat-t udp port 4500
11/12/21 15:20:34 >= : cookies :
11/12/21 15:20:34 >= : message
11/12/21 15:20:34 ii : phase1 sa established
11/12/21 15:20:34 ii : 74.120.51.132:4500 <-> 192.168.1.2:4500
11/12/21 15:20:34 ii : :
11/12/21 15:20:34 ii : sending peer INITIAL-CONTACT notification
11/12/21 15:20:34 ii : - 192.168.1.2:4500 -> 74.120.51.132:4500
11/12/21 15:20:34 ii : - isakmp spi = :
11/12/21 15:20:34 ii : - data size 0
11/12/21 15:20:34 >= : cookies :
11/12/21 15:20:34 >= : message
11/12/21 15:20:40 ii : processing config packet ( 76 bytes )
11/12/21 15:20:40 =< : cookies :
11/12/21 15:20:40 =< : message
11/12/21 15:20:40 ii : - xauth authentication type
11/12/21 15:20:40 ii : - xauth username
11/12/21 15:20:40 ii : - xauth password
11/12/21 15:20:40 ii : received basic xauth request -
11/12/21 15:20:40 ii : - standard xauth username
11/12/21 15:20:40 ii : - standard xauth password
11/12/21 15:20:40 ii : sending xauth response for rpolak
11/12/21 15:20:40 >= : cookies :
11/12/21 15:20:40 >= : message
11/12/21 15:20:40 ii : processing config packet ( 100 bytes )
11/12/21 15:20:40 =< : cookies :
11/12/21 15:20:40 =< : message
11/12/21 15:20:40 ii : received config push request
11/12/21 15:20:40 ii : building config attribute list
11/12/21 15:20:40 ii : sending config push acknowledge
11/12/21 15:20:40 >= : cookies :
11/12/21 15:20:40 >= : message
11/12/21 15:20:40 ii : processing config packet ( 68 bytes )
11/12/21 15:20:40 =< : cookies :
11/12/21 15:20:40 =< : message
11/12/21 15:20:40 ii : received xauth result -
11/12/21 15:20:40 ii : user rpolak authentication succeeded
11/12/21 15:20:40 ii : sending xauth acknowledge
11/12/21 15:20:40 >= : cookies :
11/12/21 15:20:40 >= : message
11/12/21 15:20:40 ii : opened tap device tap0
11/12/21 15:20:40 ii : configured adapter tap0
11/12/21 15:20:40 ii : creating NONE INBOUND policy ANY:74.120.51.132:* ->
ANY:192.168.1.2:*
11/12/21 15:20:40 ii : creating NONE OUTBOUND policy ANY:192.168.1.2:* ->
ANY:74.120.51.132:*
11/12/21 15:20:40 ii : created NONE policy route for 74.120.51.132/32
11/12/21 15:20:40 ii : creating IPSEC INBOUND policy ANY:10.0.0.0/8:* ->
ANY:10.22.22.24:*
11/12/21 15:20:40 ii : creating IPSEC OUTBOUND policy ANY:10.22.22.24:* ->
ANY:10.0.0.0/8:*
11/12/21 15:20:40 ii : created IPSEC policy route for 10.0.0.0/8
11/12/21 15:20:49 ii : sending peer DPDV1-R-U-THERE notification
11/12/21 15:20:49 ii : - 192.168.1.2:4500 -> 74.120.51.132:4500
11/12/21 15:20:49 ii : - isakmp spi = :
11/12/21 15:20:49 ii : - data size 4
11/12/21 15:20:49 >= : cookies :
11/12/21 15:20:49 >= : message
11/12/21 15:20:49 ii : processing informational packet ( 92 bytes )
11/12/21 15:20:49 =< : cookies :
11/12/21 15:20:49 =< : message
11/12/21 15:20:49 ii : received peer DPDV1-R-U-THERE-ACK notification
11/12/21 15:20:49 ii : - 74.120.51.132:4500 -> 192.168.1.2:4500
11/12/21 15:20:49 ii : - isakmp spi = :
11/12/21 15:20:49 ii : - data size 4
11/12/21 15:20:52 >= : cookies :
11/12/21 15:20:52 >= : message
11/12/21 15:20:52 ii : processing phase2 packet ( 308 bytes )
11/12/21 15:20:52 =< : cookies :
11/12/21 15:20:52 =< : message
11/12/21 15:20:52 ii : matched ipsec-esp proposal #1 transform #1
11/12/21 15:20:52 ii : - transform    = esp-3des
11/12/21 15:20:52 ii : - key length   = default
11/12/21 15:20:52 ii : - encap mode   = udp-tunnel ( draft )
11/12/21 15:20:52 ii : - msg auth     = hmac-sha1
11/12/21 15:20:52 ii : - pfs dh group = group2 ( modp-1024 )
11/12/21 15:20:52 ii : - life seconds = 3600
11/12/21 15:20:52 ii : - life kbytes  = 0
11/12/21 15:20:52 ii : phase2 ids accepted
11/12/21 15:20:52 ii : - loc ANY:10.22.22.24:* -> ANY:10.0.0.0/8:*
11/12/21 15:20:52 ii : - rmt ANY:10.0.0.0/8:* -> ANY:10.22.22.24:*
11/12/21 15:20:52 ii : phase2 sa established
11/12/21 15:20:52 ii : 192.168.1.2:4500 <-> 74.120.51.132:4500
11/12/21 15:20:52 >= : cookies :
11/12/21 15:20:52 >= : message
11/12/21 15:21:04 ii : sending peer DPDV1-R-U-THERE notification
11/12/21 15:21:04 ii : - 192.168.1.2:4500 -> 74.120.51.132:4500
11/12/21 15:21:04 ii : - isakmp spi = :
11/12/21 15:21:04 ii : - data size 4
11/12/21 15:21:04 >= : cookies :
11/12/21 15:21:04 >= : message
11/12/21 15:21:04 ii : processing informational packet ( 92 bytes )
11/12/21 15:21:04 =< : cookies :
11/12/21 15:21:04 =< : message
11/12/21 15:21:04 ii : received peer DPDV1-R-U-THERE-ACK notification
11/12/21 15:21:04 ii : - 74.120.51.132:4500 -> 192.168.1.2:4500
11/12/21 15:21:04 ii : - isakmp spi = :
11/12/21 15:21:04 ii : - data size 4
11/12/21 15:21:04 <A : peer tunnel disable message
11/12/21 15:21:04 ii : removing IPSEC INBOUND policy ANY:10.0.0.0/8:* ->
ANY:10.22.22.24:*
11/12/21 15:21:04 ii : removing IPSEC OUTBOUND policy ANY:10.22.22.24:* ->
ANY:10.0.0.0/8:*
11/12/21 15:21:04 ii : removed IPSEC policy route for ANY:10.0.0.0/8:*
11/12/21 15:21:04 ii : removing NONE INBOUND policy ANY:74.120.51.132:* ->
ANY:192.168.1.2:*
11/12/21 15:21:04 ii : removing NONE OUTBOUND policy ANY:192.168.1.2:* ->
ANY:74.120.51.132:*
11/12/21 15:21:04 ii : removed NONE policy route for ANY:74.120.51.132:*
11/12/21 15:21:04 ii : closed tap device tap0
11/12/21 15:21:04 DB : removing tunnel config references
11/12/21 15:21:04 DB : removing tunnel phase2 references
11/12/21 15:21:04 ii : sending peer DELETE message
11/12/21 15:21:04 ii : - 192.168.1.2:4500 -> 74.120.51.132:4500
11/12/21 15:21:04 ii : - ipsec-esp spi =
11/12/21 15:21:04 ii : - data size 0
11/12/21 15:21:04 >= : cookies :
11/12/21 15:21:04 >= : message
11/12/21 15:21:04 ii : phase2 removal before expire time
11/12/21 15:21:04 DB : removing tunnel phase1 references
11/12/21 15:21:04 ii : sending peer DELETE message
11/12/21 15:21:04 ii : - 192.168.1.2:4500 -> 74.120.51.132:4500
11/12/21 15:21:04 ii : - isakmp spi = :
11/12/21 15:21:04 ii : - data size 0
11/12/21 15:21:04 >= : cookies :
11/12/21 15:21:04 >= : message
11/12/21 15:21:04 ii : phase1 removal before expire time
11/12/21 15:21:04 DB : removing all peer tunnel refrences
11/12/21 15:21:04 ii : ipc client process thread exit ...

-- 
Robin Polak
E-Mail: robin.polak at gmail.com
V. 917-494-2080
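The two symptoms visible in the capture above (NAT keep-alives to port 10954 that the client answers with ICMP port unreachable, and ICMP echo replies that appear on the captured interface without any matching echo requests) can be pulled out of tcpdump's text output mechanically. The script below is an added example and is not code from the post or from the Shrew Soft project; the function names and regexes are my own, and the input is a constructed excerpt of the poster's capture with the mailer's line wrapping undone.

```python
"""Classify tcpdump text lines from a NAT-T IPsec client to spot
stale-port keep-alives and one-way (asymmetric) echo conversations.

Added example, not part of the original post. The regexes assume
tcpdump's default one-line output format as shown in the capture.
"""
import re
from collections import Counter, defaultdict

# Constructed excerpt: lines taken from the capture in the post, with the
# e-mail line wrapping rejoined so each packet is a single line.
SAMPLE_CAPTURE = """\
15:20:32.145967 IP 74.120.51.132.4500 > 192.168.1.2.10954: isakmp-nat-keep-alive
15:20:32.146026 IP 192.168.1.2 > 74.120.51.132: ICMP 192.168.1.2 udp port 10954 unreachable, length 37
15:20:53.178166 IP 192.168.1.2.4500 > 74.120.51.132.4500: UDP-encap: ESP(spi=0x9a03b617,seq=0x1), length 116
15:20:53.183411 IP 74.120.51.132.4500 > 192.168.1.2.4500: UDP-encap: ESP(spi=0x0db448a1,seq=0x1), length 116
15:20:53.183411 IP 10.22.5.100 > 10.22.22.24: ICMP echo reply, id 1902, seq 2, length 64
15:20:54.178124 IP 192.168.1.2.4500 > 74.120.51.132.4500: UDP-encap: ESP(spi=0x9a03b617,seq=0x2), length 116
15:20:54.193481 IP 74.120.51.132.4500 > 192.168.1.2.4500: UDP-encap: ESP(spi=0x0db448a1,seq=0x2), length 116
15:20:54.193481 IP 10.22.5.100 > 10.22.22.24: ICMP echo reply, id 1902, seq 3, length 64
15:20:57.000277 IP 74.120.51.132.4500 > 192.168.1.2.10954: isakmp-nat-keep-alive
15:20:57.000325 IP 192.168.1.2 > 74.120.51.132: ICMP 192.168.1.2 udp port 10954 unreachable, length 37
"""

KEEPALIVE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): isakmp-nat-keep-alive")
UNREACH_RE = re.compile(r"ICMP (?P<host>[\d.]+) udp port (?P<port>\d+) unreachable")
ECHO_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo "
    r"(?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)")
ESP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.4500 > (?P<dst>[\d.]+)\.4500: "
    r"UDP-encap: ESP\(spi=(?P<spi>0x[0-9a-f]+)")


def stale_keepalive_ports(capture: str) -> dict:
    """Return {udp_port: count} for NAT keep-alives that the local host
    immediately answered with an ICMP port unreachable. The peer is still
    sending to a source port the client no longer listens on (10954 in
    the post) alongside the live NAT-T port 4500."""
    rejected = Counter()
    pending = None  # destination port of the last keep-alive seen
    for line in capture.splitlines():
        m = KEEPALIVE_RE.match(line)
        if m:
            pending = int(m.group("dport"))
            continue
        u = UNREACH_RE.search(line)
        if u and pending is not None and int(u.group("port")) == pending:
            rejected[pending] += 1
        pending = None
    return dict(rejected)


def one_way_echo_flows(capture: str) -> dict:
    """Return {icmp_id: (requests, replies)} for echo conversations where
    only one direction is visible on the captured interface. Replies with
    zero requests mean the requests left via another interface (tap0 in
    the post) while the replies arrived on the captured one (eth0)."""
    seen = defaultdict(lambda: [0, 0])
    for line in capture.splitlines():
        m = ECHO_RE.match(line)
        if not m:
            continue
        idx = 0 if m.group("kind") == "request" else 1
        seen[int(m.group("id"))][idx] += 1
    return {i: (r, p) for i, (r, p) in seen.items() if (r == 0) != (p == 0)}


def decapsulated_twins(capture: str) -> list:
    """Pair each ESP packet with a cleartext ICMP packet carrying an
    identical timestamp. In the capture above every inbound ESP packet
    is followed by its decrypted copy at the same instant, which is the
    evidence that the replies are ingressing on eth0."""
    esp_by_ts = {}
    twins = []
    for line in capture.splitlines():
        e = ESP_RE.match(line)
        if e:
            esp_by_ts[e.group("ts")] = e.group("spi")
            continue
        m = ECHO_RE.match(line)
        if m and m.group("ts") in esp_by_ts:
            twins.append((esp_by_ts[m.group("ts")], m.group("src"), m.group("dst")))
    return twins


if __name__ == "__main__":
    print("keep-alives rejected by port:", stale_keepalive_ports(SAMPLE_CAPTURE))
    print("one-way echo flows (requests, replies):", one_way_echo_flows(SAMPLE_CAPTURE))
    print("ESP packets with a same-timestamp cleartext twin:", decapsulated_twins(SAMPLE_CAPTURE))
```

Run it against a real capture with `python3 script.py < capture.txt` after replacing `SAMPLE_CAPTURE` with `sys.stdin.read()`; an echo id reported with zero requests but non-zero replies, together with keep-alives rejected on a port other than 4500, reproduces exactly the asymmetric picture described in the post.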

