[vpn-help] Asymmetric routing on Ubuntu 11.04 connecting to Juniper SSG 550

Kevin VPN kvpn at live.com
Thu Jan 5 21:25:10 CST 2012


On 12/21/2011 03:44 PM, Robin Polak wrote:
> Hello,
>
> I'm getting an established connection to my Juniper SSG 550, however the
> traffic is egressing through the tap0 interface and then ingressing through
> eth0.  You can see this behavior in the packet capture below.  The debug
> log shows no errors.  My configuration is as follows:
>
...
> 15:21:04.712747 IP 192.168.1.2.4500 > 74.120.51.132.4500: isakmp-nat-keep-alive
> 15:21:04.723654 IP 192.168.1.2.4500 > 74.120.51.132.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
> 15:21:04.726302 IP 74.120.51.132.4500 > 192.168.1.2.4500: NONESP-encap: isakmp: phase 2/others R inf[E]
> 15:21:04.935739 IP 192.168.1.2.4500 > 74.120.51.132.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
> 15:21:04.937389 IP 192.168.1.2.4500 > 74.120.51.132.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
> 15:21:07.174577 IP 74.120.51.132.4500 > 192.168.1.2.10954: isakmp-nat-keep-alive
> 15:21:07.174659 IP 192.168.1.2 > 74.120.51.132: ICMP 192.168.1.2 udp port 10954 unreachable, length 37
>
...
> 11/12/21 15:20:34 ii : nat discovery - local address is translated
> 11/12/21 15:20:34 ii : switching to src nat-t udp port 4500
> 11/12/21 15:20:34 ii : switching to dst nat-t udp port 4500
> 11/12/21 15:20:34 >= : cookies :
> 11/12/21 15:20:34 >= : message
> 11/12/21 15:20:34 ii : phase1 sa established
> 11/12/21 15:20:34 ii : 74.120.51.132:4500 <-> 192.168.1.2:4500
...
> 11/12/21 15:20:52 ii : phase2 ids accepted
> 11/12/21 15:20:52 ii : - loc ANY:10.22.22.24:* -> ANY:10.0.0.0/8:*
> 11/12/21 15:20:52 ii : - rmt ANY:10.0.0.0/8:* -> ANY:10.22.22.24:*
> 11/12/21 15:20:52 ii : phase2 sa established

Hi Robin,

I'm not sure I see it.  I do see the odd packet in the capture destined 
for the local host on port 10954 which seems wrong, but I'm not sure 
what that means.

About the only thing that comes to mind is related to the rogue port 
10954 traffic.  Is it possible that the SSG 550 is somehow thinking that 
the local host 10.22.22.24 is NATted behind 192.168.1.2 rather than 
being at the end of a tunnel?  So when outbound traffic for 10.22.22.24 
is received at the SSG's ingress, instead of putting it into the tunnel, 
it NATs it and sends it out its Internet interface?
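The check Kevin is doing by eye above, written out as a script. This is an added example, not code from the post or from the Shrew Soft client: it takes the negotiated NAT-T endpoints from the iked log ("phase1 sa established" followed by the peer:port <-> local:port line) and walks a tcpdump capture, flagging any packet from the peer that arrives on a port other than the negotiated one, and any ICMP port-unreachable the local host sends back to the peer. The sample input is the capture and log excerpt quoted in the post, rejoined onto one line per packet; the function and class names are my own and the regexes assume default tcpdump -n output for IPv4.

```python
"""Correlate a tcpdump capture of an IKE NAT-T session with the iked log
that negotiated it, and flag peer traffic that misses the negotiated
UDP endpoints (e.g. a NAT keepalive arriving on a stray port)."""
import re
from dataclasses import dataclass

# Sample input: the lines quoted in the post, one packet per line.
CAPTURE = """\
15:21:04.712747 IP 192.168.1.2.4500 > 74.120.51.132.4500: isakmp-nat-keep-alive
15:21:04.723654 IP 192.168.1.2.4500 > 74.120.51.132.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
15:21:04.726302 IP 74.120.51.132.4500 > 192.168.1.2.4500: NONESP-encap: isakmp: phase 2/others R inf[E]
15:21:07.174577 IP 74.120.51.132.4500 > 192.168.1.2.10954: isakmp-nat-keep-alive
15:21:07.174659 IP 192.168.1.2 > 74.120.51.132: ICMP 192.168.1.2 udp port 10954 unreachable, length 37
"""

IKED_LOG = """\
11/12/21 15:20:34 ii : switching to src nat-t udp port 4500
11/12/21 15:20:34 ii : switching to dst nat-t udp port 4500
11/12/21 15:20:34 ii : phase1 sa established
11/12/21 15:20:34 ii : 74.120.51.132:4500 <-> 192.168.1.2:4500
"""

# tcpdump -n IPv4 formats: "ts IP a.b.c.d.port > e.f.g.h.port: ..." for UDP,
# "ts IP a.b.c.d > e.f.g.h: ICMP a.b.c.d udp port N unreachable, ..." for ICMP.
UDP_RE = re.compile(r"^(\S+) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (.*)$")
ICMP_RE = re.compile(r"^(\S+) IP (\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+): ICMP .*udp port (\d+) unreachable")
# iked endpoint line after "phase1 sa established": "peer:port <-> local:port"
SA_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+):(\d+) <-> (\d+\.\d+\.\d+\.\d+):(\d+)")


@dataclass
class Packet:
    ts: str
    kind: str          # "udp" or "icmp-unreach"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0     # for ICMP: the unreachable UDP port being reported
    info: str = ""


def parse_capture(text):
    """Parse UDP and ICMP-port-unreachable lines; ignore anything else."""
    pkts = []
    for line in text.splitlines():
        m = UDP_RE.match(line)
        if m:
            ts, s, sp, d, dp, info = m.groups()
            pkts.append(Packet(ts, "udp", s, d, int(sp), int(dp), info))
            continue
        m = ICMP_RE.match(line)
        if m:
            ts, s, d, port = m.groups()
            pkts.append(Packet(ts, "icmp-unreach", s, d, dport=int(port),
                               info=f"udp port {port} unreachable"))
    return pkts


def negotiated_endpoints(log_text):
    """Return (peer, peer_port, local, local_port) from the iked endpoint line."""
    for line in log_text.splitlines():
        m = SA_RE.search(line)
        if m:
            peer, pp, local, lp = m.groups()
            return peer, int(pp), local, int(lp)
    raise ValueError("no phase1 endpoint line found in iked log")


def find_anomalies(capture_text, log_text):
    """List (timestamp, description) for peer packets off the negotiated
    port pair and for ICMP unreachables the local host sent to the peer."""
    peer, peer_port, local, local_port = negotiated_endpoints(log_text)
    findings = []
    for p in parse_capture(capture_text):
        if p.kind == "udp" and p.src == peer and p.dst == local:
            if (p.sport, p.dport) != (peer_port, local_port):
                findings.append((p.ts, f"peer {peer}:{p.sport} -> {local}:{p.dport} "
                                       f"({p.info}); negotiated {peer_port} -> {local_port}"))
        elif p.kind == "icmp-unreach" and p.src == local and p.dst == peer:
            findings.append((p.ts, f"local host answered peer with ICMP {p.info}: "
                                   f"nothing is listening on that port"))
    return findings


if __name__ == "__main__":
    for ts, msg in find_anomalies(CAPTURE, IKED_LOG):
        print(ts, msg)
```

On the quoted data this reports exactly the two lines Kevin singles out: the keepalive from 74.120.51.132:4500 to 192.168.1.2:10954 instead of the negotiated port 4500, and the ICMP port-unreachable the Ubuntu host sends back. It only isolates the mismatch; it cannot say whether the SSG or a NAT device in between is holding the stale mapping.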



More information about the vpn-help mailing list