[vpn-help] Asymmetric routing on Ubuntu 11.04 connecting to Juniper SSG 550
Kevin VPN
kvpn at live.com
Wed Jan 11 20:07:15 CST 2012
On 01/06/2012 09:06 AM, Robin Polak wrote:
> On Thu, Jan 5, 2012 at 22:25, Kevin VPN <kvpn at live.com> wrote:
>
>> On 12/21/2011 03:44 PM, Robin Polak wrote:
>>
>>> Hello,
>>>
>>> I'm getting an established connection to my Juniper SSG 550, however the
>>> traffic is egressing through the tap0 interface and then ingressing through
>>> eth0. You can see this behavior in the packet capture below. The debug
>>> log shows no errors. My configuration is as follows:
>>>
>> ...
>>
>>> 15:21:04.712747 IP 192.168.1.2.4500 > 74.120.51.132.4500:
>>> isakmp-nat-keep-alive
>>> 15:21:04.723654 IP 192.168.1.2.4500 > 74.120.51.132.4500: NONESP-encap:
>>> isakmp: phase 2/others I inf[E]
>>> 15:21:04.726302 IP 74.120.51.132.4500 > 192.168.1.2.4500: NONESP-encap:
>>> isakmp: phase 2/others R inf[E]
>>> 15:21:04.935739 IP 192.168.1.2.4500 > 74.120.51.132.4500: NONESP-encap:
>>> isakmp: phase 2/others I inf[E]
>>> 15:21:04.937389 IP 192.168.1.2.4500 > 74.120.51.132.4500: NONESP-encap:
>>> isakmp: phase 2/others I inf[E]
>>> 15:21:07.174577 IP 74.120.51.132.4500 > 192.168.1.2.10954:
>>> isakmp-nat-keep-alive
>>> 15:21:07.174659 IP 192.168.1.2 > 74.120.51.132: ICMP 192.168.1.2 udp port
>>> 10954 unreachable, length 37
>>>
>> ...
>>
>>> 11/12/21 15:20:34 ii : nat discovery - local address is translated
>>>
>>> 11/12/21 15:20:34 ii : switching to src nat-t udp port 4500
>>> 11/12/21 15:20:34 ii : switching to dst nat-t udp port 4500
>>> 11/12/21 15:20:34 >= : cookies :
>>> 11/12/21 15:20:34 >= : message
>>> 11/12/21 15:20:34 ii : phase1 sa established
>>> 11/12/21 15:20:34 ii : 74.120.51.132:4500 <-> 192.168.1.2:4500
>>>
>> ...
>>
>>> 11/12/21 15:20:52 ii : phase2 ids accepted
>>> 11/12/21 15:20:52 ii : - loc ANY:10.22.22.24:* -> ANY:10.0.0.0/8:*
>>> 11/12/21 15:20:52 ii : - rmt ANY:10.0.0.0/8:* -> ANY:10.22.22.24:*
>>> 11/12/21 15:20:52 ii : phase2 sa established
>>>
>>
>> Hi Robin,
>>
>> I'm not sure I see it. I do see the odd packet in the capture destined
>> for the local host on port 10954 which seems wrong, but I'm not sure what
>> that means.
>>
>
> Hi Kevin,
>
> Here is an excerpt from the capture showing the packet in question. If,
> as you describe, the Juniper routes traffic destined for 10.22.22.24 out
> its internet interface, it would get null routed at the edge. RFC1918
> addresses are not routed by ISPs.
>
> 15:20:54.178124 IP 192.168.1.2.4500 > 74.120.51.132.4500: UDP-encap:
> ESP(spi=0x9a03b617,seq=0x2), length 116
> 15:20:54.193481 IP 74.120.51.132.4500 > 192.168.1.2.4500: UDP-encap:
> ESP(spi=0x0db448a1,seq=0x2), length 116 *- Encap*
> 15:20:54.193481 IP 10.22.5.100 > 10.22.22.24: ICMP echo reply, id 1902, seq
> 3, length 64 *- Decap (should be on tap0)*
>
Hi Robin,

Now I see what you're seeing. My apologies for missing it; I forgot that
dumps would only come from one interface at a time.

This sounds a little like a problem that was discussed on the list
before. See if this post helps out:

http://lists.shrew.net/pipermail/vpn-help/2008-November/000950.html