[vpn-help] Asymmetric routing on Ubuntu 11.04 connecting to Juniper SSG 550

Kevin VPN kvpn at live.com
Wed Jan 11 20:07:15 CST 2012


On 01/06/2012 09:06 AM, Robin Polak wrote:
> On Thu, Jan 5, 2012 at 22:25, Kevin VPN<kvpn at live.com>  wrote:
>
>> On 12/21/2011 03:44 PM, Robin Polak wrote:
>>
>>> Hello,
>>>
>>> I'm getting an established connection to my Juniper SSG 550, however the
>>> traffic is egressing through the tap0 interface and then ingressing
>>> through
>>> eth0.  You can see this behavior in the packet capture below.  The debug
>>> log shows no errors.  My configuration is as follows:
>>>
>>>   ...
>>>
>>> 15:21:04.712747 IP 192.168.1.2.4500 > 74.120.51.132.4500:
>>> isakmp-nat-keep-alive
>>> 15:21:04.723654 IP 192.168.1.2.4500 > 74.120.51.132.4500: NONESP-encap:
>>> isakmp: phase 2/others I inf[E]
>>> 15:21:04.726302 IP 74.120.51.132.4500 > 192.168.1.2.4500: NONESP-encap:
>>> isakmp: phase 2/others R inf[E]
>>> 15:21:04.935739 IP 192.168.1.2.4500 > 74.120.51.132.4500: NONESP-encap:
>>> isakmp: phase 2/others I inf[E]
>>> 15:21:04.937389 IP 192.168.1.2.4500 > 74.120.51.132.4500: NONESP-encap:
>>> isakmp: phase 2/others I inf[E]
>>> 15:21:07.174577 IP 74.120.51.132.4500 > 192.168.1.2.10954:
>>> isakmp-nat-keep-alive
>>> 15:21:07.174659 IP 192.168.1.2 > 74.120.51.132: ICMP 192.168.1.2 udp port
>>> 10954 unreachable, length 37
>>>
>>>   ...
>>>
>>> 11/12/21 15:20:34 ii : nat discovery - local address is translated
>>>
>>> 11/12/21 15:20:34 ii : switching to src nat-t udp port 4500
>>> 11/12/21 15:20:34 ii : switching to dst nat-t udp port 4500
>>> 11/12/21 15:20:34 >= : cookies :
>>> 11/12/21 15:20:34 >= : message
>>> 11/12/21 15:20:34 ii : phase1 sa established
>>> 11/12/21 15:20:34 ii : 74.120.51.132:4500 <-> 192.168.1.2:4500
>>>
>>> ...
>>>
>>> 11/12/21 15:20:52 ii : phase2 ids accepted
>>> 11/12/21 15:20:52 ii : - loc ANY:10.22.22.24:* -> ANY:10.0.0.0/8:*
>>> 11/12/21 15:20:52 ii : - rmt ANY:10.0.0.0/8:* -> ANY:10.22.22.24:*
>>> 11/12/21 15:20:52 ii : phase2 sa established
>>>
>>
>> Hi Robin,
>>
>> I'm not sure I see it.  I do see the odd packet in the capture destined
>> for the local host on port 10954 which seems wrong, but I'm not sure what
>> that means.
>>
>
> Hi Kevin,
>
>     Here is an excerpt from the capture showing the packet in question.  If
> as you describe the Juniper routes traffic destined for 10.22.22.24 out
> its internet interface it would get null routed at the edge.  RFC1918
> addresses are not routed by ISPs.
>
> 15:20:54.178124 IP 192.168.1.2.4500 > 74.120.51.132.4500: UDP-encap:
> ESP(spi=0x9a03b617,seq=0x2), length 116
> 15:20:54.193481 IP 74.120.51.132.4500 > 192.168.1.2.4500: UDP-encap:
> ESP(spi=0x0db448a1,seq=0x2), length 116  *- Encap*
> 15:20:54.193481 IP 10.22.5.100 > 10.22.22.24: ICMP echo reply, id 1902, seq
> 3, length 64 * -Decap (should be on tap0)*
>

Hi Robin,

Now I see what you're seeing.  My apologies for missing it, I forgot 
dumps would only come from one interface at a time.

This sounds a little like a problem that was discussed on the list 
before.  See if this post helps out:
http://lists.shrew.net/pipermail/vpn-help/2008-November/000950.html
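The two symptoms in this thread (decapsulated 10.x traffic showing up on eth0 instead of tap0, and a NAT-T keep-alive arriving on port 10954 and being answered with ICMP port unreachable) can be picked out of a plain `tcpdump -n` text capture mechanically. The script below is an added example, not code from the thread or from the Shrew Soft client; it assumes the default tcpdump one-line text format, the NAT-T port 4500 that both sides switched to in the debug log, and the phase 2 selector 10.0.0.0/8 from the same log. The sample lines are the ones quoted above, joined onto single lines.

```python
"""Flag IPsec NAT-T symptoms in tcpdump text output from the outer interface.

Findings produced:
  nat-t-port-mismatch          IKE/ESP-in-UDP on a port other than the negotiated one
  icmp-port-unreachable        the host rejecting such a packet
  inner-traffic-on-outer-iface tunnel-selector traffic seen on the physical interface
"""
import ipaddress

# Assumptions taken from the debug log quoted in the thread.
NAT_T_PORT = 4500
TUNNEL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # phase2 rmt/loc selectors

# Sample capture lines from the thread (tcpdump -n on eth0), one packet per line.
SAMPLE_CAPTURE = """\
15:20:54.178124 IP 192.168.1.2.4500 > 74.120.51.132.4500: UDP-encap: ESP(spi=0x9a03b617,seq=0x2), length 116
15:20:54.193481 IP 74.120.51.132.4500 > 192.168.1.2.4500: UDP-encap: ESP(spi=0x0db448a1,seq=0x2), length 116
15:20:54.193481 IP 10.22.5.100 > 10.22.22.24: ICMP echo reply, id 1902, seq 3, length 64
15:21:04.712747 IP 192.168.1.2.4500 > 74.120.51.132.4500: isakmp-nat-keep-alive
15:21:07.174577 IP 74.120.51.132.4500 > 192.168.1.2.10954: isakmp-nat-keep-alive
15:21:07.174659 IP 192.168.1.2 > 74.120.51.132: ICMP 192.168.1.2 udp port 10954 unreachable, length 37
"""


def _endpoint(text):
    """Split 'a.b.c.d.port' or 'a.b.c.d' into (ip, port or None)."""
    parts = text.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return text, None


def parse_line(line):
    """Parse one 'HH:MM:SS.us IP src > dst: payload' line; None if not that shape."""
    try:
        ts, rest = line.split(" IP ", 1)
        endpoints, payload = rest.split(": ", 1)
        src_text, dst_text = endpoints.split(" > ")
    except ValueError:
        return None
    src, sport = _endpoint(src_text)
    dst, dport = _endpoint(dst_text)
    return {"ts": ts, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "payload": payload}


def _in_tunnel(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TUNNEL_NETS)


def check_capture(text, nat_t_port=NAT_T_PORT):
    """Return (kind, timestamp, detail) findings for an outer-interface capture."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        pkt = parse_line(line)
        if pkt is None:
            continue
        payload = pkt["payload"]
        if payload.startswith(("isakmp", "UDP-encap", "NONESP-encap")):
            # IKE and ESP-in-UDP must use the negotiated NAT-T port at both ends;
            # a different port means a NAT mapping changed or was never updated.
            for role, port in (("src", pkt["sport"]), ("dst", pkt["dport"])):
                if port != nat_t_port:
                    findings.append(("nat-t-port-mismatch", pkt["ts"],
                                     f"{role} port {port} != {nat_t_port}: {line}"))
        elif "udp port" in payload and "unreachable" in payload:
            findings.append(("icmp-port-unreachable", pkt["ts"], payload))
        elif _in_tunnel(pkt["src"]) and _in_tunnel(pkt["dst"]):
            # Cleartext inner traffic on the outer interface: decapsulation is
            # landing on eth0 rather than the tap0 tunnel interface.
            findings.append(("inner-traffic-on-outer-iface", pkt["ts"], line))
    return findings


if __name__ == "__main__":
    for kind, ts, detail in check_capture(SAMPLE_CAPTURE):
        print(f"{ts} {kind}: {detail}")
```

Feed it `tcpdump -n -i eth0 udp port 4500 or icmp` output; on a healthy tunnel the outer interface shows only port-4500 traffic and no 10.x addresses, so an empty result is the expected baseline.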


