From: fmarshallx@remove_the_x.acm.org   
      
   "Roy Hills" wrote in message   
   news:eaop239i3p3aoirrg3n7840n34c0uasmr8@4ax.com...   
   > On Sun, 22 Apr 2007 16:39:44 -0700, "Fred Marshall"   
   > wrote:   
   >   
   >>Thanks! Well, at this stage I have the VPN connecting and can ping
   >>through it. However, I can't map drives using the IP addresses of their hosts.
   >   
   > If you can ping then the VPN is working (assuming that the ping packets,
   > ICMP echo and echo reply, are actually going over the VPN and not just
   > being routed, of course).
   >   
   >>All I see on the hub are pretty much ISAKMP Informational packets of 126
   >>bytes each - going one way and then the other. Occasionally there's a ping
   >>from one VPN device public address to the other VPN device public address -
   >>and a reply.
   >   
   > That's weird. What you should see is some IKE (or ISAKMP, it's the same
   > thing) activity when the VPN connects. This will use UDP port 500 or maybe
   > 4500 if you're using NAT Traversal. Once the VPN is established, you
   > shouldn't see much IKE traffic other than the occasional re-keying (maybe
   > once every hour).
   >   
   > When you send data over the VPN (like the ping packets), then you should   
   > see ESP (Encapsulating Security Payload) traffic, which is IP protocol 50.   
   > You should see one ESP packet for each ping request and reply. Most
   > sniffers will decode ESP to show the SPI numbers, but they won't be able to
   > decode what's inside because it's encrypted.
   >   
   > You shouldn't be seeing plain ping going over the wire, because that   
   > suggests that it's not going over the VPN.   
   >   
   > Roy   
      
   Roy,   
      
   Thanks. Well, I set up firewall rules in the VPN routers of all possible   
   combinations:   
   inside IP to inside IP   
   inside IP to outside IP   
   outside IP to inside IP   
   outside IP to outside IP   
   entered each of these rules for the WAN interface and the LAN interface for   
   a total of 8 rules   
   Then, denied all traffic.   
   Any of these can be disabled so I've been trying with them and without them   
   and selectively so.   
      
   I found that LAN interface inside IP to inside IP was *necessary* for the   
   VPN to work.   
   That makes sense to me as the LAN interface is unencrypted / outside the   
   tunnel.   
      
   I found that WAN interface outside IP to outside IP when enabled caused   
   those outside/outside pings to show up. But, I found no failures when the   
   outside/outside rule was disabled. Yes, this would be outside the tunnel.   
      
   I have no explanation for why I see the packets I do with the sniffer I'm
   using (Ethereal). I should think the results might vary according to which
   set of security features are set up.
      
   Thanks,   
      
   Fred   
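The wire pattern Roy describes (IKE/ISAKMP on UDP 500, or 4500 with NAT traversal; ESP as IP protocol 50 with only the SPI and sequence number readable) can be checked mechanically. The script below is an added example, not part of the thread or of any sniffer's code: it builds a few constructed IPv4 packets in the shapes the thread mentions, decodes each one the way a sniffer would, and then audits the capture, flagging any ping between the two protected LANs that shows up as plaintext ICMP rather than inside ESP (a tunnel bypass), while merely noting gateway-to-gateway pings, which are outside the tunnel by design. Gateway addresses use the RFC 5737 documentation ranges and the LAN subnets are assumed.

```python
"""Decode and audit WAN-side traffic of an IPsec site-to-site VPN.

Added example; every packet below is constructed, not captured.
"""
import ipaddress
import struct

# IKEv1 (RFC 2408) and IKEv2 (RFC 7296) exchange-type codes.
EXCHANGE_NAMES = {2: "Main Mode", 4: "Aggressive", 5: "Informational",
                  32: "Quick Mode", 34: "IKE_SA_INIT", 35: "IKE_AUTH",
                  36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: IKE carried on UDP 4500


def ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum left zero) plus payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload


def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def isakmp(exchange_type):
    """28-byte ISAKMP header: cookies, next payload, version, exchange, flags, msg id, length."""
    return struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8, 0, 0x10,
                       exchange_type, 0, 0, 28)


def esp(spi, seq, ciphertext):
    """ESP: SPI and sequence number in the clear; the rest is opaque."""
    return struct.pack("!II", spi, seq) + ciphertext


def icmp_echo():
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"ping"


def classify(pkt):
    """Name the packet's role (IKE / ESP / ICMP / other) as a sniffer would."""
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    body = pkt[(ver_ihl & 0x0F) * 4:total]
    info = {"src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst))}
    if proto == 50:                                   # native ESP
        spi, seq = struct.unpack("!II", body[:8])
        info.update(kind="ESP", nat_t=False, spi=spi, seq=seq)
    elif proto == 17:
        sport, dport = struct.unpack("!HH", body[:4])
        data = body[8:]
        if 500 in (sport, dport):                     # plain IKE
            info.update(kind="IKE", nat_t=False,
                        exchange=EXCHANGE_NAMES.get(data[18], "unknown"))
        elif 4500 in (sport, dport) and data[:4] == NON_ESP_MARKER:
            info.update(kind="IKE", nat_t=True,       # IKE behind NAT-T
                        exchange=EXCHANGE_NAMES.get(data[22], "unknown"))
        elif 4500 in (sport, dport):                  # UDP-encapsulated ESP
            spi, seq = struct.unpack("!II", data[:8])
            info.update(kind="ESP", nat_t=True, spi=spi, seq=seq)
        else:
            info.update(kind="UDP", sport=sport, dport=dport)
    elif proto == 1:
        info.update(kind="ICMP", icmp_type=body[0])
    else:
        info.update(kind=f"proto-{proto}")
    return info


def audit(packets, gateways, protected_lans):
    """Classify every packet; report LEAK for inside-to-inside pings seen in
    the clear (they should have been ESP) and INFO for gateway-to-gateway pings."""
    lans = [ipaddress.ip_network(n) for n in protected_lans]
    decoded, findings = [], []
    for pkt in packets:
        info = classify(pkt)
        decoded.append(info)
        if info["kind"] != "ICMP":
            continue
        s, d = ipaddress.ip_address(info["src"]), ipaddress.ip_address(info["dst"])
        if any(s in n for n in lans) and any(d in n for n in lans):
            findings.append(("LEAK", f"{s} -> {d} ICMP in the clear; expected ESP"))
        elif {str(s), str(d)} == set(gateways):
            findings.append(("INFO", f"{s} -> {d} gateway ping, outside the tunnel"))
    return decoded, findings


GW_A, GW_B = "203.0.113.1", "198.51.100.1"       # constructed public addresses
LANS = ("192.168.1.0/24", "192.168.2.0/24")       # assumed protected subnets
SAMPLE_CAPTURE = [                                # constructed, not captured
    ipv4(GW_A, GW_B, 17, udp(500, 500, isakmp(5))),                  # ISAKMP Informational
    ipv4(GW_A, GW_B, 50, esp(0xC0FFEE, 1, b"\xaa" * 32)),            # ping request, in tunnel
    ipv4(GW_B, GW_A, 50, esp(0x1234, 1, b"\xbb" * 32)),              # ping reply, in tunnel
    ipv4(GW_A, GW_B, 1, icmp_echo()),                                # gateway-to-gateway ping
    ipv4(GW_A, GW_B, 17, udp(4500, 4500, NON_ESP_MARKER + isakmp(5))),   # IKE via NAT-T
    ipv4(GW_A, GW_B, 17, udp(4500, 4500, esp(0xC0FFEE, 2, b"\xcc" * 32))),  # ESP via NAT-T
    ipv4("192.168.1.10", "192.168.2.20", 1, icmp_echo()),            # inside ping leaked in clear
]

if __name__ == "__main__":
    decoded, findings = audit(SAMPLE_CAPTURE, (GW_A, GW_B), LANS)
    for d in decoded:
        print(d)
    for level, msg in findings:
        print(level, msg)
```

On a real capture you would feed `classify` the raw IPv4 bytes from each frame; the rule of thumb from the thread holds: once the tunnel is up, a ping across it shows as one ESP packet each way, and a protected address pair appearing in plain ICMP on the WAN means that traffic is bypassing the tunnel.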
      