<!DOCTYPE html PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'>
<html><head><meta http-equiv="Content-Type" content="text/html;charset=us-ascii">
<style>BODY{font:10pt Tahoma,Verdana,sans-serif} .MsoNormal{line-height:120%;margin:0}</style></head><body>
I agree but Dell SonicWall is going to have to agree to cooperate.<br><br>Leonard<br><blockquote style="padding-left: 5px; margin-left: 5px; border-left: #0000ff 2px solid; margin-right: 0px"><hr><b>From:</b> 'Andreas Herz' [mailto:andi@geekosphere.org]<br><b>To:</b> Leonard Jacobs [mailto:ljacobs@netsecuris.com]<br><b>Cc:</b> oisf-users@lists.openinfosecfoundation.org<br><b>Sent:</b> Fri, 27 Nov 2015 07:07:24 -0600<br><b>Subject:</b> Re: [Oisf-users] IPSec handshake and AF-Packet<br><br>On 27/11/15 at 07:00, Leonard Jacobs wrote:<br>
> Well since we have narrowed the problem down to the SonicWALL vpn client, the problem is really not a AF-Packet problem but rather the way SonicWALL implements their vpn client. They changed something about how their client works.<br>
<br>
Nevertheless it would be interesting what's the issue and why the<br>
traffice looks different :)<br>
<br>
> Leonard<br>
> _____ <br>
> <br>
> From: 'Andreas Herz' [mailto:<a href="mailto:andi@geekosphere.org">andi@geekosphere.org</a>]<br>
> To: Leonard Jacobs [mailto:<a href="mailto:ljacobs@netsecuris.com">ljacobs@netsecuris.com</a>]<br>
> Cc: <a href="mailto:oisf-users@lists.openinfosecfoundation.org">oisf-users@lists.openinfosecfoundation.org</a><br>
> Sent: Fri, 27 Nov 2015 05:34:44 -0600<br>
> Subject: Re: [Oisf-users] IPSec handshake and AF-Packet<br>
> <br>
> On 26/11/15 at 12:33, Leonard Jacobs wrote:<br>
> > There are no rules triggered associated with VPN.<br>
> > <br>
> > When you run TCPDump, you see traffic on the inbound interface but no traffic on the other interface.<br>
> > <br>
> > Only use the packet copying of AF-Packet mode. No other bridging.<br>
> <br>
> I don't use AF-Packet mode this way, but i use NFQUEUE. Is it possible<br>
> to try NFQUEUE mode to compare it with AF-Packet mode?<br>
> <br>
> But for now i have no other idea so far, maybe someelse has more<br>
> insight.<br>
> <br>
> > - interface: eth0<br>
> > threads: 6<br>
> > cluster-id: 99<br>
> > cluster-type: cluster_flow<br>
> > defrag: yes<br>
> > use-mmap: yes<br>
> > buffer-size: 64535<br>
> > copy-mode: ips<br>
> > copy-iface: p1p1<br>
> > - interface: p1p1<br>
> > threads: 6<br>
> > cluster-id: 98<br>
> > cluster-type: cluster_flow<br>
> > copy-mode: ips<br>
> > copy-iface: eth0<br>
> > defrag: yes<br>
> > buffer-size: 64535<br>
> > use-mmap: yes<br>
> > <br>
> > -----Original Message-----<br>
> > From: Andreas Herz [mailto:<a href="mailto:andi@geekosphere.org">andi@geekosphere.org</a>] <br>
> > Sent: Thursday, November 26, 2015 1:56 AM<br>
> > To: Leonard Jacobs<br>
> > Cc: <a href="mailto:oisf-users@lists.openinfosecfoundation.org">oisf-users@lists.openinfosecfoundation.org</a><br>
> > Subject: Re: [Oisf-users] IPSec handshake and AF-Packet<br>
> > <br>
> > On 25/11/15 at 18:03, Leonard Jacobs wrote:<br>
> > > Well here is what we have discovered so far. There appears to be an <br>
> > > incompatibility between SonicWALL's Global VPN Client version<br>
> > > 4.9.4.0305 or higher. Possibly version 4.9.0 too but we have not <br>
> > > tested that version yet. We know for sure that version 4.2.6.0305 <br>
> > > works fine.<br>
> > <br>
> > Does it trigger any rules?<br>
> > <br>
> > > The symptom is IKE Phase 1 does not complete when IPSec VPN handshake <br>
> > > traffic passes through the IPS set to AF-packet mode. We have not <br>
> > > tested NFQUEUE mode.<br>
> > <br>
> > How did you configure the AF-packet mode exactly? Do you use bridging?<br>
> > <br>
> > > SonicWALL obviously changed something in their Global VPN Client <br>
> > > software.<br>
> > > <br>
> > > Thanks.<br>
> > > <br>
> > > Leonard<br>
> > > <br>
> > > -----Original Message----- From: Oisf-users <br>
> > > [mailto:<a href="mailto:oisf-users-bounces@lists.openinfosecfoundation.org">oisf-users-bounces@lists.openinfosecfoundation.org</a>] On Behalf <br>
> > > Of Victor Julien Sent: Wednesday, November 25, 2015 7:07 AM To:<br>
> > > <a href="mailto:oisf-users@lists.openinfosecfoundation.org">oisf-users@lists.openinfosecfoundation.org</a> Subject: Re: [Oisf-users] <br>
> > > IPSec handshake and AF-Packet<br>
> > > <br>
> > > On 25-11-15 13:56, Leonard Jacobs wrote:<br>
> > > > Experiencing IPSec handshake being stopped in AF-Packet mode.<br>
> > > > Setting defrag to no seems to help and connection is establushed but <br>
> > > > sometimes seems to have latency. Sometimes connection is just <br>
> > > > stopped. If connection is already established when Suricata is <br>
> > > > started then connection stays established. What could be causing <br>
> > > > this issue?<br>
> > > <br>
> > > When reporting issues like this it's helpful if you can add more <br>
> > > details, pcaps, log messages, anything.<br>
> > > <br>
> > > -- --------------------------------------------- Victor Julien <br>
> > > <a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a> PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
> > > ---------------------------------------------<br>
> > > <br>
> > > _______________________________________________ Suricata IDS Users <br>
> > > mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a> Site:<br>
> > > <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
> > > List:<br>
> > > <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
> > > Suricata User Conference November 4 & 5 in Barcelona:<br>
> > > <a href="http://oisfevents.net" target="_blank">http://oisfevents.net</a><br>
> > > <br>
> > > _______________________________________________ Suricata IDS Users <br>
> > > mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a> Site:<br>
> > > <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
> > > List:<br>
> > > <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
> > > Suricata User Conference November 4 & 5 in Barcelona:<br>
> > > <a href="http://oisfevents.net" target="_blank">http://oisfevents.net</a><br>
> > <br>
> > --<br>
> > Andreas Herz<br>
> > <br>
> <br>
> -- <br>
> Andreas Herz<br>
> <br>
<br>
-- <br>
Andreas Herz<br>
</blockquote><style>
</style>
</body></html>