[Oisf-users] IPSec handshake and AF-Packet

Leonard Jacobs ljacobs at netsecuris.com
Wed Nov 25 18:12:25 UTC 2015

We did run some tcpdump runs on both interfaces simultaneously but we did not save them.  Just live runs. What we saw was inbound IPSec handshake traffic but nothing on the other interface that was supposed to get a copy.  It seemed to work better when Defrag was set to no but the traffic did halt later in the evening.

When we did see it work, it took 3 to 5 minutes for a handshake to occur the first time we tried, but subsequent tries only took about 20 seconds to have the tunnel established.

If we try again then we will have to capture pcaps.


-----Original Message-----
From: Oisf-users [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of Victor Julien
Sent: Wednesday, November 25, 2015 7:07 AM
To: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] IPSec handshake and AF-Packet

On 25-11-15 13:56, Leonard Jacobs wrote:
> Experiencing IPSec handshake being stopped in AF-Packet mode. Setting 
> defrag to no seems to help and connection is established but sometimes 
> seems to have latency. Sometimes connection is just stopped. If 
> connection is already established when Suricata is started then 
> connection stays established. What could be causing this issue?

When reporting issues like this it's helpful if you can add more details, pcaps, log messages, anything.

Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc

Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
