[Oisf-users] IPSec handshake and AF-Packet

Leonard Jacobs ljacobs at netsecuris.com
Thu Nov 26 00:03:28 UTC 2015

Well here is what we have discovered so far.  There appears to be an incompatibility between SonicWALL's Global VPN Client version or higher. Possibly version 4.9.0 too but we have not tested that version yet.  We know for sure that version works fine.

The symptom is IKE Phase 1 does not complete when IPSec VPN handshake traffic passes through the IPS set to AF-packet mode.  We have not tested  NFQUEUE mode.

SonicWALL obviously changed something in their Global VPN Client software.



-----Original Message-----
From: Oisf-users [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of Victor Julien
Sent: Wednesday, November 25, 2015 7:07 AM
To: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] IPSec handshake and AF-Packet

On 25-11-15 13:56, Leonard Jacobs wrote:
> Experiencing IPSec handshake being stopped in AF-Packet mode. Setting 
> defrag to no seems to help and connection is establushed but sometimes 
> seems to have latency. Sometimes connection is just stopped. If 
> connection is already established when Suricata is started then 
> connection stays established. What could be causing this issue?

When reporting issues like this it's helpful if you can add more details, pcaps, log messages, anything.

Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc

Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net

More information about the Oisf-users mailing list