[Oisf-users] IPSec handshake and AF-Packet
Andreas Herz
andi at geekosphere.org
Thu Nov 26 07:55:56 UTC 2015
On 25/11/15 at 18:03, Leonard Jacobs wrote:
> Well here is what we have discovered so far. There appears to be an
> incompatibility between SonicWALL's Global VPN Client version
> 4.9.4.0305 or higher. Possibly version 4.9.0 too but we have not
> tested that version yet. We know for sure that version 4.2.6.0305
> works fine.
Does it trigger any rules?
> The symptom is IKE Phase 1 does not complete when IPSec VPN handshake
> traffic passes through the IPS set to AF-packet mode. We have not
> tested NFQUEUE mode.
How did you configure the AF-packet mode exactly? Do you use bridging?
> SonicWALL obviously changed something in their Global VPN Client
> software.
>
> Thanks.
>
> Leonard
>
> -----Original Message-----
> From: Oisf-users [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of Victor Julien
> Sent: Wednesday, November 25, 2015 7:07 AM
> To: oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] IPSec handshake and AF-Packet
>
> On 25-11-15 13:56, Leonard Jacobs wrote:
> > Experiencing IPSec handshake being stopped in AF-Packet mode.
> > Setting defrag to no seems to help and connection is established but
> > sometimes seems to have latency. Sometimes connection is just
> > stopped. If connection is already established when Suricata is
> > started then connection stays established. What could be causing
> > this issue?
>
> When reporting issues like this it's helpful if you can add more
> details, pcaps, log messages, anything.
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________ Suricata IDS Users
> mailing list: oisf-users at openinfosecfoundation.org Site:
> http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List:
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona:
> http://oisfevents.net
--
Andreas Herz