[Oisf-users] IPSec handshake and AF-Packet

Leonard Jacobs ljacobs at netsecuris.com
Thu Nov 26 18:33:24 UTC 2015 

There are no rules triggered associated with VPN.

When you run TCPDump, you see traffic on the inbound interface but no traffic on the other interface.

Only use the packet copying of AF-Packet mode.  No other bridging.

- interface: eth0
    threads: 6
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    buffer-size: 64535
    copy-mode: ips
    copy-iface: p1p1
  - interface: p1p1
    threads: 6
    cluster-id: 98
    cluster-type: cluster_flow
    copy-mode: ips
    copy-iface: eth0
    defrag: yes
    buffer-size: 64535
    use-mmap: yes

-----Original Message-----
From: Andreas Herz [mailto:andi at geekosphere.org] 
Sent: Thursday, November 26, 2015 1:56 AM
To: Leonard Jacobs
Cc: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] IPSec handshake and AF-Packet

On 25/11/15 at 18:03, Leonard Jacobs wrote:
> Well here is what we have discovered so far.  There appears to be an 
> incompatibility between SonicWALL's Global VPN Client version
> 4.9.4.0305 or higher. Possibly version 4.9.0 too but we have not 
> tested that version yet.  We know for sure that version 4.2.6.0305 
> works fine.

Does it trigger any rules?

> The symptom is IKE Phase 1 does not complete when IPSec VPN handshake 
> traffic passes through the IPS set to AF-packet mode.  We have not 
> tested  NFQUEUE mode.

How did you configure the AF-packet mode exactly? Do you use bridging?

> SonicWALL obviously changed something in their Global VPN Client 
> software.
> 
> Thanks.
> 
> Leonard
> 
> -----Original Message----- From: Oisf-users 
> [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf 
> Of Victor Julien Sent: Wednesday, November 25, 2015 7:07 AM To:
> oisf-users at lists.openinfosecfoundation.org Subject: Re: [Oisf-users] 
> IPSec handshake and AF-Packet
> 
> On 25-11-15 13:56, Leonard Jacobs wrote:
> > Experiencing IPSec handshake being stopped in AF-Packet mode.
> > Setting defrag to no seems to help and connection is establushed but 
> > sometimes seems to have latency. Sometimes connection is just 
> > stopped. If connection is already established when Suricata is 
> > started then connection stays established. What could be causing 
> > this issue?
> 
> When reporting issues like this it's helpful if you can add more 
> details, pcaps, log messages, anything.
> 
> -- --------------------------------------------- Victor Julien 
> http://www.inliniac.net/ PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
> 
> _______________________________________________ Suricata IDS Users 
> mailing list: oisf-users at openinfosecfoundation.org Site:
> http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List:
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona:
> http://oisfevents.net
> 
> _______________________________________________ Suricata IDS Users 
> mailing list: oisf-users at openinfosecfoundation.org Site:
> http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List:
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona:
> http://oisfevents.net

--
Andreas Herz

More information about the Oisf-users mailing list