[Oisf-users] IPSec handshake and AF-Packet

'Andreas Herz' andi at geekosphere.org
Fri Nov 27 11:34:44 UTC 2015 

On 26/11/15 at 12:33, Leonard Jacobs wrote:
> There are no rules triggered associated with VPN.
> 
> When you run TCPDump, you see traffic on the inbound interface but no traffic on the other interface.
> 
> Only use the packet copying of AF-Packet mode.  No other bridging.

I don't use AF-Packet mode this way, but i use NFQUEUE. Is it possible
to try NFQUEUE mode to compare it with AF-Packet mode?

But for now i have no other idea so far, maybe someelse has more
insight.

> - interface: eth0
>     threads: 6
>     cluster-id: 99
>     cluster-type: cluster_flow
>     defrag: yes
>     use-mmap: yes
>     buffer-size: 64535
>     copy-mode: ips
>     copy-iface: p1p1
>   - interface: p1p1
>     threads: 6
>     cluster-id: 98
>     cluster-type: cluster_flow
>     copy-mode: ips
>     copy-iface: eth0
>     defrag: yes
>     buffer-size: 64535
>     use-mmap: yes
> 
> -----Original Message-----
> From: Andreas Herz [mailto:andi at geekosphere.org] 
> Sent: Thursday, November 26, 2015 1:56 AM
> To: Leonard Jacobs
> Cc: oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] IPSec handshake and AF-Packet
> 
> On 25/11/15 at 18:03, Leonard Jacobs wrote:
> > Well here is what we have discovered so far.  There appears to be an 
> > incompatibility between SonicWALL's Global VPN Client version
> > 4.9.4.0305 or higher. Possibly version 4.9.0 too but we have not 
> > tested that version yet.  We know for sure that version 4.2.6.0305 
> > works fine.
> 
> Does it trigger any rules?
> 
> > The symptom is IKE Phase 1 does not complete when IPSec VPN handshake 
> > traffic passes through the IPS set to AF-packet mode.  We have not 
> > tested  NFQUEUE mode.
> 
> How did you configure the AF-packet mode exactly? Do you use bridging?
> 
> > SonicWALL obviously changed something in their Global VPN Client 
> > software.
> > 
> > Thanks.
> > 
> > Leonard
> > 
> > -----Original Message----- From: Oisf-users 
> > [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf 
> > Of Victor Julien Sent: Wednesday, November 25, 2015 7:07 AM To:
> > oisf-users at lists.openinfosecfoundation.org Subject: Re: [Oisf-users] 
> > IPSec handshake and AF-Packet
> > 
> > On 25-11-15 13:56, Leonard Jacobs wrote:
> > > Experiencing IPSec handshake being stopped in AF-Packet mode.
> > > Setting defrag to no seems to help and connection is establushed but 
> > > sometimes seems to have latency. Sometimes connection is just 
> > > stopped. If connection is already established when Suricata is 
> > > started then connection stays established. What could be causing 
> > > this issue?
> > 
> > When reporting issues like this it's helpful if you can add more 
> > details, pcaps, log messages, anything.
> > 
> > -- --------------------------------------------- Victor Julien 
> > http://www.inliniac.net/ PGP: http://www.inliniac.net/victorjulien.asc
> > ---------------------------------------------
> > 
> > _______________________________________________ Suricata IDS Users 
> > mailing list: oisf-users at openinfosecfoundation.org Site:
> > http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List:
> > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > Suricata User Conference November 4 & 5 in Barcelona:
> > http://oisfevents.net
> > 
> > _______________________________________________ Suricata IDS Users 
> > mailing list: oisf-users at openinfosecfoundation.org Site:
> > http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List:
> > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > Suricata User Conference November 4 & 5 in Barcelona:
> > http://oisfevents.net
> 
> --
> Andreas Herz
> 

-- 
Andreas Herz

More information about the Oisf-users mailing list