[Oisf-users] IPSec handshake and AF-Packet

Leonard Jacobs ljacobs at netsecuris.com
Fri Nov 27 13:00:18 UTC 2015


Well, since we have narrowed the problem down to the SonicWALL VPN client, the problem is really not an AF-Packet problem but rather the way SonicWALL implements their VPN client. They changed something about how their client works.

Leonard
  _____  

From: 'Andreas Herz' [mailto:andi at geekosphere.org]
To: Leonard Jacobs [mailto:ljacobs at netsecuris.com]
Cc: oisf-users at lists.openinfosecfoundation.org
Sent: Fri, 27 Nov 2015 05:34:44 -0600
Subject: Re: [Oisf-users] IPSec handshake and AF-Packet

On 26/11/15 at 12:33, Leonard Jacobs wrote:
  > There are no rules triggered associated with VPN.
  > 
  > When you run TCPDump, you see traffic on the inbound interface but no traffic on the other interface.
  > 
  > Only use the packet copying of AF-Packet mode.  No other bridging.
  
  I don't use AF-Packet mode this way, but I use NFQUEUE. Is it possible
  to try NFQUEUE mode to compare it with AF-Packet mode?
  
  But for now I have no other idea so far, maybe someone else has more
  insight.
  
  > - interface: eth0
  >     threads: 6
  >     cluster-id: 99
  >     cluster-type: cluster_flow
  >     defrag: yes
  >     use-mmap: yes
  >     buffer-size: 64535
  >     copy-mode: ips
  >     copy-iface: p1p1
  >   - interface: p1p1
  >     threads: 6
  >     cluster-id: 98
  >     cluster-type: cluster_flow
  >     copy-mode: ips
  >     copy-iface: eth0
  >     defrag: yes
  >     buffer-size: 64535
  >     use-mmap: yes
  > 
  > -----Original Message-----
  > From: Andreas Herz [mailto:andi at geekosphere.org] 
  > Sent: Thursday, November 26, 2015 1:56 AM
  > To: Leonard Jacobs
  > Cc: oisf-users at lists.openinfosecfoundation.org
  > Subject: Re: [Oisf-users] IPSec handshake and AF-Packet
  > 
  > On 25/11/15 at 18:03, Leonard Jacobs wrote:
  > > Well here is what we have discovered so far.  There appears to be an 
  > > incompatibility between SonicWALL's Global VPN Client version
  > > 4.9.4.0305 or higher. Possibly version 4.9.0 too but we have not 
  > > tested that version yet.  We know for sure that version 4.2.6.0305 
  > > works fine.
  > 
  > Does it trigger any rules?
  > 
  > > The symptom is IKE Phase 1 does not complete when IPSec VPN handshake 
  > > traffic passes through the IPS set to AF-packet mode.  We have not 
  > > tested NFQUEUE mode.
  > 
  > How did you configure the AF-packet mode exactly? Do you use bridging?
  > 
  > > SonicWALL obviously changed something in their Global VPN Client 
  > > software.
  > > 
  > > Thanks.
  > > 
  > > Leonard
  > > 
  > > -----Original Message-----
  > > From: Oisf-users [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of Victor Julien
  > > Sent: Wednesday, November 25, 2015 7:07 AM
  > > To: oisf-users at lists.openinfosecfoundation.org
  > > Subject: Re: [Oisf-users] IPSec handshake and AF-Packet
  > > 
  > > On 25-11-15 13:56, Leonard Jacobs wrote:
  > > > Experiencing IPSec handshake being stopped in AF-Packet mode.
  > > > Setting defrag to no seems to help and connection is established but 
  > > > sometimes seems to have latency. Sometimes connection is just 
  > > > stopped. If connection is already established when Suricata is 
  > > > started then connection stays established. What could be causing 
  > > > this issue?
  > > 
  > > When reporting issues like this it's helpful if you can add more 
  > > details, pcaps, log messages, anything.
  > > 
  > > --
  > > ---------------------------------------------
  > > Victor Julien
  > > http://www.inliniac.net/
  > > PGP: http://www.inliniac.net/victorjulien.asc
  > > ---------------------------------------------
  > > 
  > > _______________________________________________
  > > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
  > > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
  > > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
  > > Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
  > 
  > --
  > Andreas Herz
  > 
  
  -- 
  Andreas Herz
    
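The symptom in this thread (IKE Phase 1 stalling in af-packet IPS copy mode with defrag: yes, working with defrag: no) is easiest to narrow down by looking at the IKE datagrams on the inbound interface: how many fragments they arrive in, and how large the datagram is once the kernel's defrag has put it back together before Suricata copies it to copy-iface. The following is an added example, not code from the thread or from Suricata: a small Python parser over constructed IPv4/UDP/ISAKMP frames that names the exchange type, counts fragments per datagram and reports whether the reassembled datagram would be larger than the copy interface MTU. That an oversized reassembled datagram is what breaks this particular setup is an assumption the thread does not confirm; the script only gives you the numbers to check against a real capture (replace sample_frames() with frames read from a pcap). The frames, addresses and sizes are constructed for the example.

```python
"""Added example (not from the thread or from Suricata): classify IKE/ISAKMP
datagrams in a list of raw IPv4 frames, count their fragments and report
whether the kernel-reassembled datagram would exceed the copy interface MTU.
Frames are constructed below; field layouts follow RFC 791 (IPv4), RFC 768
(UDP) and the ISAKMP/IKEv2 header (RFC 2408 / RFC 7296)."""
import struct

IKE_PORTS = {500, 4500}
# (IKE major version, exchange type) -> name of the handshake exchange.
EXCHANGES = {
    (1, 2): "IKEv1 Main Mode (Phase 1)",
    (1, 4): "IKEv1 Aggressive Mode (Phase 1)",
    (1, 32): "IKEv1 Quick Mode (Phase 2)",
    (2, 34): "IKEv2 IKE_SA_INIT",
    (2, 35): "IKEv2 IKE_AUTH",
}


def parse_ipv4(frame):
    """Split an IPv4 frame into the fields fragment handling needs."""
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto = struct.unpack(
        "!BBHHHBB", frame[:10])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "id": ident,
        "proto": proto,
        "mf": bool(flags_frag & 0x2000),       # More Fragments flag
        "offset": (flags_frag & 0x1FFF) * 8,   # fragment offset in bytes
        "payload": frame[ihl:total_len],
    }


def ike_exchange(udp_payload, dport):
    """Name the ISAKMP exchange type, or None if no full header is present."""
    if dport == 4500 and udp_payload[:4] == b"\x00\x00\x00\x00":
        udp_payload = udp_payload[4:]          # skip the NAT-T non-ESP marker
    if len(udp_payload) < 28:
        return None
    _ispi, _rspi, _next, version, exch, _flags, _msgid, _length = struct.unpack(
        "!QQBBBBII", udp_payload[:28])
    return EXCHANGES.get((version >> 4, exch), "other exchange %d" % exch)


def classify(frames, copy_mtu=1500):
    """One report per IKE datagram. Datagrams are keyed by IP ID only because
    the constructed frames share one address pair; on a real capture key on
    (src, dst, id, proto)."""
    datagrams = {}
    for frame in frames:
        ip = parse_ipv4(frame)
        if ip["proto"] != 17:
            continue
        d = datagrams.setdefault(ip["id"], {"exchange": None, "frags": 0, "end": 0})
        d["frags"] += 1
        d["end"] = max(d["end"], ip["offset"] + len(ip["payload"]))
        if ip["offset"] == 0:                  # only the first fragment carries UDP
            sport, dport = struct.unpack("!HH", ip["payload"][:4])
            if sport in IKE_PORTS or dport in IKE_PORTS:
                d["exchange"] = ike_exchange(ip["payload"][8:], dport)
    reports = []
    for ident, d in datagrams.items():
        if d["exchange"] is None:
            continue
        reassembled = 20 + d["end"]            # what kernel defrag hands over
        reports.append({
            "id": ident,
            "exchange": d["exchange"],
            "fragments": d["frags"],
            "reassembled_len": reassembled,
            "exceeds_copy_mtu": reassembled > copy_mtu,
        })
    return reports


def build_ike_frames(version, exchange, body_len, ident, sender_mtu=1500):
    """Constructed input: one ISAKMP datagram on UDP/500, fragmented the way a
    sender with sender_mtu would emit it (fragment data on 8-byte bounds)."""
    isakmp = struct.pack("!QQBBBBII", 0x1122334455667788, 0, 1, version << 4,
                         exchange, 0, 0, 28 + body_len) + b"\x00" * body_len
    udp = struct.pack("!HHHH", 500, 500, 8 + len(isakmp), 0) + isakmp
    chunk = (sender_mtu - 20) // 8 * 8
    frames = []
    for off in range(0, len(udp), chunk):
        piece = udp[off:off + chunk]
        mf = 0x2000 if off + chunk < len(udp) else 0
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(piece), ident,
                          mf | (off // 8), 64, 17, 0, b"\x0a\x00\x00\x01",
                          b"\x0a\x00\x00\x02")
        frames.append(hdr + piece)
    return frames


def sample_frames():
    """Constructed capture: a small Main Mode message in one frame, a
    certificate-sized Main Mode message in two fragments, and a DNS datagram
    that must be ignored."""
    frames = build_ike_frames(1, 2, 300, ident=1)
    frames += build_ike_frames(1, 2, 2000, ident=2)
    dns = struct.pack("!HHHH", 40000, 53, 8 + 12, 0) + b"\x00" * 12
    frames.append(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(dns), 3, 0, 64,
                              17, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02") + dns)
    return frames


if __name__ == "__main__":
    for report in classify(sample_frames(), copy_mtu=1500):
        print(report)
```

On the constructed input the 300-byte Main Mode message fits in one 356-byte frame, while the 2000-byte one arrives as two fragments and reassembles to 2056 bytes, over a 1500-byte copy interface; that is the comparison to make against a capture of the failing client, with copy_mtu set to the MTU of the interface named in copy-iface.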