[Oisf-users] IPSec handshake and AF-Packet

Leonard Jacobs ljacobs at netsecuris.com
Fri Nov 27 13:12:58 UTC 2015


I agree but Dell SonicWall is going to have to agree to cooperate.

Leonard
  _____  

From: 'Andreas Herz' [mailto:andi at geekosphere.org]
To: Leonard Jacobs [mailto:ljacobs at netsecuris.com]
Cc: oisf-users at lists.openinfosecfoundation.org
Sent: Fri, 27 Nov 2015 07:07:24 -0600
Subject: Re: [Oisf-users] IPSec handshake and AF-Packet

On 27/11/15 at 07:00, Leonard Jacobs wrote:
  > Well since we have narrowed the problem down to the SonicWALL vpn client, the problem is really not an AF-Packet problem but rather the way SonicWALL implements their vpn client. They changed something about how their client works.
  
  Nevertheless it would be interesting what's the issue and why the
  traffic looks different :)
  
  > Leonard
  >   _____  
  > 
  > From: 'Andreas Herz' [mailto:andi at geekosphere.org]
  > To: Leonard Jacobs [mailto:ljacobs at netsecuris.com]
  > Cc: oisf-users at lists.openinfosecfoundation.org
  > Sent: Fri, 27 Nov 2015 05:34:44 -0600
  > Subject: Re: [Oisf-users] IPSec handshake and AF-Packet
  > 
  > On 26/11/15 at 12:33, Leonard Jacobs wrote:
  >   > There are no rules triggered associated with VPN.
  >   > 
  >   > When you run TCPDump, you see traffic on the inbound interface but no traffic on the other interface.
  >   > 
  >   > Only use the packet copying of AF-Packet mode.  No other bridging.
  >   
  >   I don't use AF-Packet mode this way, but I use NFQUEUE. Is it possible
  >   to try NFQUEUE mode to compare it with AF-Packet mode?
  >   
  >   But for now I have no other idea so far, maybe someone else has more
  >   insight.
  >   
  >   >   - interface: eth0
  >   >     threads: 6
  >   >     cluster-id: 99
  >   >     cluster-type: cluster_flow
  >   >     defrag: yes
  >   >     use-mmap: yes
  >   >     buffer-size: 64535
  >   >     copy-mode: ips
  >   >     copy-iface: p1p1
  >   >   - interface: p1p1
  >   >     threads: 6
  >   >     cluster-id: 98
  >   >     cluster-type: cluster_flow
  >   >     copy-mode: ips
  >   >     copy-iface: eth0
  >   >     defrag: yes
  >   >     buffer-size: 64535
  >   >     use-mmap: yes
  >   > 
  >   > -----Original Message-----
  >   > From: Andreas Herz [mailto:andi at geekosphere.org] 
  >   > Sent: Thursday, November 26, 2015 1:56 AM
  >   > To: Leonard Jacobs
  >   > Cc: oisf-users at lists.openinfosecfoundation.org
  >   > Subject: Re: [Oisf-users] IPSec handshake and AF-Packet
  >   > 
  >   > On 25/11/15 at 18:03, Leonard Jacobs wrote:
  >   > > Well here is what we have discovered so far.  There appears to be an 
  >   > > incompatibility between SonicWALL's Global VPN Client version
  >   > > 4.9.4.0305 or higher. Possibly version 4.9.0 too but we have not 
  >   > > tested that version yet.  We know for sure that version 4.2.6.0305 
  >   > > works fine.
  >   > 
  >   > Does it trigger any rules?
  >   > 
  >   > > The symptom is IKE Phase 1 does not complete when IPSec VPN handshake 
  >   > > traffic passes through the IPS set to AF-packet mode.  We have not 
  >   > > tested NFQUEUE mode.
  >   > 
  >   > How did you configure the AF-packet mode exactly? Do you use bridging?
  >   > 
  >   > > SonicWALL obviously changed something in their Global VPN Client 
  >   > > software.
  >   > > 
  >   > > Thanks.
  >   > > 
  >   > > Leonard
  >   > > 
  >   > > -----Original Message-----
  >   > > From: Oisf-users [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of Victor Julien
  >   > > Sent: Wednesday, November 25, 2015 7:07 AM
  >   > > To: oisf-users at lists.openinfosecfoundation.org
  >   > > Subject: Re: [Oisf-users] IPSec handshake and AF-Packet
  >   > > 
  >   > > On 25-11-15 13:56, Leonard Jacobs wrote:
  >   > > > Experiencing IPSec handshake being stopped in AF-Packet mode.
  >   > > > Setting defrag to no seems to help and connection is established but 
  >   > > > sometimes seems to have latency. Sometimes connection is just 
  >   > > > stopped. If connection is already established when Suricata is 
  >   > > > started then connection stays established. What could be causing 
  >   > > > this issue?
  >   > > 
  >   > > When reporting issues like this it's helpful if you can add more 
  >   > > details, pcaps, log messages, anything.
  >   > > 
  >   > > -- 
  >   > > ---------------------------------------------
  >   > > Victor Julien
  >   > > http://www.inliniac.net/
  >   > > PGP: http://www.inliniac.net/victorjulien.asc
  >   > > ---------------------------------------------
  >   > > 
  >   > > _______________________________________________
  >   > > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
  >   > > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
  >   > > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
  >   > > Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
  >   > > 
  >   > 
  >   > --
  >   > Andreas Herz
  >   > 
  >   
  >   -- 
  >   Andreas Herz
  >     
  
  -- 
  Andreas Herz
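
The af-packet pairing quoted in this thread (eth0 and p1p1 in copy-mode: ips, with defrag as the setting that changed the outcome) is the kind of config that is worth checking mechanically before chasing the VPN client further. The script below is an added example for this thread, not code from the thread's participants or from the Suricata project. It embeds the posted config as constructed input, with an assumed af-packet: parent key (the key suricata.yaml uses) and normalised indentation, parses it with a deliberately minimal reader for that flat list shape, and reports the pairing problems Suricata's AF_PACKET IPS setup cannot tolerate (a copy-iface that is missing or does not copy back, unequal thread counts on the two peers, a reused cluster-id) plus one heuristic taken from this thread, that both peers carry the same defrag and cluster-type settings. The function names and the problem-message wording are this example's own.

```python
"""Sanity checks for a Suricata af-packet IPS pairing (copy-mode: ips).

Added example for this thread; it is not Suricata code.  The config text
below is the pairing posted in the thread with an assumed 'af-packet:'
parent key (the key suricata.yaml uses) and normalised indentation.
"""

# Constructed input: the two interfaces exactly as posted in the thread.
AF_PACKET_CONFIG = """\
af-packet:
  - interface: eth0
    threads: 6
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    buffer-size: 64535
    copy-mode: ips
    copy-iface: p1p1
  - interface: p1p1
    threads: 6
    cluster-id: 98
    cluster-type: cluster_flow
    copy-mode: ips
    copy-iface: eth0
    defrag: yes
    buffer-size: 64535
    use-mmap: yes
"""


def parse_af_packet(text):
    """Parse the flat '- key: value' list of an af-packet section.

    Deliberately minimal (assumption: one level of list items, scalar
    values, no quoting); it is not a general YAML parser.  Returns a list
    of dicts, one per interface, with every value kept as a string.
    """
    ifaces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.endswith(":"):   # blank line or 'af-packet:' header
            continue
        if line.startswith("- "):            # start of a new interface entry
            ifaces.append({})
            line = line[2:]
        key, _, value = line.partition(":")
        ifaces[-1][key.strip()] = value.strip()
    return ifaces


def check_ips_pairing(ifaces):
    """Return a list of problem strings; an empty list means the pairing is consistent.

    Checks: cluster-id unique per interface; every copy-mode: ips entry names
    a configured copy-iface that copies back to it and has the same thread
    count (both are requirements of Suricata's AF_PACKET IPS mode); and, as
    a heuristic taken from this thread, both peers use the same defrag and
    cluster-type settings so the two directions are handled alike.
    """
    by_name = {entry["interface"]: entry for entry in ifaces}
    cluster_owner = {}
    problems = []
    for entry in ifaces:
        name = entry["interface"]
        cid = entry.get("cluster-id")
        if cid in cluster_owner:
            problems.append(f"{name}: cluster-id {cid} also used by {cluster_owner[cid]}")
        cluster_owner.setdefault(cid, name)

        if entry.get("copy-mode") != "ips":
            continue
        peer_name = entry.get("copy-iface")
        if peer_name is None:
            problems.append(f"{name}: copy-mode ips without copy-iface")
            continue
        peer = by_name.get(peer_name)
        if peer is None:
            problems.append(f"{name}: copy-iface {peer_name} is not configured")
            continue
        if peer.get("copy-iface") != name:
            problems.append(f"{name}: peer {peer_name} does not copy back to {name}")
        if peer.get("threads") != entry.get("threads"):
            problems.append(f"{name}: thread count differs from peer {peer_name}")
        for key in ("defrag", "cluster-type"):
            if peer.get(key) != entry.get(key):
                problems.append(f"{name}: {key} differs from peer {peer_name}")
    return problems


if __name__ == "__main__":
    report = check_ips_pairing(parse_af_packet(AF_PACKET_CONFIG))
    for line in report or ["pairing looks consistent"]:
        print(line)
```

The posted pairing passes every check, which is consistent with the thread's conclusion that the config itself is not the problem. The defrag comparison is kept because it is the knob that changed the outcome here: with defrag: yes the af-packet socket asks the kernel to reassemble IP fragments before Suricata sees the packet, so what Suricata copies to the peer interface is the reassembled datagram rather than the original fragments. That does not by itself explain why only newer client versions are affected, but it is why the useful next step is a capture of the IKE exchange (UDP/500, and UDP/4500 where NAT-T is in use) on both interfaces, with and without defrag, to see where the Phase 1 packets stop.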
    

