

TwinTowers
join: 2001-10-21
Huntington, NY
edit: September 26th, @09:38AM

[VPN] BEFVP41 IPsec alternative to port 500

Background: At home, I have two Linksys BEFVP41 routers (a version 1 and 2) that are directly connected to the Internet. One has a static IP address (AceDSL) and the other has a 'somewhat' dynamic IP address (Optimum Boost). By a 'somewhat' dynamic IP address, I mean that it almost never changes (i.e., months can go by). Both routers flawlessly accept connections from a number of sites (and not just from other BEFVP41s) and have done so for years.

A third router (a BEFVP41 version 1) is behind a NAT'ing firewall (I don't recall the vendor). For about 2 years, everything functioned flawlessly, both VPN tunnels being up 24/7. Recently, we switched our firewall/routers over to Fortinets. In addition, at that time, some other work was done with another network appliance (I don't recall the vendor). Since that time I have never had more than one tunnel up and now both have been down for something like two weeks.

In troubleshooting the issue, I find that all other successful connections to my home routers have the same remote and local ports: 500. For example, the following connection is successful: 2008-09-25 10:59:10 UDP from a.b.c.d:500 to e.f.g.h:500. Here, the home router's address is e.f.g.h. Now that these tunnels have stopped working, I see the following on the home router (e.f.g.h): 2008-09-25 10:59:40 UDP from i.j.k.l:60206 to 192.168.1.20:500.

i.j.k.l is the company's public IP address. It will be noted that the public address (e.f.g.h) of the home router is no longer displayed, that remote port is now 60206 and that the packet is being forwarded to an internal host (192.168.1.20) on my home network.

I swear that nothing has changed on my home router (e.f.g.h) and that port 60206 is not now nor has it ever been forwarded to 192.168.1.20 nor anywhere else. I know nothing about it.

Nothing has changed on the BEFVP41 router behind the company firewall. I have tried a number of things here, like forwarding port 60206 to the home router's internal address (192.168.1.1). No dice: all my VPNs went down when I did that.

The other home router never sees any traffic from i.j.k.l.

The network engineer working on the problem suggested that I might want to try changing the IPsec port from 500 to 1000. However, I don't believe that any version of the BEFVP41 router will do this (at least I don't see how).

Is it possible? Other than that, does anybody have any ideas? It's probably not unreasonable to posit that this behavior is linked in some way to the recent company network changes. However, if I can save the engineer some work by simply switching the IPsec off of port 500 (perhaps by some sort of port translation), then I'd like to do that.

NJH
join: 2004-04-23

It sounds like there is now a NAT device between i.j.k.l and the internet, so something appears to have changed there. Perhaps i.j.k.l is no longer in a DMZ or the NAT device is no longer passing through IPSec.


TwinTowers
join: 2001-10-21
Huntington, NY
(reply to TwinTowers)

Yes, I think it might be something like that, but what's puzzling is that source port of 60206. For everything else, both sides of the IPsec connection are 500. The packets are definitely getting through the firewall and arriving at one router, but the source port is changed (the remote port remains 500).

A stateful (including NATing) router is supposed to keep track of IP addresses so that it can tell what to do with incoming packets from external hosts. The routing can be based on remembering the IP address of the internal host, storing that in a mapping table on the outgoing connection and then properly routing the incoming traffic back from the external to the right place based on a table look up.

Another keying entry might be if the intervening NATing router were to change the source port of the outgoing connection. The port to internal host mapping would then be used as the keying entry. Or perhaps it's supposed to use both of these? I don't know enough about NAT to say.

Perhaps the changes being made are causing the checksums on the IPsec packets to be corrupted. That could cause the Linksys to simply punt them. Does anybody know how to turn on A LOT of logging on either the version 1 or version 2 router?

The other thing that I don't get is why this traffic is getting forwarded to internal host 192.168.1.20. I have traffic for ftp (21), telnet (23) and finger (79) and nothing else forwarded to this host. It's almost as if the router thinks that this is an ftp data connection and is handing it off to 192.168.1.20.

I remember that there was some sort of a setting on the BEFVP41 that made it do some SERIOUS verbose logging. It was in some sort of a secret page with a check mark. I'm pretty sure it was on the version 1 router, but not on the version 2. Does anybody know anything about this?
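The two log lines quoted in the thread show exactly the symptom a NAT between the IPsec peers produces: IKE normally runs UDP 500 to UDP 500, and a rewritten source port such as 60206 means a NAT device is translating the remote router, so the responder must answer to that rewritten port. As an added example (not code from the thread or from Linksys), here is a small checker that parses router log lines in the format quoted above and flags both the rewritten IKE source port and IKE traffic that is being forwarded to an internal host instead of terminating on the WAN address; it also tags the standard IPsec NAT-traversal port, UDP 4500, which goes beyond what the thread mentions. The WAN address and the sample lines are constructed (RFC 5737 documentation addresses stand in for a.b.c.d, e.f.g.h and i.j.k.l).

```python
import re
from typing import Dict, List

WAN_IP = "198.51.100.10"  # assumed: the home router's public address (e.f.g.h in the thread)

# Constructed sample log lines in the same "UDP from A:port to B:port" format as the thread.
SAMPLE_LOG = """\
2008-09-25 10:59:10 UDP from 203.0.113.5:500 to 198.51.100.10:500
2008-09-25 10:59:40 UDP from 192.0.2.77:60206 to 192.168.1.20:500
2008-09-25 11:00:02 UDP from 203.0.113.9:500 to 192.168.1.20:500
2008-09-25 11:00:15 UDP from 203.0.113.5:4500 to 198.51.100.10:4500
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) UDP from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def classify(line: str, wan_ip: str = WAN_IP) -> Dict[str, object]:
    """Parse one log line and return its fields plus a list of findings."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    src, sport = m["src"], int(m["sport"])
    dst, dport = m["dst"], int(m["dport"])
    findings: List[str] = []
    if dport == 500 and sport != 500:
        # IKE is expected 500 -> 500; a different source port means a NAT rewrote it
        # in transit, and the responder must reply to that rewritten port.
        findings.append("ike-source-port-rewritten")
    if dport == 500 and dst != wan_ip:
        # IKE for the router itself should terminate on the WAN address; being handed
        # to an inside host (192.168.1.20 in the thread) is a forwarding anomaly.
        findings.append("ike-forwarded-to-internal-host")
    if dport == 4500:
        # UDP 4500 is the standard IPsec NAT-traversal port (RFC 3947/3948).
        findings.append("nat-traversal-port")
    return {"ts": m["ts"], "src": src, "sport": sport,
            "dst": dst, "dport": dport, "findings": findings}


def audit(log_text: str, wan_ip: str = WAN_IP) -> List[Dict[str, object]]:
    """Classify every non-empty line of a log excerpt."""
    return [classify(l, wan_ip) for l in log_text.splitlines() if l.strip()]


if __name__ == "__main__":
    for rec in audit(SAMPLE_LOG):
        print(rec["ts"], f'{rec["src"]}:{rec["sport"]} -> {rec["dst"]}:{rec["dport"]}',
              ", ".join(rec["findings"]) or "ok")
```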