CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hi, I have a Netgate VPN hardware client connecting through the Check Point firewall and terminating on a 3rd party device which sits behind the FW. In the tracker, instead of seeing protocol 50 come through, all I see is UDP 500 and protocol ipv6-crypt. Why am I seeing ipv6-crypt when I don't have it enabled?

However, when I do a tcpdump on both the incoming and outgoing interface on the firewall, I see protocol ESP packets come through OK. What I am seeing on the tcpdump and capture is: traffic coming in OK from the Netgate on eth1c0 and leaving eth2c0 to get to the 3rd party device. I also see the 3rd party device responding back through eth2c0, but the packets never leave the firewall. I don't see anything going back out on eth1c0 from the 3rd party device.

Here's the dump of the capture. Note that the 3rd party device is load sharing between 203.68.68.50 and 203.68.68.51; the Netgate is 216.89.213.27.

Firewall2007[admin]# fw monitor -e "accept ((src=216.89.213.27) or (dst=216.89.213.27));"
monitor: getting filter (from command line)
monitor: compiling
monitorfilter: Compiled OK.
monitor: loading
monitor: monitoring (control-C to stop)
eth2c0:i[80]: 203.68.68.50 -> 216.89.213.27 (50) len=80 id=5961
eth2c0:i[144]: 203.68.68.50 -> 216.89.213.27 (50) len=144 id=5962
eth2c0:i[80]: 203.68.68.50 -> 216.89.213.27 (50) len=80 id=6271
eth2c0:i[144]: 203.68.68.50 -> 216.89.213.27 (50) len=144 id=6272
eth2c0:i[80]: 203.68.68.50 -> 216.89.213.27 (50) len=80 id=6659
eth2c0:i[144]: 203.68.68.50 -> 216.89.213.27 (50) len=144 id=6660
eth2c0:i[80]: 203.68.68.50 -> 216.89.213.27 (50) len=80 id=7308
eth2c0:i[144]: 203.68.68.50 -> 216.89.213.27 (50) len=144 id=7309
eth2c0:i[80]: 203.68.68.50 -> 216.89.213.27 (50) len=80 id=7774
eth2c0:i[144]: 203.68.68.50 -> 216.89.213.27 (50) len=144 id=7775
UNKNOWN:i[220]: 216.89.213.27 -> 203.68.68.51 (UDP) len=220 id=4200
UDP: 500 -> 500
UNKNOWN:I[220]: 216.89.213.27 -> 203.68.68.51 (UDP) len=220 id=4200
UDP: 500 -> 500
eth2c0:o[220]: 216.89.213.27 -> 203.68.68.51 (UDP) len=220 id=4200
UDP: 500 -> 500
eth2c0:O[220]: 216.89.213.27 -> 203.68.68.51 (UDP) len=220 id=4200
UDP: 500 -> 500
eth2c0:i[241]: 203.68.68.51 -> 216.89.213.27 (UDP) len=241 id=24407
UDP: 500 -> 500
eth2c0:I[241]: 203.68.68.51 -> 216.89.213.27 (UDP) len=241 id=24407
UDP: 500 -> 500
UNKNOWN:o[241]: 203.68.68.51 -> 216.89.213.27 (UDP) len=241 id=24407
UDP: 500 -> 500
UNKNOWN:O[241]: 203.68.68.51 -> 216.89.213.27 (UDP) len=241 id=24407
UDP: 500 -> 500
eth2c0:i[80]: 203.68.68.51 -> 216.89.213.27 (50) len=80 id=11200
eth2c0:i[160]: 203.68.68.51 -> 216.89.213.27 (50) len=160 id=11202

Please let me know if you need more information, any help is appreciated!! Thanks, a-sushi in d pod.
The firewall doesn't appear to be accepting any of the port 50 traffic inbound (hence only the little i). Are there any drops in the logs? You could try appending a "-p all" onto your fw monitor, which will give you more information that may provide a clue to the problem.
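An added example (not from the thread and not Check Point's own tooling) that applies the reply's reasoning mechanically: it parses fw monitor output, follows each packet by IP id through the i/I/o/O inspection points, and lists the packets that stopped at the little i. The sample lines are constructed from the capture above, and the parser assumes no NAT rewrites addresses between the inbound and outbound points.

```python
import re

# fw monitor inspection points in traversal order: i = pre-inbound, I = post-inbound
# (inbound policy accepted it), o = pre-outbound, O = post-outbound (left the gateway).
LINE_RE = re.compile(
    r"^(?P<iface>[^:\s]+):(?P<point>[iIoO])\[\d+\]:\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+->\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"\((?P<proto>\w+)\)\s+len=\d+\s+id=(?P<ipid>\d+)"
)

# Sample capture, constructed from lines posted in this thread: ESP (IP
# protocol 50) from the load-shared device plus one IKE (UDP 500) exchange.
SAMPLE = """\
monitor: monitoring (control-C to stop)
eth2c0:i[80]: 203.68.68.50 -> 216.89.213.27 (50) len=80 id=5961
eth2c0:i[144]: 203.68.68.50 -> 216.89.213.27 (50) len=144 id=5962
UNKNOWN:i[220]: 216.89.213.27 -> 203.68.68.51 (UDP) len=220 id=4200
UDP: 500 -> 500
UNKNOWN:I[220]: 216.89.213.27 -> 203.68.68.51 (UDP) len=220 id=4200
eth2c0:o[220]: 216.89.213.27 -> 203.68.68.51 (UDP) len=220 id=4200
eth2c0:O[220]: 216.89.213.27 -> 203.68.68.51 (UDP) len=220 id=4200
eth2c0:i[80]: 203.68.68.51 -> 216.89.213.27 (50) len=80 id=11200
"""

def parse_fw_monitor(text):
    """Yield (iface, point, src, dst, proto, ipid) per packet line; the
    'monitor:' status lines and 'UDP: 500 -> 500' detail lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["iface"], m["point"], m["src"], m["dst"], m["proto"], m["ipid"]

def trace_packets(text):
    """Map each packet (src, dst, proto, IP id) to the points it was seen at, in
    capture order. Assumes no NAT rewrites src/dst between I and o (true here)."""
    traces = {}
    for _iface, point, src, dst, proto, ipid in parse_fw_monitor(text):
        traces.setdefault((src, dst, proto, ipid), []).append(point)
    return traces

def stalled_inbound(text):
    """Count packets per (src, dst, proto) seen only at 'i': they reached the
    gateway but never passed inbound inspection, the pattern the reply above
    points out for the ESP packets. Look for the matching drop in the logs."""
    counts = {}
    for (src, dst, proto, _ipid), points in trace_packets(text).items():
        if points == ["i"]:
            counts[(src, dst, proto)] = counts.get((src, dst, proto), 0) + 1
    return counts
```

Running `stalled_inbound(SAMPLE)` reports the three ESP packets from 203.68.68.50/.51 as stalled at i, while the IKE packet traces i, I, o, O and is therefore forwarded.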