IPSEC VPN problems upgrading to Ubuntu Edgy

I upgraded my home gateway firewall to Edgy today in the hope of fixing some SATA problems I’ve been experiencing. The new Edgy kernel might help – we’ll see.

Anyway, it went pretty well. Two runs (?) of apt-get dist-upgrade -u, a reboot and there I was.

Unfortunately I had two problems with my Openswan IPSEC VPNs. I’m not so sure if these count as bugs. I’ll be investigating further and reporting if so. Anyway, techie details follow…

TCP, NAT and 2MSL mismatch

We have a client that connects over the NHS internal network to a server hosted at our site. We have lots of clients like this, but these are slightly different because they NAT all their machines to one IP before it gets to us.

Recently they complained about connection problems and after lots of investigation we managed to get a packet capture of the problem (IPs changed of course):

 1  0.00 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [SYN]
 2  0.00 10.0.0.254 -> 192.168.0.1 TCP 80 > 2268 [SYN, ACK]
 3  0.01 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [ACK]
 4  0.08 192.168.0.1 -> 10.0.0.254 HTTP POST
 5  0.24 10.0.0.254 -> 192.168.0.1 TCP 80 > 2268 [ACK]
 6  0.23 192.168.0.1 -> 10.0.0.254 HTTP Continuation
 7  0.24 10.0.0.254 -> 192.168.0.1 HTTP HTTP/1.1 200 OK 1365
 8  0.24 10.0.0.254 -> 192.168.0.1 HTTP Continuation
 9  0.24 10.0.0.254 -> 192.168.0.1 TCP 80 > 2268 [FIN, ACK]
10  0.29 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [ACK]
11  0.31 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [FIN, ACK]
12  0.31 10.0.0.254 -> 192.168.0.1 TCP 80 > 2268 [ACK]
13  0.34 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [ACK]
14 68.26 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [SYN]
15 71.18 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [SYN]
16 77.13 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [SYN]
17 98.25 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [RST, CWR]
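
An added example, not from the original post: a check run over the TCP lines of the capture above for the pattern the post title points at, a SYN that reuses a just-closed address/port 4-tuple and is never answered. The function names and the 120-second window (standing in for the closing side's 2MSL timer) are assumptions.

```python
import re

# TCP lines copied from the capture above (HTTP lines omitted: they show no ports).
CAPTURE = """\
 1  0.00 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [SYN]
 2  0.00 10.0.0.254 -> 192.168.0.1 TCP 80 > 2268 [SYN, ACK]
 3  0.01 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [ACK]
 9  0.24 10.0.0.254 -> 192.168.0.1 TCP 80 > 2268 [FIN, ACK]
10  0.29 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [ACK]
11  0.31 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [FIN, ACK]
12  0.31 10.0.0.254 -> 192.168.0.1 TCP 80 > 2268 [ACK]
14 68.26 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [SYN]
15 71.18 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [SYN]
16 77.13 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [SYN]
17 98.25 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [RST, CWR]
"""
LINE = re.compile(r"\s*(\d+)\s+([\d.]+) (\S+) -> (\S+) TCP (\d+) > (\d+) \[(.*?)\]")

def parse(text):
    """Yield (frame, time, src, sport, dst, dport, flags) for each TCP line."""
    for m in LINE.finditer(text):
        n, t, src, dst, sp, dp, fl = m.groups()
        yield int(n), float(t), src, int(sp), dst, int(dp), set(fl.split(", "))

def find_port_reuse(text, window=120.0):
    """Report SYNs reusing a 4-tuple within `window` s of its first FIN (assumed 2MSL)."""
    closed = {}    # 4-tuple -> (time of first FIN, address that sent it)
    pending = {}   # 4-tuple -> finding still waiting for a SYN-ACK
    findings = []
    for n, t, src, sp, dst, dp, flags in parse(text):
        key = frozenset([(src, sp), (dst, dp)])   # direction-independent
        if "FIN" in flags:
            closed.setdefault(key, (t, src))
        elif flags == {"SYN"} and key in closed:
            fin_t, closer = closed[key]
            if t - fin_t <= window:
                if key not in pending:
                    pending[key] = {"closer": closer, "gap": round(t - fin_t, 2),
                                    "syn_frames": [], "answered": False}
                    findings.append(pending[key])
                pending[key]["syn_frames"].append(n)
        elif flags == {"SYN", "ACK"} and key in pending:
            pending[key]["answered"] = True
    return findings
```

On this capture it reports one finding: 10.0.0.254 sent the first FIN, and frames 14 to 16 reuse port 2268 about 68 seconds later without a SYN-ACK coming back.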

