Re: Re: Communication breakdown....
"Damion K. Wilson" <dwilson,AT,ibl,DOT,bm>
Fri, 28 Feb 2003 17:31:49 +0100
I'm not sure I understand what's going on here, either. Only the source IP
address is "learned"; the port always stays the same. If the NAT firewall
tries to masquerade the outgoing source port then the peer will still try to
use the defined port to respond and not the source port in the last
received packet. It may hinge on how the firewall reacts to seeing an
incoming packet on a destination port that is not in its masquerade tables.
Personally, I set the firewall to port forward anything incoming on the CIPE
port directly to the CIPE peer. I think CIPE handles this situation
differently than CIPE-Win32, but I'm not sure.
On Friday 28 February 2003 07:57 am, you wrote:
> Hello Damion,
> well I have a bit more information now, although I don't really
> know what it all means but here goes:
> 1. I setup a local VPN (on my local subnet) and pinged away all day
> without problems.
> 2. The problem still occurs when connecting to the remote machine
> (via the Firebox NAT); everything works fine until ... bang... and our
> firewall is blocking packets coming in on a different port than I
> would have expected. ie. normally the packets look a bit like this:
> local_ip:6023 <---> virtual_remote_ip:6023
> when things are broken our firewall reports blocking these type
> local_ip:6023 <---> firewall_ip:32768 (blocked)
> this is very strange as the remote machine is setup explicitly to
> tunnel to virtual_remote_ip:6023. Also, the ip address of the firewall
> NAT box should not be visible to the end nodes.
> When a dynamic ip address node (like mine) connects to a static ip
> peer node, the static peer node learns the remote ip address from the
> incoming packets. In this case, does it also use the port number? And
> does this learning mechanism kick in too in the case where the peer
> machine is statically defined, ie. could this explain my problem
> above? For example, if our firewall NAT box was misbehaving in some
> manner could this cause my local box to redirect its outgoing traffic
> to the wrong ip:port?
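To make the interaction Damion describes concrete (the static peer learns the source IP from incoming packets but keeps the configured port, so a NAT that rewrites the source port breaks the return path, while a port forward on the CIPE port restores it), here is a small model of that behaviour. It is an added illustration, not CIPE or CIPE-Win32 code; the addresses, the ephemeral port 32768 and the NAT's rules are assumptions chosen to match the thread.

```python
# Toy model of peer-address learning behind a masquerading NAT (constructed example,
# not CIPE code). Addresses and NAT behaviour are assumptions matching the thread.
CIPE_PORT = 6023

class Nat:
    """Masquerading firewall: rewrites outbound source to (public_ip, ephemeral port)
    and only admits inbound packets that hit a masquerade entry or a port forward."""
    def __init__(self, public_ip, first_port=32768):
        self.public_ip = public_ip
        self.next_port = first_port
        self.masq = {}      # public port -> (inside ip, inside port), learned on the way out
        self.forward = {}   # static port forwards: public port -> (inside ip, inside port)

    def outbound(self, src_ip, src_port):
        pub_port = self.next_port
        self.next_port += 1
        self.masq[pub_port] = (src_ip, src_port)
        return self.public_ip, pub_port     # what the remote peer sees as the source

    def inbound(self, dst_port):
        """Inside destination for a packet arriving on dst_port, or None if blocked."""
        return self.masq.get(dst_port) or self.forward.get(dst_port)

class Peer:
    """Static-address end: learns the remote IP from incoming packets, keeps the port
    (learn_port=True models the hypothetical alternative of learning the port too)."""
    def __init__(self, configured_ip, learn_port=False):
        self.remote = (configured_ip, CIPE_PORT)
        self.learn_port = learn_port

    def receive(self, src_ip, src_port):
        self.remote = (src_ip, src_port if self.learn_port else self.remote[1])

def round_trip(nat, peer, inside_ip="10.0.0.5"):
    """Inside host sends one CIPE packet; return where the peer's reply lands inside."""
    seen_ip, seen_port = nat.outbound(inside_ip, CIPE_PORT)
    peer.receive(seen_ip, seen_port)
    reply_ip, reply_port = peer.remote
    assert reply_ip == nat.public_ip        # peer now talks to the firewall's address
    return nat.inbound(reply_port)

def scenarios():
    masq_only = round_trip(Nat("203.0.113.1"), Peer("192.0.2.9"))
    nat = Nat("203.0.113.1")
    nat.forward[CIPE_PORT] = ("10.0.0.5", CIPE_PORT)   # Damion's fix: forward the CIPE port
    forwarded = round_trip(nat, Peer("192.0.2.9"))
    port_learning = round_trip(Nat("203.0.113.1"), Peer("192.0.2.9", learn_port=True))
    return {"masquerade only": masq_only, "port forward": forwarded,
            "peer learns port": port_learning}
```

In the first scenario the reply goes to firewall_ip:6023, which matches neither the masquerade entry for 32768 nor any forward, so it is dropped; the other two deliver it to the inside host.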