Subject: Re: problem with ipsec tunnel fragmentation
To: Greg Troxel <gdt@ir.bbn.com>
From: Brett Lymn <blymn@baesystems.com.au>
List: current-users
Date: 10/20/2007 18:56:53
On Fri, Oct 19, 2007 at 04:21:31PM -0400, Greg Troxel wrote:
> 
> Do you have static NAT port forwarding on the server side to make this
> work?  That seems not to be the issue.
> 

Yes.  The server side internet router is set to port forward all ports
to the NetBSD rasvpn box.

> 
> Can you observe the
> packets arriving at the XP machine after they have been taken out of ESP?
> 

That is about all I can observe; Wireshark does not seem to "see" the
ESP traffic, I don't know why.

> What do you mean by "out of state"?  Is there a firewall on the XP
> machine, or are you saying that the TCP someone gets something that has
> a sequence number that is too high, and thus doesn't send an ack?
> 

What I mean by out of state is that most of the traffic flow I can see
is between the XP client and the remote server (192.168.168.100 <=>
192.168.2.10) but, suddenly, I see a couple of TCP fragments from
192.168.1.253 directed at 192.168.168.100; the XP machine reacts to
these packets by sending a RST because they are not part of an
established connection.  I didn't sniff the NetBSD side, so I can only
speculate that a large packet that came from the remote server
(192.168.2.10) was fragmented but the fragments were not directed the
right way.


> 
> Presumably the nat only happens to packets not intended for remote VPN
> space.
>

Presumably - really, the packets destined for the XP client tunnel end
point should never hit the interface performing the NAT because, by
that time, they should be safely within the IPsec tunnel.

> 
> So looking with tcpdump, I'd expect to see
> 
> A = 1500 byte packet leaving 192.168.2.10 which is IP TCP
> 
> 3 (presumably that's where 554 comes from) packets leaving NetBSD RASVPN
> server, and each should be
> 
> IP UDP ESP IP-fragment(3 parts of A)
> 
> Does that match what you are seeing?

It's difficult to say because I couldn't see the ESP traffic - all I
can see is what looks like a normal application conversation happening,
but then it just stalls and I get the TCP fragments from a place they
should not come from.

I did turn off esp_frag in racoon.conf on the rasvpn server; that
seemed to make things work for me.  On one of my clients' machines I
also had to adjust the MTU on the VPN virtual interface, which is also
very strange because I was able to VPN in and work fine from his
Internet connection.

-- 
Brett Lymn
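As an added example that is not part of the thread, the two encapsulation layouts Greg describes above, modelled in Python with constructed packets: frag(IP:UDP:ESP:IP), where the whole ESP-in-UDP packet is fragmented at the outer MTU, against IP:UDP:ESP:frag(IP), where the inner packet is fragmented first (which is what racoon's esp_frag does). The classifier shows what a NAT or filter between the peers can see in each outer packet. The addresses, SPI and sizes are constructed, and the ESP payload is a zero placeholder standing in for ciphertext.

```python
"""Two ways a 1500-byte inner packet can be carried as ESP-in-UDP (NAT-T, UDP 4500).

Added example, not from the thread.  Addresses, SPI and sizes are constructed,
and the ESP payload is a zero placeholder standing in for ciphertext.
"""
import struct

NAT_T_PORT = 4500
IPPROTO_UDP = 17
IP_MF = 0x2000          # "more fragments" bit in the flags/offset field


def _addr(dotted):
    return bytes(int(x) for x in dotted.split("."))


def _ip(src, dst, payload, ident=0x1234, mf=False, offset=0):
    """20-byte IPv4 header (checksum left 0, it is irrelevant here) plus payload."""
    frag = (IP_MF if mf else 0) | (offset // 8)          # offset in 8-byte units
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, frag,
                      64, IPPROTO_UDP, 0, _addr(src), _addr(dst))
    return hdr + payload


def _udp_esp(spi, seq, ciphertext):
    """UDP header to port 4500, then the ESP header (SPI, sequence) and payload."""
    esp = struct.pack("!II", spi, seq) + ciphertext
    return struct.pack("!HHHH", NAT_T_PORT, NAT_T_PORT, 8 + len(esp), 0) + esp


def encap_outer_fragmented(inner_len, mtu, src, dst, spi=0xDEADBEEF):
    """frag(IP:UDP:ESP:IP): encapsulate the whole inner packet, then let the
    outer IP layer fragment the result at the path MTU."""
    payload = _udp_esp(spi, 1, b"\x00" * inner_len)
    step = (mtu - 20) // 8 * 8           # fragment data must be a multiple of 8
    return [_ip(src, dst, payload[o:o + step], mf=o + step < len(payload), offset=o)
            for o in range(0, len(payload), step)]


def encap_inner_fragmented(inner_len, fraglen, src, dst, spi=0xDEADBEEF):
    """IP:UDP:ESP:frag(IP): what racoon's esp_frag does; fragment the inner
    packet first, then give every inner fragment its own UDP and ESP header."""
    data = inner_len - 20                # inner payload after its own 20-byte header
    step = (fraglen - 20) // 8 * 8
    return [_ip(src, dst, _udp_esp(spi, n + 1, b"\x00" * (20 + min(step, data - o))))
            for n, o in enumerate(range(0, data, step))]


def classify(pkt):
    """What a NAT or filter in the path can see in one outer packet."""
    ver_ihl, _, _, _, frag, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    offset = (frag & 0x1FFF) * 8
    info = {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "fragment": bool(frag & IP_MF) or offset > 0, "offset": offset}
    if offset > 0:
        # Non-first fragment: there is no UDP header at all, so port-based NAT
        # or filtering cannot match it to the ESP flow without reassembling.
        info["kind"] = "bare IP fragment (no UDP/ESP header)"
        return info
    if proto != IPPROTO_UDP:
        info["kind"] = "not UDP"
        return info
    _, dport, _, _ = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    body = pkt[ihl + 8:ihl + 16]
    if dport != NAT_T_PORT or len(body) < 8:
        info["kind"] = "UDP, not NAT-T"
        return info
    spi, seq = struct.unpack("!II", body)
    if spi == 0:
        info["kind"] = "IKE (non-ESP marker)"       # RFC 3948, section 2.2
    else:
        info.update(kind="ESP", spi=spi, seq=seq)
    return info


if __name__ == "__main__":
    SRC, DST = "192.168.1.253", "203.0.113.10"      # constructed addresses
    for name, pkts in (("outer fragmented at MTU 1500",
                        encap_outer_fragmented(1500, 1500, SRC, DST)),
                       ("esp_frag 552", encap_inner_fragmented(1500, 552, SRC, DST))):
        print(name)
        for p in pkts:
            print("  %4d bytes  %s" % (len(p), classify(p)))
```

With the inner packet fragmented first (esp_frag 552), a 1500-byte inner packet becomes three outer packets, each a complete UDP datagram to port 4500 with its own ESP header, which is what a port forward or a connection-tracking NAT can match. With the outer packet fragmented instead, only the first fragment carries the UDP and ESP headers; the second carries a bare IP fragment that a device forwarding by port has nothing to match on until it reassembles.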