While testing the new NATT code, I found something strange.

Here is the tcpdump from A, which is the initiator (FreeBSD with
KAME's racoon + my NATT patches), B is the ipsec-tools gate (FreeBSD):

15:38:51.673330 A.500 > B.500: isakmp: phase 1 I agg: [|sa]
15:38:52.106942 B.500 > A.500: isakmp: phase 1 R agg: [|sa]
15:38:52.342163 A.4500 > B.4500: udp 104

Switching to port 4500...

15:38:52.363597 A.4500 > B.4500: udp 96
15:38:52.462763 A.4500 > B.4500: udp 448
15:38:52.485352 B.500 > A.500: isakmp: phase 2/others R inf[E]:

And here is the strange message, which is not on port 4500. According
to my logs, it is the INITIAL-CONTACT sent by B.

15:38:52.811431 B.4500 > A.4500: udp 304

The end of the phase2.

15:38:52.812599 A.4500 > B.4500: udp 64
15:39:00.302175 A.4500 > B.4500: udp 84

Probably some traffic, or an initial contact from A to B.

15:39:01.085441 B.4500 > A.4500: udp 1
15:39:06.704248 A.4500 > B.4500: udp 132
15:39:06.845573 B.4500 > A.4500: udp 132

DPD R_U_THERE / ACK.

I had a quick look at the source code, and didn't find anything wrong
for now. I'll try to understand why this message is not port-floated,
but if someone else has an idea...
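
An added example, not part of the original message: a small Python check that reads tcpdump text output and reports any packet still sent on port 500 after the same two peers have already exchanged traffic on port 4500, which is the symptom reported above. The function name `find_unfloated` and the assumption of numeric ports in the output are choices of this example; the sample lines are taken from the capture in the post.

```python
import re

# Packet lines taken from the capture in the post (A = initiator, B = gate).
CAPTURE = """\
15:38:51.673330 A.500 > B.500: isakmp: phase 1 I agg: [|sa]
15:38:52.106942 B.500 > A.500: isakmp: phase 1 R agg: [|sa]
15:38:52.342163 A.4500 > B.4500: udp 104
15:38:52.363597 A.4500 > B.4500: udp 96
15:38:52.462763 A.4500 > B.4500: udp 448
15:38:52.485352 B.500 > A.500: isakmp: phase 2/others R inf[E]:
15:38:52.811431 B.4500 > A.4500: udp 304
15:38:52.812599 A.4500 > B.4500: udp 64
"""

# "<time> <host>.<port> > <host>.<port>: <rest>". The host part may contain
# dots (an IP address); ports are assumed numeric, as in this capture.
LINE_RE = re.compile(r"^(\S+) (\S+)\.(\d+) > (\S+)\.(\d+): (.*)$")
IKE_PORT, NATT_PORT = 500, 4500

def find_unfloated(capture):
    """Return (time, src, dst, summary) for each port-500 packet seen after
    the same pair of peers has already exchanged traffic on port 4500."""
    floated = set()   # unordered peer pairs that have switched to 4500
    findings = []
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # commentary or blank line, not a packet
        ts, src, sport, dst, dport, rest = m.groups()
        ports = {int(sport), int(dport)}
        pair = frozenset((src, dst))
        if NATT_PORT in ports:
            floated.add(pair)
        elif IKE_PORT in ports and pair in floated:
            findings.append((ts, src, dst, rest))
    return findings

if __name__ == "__main__":
    for ts, src, dst, rest in find_unfloated(CAPTURE):
        print(f"{ts} {src} -> {dst} still on port {IKE_PORT}: {rest}")
```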