Re: [Openvpn-users] openvpn -vs- masquerading


  • Subject: Re: [Openvpn-users] openvpn -vs- masquerading
  • From: "James Yonan" <jim@xxxxxxxx>
  • Date: Fri, 26 Jul 2002 12:53:40 -0600

Bob,

It looks like your masquerading server or firewall is changing the source
port number mid-session.

OpenVPN, when run in SSL/TLS mode, will currently drop packets if they change
their source IP address or port number in the middle of an SSL/TLS session.
This is designed to prevent DoS attacks.  Static key mode, on the other hand,
is a stateless protocol and is therefore less vulnerable to DoS attacks.
Because of this, --float will allow dynamic IP address or port changes at
any time when using static key mode.

Right now the only way to make this work with SSL/TLS mode would be to
use --ping and --ping-restart to force a timeout and renegotiate the SSL/TLS
session.  That is because SSL/TLS mode will not accept a source IP/port
change without a new SSL/TLS key negotiation.

You raise a good point; it would be useful if SSL/TLS mode could handle a
mid-session source IP/port change without a full renegotiation.  I will look
into ways of doing this that are secure.

Best Regards,
James

----- Original Message -----
From: "Bob" <thoth@xxxxxxxxxxxxxx>
To: <openvpn-users@xxxxxxxxxxxxxxxxxxxxx>
Sent: Friday, July 26, 2002 8:43 AM
Subject: [Openvpn-users] openvpn -vs- masquerading


> It appears openvpn does not work well in the presence of masquerading.
>
> I have a host on the internet, and another host behind a masquerading
> (port-NAT ?) firewall (which is obviously going to "float").
>
> Initially, they seem to get along, but then I start getting these:
>
> Jul 26 10:38:16 shita openvpn[21667]: TLS Error: Unknown data channel key ID or IP address received from 66.0.13.200:13401: 0
>
>   It appears that shita wants to communicate with the NATted box on port
> 13377, but the firewall has changed which UDP port it is NATting to.
>
>   I had hoped that openVPN would be able to recover from this wackiness,
> but maybe I'm missing a config option.
>
>
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
>
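The three behaviours discussed in this thread (TLS mode dropping a datagram whose source address or port changed, static-key --float accepting the new address, and --ping / --ping-restart timing the session out so it is renegotiated) can be modelled side by side. The block below is an added illustration written for this page; it is not OpenVPN code and does not reproduce OpenVPN's packet format. It assumes each datagram carries an HMAC over its payload under a per-session key, models ping-restart as a plain inactivity timeout after which the session is re-established with the current source, and adds a third policy, "authenticated", that moves the session only on a datagram that verifies under the session key, as one way the "secure" floating James mentions could work. The datagram sequence is constructed; it reuses the 66.0.13.200 address and the 13377/13401 ports from Bob's log, and 198.51.100.7 is a made-up attacker address.

```python
"""Toy model of a VPN session's source-address policy (illustration, not OpenVPN code)."""
import hashlib
import hmac


class Session:
    """One VPN session bound to the (ip, port) it was negotiated with."""

    def __init__(self, peer, key, float_policy, ping_restart):
        self.peer = peer                  # (ip, port) the session currently talks to
        self.key = key                    # per-session HMAC key (assumed; static key or TLS-derived)
        self.float_policy = float_policy  # "never" (TLS mode), "always" (static-key --float),
                                          # or "authenticated" (move only on a verified datagram)
        self.ping_restart = ping_restart  # seconds of silence before the session is restarted
        self.last_ok = 0.0
        self.renegotiations = 0

    def mac(self, payload):
        return hmac.new(self.key, payload, hashlib.sha256).digest()

    def receive(self, src, payload, tag, now):
        """Process one inbound datagram and return the action taken as a string."""
        authentic = hmac.compare_digest(self.mac(payload), tag)
        moved = src != self.peer
        if moved and self.float_policy == "never":
            # TLS mode in the thread: a changed source IP/port is dropped outright.
            action = "drop: source changed mid-session"
        elif moved and self.float_policy == "always":
            # Naive --float: the session follows the new source before anything is checked,
            # so a forged datagram from a spoofed address redirects outbound traffic.
            self.peer = src
            action = "float+accept" if authentic else "float+drop-bad-hmac"
        elif moved:  # "authenticated": move only once the datagram verifies under the key
            if authentic:
                self.peer = src
                action = "float+accept"
            else:
                action = "drop: unauthenticated source change"
        else:
            action = "accept" if authentic else "drop: bad hmac"

        if action.endswith("accept"):
            self.last_ok = now
        elif self.ping_restart and now - self.last_ok >= self.ping_restart:
            # --ping-restart style timeout: tear down and re-establish the session.
            # Simplification: the new session is assumed to be set up with the current source.
            self.renegotiations += 1
            self.last_ok = now
            self.peer = src
            action += "; ping-restart"
        return action


def scenario(float_policy, ping_restart=60):
    """Run a constructed datagram sequence through one policy.

    Returns (actions, peer-after-each-datagram, number-of-renegotiations).
    """
    key = b"constructed-session-key"  # sample key, not a real credential
    s = Session(("66.0.13.200", 13377), key, float_policy, ping_restart)
    # Constructed datagrams: (time, source (ip, port), payload, forged?)
    datagrams = [
        (0, ("66.0.13.200", 13377), b"data-1", False),
        (10, ("66.0.13.200", 13401), b"data-2", False),   # NAT rebinds the UDP port
        (20, ("198.51.100.7", 4444), b"junk", True),      # spoofed source, bad HMAC
        (100, ("66.0.13.200", 13401), b"data-3", False),  # real peer, new port, after silence
    ]
    actions, peers = [], []
    for t, src, payload, forged in datagrams:
        tag = b"\x00" * 32 if forged else s.mac(payload)
        actions.append(s.receive(src, payload, tag, t))
        peers.append(s.peer)
    return actions, peers, s.renegotiations


if __name__ == "__main__":
    for policy in ("never", "always", "authenticated"):
        acts, peers, reneg = scenario(policy)
        print(policy, reneg, "renegotiation(s)")
        for a, p in zip(acts, peers):
            print("   ", a, "-> peer", p)
```

Under "never" the NAT rebinding at t=10 is dropped, as in Bob's log, and only the ping-restart timeout gets the session moving again. Under "always" the forged datagram at t=20 is discarded for its bad HMAC but has already redirected the session to the spoofed address, which is the DoS exposure that makes unconditional floating unsafe. Under "authenticated" the rebinding is followed and the forgery is ignored without any renegotiation.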

