IP spoof packets and VPN clients
  •  
mct62

I've got a working VPN setup (using the Kerio VPN client).

Everything seems to be working fine. However, in the security log I'm getting some anti-spoof errors from my vpn client for network time sync traffic that's going from the client (XP Pro back to the win2k domain controller). This traffic, instead of having the VPN client private address (i.e. on the internal network) as its source address, is going out with either the client's 'public' ISP LAN address, or the client's VPN interface address (i.e. the 'other' one that is assigned on the client side to the other side of the VPN routing component).

I presume that what's happening is that the NTP client in WinXP is getting a list of all addresses bound to the LAN interface, and is sending udp packets out for each such address. I'm not sure why it would do this, but it's a little bit puzzling that they would go down the tunnel?

Here is an example:

[02/May/2006 08:56:59] Anti-spoofing: Packet from VPN client xxxxxx.xxxxxx, proto:UDP, len:96, ip/port:169.254.16.165:123 -> 192.168.1.3:123, udplen:68

  •  
winkelman

mct62 wrote on Tue, 02 May 2006 01:52

169.254.16.165


This is a Windows self-assigned IP address. Windows self-assigns when it's configured for DHCP, but can't contact any DHCP server. Such an address most probably does not belong in the network segment the PC is connected to, thus one could view such an address as spoofed.

To get rid of this (harmless) error, either put all your PCs on fixed IP addresses or make sure they can reach the DHCP server at all times.

[Updated on: Tue, 02 May 2006 11:16]

  •  
mct62

The client machine in question is indeed configured to use DHCP. It sits behind another XP machine running Internet Connection Sharing. ICS is correctly handing out a dynamic address to the client for its ethernet interface, which is in the 192.168.0.0/24 subnet.

However, that "other" address mentioned in my last posting is associated with one side of the VPN adapter on the client. (The other side being assigned an address by the vpn server).

If I go into Network Connections on the client, and select the Kerio VPN connection, it is indeed configured to get a dynamic address, but it would seem that this is not set by a dhcp query to the same dhcp server.

Here is an ipconfig dump:

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Broadcom 440x 10/100 Integrated Controller
        Physical Address. . . . . . . . . : 00-0D-56-E9-57-AF
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        Autoconfiguration IP Address. . . : 192.168.0.2
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
        DNS Servers . . . . . . . . . . . : 192.168.0.1
        NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter Kerio VPN:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Kerio VPN adapter
        Physical Address. . . . . . . . . : 44-45-53-54-10-08
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.253.3
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        IP Address. . . . . . . . . . . . : 169.254.16.165
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.253.1
        DHCP Server . . . . . . . . . . . : 169.254.16.164
        DNS Servers . . . . . . . . . . . : 192.168.1.3
        NetBIOS over Tcpip. . . . . . . . : Disabled
        Lease Obtained. . . . . . . . . . : Wednesday, 3 May 2006 8:23:44 AM
        Lease Expires . . . . . . . . . . : Wednesday, 3 May 2006 8:26:44 AM


In this case, I suppose I could set a static address for the VPN connection, but what should I set it to?

Secondly, why is the vpn client routing traffic down the tunnel that does not have the client tunnel endpoint address as the source address?

  •  
winkelman

Why does your VPN adapter even have 2 IP addresses? This is what my adapter looks like:
Ethernet adapter Kerio VPN:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Kerio VPN adapter
        Physical Address. . . . . . . . . : 44-45-53-54-40-08
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 10.30.30.100
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . : 10.20.20.20
        NetBIOS over Tcpip. . . . . . . . : Disabled

I don't know if this will make a difference, but it is a good idea to assign a fixed IP address to your VPN clients (and reserve this address for the user in his KWF account), if your situation allows for it. See http://support.kerio.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=389&nav=0,2
  •  
mct62

Hmmm...that's interesting. Why does your VPN connection only have one IP address and mine have two?

The article was interesting...as soon as I assigned a static IP to the "other" address (not the one assigned by the VPN server) it solved the problem in the Explorer address bar.

I will open a new thread on the second IP.

Cheers...
Milt
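
Added example, not part of any post in this thread: a small triage script for the anti-spoofing lines discussed above, separating hits whose source is a Windows self-assigned (169.254.0.0/16) address from hits with any other unexpected source, such as the client's own LAN address. The field layout is taken from the log line quoted in the first post; the VPN pool 192.168.253.0/24 is an assumption based on the ipconfig dump, and every sample line except the first is constructed.

```python
import ipaddress
import re
from collections import Counter

# Field layout follows the anti-spoofing line quoted in the thread.
LOG_RE = re.compile(
    r"Anti-spoofing: Packet from VPN client (?P<client>\S+), proto:(?P<proto>\w+), "
    r"len:\d+, ip/port:(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)
APIPA = ipaddress.ip_network("169.254.0.0/16")       # Windows self-assigned range
VPN_POOL = ipaddress.ip_network("192.168.253.0/24")  # assumption: subnet seen in the ipconfig dump


def classify(line, vpn_pool=VPN_POOL):
    """Return (client, src, verdict) for an anti-spoofing line, else None."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    src = ipaddress.ip_address(m["src"])
    if src in APIPA:
        verdict = "apipa"      # autoconfiguration address sent into the tunnel
    elif src in vpn_pool:
        verdict = "vpn-pool"   # the expected source for tunnelled traffic
    else:
        verdict = "foreign"    # e.g. the client's own LAN address, or anything else
    return m["client"], str(src), verdict


def summarise(lines):
    """Count anti-spoofing hits per (client, verdict), skipping unrelated lines."""
    hits = (classify(line) for line in lines)
    return Counter((h[0], h[2]) for h in hits if h)


# First line is the one from the thread; the others are constructed for illustration.
SAMPLE = [
    "[02/May/2006 08:56:59] Anti-spoofing: Packet from VPN client xxxxxx.xxxxxx, "
    "proto:UDP, len:96, ip/port:169.254.16.165:123 -> 192.168.1.3:123, udplen:68",
    "[02/May/2006 08:57:03] Anti-spoofing: Packet from VPN client xxxxxx.xxxxxx, "
    "proto:UDP, len:96, ip/port:192.168.0.2:123 -> 192.168.1.3:123, udplen:68",
    "[02/May/2006 08:57:10] Some other security log entry",
]

if __name__ == "__main__":
    for (client, verdict), count in summarise(SAMPLE).items():
        print(f"{client}: {verdict} x{count}")
```

Entries that land in "foreign" from a client that normally only produces "apipa" hits are the ones to look at first.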