Home page logo

basics logo Security Basics mailing list archives

Very Strange Incident
From: "Alan Greig" <Alan.Greig () Ogilvie co uk>
Date: Mon, 22 Mar 2004 08:23:38 -0000

Hi Folks,

We have a small satellite office located in a managed office space and
as such use the buildings shared leased line. Last week the S2S Vpn
between this office and our headoffice went down with our HQ firewall
displaying the following error message. 

VPN packet dropped (100R->Vraptor: Protocol=IPSEC-ESP spi=0x4ac80658):
The packet is either too old or has been received before (potential
replay attack?) (tunnel 6.isakmp.104 () 100r <VPN-100r>) 

I performed a traceroute from our head office which completed fine yet
when I performed a traceroute from other Internet connections the
responding device was another unit on the same subnet as our firewall.
The managed office has a cisco 2600 router behind which there is a small
subnet for the firewalls belonging to residents. All firewalls have a
world routable address so the cisco isn't doing anything clever. Whats
concerning me is that the managed office space IT guy is being very
cagey about the whole incident. He will only tell me that another IT
company installed a device into the subnet but won't tell me who they
were, what it was or its purpose. As the Cisco was the last hop before
the subnet I can't think why traceroutes would be redirected to this new
device. Especially as only the ISP has access to the router to make
config changes. 

Can anyone think of any reason that would allow for such strange
activity. Other sources have suggested some form of network monitor.

Any help much appreciated.


CONFIDENTIALITY NOTICE:  This email and any attachments may be confidential. They may contain privileged information 
and are intended for the named addressee (s) only. They must not be distributed without our consent. If you are not the 
intended recipient, please notify us immediately and delete the message and any attachments from your computer, do not 
disclose, distribute, or retain this email or any part of it.
DISCLAIMER: Internet communications are not secure and therefore Ogilvie Group Ltd does not accept legal responsibility 
for the contents of this message.  Unless expressly stated, opinions in this email are those of the individual sender, 
and not of Ogilvie Group Ltd.   Ogilvie Group Ltd checks outgoing e-mails with anti-virus software that is regularly 
updated however this does not guarantee that any files attached to this e-mail are virus free. You must therefore take 
full responsibility for virus checking. Ogilvie Group Ltd reserves the right to monitor all email communications 
through their networks.

Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]