Sounds like Opportunistic Encryption. https://en.wikipedia.org/wiki/Opportunistic_encryption#Windows_OS
On Thu, Sep 03, 2015 at 09:53:46AM -0400, Robert Webb wrote:
> There is no VPN in the picture here. These are straight workstations
> on the network that the packets are coming from.
>
> According to a packet capture in wireshark, these are isakmp packets
> reaching out to host names of web sites that are being browsed. So
> destinations are sites like twitter, facebook, amazon, cnn, etc.
>
> We have further discovered that they seem to be initiated from the
> Windows 7 svchost, but we have not been able to find documentation
> as to how or why this is occurring.
>
> Robert
>
>
> On Thu, 3 Sep 2015 13:42:21 +0000
> "Bjoern A. Zeeb" <bzeeb-li...@lists.zabbadoz.net> wrote:
>
> >
> >>On 03 Sep 2015, at 13:35 , Robert Webb <rw...@ropeguru.com> wrote:
> >>
> >>We are seeing udp 500 packets being dropped at our firewall from
> >>user's browsing sessions. These are users on a 2008 R2 AD setup
> >>with Windows 7.
> >>
> >>Source and destination ports are udp 500 and the pattern of
> >>drops directly correlate to the web browsing activity. We have
> >>confirmed this with tcpdump of port 500 and a single host and
> >>watching the pattern of traffic as they browse. This also occurs
> >>no matter what browser is used.
> >>
> >>Can anyone shine some light on what may be using udp 500 when
> >>web browsing?
> >
> >The VPN using IPsec UDP-Encap connection that supposedly gets
> >through NAT? Have you checked the content with tcpdump? Do you
> >have fragments by any chance?