You can configure Windows to encrypt traffic based on protocol definitions. E.g., use IPSEC to encrypt all traffic on port 80 between hosts X and hosts Y.
It's possible that such a policy is in place locally on the workstations and/or servers and it's also possible that it's being enforced using GPOs.

On Thu, Sep 3, 2015 at 9:53 AM, Robert Webb <rw...@ropeguru.com> wrote:

> There is no VPN in the picture here. These are straight workstations on
> the network that the packets are coming from.
>
> According to a packet capture in wireshark, these are isakmp packets
> reaching out to host names of web sites that are being browsed. So
> destinations are sites like twitter, facebook, amazon, cnn, etc.
>
> We have further discovered that they seem to be initiated from the Windows
> 7 svchost, but we have not been able to find documentation as to how or why
> this is occurring.
>
> Robert
>
> On Thu, 3 Sep 2015 13:42:21 +0000
> "Bjoern A. Zeeb" <bzeeb-li...@lists.zabbadoz.net> wrote:
>
>> On 03 Sep 2015, at 13:35 , Robert Webb <rw...@ropeguru.com> wrote:
>>>
>>> We are seeing udp 500 packets being dropped at our firewall from users'
>>> browsing sessions. These are users on a 2008 R2 AD setup with Windows 7.
>>>
>>> Source and destination ports are udp 500 and the pattern of drops
>>> directly correlates to the web browsing activity. We have confirmed this
>>> with tcpdump of port 500 and a single host and watching the pattern of
>>> traffic as they browse. This also occurs no matter what browser is used.
>>>
>>> Can anyone shine some light on what may be using udp 500 when web
>>> browsing?
>>
>> The VPN using IPsec UDP-Encap connection that supposedly gets through
>> NAT? Have you checked the content with tcpdump? Do you have fragments
>> by any chance?

--
:o@>
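
To check what the dropped UDP 500 packets discussed in this thread actually are, the fixed 28-byte ISAKMP header can be decoded from the captured payloads. The following is an added example, not code from the thread: the function names are illustrative, the sample bytes are constructed, and it assumes the UDP payloads have already been extracted from the capture.

```python
import struct

# Exchange type names from RFC 2408/2409 (IKEv1) and RFC 7296 (IKEv2),
# keyed by (major version, exchange type). Other values are reported as unknown.
EXCHANGE_TYPES = {
    (1, 2): "Identity Protection (Main Mode)",
    (1, 4): "Aggressive",
    (1, 5): "Informational",
    (1, 32): "Quick Mode",
    (2, 34): "IKE_SA_INIT",
    (2, 35): "IKE_AUTH",
    (2, 36): "CREATE_CHILD_SA",
    (2, 37): "INFORMATIONAL",
}
HEADER = struct.Struct("!8s8sBBBBII")  # cookies, next payload, version, exchange, flags, msg id, length


def parse_isakmp_header(payload: bytes) -> dict:
    """Decode the fixed header at the start of a UDP/500 payload."""
    if len(payload) < HEADER.size:
        raise ValueError("payload shorter than the 28-byte ISAKMP header")
    icookie, rcookie, _next, version, xchg, flags, msg_id, length = HEADER.unpack_from(payload)
    major, minor = version >> 4, version & 0x0F
    return {
        "initiator_cookie": icookie.hex(),
        "version": f"{major}.{minor}",
        "exchange": EXCHANGE_TYPES.get((major, xchg), f"unknown ({xchg})"),
        "flags": flags,
        "message_id": msg_id,
        "truncated": length > len(payload),  # declared length exceeds captured bytes
        # All-zero responder cookie: first message of a negotiation, no reply seen.
        "initial_request": rcookie == bytes(8),
    }


def summarize(payloads):
    """Count (version, exchange, initial_request) combinations across payloads."""
    counts = {}
    for p in payloads:
        h = parse_isakmp_header(p)
        key = (h["version"], h["exchange"], h["initial_request"])
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample: header of an IKEv1 Main Mode first message, no payload body.
SAMPLE = bytes.fromhex("1122334455667788" "0000000000000000" "01" "10" "02" "00" "00000000" "0000001c")

if __name__ == "__main__":
    print(parse_isakmp_header(SAMPLE))
```

A summary dominated by initial requests that never receive a response is consistent with workstations attempting negotiation toward hosts that do not answer, which points back at the local or GPO-delivered policy as the thing to inspect.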