Precisely.

On Thu, Sep 3, 2015 at 10:14 AM, Chuck Anderson <c...@wpi.edu> wrote:
> Sounds like Opportunistic Encryption.
>
> https://en.wikipedia.org/wiki/Opportunistic_encryption#Windows_OS
>
> On Thu, Sep 03, 2015 at 09:53:46AM -0400, Robert Webb wrote:
> > There is no VPN in the picture here. These are straight workstations
> > on the network that the packets are coming from.
> >
> > According to a packet capture in wireshark, these are isakmp packets
> > reaching out to host names of web sites that are being browsed. So
> > destinations are sites like twitter, facebook, amazon, cnn, etc.
> >
> > We have further discovered that they seem to be initiated from the
> > Windows 7 svchost, but we have not been able to find documentation
> > as to how or why this is occurring.
> >
> > Robert
> >
> >
> > On Thu, 3 Sep 2015 13:42:21 +0000
> > "Bjoern A. Zeeb" <bzeeb-li...@lists.zabbadoz.net> wrote:
> >
> > >
> > >>On 03 Sep 2015, at 13:35 , Robert Webb <rw...@ropeguru.com> wrote:
> > >>
> > >>We are seeing udp 500 packets being dropped at our firewall from
> > >>users' browsing sessions. These are users on a 2008 R2 AD setup
> > >>with Windows 7.
> > >>
> > >>Source and destination ports are udp 500 and the pattern of
> > >>drops directly correlates to the web browsing activity. We have
> > >>confirmed this with tcpdump of port 500 and a single host and
> > >>watching the pattern of traffic as they browse. This also occurs
> > >>no matter what browser is used.
> > >>
> > >>Can anyone shine some light on what may be using udp 500 when
> > >>web browsing?
> > >
> > >The VPN using IPsec UDP-Encap connection that supposedly gets
> > >through NAT? Have you checked the content with tcpdump? Do you
> > >have fragments by any chance?
>
--
:o@>