ATT Microcell (outbound ipsec vpn) won't connect
-
Pure IPsec with mobile client support isn't running smoothly on some devices/clients at the moment.. some users managed to get it up and running, but not the "standard way"..
see links above..
seems you have to wait till the mobile-client-ipsec-part is complete, but it will be worth waiting :)
anyhow, with which configuration are you trying to connect.. (general info & phase definitions)
-
Thanks for the replies Eazydor,
I'm still not sure I'm articulating the problem correctly… The Microcell is simply an IPsec client. It should, in theory, be no different than a laptop host running Cisco's VPN client and connecting to a server somewhere on the internet.
However, it will not connect.
-
No reason that shouldn't work. Worst case it may want static port, but I presume it uses NAT-T in which case it would be fine with the default settings (even without NAT-T it would be fine with the defaults as UDP 500 is not rewritten by default). Get a packet capture and see what it's trying to do.
-
Hi,
I have an AT&T microcell and am running 2.0 BETA2 right now. An analysis shows that the device uses UDP-encapsulated IPsec (NAT-T). The few ports I've seen it go outbound with are NTP (assume to get better time for GPS), initial HTTPS, then IPsec setup (initial packets on UDP 500, then everything goes to UDP 4500, source and dest).
I made a manual outbound NAT entry to static the UDP 500 and 4500 ports to the microcell.
As cmb suggested, do a tcpdump from the command line and see what is going on. It's going to connect on 500/4500 (source and dest), so if your L2TP server has those assigned, not really sure.
-
> Hi,
> I have an AT&T microcell and am running 2.0 BETA2 right now.
> I made a manual outbound NAT entry to static the UDP 500 and 4500 ports to the microcell. As cmb suggested, do a tcpdump from the command line and see what is going on. It's going to connect on 500/4500 (source and dest), so if your L2TP server has those assigned, not really sure.
If it is using the same source ports as the traditional destinations, wouldn't that be a problem for me since I have ports assigned to my internal VPN server?
In other words, behind PFsense.local is
MyServer.local, running VPN server on ports 500 and 4500 (forwarded by NAT)
Microcell.local, a client going outbound on ports 500 and 4500
(also present)
mylaptop.local, a client that may at times connect to a cisco vpn endpoint, using randomized outbound ports
This is where I get a little out of my league - if the microcell is using the same ports outbound as the myserver is using inbound, does that cause NAT issues?
-
I used the static port mapping because luckily I have a few public IP addresses. My experience with NAT-T is that if the initiator (microcell) sends out traffic on src: 4500 / dst: 4500 and the receiver sees the source as a random high port, it will respond to that port.
Most likely the problem is the initial ISAKMP connection. If you can, try changing the NAT rule for UDP 500 to the microcell temporarily, then reboot the device and then tcpdump on the internal interface to see if you get two way traffic for the initial ISAKMP connection.
Once it goes to phase II, internally you should see traffic on UDP 4500 for both source and destination.
If you change the IKE port back to MyServer.local, reboot the microcell and see what happens. If I had time I'd test myself.
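The check this post describes (two-way ISAKMP on UDP 500, then everything moving to UDP 4500) is easier to read off a capture once you know what the bytes look like. The following is an added example written for this thread, not code from the original posts, from pfSense or from AT&T: a small Python classifier for the UDP payloads a tcpdump of the Microcell would show, plus the "did the gateway answer?" test. IKE is recognised by its 28-byte ISAKMP header, IKE on port 4500 by the four-zero-byte non-ESP marker, ESP by a non-zero SPI, and a NAT keepalive by a single 0xff byte. All sample packets and addresses are constructed; the payload bodies are stubs standing in for real IKE payloads.

```python
"""Classify UDP 500/4500 traffic from a capture of an IPsec client behind NAT
and check for a two-way ISAKMP exchange. Added example for this thread; not
pfSense or AT&T code. Sample packets and addresses below are constructed."""
import struct
from dataclasses import dataclass
from typing import List

# ISAKMP header (RFC 2408 / RFC 7296): iSPI, rSPI, next payload, version,
# exchange type, flags, message ID, length. 28 bytes, network byte order.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: prefix for IKE on UDP 4500
NAT_KEEPALIVE = b"\xff"               # RFC 3948: one-byte NAT keepalive
ZERO_SPI = bytes(8)                   # responder SPI before the peer answers
EXCHANGE_TYPES = {
    (1, 2): "IKEv1 Main Mode (Identity Protection)",
    (1, 4): "IKEv1 Aggressive Mode",
    (1, 32): "IKEv1 Quick Mode",
    (2, 34): "IKEv2 IKE_SA_INIT",
    (2, 35): "IKEv2 IKE_AUTH",
}

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes  # UDP payload only

@dataclass
class Classified:
    kind: str  # "ike", "esp", "keepalive" or "unknown"
    ispi: bytes = b""
    rspi: bytes = b""
    exchange: str = ""
    esp_spi: int = 0

def build_isakmp(ispi, rspi, major, exchange, body=b""):
    """Build a minimal IKE message; `body` is a stub for the real payloads."""
    next_payload = 1 if body else 0  # 1 = SA payload; stub only
    length = ISAKMP_HDR.size + len(body)
    return ISAKMP_HDR.pack(ispi, rspi, next_payload, major << 4, exchange,
                           0, 0, length) + body

def parse_isakmp(data: bytes) -> Classified:
    if len(data) < ISAKMP_HDR.size:
        return Classified("unknown")
    ispi, rspi, _np, ver, xchg, _flags, _msgid, length = ISAKMP_HDR.unpack_from(data)
    major = ver >> 4
    if major not in (1, 2) or length != len(data):
        return Classified("unknown")
    name = EXCHANGE_TYPES.get((major, xchg), f"IKEv{major} exchange {xchg}")
    return Classified("ike", ispi=ispi, rspi=rspi, exchange=name)

def classify(pkt: Packet) -> Classified:
    data = pkt.payload
    if 4500 in (pkt.sport, pkt.dport):
        if data == NAT_KEEPALIVE:
            return Classified("keepalive")
        if data.startswith(NON_ESP_MARKER):  # IKE carried inside UDP 4500
            return parse_isakmp(data[4:])
        if len(data) >= 8:  # otherwise ESP: SPI (never zero) + sequence number
            spi, _seq = struct.unpack("!II", data[:8])
            if spi:
                return Classified("esp", esp_spi=spi)
        return Classified("unknown")
    if 500 in (pkt.sport, pkt.dport):
        return parse_isakmp(data)
    return Classified("unknown")

def two_way_isakmp(packets: List[Packet], client_ip: str) -> bool:
    """True once a request from client_ip (rSPI zero) is answered by a packet
    to client_ip with the same iSPI and a non-zero rSPI: the reply got back."""
    outstanding = set()
    for pkt in packets:
        c = classify(pkt)
        if c.kind != "ike":
            continue
        if pkt.src == client_ip and c.rspi == ZERO_SPI:
            outstanding.add(c.ispi)
        elif pkt.dst == client_ip and c.ispi in outstanding and c.rspi != ZERO_SPI:
            return True
    return False

# Constructed capture: client at 192.168.1.50, gateway at 203.0.113.10
# (documentation addresses, not real endpoints).
CLIENT, PEER = "192.168.1.50", "203.0.113.10"
ISPI = bytes.fromhex("0102030405060708")
RSPI = bytes.fromhex("a1a2a3a4a5a6a7a8")
SAMPLE = [
    # 1. IKEv1 Main Mode request on UDP 500; responder SPI still zero
    Packet(CLIENT, 500, PEER, 500, build_isakmp(ISPI, ZERO_SPI, 1, 2, b"\x00" * 12)),
    # 2. the gateway's reply fills in the responder SPI: two-way ISAKMP
    Packet(PEER, 500, CLIENT, 500, build_isakmp(ISPI, RSPI, 1, 2, b"\x00" * 12)),
    # 3. NAT detected, both sides move to 4500; IKE now carries the marker
    Packet(CLIENT, 4500, PEER, 4500,
           NON_ESP_MARKER + build_isakmp(ISPI, RSPI, 1, 32, b"\x00" * 8)),
    # 4. UDP-encapsulated ESP: SPI, sequence number, encrypted data
    Packet(CLIENT, 4500, PEER, 4500, struct.pack("!II", 0x12345678, 1) + b"\x00" * 16),
    # 5. NAT keepalive
    Packet(CLIENT, 4500, PEER, 4500, NAT_KEEPALIVE),
]
```

Running `two_way_isakmp(SAMPLE, CLIENT)` returns True because packet 2 answers packet 1; on a real capture taken on the LAN interface, a False here with packet 1 repeating is the "no reply is reaching the Microcell" symptom the post suggests isolating by moving the UDP 500 rule temporarily.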
-
> This is where I get a little out of my league - if the microcell is using the same ports outbound as the myserver is using inbound, does that cause NAT issues?
No. State comes from 4 things, source and dest IP, source and dest port. Where those are unique it's fine.
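cmb's point about state uniqueness can be shown on a toy model. The following is an added example written for this thread, not pf or pfSense code: a simplified stateful NAT whose state table is keyed on protocol plus the 4-tuple (source IP, source port, destination IP, destination port). It models two assumptions, both labelled in the code: existing states are matched before port-forward rules, and UDP source port 500 is preserved on the way out (cmb notes above that pfSense does not rewrite it by default). With the thread's setup (MyServer.local with 500/4500 forwarded in, Microcell.local going out on 500/4500), the AT&T gateway's reply matches the Microcell's state and is delivered to the Microcell, an unrelated client hitting WAN:500 still takes the port forward to MyServer, and the only real collision is a second LAN host needing the same WAN 4-tuple. All addresses are constructed.

```python
"""Toy model of a stateful NAT keyed on (proto, src IP, src port, dst IP,
dst port). Added example for this thread; a simplified model, not pf or
pfSense code. Addresses are constructed. Assumptions: states are checked
before port forwards, and UDP source port 500 is preserved on the way out."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

WAN = "198.51.100.2"           # firewall's public address
SERVER = "192.168.1.10"        # MyServer.local: VPN server, 500/4500 forwarded in
MICROCELL = "192.168.1.50"     # Microcell.local: outbound client on 500/4500
LAPTOP = "192.168.1.20"        # mylaptop.local: random source ports
ATT_PEER = "203.0.113.10"      # the gateway the Microcell dials
ROAD_WARRIOR = "203.0.113.77"  # a client dialing in to MyServer

@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)

class StatefulNAT:
    def __init__(self, port_forwards: Dict[Tuple[str, int], str], static_port_hosts: Set[str]):
        self.port_forwards = port_forwards       # (proto, WAN port) -> internal host
        self.static_port_hosts = static_port_hosts
        self.states: Dict[Flow, Flow] = {}      # WAN-side inbound flow -> LAN-side flow
        self.next_ephemeral = 40000

    def _pick_port(self, flow: Flow) -> int:
        while True:
            port = self.next_ephemeral
            self.next_ephemeral += 1
            if Flow(flow.proto, flow.dst, flow.dport, WAN, port) not in self.states:
                return port

    def outbound(self, flow: Flow) -> Optional[Flow]:
        """LAN -> WAN. Returns the translated flow, or None when a static
        source port would need a 4-tuple another host's state already owns."""
        static = flow.src in self.static_port_hosts or (flow.proto == "udp" and flow.sport == 500)
        wan_port = flow.sport if static else self._pick_port(flow)
        wan_flow = Flow(flow.proto, WAN, wan_port, flow.dst, flow.dport)
        reply_key = wan_flow.reverse()  # how the peer's reply looks at the WAN
        if reply_key in self.states:
            return None
        self.states[reply_key] = flow.reverse()
        return wan_flow

    def inbound(self, flow: Flow) -> Optional[Flow]:
        """WAN -> LAN. An existing state wins; otherwise a port forward; else drop."""
        if flow in self.states:
            return self.states[flow]
        target = self.port_forwards.get((flow.proto, flow.dport))
        if target is None:
            return None
        lan_flow = Flow(flow.proto, flow.src, flow.sport, target, flow.dport)
        self.states[flow] = lan_flow
        return lan_flow

def scenario() -> dict:
    fw = StatefulNAT(port_forwards={("udp", 500): SERVER, ("udp", 4500): SERVER},
                     static_port_hosts={MICROCELL})
    out = {}
    # Microcell starts IKE; its source port 500 is kept on the WAN side.
    out["microcell_wan"] = fw.outbound(Flow("udp", MICROCELL, 500, ATT_PEER, 500))
    # The gateway answers to WAN:500. That matches the Microcell's state, so it is
    # delivered to the Microcell although WAN:500 is also forwarded to MyServer.
    out["gateway_reply_to"] = fw.inbound(Flow("udp", ATT_PEER, 500, WAN, 500)).dst
    # A different source IP hitting WAN:500 matches no state and takes the forward.
    out["road_warrior_to"] = fw.inbound(Flow("udp", ROAD_WARRIOR, 500, WAN, 500)).dst
    # The laptop's random source port is rewritten to an ephemeral WAN port.
    out["laptop_wan_port"] = fw.outbound(Flow("udp", LAPTOP, 51515, "203.0.113.99", 4500)).sport
    # A second LAN host using source port 500 to the *same* gateway would need the
    # WAN 4-tuple the Microcell already owns: that is the one real collision.
    out["second_host_collides"] = fw.outbound(Flow("udp", "192.168.1.51", 500, ATT_PEER, 500)) is None
    return out
```

The model is deliberately small: real pf state entries also carry direction, interface and timeouts, but the matching rule that answers the question in the thread is the same, namely that two flows only conflict when all four address/port fields are equal.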
-
I don't quite get this with mobile IPsec on 2.0.
How could the Microcell with its Cisco client do IPsec with NAT-T, when some posts say the Cisco client, e.g. from OS X or iOS, doesn't (yet)?
-
> I don't quite get this with mobile IPsec on 2.0.
> How could the Microcell with its Cisco client do IPsec with NAT-T, when some posts say the Cisco client, e.g. from OS X or iOS, doesn't (yet)?
The Microcell connects outbound to AT&T's VPN network; passing IPsec has no relevance to terminating it.
-
@cmb: sure, my bad. Misunderstood the whole Microcell functionality.
Like cmb said, further information is better/required (logs (FW & system), packet captures, etc..).
Doesn't the Microcell support UPnP, as a typical consumer device? (just for testing..)
-
Did you ever come across a resolution to this issue? I too have an AT&T Microcell that just doesn't want to function behind my pfSense.
Update: It seems that my Microcell is now working. Two changes have occurred that may be related: 1) I enabled Traffic Shaping; and 2) I set up an IPSec Site-to-Site VPN.