IPSec/L2TP passthrough not working after upgrade to 1.2.3
  • I use IPSec/L2TP from OS X to connect to my work VPN (no idea what equipment they use on their end).  They use password user authentication and certificate-based machine authentication.

    My network setup uses a cable modem with static IPs for the WAN.  The LAN is NAT'd onto a single IP (the others are currently unused, but will be earmarked soon.  1:1 isn't practical for this setup.)

    With 1.2.2, I never had a problem.  After upgrading to 1.2.3, the connection always fails before getting to the user authentication phase.  I've tried both automatic outbound NAT and manual NAT with port 500 as a static port.  The firewall logs do not indicate any blocked packets.

    From the following tcpdump on WAN, it seems that the key exchange has happened and NAT-T is being attempted (ESP in UDP on port 4500).  The router appears to be successfully NAT'ing and forwarding the first ESP packet on port 4500, but there is no ESP response from the remote end.  I'm trying to get my work's IT guys to see if there are any indications of a failure on their side.

    Anyone have any ideas on how to debug this further?  My knowledge of IPSec is reaching its limit.

    [1.2.3-RELEASE]
    [admin@router.home]/root(1): tcpdump -i em0 -vvvv "port 500 or port 4500"
    tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
    05:54:24.994446 IP (tos 0x0, ttl 63, id 18332, offset 0, flags [none], proto UDP (17), length 328) 173-164-143-193-SFBA.hfc.comcastbusiness.net.isakmp > 216.239.45.129.isakmp: isakmp 1.0 msgid  cookie ->: phase 1 I ident: [|sa]
    05:54:25.013386 IP (tos 0x20, ttl 114, id 20155, offset 0, flags [none], proto UDP (17), length 196) 216.239.45.129.isakmp > 173-164-143-193-SFBA.hfc.comcastbusiness.net.isakmp: isakmp 1.0 msgid  cookie ->: phase 1 R ident: [|sa]
    05:54:25.041377 IP (tos 0x0, ttl 63, id 64233, offset 0, flags [none], proto UDP (17), length 256) 173-164-143-193-SFBA.hfc.comcastbusiness.net.isakmp > 216.239.45.129.isakmp: isakmp 1.0 msgid  cookie ->: phase 1 I ident: [|ke]
    05:54:25.093634 IP (tos 0x20, ttl 114, id 20433, offset 0, flags [none], proto UDP (17), length 393) 216.239.45.129.isakmp > 173-164-143-193-SFBA.hfc.comcastbusiness.net.isakmp: isakmp 1.0 msgid  cookie ->: phase 1 R ident: [|ke]
    05:54:25.166619 IP (tos 0x0, ttl 63, id 29887, offset 0, flags [+], proto UDP (17), length 1500) 173-164-143-193-SFBA.hfc.comcastbusiness.net.37963 > 216.239.45.129.sae-urn: NONESP-encap: isakmp 1.0 msgid  cookie ->: phase 1 I ident[E]: [encrypted id] (len mismatch: isakmp 1732/ip 1468)
    05:54:26.490974 IP (tos 0x20, ttl 114, id 25410, offset 0, flags [none], proto UDP (17), length 393) 216.239.45.129.isakmp > 173-164-143-193-SFBA.hfc.comcastbusiness.net.isakmp: isakmp 1.0 msgid  cookie ->: phase 1 R ident: [|ke]
    05:54:28.491278 IP (tos 0x20, ttl 114, id 32228, offset 0, flags [none], proto UDP (17), length 393) 216.239.45.129.isakmp > 173-164-143-193-SFBA.hfc.comcastbusiness.net.isakmp: isakmp 1.0 msgid  cookie ->: phase 1 R ident: [|ke]
    05:54:32.491160 IP (tos 0x20, ttl 114, id 16491, offset 0, flags [none], proto UDP (17), length 393) 216.239.45.129.isakmp > 173-164-143-193-SFBA.hfc.comcastbusiness.net.isakmp: isakmp 1.0 msgid  cookie ->: phase 1 R ident: [|ke]
    05:54:35.495944 IP (tos 0x0, ttl 63, id 60653, offset 0, flags [+], proto UDP (17), length 1500) 173-164-143-193-SFBA.hfc.comcastbusiness.net.37963 > 216.239.45.129.sae-urn: NONESP-encap: isakmp 1.0 msgid  cookie ->: phase 1 I ident[E]: [encrypted id] (len mismatch: isakmp 1732/ip 1468)
    05:54:40.492094 IP (tos 0x20, ttl 114, id 11570, offset 0, flags [none], proto UDP (17), length 393) 216.239.45.129.isakmp > 173-164-143-193-SFBA.hfc.comcastbusiness.net.isakmp: isakmp 1.0 msgid  cookie ->: phase 1 R ident: [|ke]
    05:54:45.165328 IP (tos 0x0, ttl 63, id 13021, offset 0, flags [+], proto UDP (17), length 1500) 173-164-143-193-SFBA.hfc.comcastbusiness.net.37963 > 216.239.45.129.sae-urn: NONESP-encap: isakmp 1.0 msgid  cookie ->: phase 1 I ident[E]: [encrypted id] (len mismatch: isakmp 1732/ip 1468)
    05:54:56.491918 IP (tos 0x20, ttl 114, id 26952, offset 0, flags [none], proto UDP (17), length 393) 216.239.45.129.isakmp > 173-164-143-193-SFBA.hfc.comcastbusiness.net.isakmp: isakmp 1.0 msgid  cookie ->: phase 1 R ident: [|ke]
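
An added diagnostic helper, not from the post or from pfSense, that parses tcpdump lines in the format shown above and counts what the capture already hints at: the initiator's encrypted phase 1 identity message (the one carrying the machine certificate) is IP-fragmented (flags [+], "len mismatch: isakmp 1732/ip 1468"), and the responder then keeps repeating its earlier KE reply, which is the pattern seen when the fragments never reach it reassembled. The sample lines are constructed in the same format; the host names are placeholders.

```python
import re

# One "tcpdump -vvvv" summary line: keep flags, IP length, endpoints and the ISAKMP text.
LINE_RE = re.compile(r"^\S+ IP \(.*?flags \[(?P<flags>[^\]]*)\].*?length (?P<ip_len>\d+)\) "
                     r"(?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
MISMATCH_RE = re.compile(r"len mismatch: isakmp (\d+)/ip (\d+)")

def parse_line(line):
    """Return a dict for one packet line, or None for lines that are not packets."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    mm = MISMATCH_RE.search(m["rest"])
    return {"src": m["src"].rsplit(".", 1)[0],   # strip the port/service suffix
            "dst": m["dst"].rsplit(".", 1)[0],
            "frag": "+" in m["flags"],           # flags [+] = more fragments follow
            "ip_len": int(m["ip_len"]),
            "isakmp_len": int(mm.group(1)) if mm else None,  # only printed on a mismatch
            "rest": m["rest"]}

def analyse(lines, peer):
    """Count IP-fragmented messages sent to `peer` and how often `peer` repeats an
    earlier reply after the first fragmented message (i.e. it never saw it whole)."""
    pkts = [p for p in map(parse_line, lines) if p]
    to_peer = [p for p in pkts if p["dst"] == peer]
    frag_idx = next((i for i, p in enumerate(pkts) if p["dst"] == peer and p["frag"]), None)
    retrans = 0
    if frag_idx is not None:
        seen = {p["rest"] for p in pkts[:frag_idx] if p["src"] == peer}
        retrans = sum(p["src"] == peer and p["rest"] in seen for p in pkts[frag_idx + 1:])
    return {"to_peer": len(to_peer),
            "from_peer": sum(p["src"] == peer for p in pkts),
            "fragmented_to_peer": sum(p["frag"] for p in to_peer),
            "largest_isakmp_len": max((p["isakmp_len"] or 0 for p in to_peer), default=0),
            "responder_retransmits": retrans,
            "fragmented_msg_unanswered": frag_idx is not None and retrans > 0}

# Constructed sample in the format of the capture above; hosts are placeholders.
SAMPLE = """\
05:54:24.994446 IP (tos 0x0, ttl 63, id 18332, offset 0, flags [none], proto UDP (17), length 328) client.example.net.isakmp > vpn.example.org.isakmp: isakmp 1.0 msgid  cookie ->: phase 1 I ident: [|sa]
05:54:25.013386 IP (tos 0x20, ttl 114, id 20155, offset 0, flags [none], proto UDP (17), length 196) vpn.example.org.isakmp > client.example.net.isakmp: isakmp 1.0 msgid  cookie ->: phase 1 R ident: [|sa]
05:54:25.041377 IP (tos 0x0, ttl 63, id 64233, offset 0, flags [none], proto UDP (17), length 256) client.example.net.isakmp > vpn.example.org.isakmp: isakmp 1.0 msgid  cookie ->: phase 1 I ident: [|ke]
05:54:25.093634 IP (tos 0x20, ttl 114, id 20433, offset 0, flags [none], proto UDP (17), length 393) vpn.example.org.isakmp > client.example.net.isakmp: isakmp 1.0 msgid  cookie ->: phase 1 R ident: [|ke]
05:54:25.166619 IP (tos 0x0, ttl 63, id 29887, offset 0, flags [+], proto UDP (17), length 1500) client.example.net.37963 > vpn.example.org.sae-urn: NONESP-encap: isakmp 1.0 msgid  cookie ->: phase 1 I ident[E]: [encrypted id] (len mismatch: isakmp 1732/ip 1468)
05:54:26.490974 IP (tos 0x20, ttl 114, id 25410, offset 0, flags [none], proto UDP (17), length 393) vpn.example.org.isakmp > client.example.net.isakmp: isakmp 1.0 msgid  cookie ->: phase 1 R ident: [|ke]
05:54:28.491278 IP (tos 0x20, ttl 114, id 32228, offset 0, flags [none], proto UDP (17), length 393) vpn.example.org.isakmp > client.example.net.isakmp: isakmp 1.0 msgid  cookie ->: phase 1 R ident: [|ke]
""".splitlines()

if __name__ == "__main__":
    print(analyse(SAMPLE, "vpn.example.org"))
```

Feed it the real capture with the VPN server's host name as `peer`; a non-zero `responder_retransmits` together with `fragmented_to_peer` points at fragment handling on the path (NAT, scrub, MTU) rather than at authentication.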