Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    IPSec/L2TP passthrough not working after upgrade to 1.2.3

    IPsec
    1
    1
    3814
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • K
      kc8apf last edited by

      I use IPSec/L2TP from OS X to connect to my work VPN (no idea what equipment they use on their end).  They use password user authentication and certificate-based machine authentication.

      My network setup uses a cable modem with static IPs for the WAN.  The LAN is NAT'd onto a single IP (the others are currently unused, but will be ear-marked soon.  1:1 isn't practical for this setup.)

      With 1.2.2, I never had a problem.  After upgrading to 1.2.3, the connection always fails before getting to the user authentication phase.  I've tried both automatic outbound NAT and manual NAT with port 500 as a static port.  The firewall logs do not indicate any blocked packets.

      From the following tcpdump on WAN, it seems that the key exchange has happened and NAT-T is being attempted (ESP in UDP on port 4500).  The router appears to be successfully NAT'ing and forwarding the first ESP packet on port 4500, but there is no ESP response from the remote end.  I'm trying to get my work's IT guys to see if there are any indications of a failure on their side.

      Any one have any ideas on how to debug this further?  My knowledge of IPSec is reaching its limit.

      
[1.2.3-RELEASE]                                                                 
[admin@router.home]/root(1): tcpdump -i em0 -vvvv "port 500 or port 4500"
tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
05:54:24.994446 IP (tos 0x0, ttl 63, id 18332, offset 0, flags [none], proto UDP (17), length 328) 173-164-143-193-SFBA.hfc.comcastbusiness.net.isakmp > 216.239.45.129.isakmp: isakmp 1.0 msgid  cookie ->: phase 1 I ident: [|sa]
05:54:25.013386 IP (tos 0x20, ttl 114, id 20155, offset 0, flags [none], proto UDP (17), length 196) 216.239.45.129.isakmp > 173-164-143-193-SFBA.hfc.comcastbusiness.net.isakmp: isakmp 1.0 msgid  cookie ->: phase 1 R ident: [|sa]
05:54:25.041377 IP (tos 0x0, ttl 63, id 64233, offset 0, flags [none], proto UDP (17), length 256) 173-164-143-193-SFBA.hfc.comcastbusiness.net.isakmp > 216.239.45.129.isakmp: isakmp 1.0 msgid  cookie ->: phase 1 I ident: [|ke]
05:54:25.093634 IP (tos 0x20, ttl 114, id 20433, offset 0, flags [none], proto UDP (17), length 393) 216.239.45.129.isakmp > 173-164-143-193-SFBA.hfc.comcastbusiness.net.isakmp: isakmp 1.0 msgid  cookie ->: phase 1 R ident: [|ke]
05:54:25.166619 IP (tos 0x0, ttl 63, id 29887, offset 0, flags [+], proto UDP (17), length 1500) 173-164-143-193-SFBA.hfc.comcastbusiness.net.37963 > 216.239.45.129.sae-urn: NONESP-encap: isakmp 1.0 msgid  cookie ->: phase 1 I ident[E]: [encrypted id] (len mismatch: isakmp 1732/ip 1468)
05:54:26.490974 IP (tos 0x20, ttl 114, id 25410, offset 0, flags [none], proto UDP (17), length 393) 216.239.45.129.isakmp > 173-164-143-193-SFBA.hfc.comcastbusiness.net.isakmp: isakmp 1.0 msgid  cookie ->: phase 1 R ident: [|ke]
05:54:28.491278 IP (tos 0x20, ttl 114, id 32228, offset 0, flags [none], proto UDP (17), length 393) 216.239.45.129.isakmp > 173-164-143-193-SFBA.hfc.comcastbusiness.net.isakmp: isakmp 1.0 msgid  cookie ->: phase 1 R ident: [|ke]
05:54:32.491160 IP (tos 0x20, ttl 114, id 16491, offset 0, flags [none], proto UDP (17), length 393) 216.239.45.129.isakmp > 173-164-143-193-SFBA.hfc.comcastbusiness.net.isakmp: isakmp 1.0 msgid  cookie ->: phase 1 R ident: [|ke]
05:54:35.495944 IP (tos 0x0, ttl 63, id 60653, offset 0, flags [+], proto UDP (17), length 1500) 173-164-143-193-SFBA.hfc.comcastbusiness.net.37963 > 216.239.45.129.sae-urn: NONESP-encap: isakmp 1.0 msgid  cookie ->: phase 1 I ident[E]: [encrypted id] (len mismatch: isakmp 1732/ip 1468)
05:54:40.492094 IP (tos 0x20, ttl 114, id 11570, offset 0, flags [none], proto UDP (17), length 393) 216.239.45.129.isakmp > 173-164-143-193-SFBA.hfc.comcastbusiness.net.isakmp: isakmp 1.0 msgid  cookie ->: phase 1 R ident: [|ke]
05:54:45.165328 IP (tos 0x0, ttl 63, id 13021, offset 0, flags [+], proto UDP (17), length 1500) 173-164-143-193-SFBA.hfc.comcastbusiness.net.37963 > 216.239.45.129.sae-urn: NONESP-encap: isakmp 1.0 msgid  cookie ->: phase 1 I ident[E]: [encrypted id] (len mismatch: isakmp 1732/ip 1468)
05:54:56.491918 IP (tos 0x20, ttl 114, id 26952, offset 0, flags [none], proto UDP (17), length 393) 216.239.45.129.isakmp > 173-164-143-193-SFBA.hfc.comcastbusiness.net.isakmp: isakmp 1.0 msgid  cookie ->: phase 1 R ident: [|ke]
      1 Reply Last reply Reply Quote 0
      • First post
        Last post

      Products

      • Platform Overview
      • TNSR
      • pfSense
      • Appliances

      Services

      • Training
      • Professional Services

      Support

      • Subscription Plans
      • Contact Support
      • Product Lifecycle
      • Documentation

      News

      • Media Coverage
      • Press
      • Events

      Resources

      • Blog
      • FAQ
      • Find a Partner
      • Resource Library
      • Security Information

      Company

      • About Us
      • Careers
      • Partners
      • Contact Us
      • Legal
      Our Mission

      We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

      Subscribe to our Newsletter

      Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

      © 2021 Rubicon Communications, LLC | Privacy Policy