ATT Microcell (outbound ipsec vpn) won't connect



  • Hey folks,
    I've been enjoying the 2.x beta tree for months now - really great work, have loved watching it progress!

    I've got an issue that I suspect is not 2.x specific, but since I am running the June 25th snapshot I thought I should post here.

    I've got AT&T's new "microcell", basically a small 3G base station for GSM phones that converts the GSM to VoIP and sends it out over one's internet connection. Mine won't connect to AT&T's servers.

    I've learned that they are essentially an IPsec VPN client. I can connect to work via Cisco's VPN client all the time, so it should be possible. I am running an OpenVPN server on my PF box and forward the traditional IPsec ports to an L2TP server behind my PF box. I've seen posts on AT&T's site suggesting that some have had luck forwarding 500 and 4500 to the device, however that's not an option since I already have them going to my VPN server…and frankly if this thing is just a client, it shouldn't need forwarded ports, right?

    So, in thinking about this gizmo as a VPN client, can anyone think of something in a (basically) default install of PFsense 2.x that would prohibit it from making a connection to the server? I did enable static ports in my outbound NAT to no effect....

    Looking forward to some creative suggestions, thanks!



  • what do you wanna do?

    IPSec, L2TP/IPsec and OpenVPN are all different services.

    500 & 4500 are usually for doing IPSec over NAT-Traversal (IPSec encapsulated in UDP).

    OpenVPN is an SSL-VPN, which I think isn't supported by your Microcell.

    L2TP is just responsible for tunneling, confidentiality is part of IPSec.

    Regarding pfSense Beta:
    Mobile Client support for IPSec isn't stable right now..
    L2TP provides just authentication, no IPSec inside.

    http://forum.pfsense.org/index.php?topic=24752
    http://redmine.pfsense.org/issues/576



  • @eazydor:

    what do you wanna do?

    Sorry, I wasn't clear.

    The Microcell, as I understand it, is just an IPsec VPN client, and it won't connect.

    I added the fact that I'm running both an l2tp/ipsec VPN server behind the firewall and an OpenVPN server at the firewall as extra info…



    pure ipsec with mobile client support isn't running smoothly on some devices/clients at the moment.. some users managed to get it up and running, but not the "standard way"..

    see links above..

    seems you have to wait till the mobile-client-ipsec-part is complete, but it will be worth waiting :)

    anyhow, with which configuration are you trying to connect.. (general info & phase definitions)



  • Thanks for the replies Eazydor,
    I'm still not sure I'm articulating the problem correctly…

    The Microcell is simply an IPsec client. It should, in theory, be no different than a laptop host running cisco's VPN client and connecting to a server somewhere on the internet.

    However, it will not connect.



  • No reason that shouldn't work. Worst case it may want static port, but I presume it uses NAT-T in which case it would be fine with the default settings (even without NAT-T it would be fine with the defaults as UDP 500 is not rewritten by default). Get a packet capture and see what it's trying to do.



  • Hi,

    I have an AT&T microcell and am running 2.0 BETA2 right now. An analysis shows that the device uses UDP encapsulated IPsec (NAT-T). The few ports I've seen it go outbound with are NTP (assume to get better time for GPS), initial HTTPS, then IPsec setup (initial packets on UDP 500 then everything goes to UDP 4500, source and dest).

    I made a manual outbound NAT entry to static the UDP 500 and 4500 ports to the microcell.

    As cmb suggested, do a tcpdump from the command line and see what is going on. It's going to connect on 500/4500 (source and dest), so if your L2TP server has those assigned, not really sure.



  • @gadams999:

    Hi,

    I have an AT&T microcell and am running 2.0 BETA2 right now.
    I made a manual outbound NAT entry to static the UDP 500 and 4500 ports to the microcell.

    As cmb suggested, do a tcpdump from the command line and see what is going on. It's going to connect on 500/4500 (source and dest), so if your L2TP server has those assigned, not really sure.

    If it is using the same source ports as the traditional destinations, wouldn't that be a problem for me since I have ports assigned to my internal VPN server?

    In other words, behind PFsense.local is
    MyServer.local, running VPN server on ports 500 and 4500 (forwarded by NAT)
    Microcell.local, a client going outbound on ports 500 and 4500
    (also present)
    mylaptop.local, a client that may at times connect to a cisco vpn endpoint, using randomized outbound ports

    This is where I get a little out of my league - if the microcell is using the same ports outbound as the myserver is using inbound, does that cause NAT issues?



  • I used the static port mapping because luckily I have a few public IP addresses. My experience with NAT-T is that if the initiator (microcell) sends out traffic on src: 4500 / dst: 4500 and the receiver sees the source as a random high port, it will respond to that port.

    Most likely the problem is the initial ISAKMP connection. If you can, try changing the NAT rule for UDP 500 to the microcell temporarily, then reboot the device and then tcpdump on the internal interface to see if you get two way traffic for the initial ISAKMP connection.

    Once it goes to phase II, internally you should see traffic on UDP 4500 for both source and destination.

    If you change the IKE port back to MyServer.local, reboot the microcell and see what happens. If I had time I'd test myself.
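    As an added example (not posted by anyone in this thread), the check gadams999 and cmb describe, written as a small script: it reads LAN-side tcpdump lines and reports whether the initial ISAKMP exchange on UDP 500 got a reply and whether the client then moved to NAT-T on UDP 4500. The capture lines, the client address 192.168.1.50 and the gateway 203.0.113.10 are constructed placeholders.

    ```python
    import re
    from collections import Counter

    # Address part of a tcpdump line: "IP a.b.c.d.sport > e.f.g.h.dport:"
    TCPDUMP_RE = re.compile(
        r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
    )

    IKE_PORT = 500     # ISAKMP: IKE phase 1 starts here
    NATT_PORT = 4500   # NAT-T: IKE and UDP-encapsulated ESP move here

    def parse_flows(lines):
        """Return (src, sport, dst, dport) for every line that parses."""
        flows = []
        for line in lines:
            m = TCPDUMP_RE.search(line)
            if m:
                flows.append((m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
        return flows

    def analyze(lines, client_ip):
        """Count IKE/NAT-T packets to and from client_ip and name the missing leg."""
        counts = Counter()
        for src, sport, dst, dport in parse_flows(lines):
            if src == client_ip and dport == IKE_PORT:
                counts["ike_out"] += 1
            elif dst == client_ip and sport == IKE_PORT:
                counts["ike_in"] += 1
            elif src == client_ip and dport == NATT_PORT:
                counts["natt_out"] += 1
            elif dst == client_ip and sport == NATT_PORT:
                counts["natt_in"] += 1
        if counts["ike_out"] and not counts["ike_in"]:
            verdict = "no ISAKMP reply: UDP 500 responses are not reaching the client"
        elif counts["ike_in"] and not counts["natt_out"]:
            verdict = "IKE answered but client never moved to UDP 4500"
        elif counts["natt_out"] and not counts["natt_in"]:
            verdict = "no NAT-T reply: UDP 4500 responses are not reaching the client"
        elif counts["natt_in"]:
            verdict = "two-way IKE and NAT-T traffic seen"
        else:
            verdict = "no IKE traffic from client"
        return dict(counts), verdict

    # Constructed tcpdump output: 192.168.1.50 stands in for the Microcell,
    # 203.0.113.10 for a placeholder IPsec gateway.
    HEALTHY = [
        "IP 192.168.1.50.500 > 203.0.113.10.500: isakmp: phase 1 I ident",
        "IP 203.0.113.10.500 > 192.168.1.50.500: isakmp: phase 1 R ident",
        "IP 192.168.1.50.4500 > 203.0.113.10.4500: NONESP-encap: isakmp: phase 1 I ident[E]",
        "IP 203.0.113.10.4500 > 192.168.1.50.4500: NONESP-encap: isakmp: phase 1 R ident[E]",
        "IP 192.168.1.50.4500 > 203.0.113.10.4500: UDP-encap: ESP(spi=0x00000001,seq=0x1)",
        "IP 203.0.113.10.4500 > 192.168.1.50.4500: UDP-encap: ESP(spi=0x00000002,seq=0x1)",
    ]
    NO_REPLY = HEALTHY[:1] * 3   # client retransmits its first IKE message, nothing comes back
    ```

    Run it against real output from `tcpdump -ni <lan-interface> udp port 500 or udp port 4500` and it points at whichever leg of the exchange is missing.
    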



  • @SpaceBass:

    This is where I get a little out of my league - if the microcell is using the same ports outbound as the myserver is using inbound, does that cause NAT issues?

    No. State comes from 4 things, source and dest IP, source and dest port. Where those are unique it's fine.



  • i don't quite get this with mobile ipsec on 2.0.

    how could the Microcell with its Cisco client do ipsec with nat-t, where some posts say, the cisco client i.e. from OSX or iOS don't (yet).



  • @eazydor:

    i don't quite get this with mobile ipsec on 2.0.

    how could the Microcell with its Cisco client do ipsec with nat-t, where some posts say, the cisco client i.e. from OSX or iOS don't (yet).

    The Microcell connects outbound to AT&T's VPN network, passing IPsec has no relevance to terminating it.



  • @cmb: sure, my bad. misunderstood whole microcell functionality.

    like cmb said, further information is better/required. (Logs (FW&System), Packet Captures, etc..)

    doesn't the Microcell support UPnP, as a typical consumer device? (just for testing..)



  • @SpaceBass-

    Did you ever come across a resolution to this issue?  I too have an AT&T Microcell that just doesn't want to function behind my pfSense.

    Update: It seems that my Microcell is now working.  Two changes have occurred that may be related: 1) I enabled Traffic Shaping; and 2) I set up an IPSec Site-to-Site VPN.

