On Dec 17, 2010, at 7:56 AM, LuKreme wrote:

> On 16-Dec-2010, at 15:49, Dan Shoop wrote:
>>
>> On Dec 16, 2010, at 5:09 PM, LuKreme wrote:
>>>
>>> On 16-Dec-2010, at 06:54, Neil Laubenthal wrote:
>>>> On Dec 16, 2010, at 5:43 AM, LuKreme wrote:
>>>>> I tell my iPhone to connect to the VNC and I get a message "The L2TP-VPN
>>>>> server did not respond. Try reconnecting. If the problem continues,
>>>>> verify your settings and contact your Administrator."
>>>
>>>> Sounds like the request isn't getting to the VPN server.
>>>
>>> Well, it SOUNDS like that, but it doesn't get to the VPN server even when I
>>> am on the local LAN.
>>
>> And tcpdump or wireshark shows what? What do your log files show?
>
> The log files show practically nothing at all.

That "next to nothing" is most telling.

> This is from an attempt to connect yesterday:
>
> 2010-12-10 08:07:48 MST --> Client with address = 10.1.10.205 has hungup
> 2010-12-16 03:39:55 MST terminating on signal 15

This shows the attempt to set up the VPN *is* reaching the server. The hangup occurs because the VPN negotiation doesn't complete. That doesn't occur because the additional phases of VPN negotiation require traffic on ports which isn't reaching the VPN server. While it's missing I'll guess your server didn't receive the ESP and IKE traffic.

> I haven't gotten into TCPdump because, frankly, I wouldn't know what to look
> for.

Traffic. The mere presence of the traffic, and the notation of what ports and protocols are passing, are what you care about, not the content of those packets.

> I am supposed to be getting a fixed IP from the bozos at comcast today
> (probably Tuesday though), so that might improve matters?

Not at all.

>>> And requests to OTHER services (ssh, http, &c) DO get through.
>>>
>>>> Does your router need port forwarding as well . . . or is having it in the
>>>> DMZ sufficient?
>>>
>>> DMZ has been sufficient for everything.
>>
>> But probably not this. It probably only forwards TCP and UDP protocols yet
>> you need other IP related protocols to support a VPN.
>
> Ah… besides TCP and UDP what is there? G-something? (needless to say, I am
> completely new to the whole VPN thing, and I don't NEED it, I just thought it
> would be cool to have on my iPhone and laptop.)

Well, what you need depends on what sort of VPN you're setting up. VPN isn't a thing, it's a bag of technologies, mostly all different. It's a concept, not an implementation.

For L2TP you need /protocol/ (not port) 50, known as ESP (Encapsulating Security Payload, aka IPSec Passthru). And you need UDP ports 500 (IKE Key Exchange), 4500 (IPsec NAT-T) & 1701 (L2TP). Note this is not TCP and may not pass in many "DMZ modes."

Your problem is you don't have a router, you have a NAT appliance. Most of these don't pass thru this protocol.

For PPTP you need TCP/IP port 1723 and IP protocol 47 (GRE).

While many NAT appliances pass and allow redirection of TCP and UDP ports they don't/can't redirect other IP protocols. Likewise many "DMZ" functions only pass TCP and UDP protocols, not other IP protocols.

>> You may have better luck with PPTP as it passes through routers easier as it
>> doesn't require protocols other than TCP/UDP.
>
> Yeah, been there, tried that. If I disable L2TP and only enable PPTP I get a
> lot more logged, but no connection.
>
> 2010-12-17 05:44:50 MST Incoming call... Address given to client = 10.1.10.206
> Fri Dec 17 05:44:50 2010 : Directory Services Authentication plugin initialized
> Fri Dec 17 05:44:50 2010 : Directory Services Authorization plugin initialized
> Fri Dec 17 05:44:50 2010 : PPTP incoming call in progress from '10.1.10.41'...
> Fri Dec 17 05:44:50 2010 : PPTP connection established.
> Fri Dec 17 05:44:50 2010 : using link 0
> Fri Dec 17 05:44:50 2010 : Using interface ppp0
> Fri Dec 17 05:44:50 2010 : Connect: ppp0 <--> socket[34:17]
> Fri Dec 17 05:44:50 2010 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xe1fc14b> <pcomp> <accomp>]
> Fri Dec 17 05:44:50 2010 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x3fbc91d8> <pcomp> <accomp>]
> Fri Dec 17 05:44:50 2010 : lcp_reqci: returning CONFACK.
> Fri Dec 17 05:44:50 2010 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x3fbc91d8> <pcomp> <accomp>]
> Fri Dec 17 05:44:50 2010 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xe1fc14b> <pcomp> <accomp>]
> Fri Dec 17 05:44:50 2010 : sent [LCP EchoReq id=0x0 magic=0xe1fc14b]
> Fri Dec 17 05:44:50 2010 : sent [CHAP Challenge id=0x29 <7e052a7f027c263e3d7008672d333739>, name = "cerebus-2.local"]
> Fri Dec 17 05:44:51 2010 : rcvd [LCP EchoReq id=0x0 magic=0x3fbc91d8]
> Fri Dec 17 05:44:51 2010 : sent [LCP EchoRep id=0x0 magic=0xe1fc14b]
> Fri Dec 17 05:44:51 2010 : rcvd [LCP EchoRep id=0x0 magic=0x3fbc91d8]
> Fri Dec 17 05:44:51 2010 : rcvd [CHAP Response id=0x29 <...>, name = "kreme"]
> Fri Dec 17 05:44:51 2010 : sent [CHAP Success id=0x29 "S=... M=Access granted"]
> Fri Dec 17 05:44:51 2010 : CHAP peer authentication succeeded for kreme
> Fri Dec 17 05:44:51 2010 : DSAccessControl plugin: User 'kreme' authorized for access
> Fri Dec 17 05:44:51 2010 : sent [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
> Fri Dec 17 05:44:51 2010 : rcvd [IPCP ConfReq id=0x1 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns3 0.0.0.0>]
> Fri Dec 17 05:44:51 2010 : sent [IPCP TermAck id=0x1]
> Fri Dec 17 05:44:51 2010 : rcvd [IPV6CP ConfReq id=0x1 <addr fe80::4de0:1b24:6e40:bb74>]
> Fri Dec 17 05:44:51 2010 : Unsupported protocol 0x8057 received
> Fri Dec 17 05:44:51 2010 : sent [LCP ProtRej id=0x2 80 57 01 01 00 0e 01 0a 4d e0 1b 24 6e 40 bb 74]
> Fri Dec 17 05:44:51 2010 : rcvd [LCP ProtRej id=0x2 80 fd 01 01 00 0a 12 06 01 00 00 40]
> Fri Dec 17 05:44:51 2010 : MPPE required but peer negotiation failed
> Fri Dec 17 05:44:51 2010 : sent [LCP TermReq id=0x3 "MPPE required but peer negotiation failed"]
> Fri Dec 17 05:44:51 2010 : Connection terminated.
> Fri Dec 17 05:44:51 2010 : Connect time 0.1 minutes.
> Fri Dec 17 05:44:51 2010 : Sent 0 bytes, received 0 bytes.
> Fri Dec 17 05:44:51 2010 : PPTP disconnecting...
> Fri Dec 17 05:44:51 2010 : PPTP disconnected
> 2010-12-17 05:44:51 MST --> Client with address = 10.1.10.206 has hungup

Which again shows that you failed to complete establishing the VPN because certain traffic didn't reach the server. Here you didn't receive the GRE traffic.

>> Also many routers capture all VPN traffic thinking that they should be
>> handling it, and some have specific configurations you need to enable to
>> allow it to pass VPN traffic. Have you checked the latter?
>
> There's nothing about VPN in the comcast router (which I *have* to use, it's
> some SMC 4-port router/Cable modem).

Well then you're probably screwed. I'll guess that comcast has an AUP that says you can't run servers of certain traffic. Requiring use of their hw helps enforce this.

> I do have "Disable Smart Packet Detection" set as that caused endless
> problems. I have no static routes, port maps, MAC locking, web site blocking,
> or anything else enabled on the comcast router. It connects to my Mac Pro via
> a dumb 1000bT switch. The ONLY thing enabled on the comcast router is the
> DHCP server, and that will be turned off as soon as the static IP is
> implemented. Once that is done, the Comcast hardware will be put into
> 'bridge' mode where it will pass the fixed IP along and be, I believe,
> completely invisible.

Um, no. DHCP can be used on both sides of the router. The router may still have a static address which it gets assigned via DHCP. This is common as IP addresses get leased. Likewise on the LAN side you may still have or need DHCP for the server to get its IP address from the "router". And even with a static address this doesn't imply that bridging is permitted.

If you can get real bridging operating (as opposed to the fake bridging where the router just disables NAT and DHCP) then this may all suddenly work once that occurs. But I wouldn't count on it.

> Googling around, it appears that this is a somewhat common problem in 10.6
> *and* it is also a common problem with Comcast Business. People have posted
> they've solved it, but have given no details.

Yes, well, people also have problems tying their shoes but they solve that too. It means nothing that others have the issue. They are likely clueless. Fortunately there's google and no dearth of instruction for what needs to be open... if only your [fake] "router" permits you to do so.

-d
------------------------------------------------------------------------
Dan Shoop
[email protected]
GoogleVoice: 1-646-402-5293
aim: iWiring
twitter: @colonelmode
_______________________________________________
MacOSX-admin mailing list
[email protected]
http://www.omnigroup.com/mailman/listinfo/macosx-admin
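As an added example (not part of the thread above, and not Mac OS X Server's own tooling), the following POSIX shell helper does the "just look for the presence of traffic" check Dan describes: it builds the tcpdump filter for the ports and IP protocols he lists (UDP 500/4500/1701 and protocol 50 for L2TP/IPsec; TCP 1723 and protocol 47 for PPTP), then reads `tcpdump -n` text output and reports which of those components actually reached the server. The interface name `en0`, the function names, and the sample capture lines (with documentation-range addresses) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: report which L2TP/IPsec and PPTP
# components reach the VPN server, based on "tcpdump -n" text output.
# Interface name and the sample lines below are assumed/constructed.

# Capture filter covering exactly the ports and IP protocols named in the thread.
VPN_FILTER='udp port 500 or udp port 4500 or udp port 1701 or ip proto 50 or ip proto 47 or tcp port 1723'

# Print the capture command to run on the server; interface defaults to en0 (assumed).
vpn_capture_cmd() {
    printf "tcpdump -n -i %s '%s'\n" "${1:-en0}" "$VPN_FILTER"
}

# Read "tcpdump -n" lines on stdin; print one line of key=0/1 flags.
# Port matches look at the destination side ("> host.port:"), because the
# question is what reaches the server, not what it sends back.
vpn_seen() {
    awk '
        / > [0-9.]+\.500: /  { ike = 1 }   # ISAKMP/IKE, UDP 500
        / > [0-9.]+\.4500: / { natt = 1 }  # IPsec NAT-T, UDP 4500
        / > [0-9.]+\.1701: / { l2tp = 1 }  # L2TP, UDP 1701
        / > [0-9.]+\.1723: / { pptp = 1 }  # PPTP control channel, TCP 1723
        / ESP\(/             { esp = 1 }   # IP protocol 50
        / GREv[01]/          { gre = 1 }   # IP protocol 47
        END {
            printf "ike=%d natt=%d esp=%d l2tp=%d pptp=%d gre=%d\n",
                   ike + 0, natt + 0, esp + 0, l2tp + 0, pptp + 0, gre + 0
        }'
}

# Turn the flags into a verdict per VPN type, one line each.
vpn_diagnose() {
    seen=" $(vpn_seen) "
    case "$seen" in
        *" ike=1 "*)
            case "$seen" in
                *" esp=1 "*|*" natt=1 "*)
                    echo "L2TP/IPsec: IKE and ESP/NAT-T both arrive; the NAT box is not the problem" ;;
                *)  echo "L2TP/IPsec: IKE (UDP 500) arrives but no ESP (protocol 50) or NAT-T (UDP 4500): the NAT box is dropping them" ;;
            esac ;;
        *)  echo "L2TP/IPsec: no IKE traffic at all; nothing reaches the server" ;;
    esac
    case "$seen" in
        *" pptp=1 "*)
            case "$seen" in
                *" gre=1 "*) echo "PPTP: TCP 1723 and GRE both arrive" ;;
                *)           echo "PPTP: TCP 1723 arrives but no GRE (protocol 47): the NAT box is dropping it" ;;
            esac ;;
        *)  echo "PPTP: no control connection seen" ;;
    esac
}

# Constructed sample (documentation addresses): an L2TP attempt where only
# IKE gets through the NAT box, the situation the "has hungup" log line suggests.
sample_l2tp_blocked() {
    cat <<'EOF'
08:07:48.102311 IP 198.51.100.7.500 > 203.0.113.5.500: isakmp: phase 1 I ident
08:07:48.104822 IP 203.0.113.5.500 > 198.51.100.7.500: isakmp: phase 1 R ident
08:07:48.120090 IP 198.51.100.7.500 > 203.0.113.5.500: isakmp: phase 1 I ident
EOF
}

# Constructed sample: a PPTP attempt where the control channel and GRE both arrive.
sample_pptp_ok() {
    cat <<'EOF'
05:44:50.001000 IP 198.51.100.7.49152 > 203.0.113.5.1723: Flags [S], seq 1, win 65535, length 0
05:44:50.001500 IP 203.0.113.5.1723 > 198.51.100.7.49152: Flags [S.], seq 1, ack 2, win 65535, length 0
05:44:50.020000 IP 198.51.100.7 > 203.0.113.5: GREv1, call 1, seq 1, length 18: LCP, Conf-Request (0x01), id 1, length 14
EOF
}

echo "Run on the server: $(vpn_capture_cmd en0)"
sample_l2tp_blocked | vpn_diagnose
sample_pptp_ok | vpn_diagnose
```

In use you would pipe a real capture into it (`tcpdump -n -i en0 '...' | vpn_diagnose`, run as root on the server) while the client attempts to connect, once from the LAN and once from outside; a component that shows up from the LAN but not from outside is the one the NAT appliance is eating. The parser keys on tcpdump's default text output, which is why it looks for `ESP(` and `GREv` rather than numeric protocol numbers.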
