On Jan 11, 2011, at 7:23 PM, Dan Shoop wrote:

> 
> 
>> ----
>> Now the news on VPN, I hope that someone can give me some guidance
>> here...
>> 
>> As I wrote earlier I had the VPN going on my mac mini (client) for
>> about 3 weeks and then Jan 3 it would no longer connect from outside
>> of my net.
>> 
>> [times passes with much anxiety]
>> 
>> Today I pulled the ethernet cable out of the router (Airport Extreme Dual
>> Band Base Station) and plugged it directly into my server, i.e. I made a
>> direct connection from the cable modem into the server.
>> 
>> I noted the new IP that the server got when I rebooted with the new
>> configuration and adjusted the configuration file for the vpnd and did
>> the same for my iPhone.
>> 
>> I fired up the iPhone VPN and it ***connected*** without any problems.
> 
> Which, as was suggested to you earlier, means your NAT appliance (it's not
> a router, it's not routing any traffic, it's at best a gateway) isn't passing
> all the required IP protocols.

Ok, then why *did* it work for three weeks?
> 
>> The progress of the connection in system.log came up with no problem... I was
>> watching with a tail -f...
>> 
>> This seems to point the finger at the AEBS. I have done hard resets of the
>> router and re-entered all of the data by hand a couple of times.
>> 
>> I have triple checked that I am forwarding the UDP ports 500, 4500, 1701
>> several times.
> 
> And as I've repeatedly pointed out to you, you need more than just TCP
> and UDP traffic passed. There are other IP protocols that must pass through.
> 
> Seriously it's not like there's a dearth of information in the googlesphere 
> on this.
> 
>> Note I *can* connect ok if I am attached to my home net so I think the
>> base configuration is fine.
> 
> No, that doesn't prove that at all since it doesn't need to route through the
> ABS.

No, but it shows that the configuration is correct on both the client and 
server.

> 
>> It seems like one of the three ports in the router is somehow stuck shut.
> 
> :laughing:
> 
>> Does anyone have any suggestions?
> 
> Plenty, but you keep ignoring them. This is a simple thing you just aren't 
> getting. 
> 
OK, 

Now pay attention Dan.

I did a netstat and lsof to see if UDP port 500 was in use or being listened on.
Nothing showed; I had unloaded vpn and racoon earlier.

I redirected port 501 on the router to 500 on the server.

I started a simple UDP server on the server (a Mac mini). It listens on
UDP port 500 and displays the contents of the payload when a datagram
arrives on port 500 of the server.

I sent a datagram from my iPhone over the 3G network to the WAN address of
the router, port 501.

The datagram made it through the router and arrived at port 500 and the
udpserver displayed the correct contents.

So plain data can be sent across the internet and arrive at my server when I
have port 501 on the router mapped to 500 on my server.

Ok, then I remapped the ports on the router. This time I mapped UDP port *500*
on the router to port 500 on the server and restarted the udpserver again,
listening on port 500.

Sending a datagram from the iPhone over the 3G network to the external WAN
address, port 500, does not cause the payload to be displayed.

Thus sending a datagram, no special protocol involved, to port 500 of the WAN
side of the AEBS will not be delivered to the target machine.

So, plain data makes it through port 501 but not port 500. What could the
problem be?

Help me here, the only things I can think of are:

1) Some mal-configuration of the router, but there is not a lot to configure
   and other than recent trouble with ports 500 and 4500 it has been working
   like a champ.

2) There is a defect in the router. I have reset the router several times and
   re-entered the configuration data from scratch to no avail. The only step
   left that I can think of is to try and reinstall the firmware.

You keep saying that somehow the protocols are not being handled properly by
the AEBS. If this is the case then why did the VPN work properly from the time
I set it up until it failed in early Jan, nearly 3 weeks of everyday use?

Can you think of any reason for the failure of port 500 to deliver *anything*?

Jerry

> 
> -d
> 
> ------------------------------------------------------------------------
> Dan Shoop
> [email protected]
> GoogleVoice: 1-646-402-5293
> aim: iWiring
> twitter: @colonelmode
> 
> 
> 

_______________________________________________
MacOSX-admin mailing list
[email protected]
http://www.omnigroup.com/mailman/listinfo/macosx-admin
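Jerry's two-port comparison (a plain UDP datagram aimed at the mapped port 501 versus the mapped port 500) in a form that can be re-run: this is an added example, not code from the thread, and the function names are my own. It assumes the listening host lets you bind the port under test (ports below 1024 need root, so the stand-alone self-check uses high ports on loopback), and, as the quoted reply points out, a UDP-only probe says nothing about the other IP protocols the VPN needs.

```python
import secrets
import socket
import threading
import time


def make_probe(tag=b"aebs-probe"):
    # Random nonce so a stale or unrelated datagram is not mistaken for ours.
    return tag + b":" + secrets.token_hex(8).encode()


def listen_once(port, timeout=5.0, host="0.0.0.0"):
    """Server side (the 'udpserver' in the thread): wait for one datagram on
    `port` and return (payload, sender), or (None, None) if nothing arrives."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((host, port))
        s.settimeout(timeout)
        try:
            return s.recvfrom(2048)
        except socket.timeout:
            return None, None


def send_probe(host, port, payload):
    """Outside-client side (the iPhone on 3G): fire one datagram at the WAN
    address and port under test; returns the number of bytes handed to the OS."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(payload, (host, port))


def run_local_check(listen_port, send_port, host="127.0.0.1", timeout=2.0):
    """Both halves on one machine over loopback, so the example runs stand-alone.
    Returns True only if the datagram sent to `send_port` arrived on `listen_port`
    carrying our nonce. Behind a NAT box the external->internal port mapping
    decides this; on loopback there is no mapping, so mismatched ports never meet."""
    result = {}

    def serve():
        result["payload"], result["sender"] = listen_once(listen_port, timeout)

    t = threading.Thread(target=serve)
    t.start()
    time.sleep(0.2)  # give the listener time to bind before we send
    probe = make_probe()
    send_probe(host, send_port, probe)
    t.join()
    return result.get("payload") == probe
```

To reproduce the thread's test across the real path, run `listen_once(500)` on the server and `send_probe("<WAN address>", 501, make_probe())` from outside, then repeat with the port-500 mapping.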
