On Jan 11, 2011, at 8:52 PM, Levan, Jerry wrote:

> 
> On Jan 11, 2011, at 7:23 PM, Dan Shoop wrote:
> 
>> 
>> 
>>> ----
>>> Now the news on VPN, I hope that someone can give me some guidance
>>> here...
>>> 
>>> As I wrote earlier I had the VPN going on my mac mini (client) for
>>> about 3 weeks and then Jan 3 it would no longer connect from outside
>>> of my net.
>>> 
>>> [times passes with much anxiety]
>>> 
>>> Today I pulled the ethernet cable out of the router (Airport Extreme Dual
>>> Band BaseStation) and plugged it directly into my server, i.e. I made a
>>> direct connection from the cable modem into the server.
>>> 
>>> I noted the new IP that the server got when I rebooted with the new
>>> configuration and adjusted the configuration file for the vpnd and did the
>>> same for my iPhone.
>>> 
>>> I fired up the iPhone VPN and it ***connected*** without any problems.
>> 
>> Which, as was suggested to you earlier, means your NAT appliance (it's not
>> a router, it's not routing any traffic, it's at best a gateway) isn't
>> passing all the required IP protocols.
> 
> Ok, then why *did* it work for three weeks?

Who can say? You can't. I can't. We have no evidence or facts from which to 
work. 

What we can discuss is what's happening now. With a packet trace. It will be 
pretty obvious, but wouldn't it just be easier to properly enable passthru? 


>>> The progress of the connection in system.log came up with no problem... I
>>> was watching with a tail -f...
>>> 
>>> This seems to point the finger at the AEBS. I have done hard resets of the
>>> router and re-entered all of the data by hand a couple of times.
>>> 
>>> I have triple checked that I am forwarding the udp ports 500, 4500, 1701
>>> several times.
>> 
>> And as I've repeatedly pointed out to you, you need more than just TCP 
>> and UDP traffic passed. There are other IP protocols that must pass thru. 
>> 
>> Seriously it's not like there's a dearth of information in the googlesphere 
>> on this.
>> 
>>> Note I *can* connect ok if I am attached to my home net so I think the
>>> base configuration is fine.
>> 
>> No that doesn't prove that at all since it doesn't need to route through the 
>> ABS. 
> 
> No, but it shows that the configuration is correct on both the client and 
> server.

:sigh:

You're missing something extremely fundamental. 

In this case the configuration that's problematic is on your gateway. That 
"configuration" is part of the configuration. 

>> 
>>> It seems like one of the three ports in the router is somehow stuck shut.
>> 
>> :laughing:
>> 
>>> Does anyone have any suggestions?
>> 
>> Plenty, but you keep ignoring them. This is a simple thing you just aren't 
>> getting. 
>> 
> OK, 
> 
> Now pay attention Dan.

Look, I'm trying to help, honestly, and you're ignoring everything I say about 
the fundamentals which are the source of your difficulties and woolly thinking. 
If you want assistance don't get snippy. 

> I did a netstat and lsof to see if udp port 500 was in use or being listened 
> to.
> Nothing showed, I had unloaded vpn and raccoon earlier.

Doesn't prove much. 

> I redirected port 501 on the router to 500 on the server.
> 
> I started a simple udp server on the server (a mac mini). It listens
> to udp port 500 and displays the contents of the payload when a datagram
> arrives on port 500 of the server.
> 
> I sent a datagram from my iPhone over the 3G network to the wan address of
> the router, port 501.
> 
> The datagram made it through the router and arrived at port 500 and the
> udpserver displayed the correct contents.

OK, proving very little, other than that you can pass port 501 traffic. This 
doesn't help us here. 

> So plain data can be sent across the internet and arrive at my server when I
> have port 501 on the router mapped to 500 on my server.

Yes, but this is just UDP traffic. 

> Ok, then I remapped the ports on the router. This time I mapped udp *500* port
> on the router to port 500 on the server and restarted the udpserver again
> listening on port 500.
> 
> Sending a datagram from the iPhone over the 3G network to the external wan
> address port 500 does not cause the payload to be displayed.

Proving that you have a problem, little more. Port 501 and port 500 are 
different, hence getting different results is not deterministic. 

> Thus sending a datagram, no special protocol involved, to port 500 of the
> wan side of the AEBS will not be delivered to the target machine.
> 
> So, plain data makes it through port 501 but not port 500, what could the 
> problem be?
> 
> Help me here, the only things I can think of are:
> 

The key words here are that these are the only things /you/ can think of. I can 
think of a lot more and there's likely more possible issues than that too. 
You're having some common woolly thinking which is getting in your way of 
seeing the real picture. 

> 1) Some mal-configuration of the router, but there is not a lot to configure
>   and other than recent trouble with ports 500 and 4500 it has been working
>   like a champ.

You have no real router, you're running NAT off an ABS. That's a gateway, but it 
isn't routing for any IP addresses on the local side. The local side is using 
NAT and RFC1918 addresses. The gateway must translate address and TCP/UDP port 
traffic. VPNs require more than TCP/UDP traffic. 

You'd need to determine what's happening on the ABS in terms of traffic, but 
that's not possible. We just know that it's not passing through. One possible 
reason is that since the ABS understands "pass VPN traffic" concepts and is a 
stateful device, that in order for it to open up the port 500 it must first be 
in the right state. Since your simple UDP packet test doesn't successfully 
create the correct state, it's not a valid test for assuring VPN traffic is 
being passed properly in a stateful system. 

Think of it this way, you have to "knock" properly first. 

> 2) There is a defect in the router.

No, that's your hypothesis. 

> I have reset the router several times and reentered the configuration data
>   from scratch to no avail. The only step left that I can think of is to try
>   and reinstall the firmware.

Which, if it's not a defect in the ABS, isn't going to change anything if you 
reflash it. You can just say it's still "broken" and can't prove if it is or 
isn't. 

So you don't have anything deterministic here. 

More likely it is working properly but there's another issue. 

> You keep saying that somehow the protocols are not being handled properly by
> the AEBS. If this is the case then why did the VPN work properly from the time
> I set it up until it failed in early Jan, nearly 3 weeks of every day use.

Again, since you can't specifically tell us what /was/ happening then, it's moot 
and not going to be of any use to us. We have to go with what's happening now, 
otherwise we can just say elves did it, it's just as useful. 

> Can you think of any reason for the failure of port 500 to deliver *anything*?

Yes. Several technical ones just for your equipment. 

And then there's the issue that since your AUP likely states you're not 
allowed to run servers on your DSL/Cable circuit that your ISP won't pass 
certain ports. 

But more likely you're missing required protocols needed to start/establish the 
remaining connections. 

What IP protocols and what TCP/IP and UDP/IP ports are open? 

What is the IP address of your gateway? What does an external port scan reveal? 
(Though this may also not be deterministic since your ISP is likely to stop 
port scans.)

-d

------------------------------------------------------------------------
Dan Shoop
[email protected]
GoogleVoice: 1-646-402-5293
aim: iWiring
twitter: @colonelmode
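Dan's point that a bare UDP datagram to port 500 is not a valid test of a stateful IPsec passthrough can be checked on the server side: a gateway that understands "pass VPN traffic" only opens up for something that looks like IKE, and the "other IP protocol" he alludes to is ESP (IP protocol 50), which NAT-T instead wraps inside UDP/4500. The classifier below is an added example, not code from either poster; it inspects a UDP payload received on port 500 or 4500 and says whether it is an IKE message (RFC 2408/7296 header), NAT-T encapsulated ESP (RFC 3948), or plain data like the thread's test datagram. The sample packets are constructed.

```python
import struct

# Fixed 28-byte ISAKMP header shared by IKEv1 (RFC 2408) and IKEv2 (RFC 7296).
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
# RFC 3948: IKE carried on UDP/4500 is prefixed with four zero bytes; ESP is not.
NON_ESP_MARKER = b"\x00\x00\x00\x00"

EXCHANGE_NAMES = {
    2: "IKEv1 Main Mode",
    4: "IKEv1 Aggressive Mode",
    5: "IKEv1 Informational",
    32: "IKEv1 Quick Mode",
    34: "IKEv2 IKE_SA_INIT",
    35: "IKEv2 IKE_AUTH",
}


def classify_udp_payload(dst_port, data):
    """Label a UDP payload seen on an IPsec port: IKE, NAT-T ESP, or plain data."""
    if dst_port == 4500:
        if len(data) >= 4 and data[:4] != NON_ESP_MARKER:
            return "ESP-in-UDP (NAT-T data)"  # an ESP SPI is never all-zero
        data = data[4:]
    elif dst_port != 500:
        return "not an IKE port"
    if len(data) < ISAKMP_HDR.size:
        return "not IKE: too short for an ISAKMP header"
    _ispi, rspi, _next, ver, xchg, _flags, _msgid, length = ISAKMP_HDR.unpack_from(data)
    if ver >> 4 not in (1, 2):             # major version nibble must be 1 or 2
        return "not IKE: bad version nibble"
    if length != len(data):                # length field covers the whole message
        return "not IKE: header length %d != datagram %d" % (length, len(data))
    name = EXCHANGE_NAMES.get(xchg, "IKE exchange type %d" % xchg)
    if rspi == b"\x00" * 8:                # responder SPI is zero on the first request
        name += " (initial request)"
    return name


# Constructed samples: a throwaway text datagram like the one in the thread, and a
# bare IKEv1 Main Mode header (a real message would carry an SA payload after it).
PLAIN_TEXT = b"hello from the iPhone"
IKE_MAIN_MODE_1 = ISAKMP_HDR.pack(b"\x11" * 8, b"\x00" * 8, 1, 0x10, 2, 0, 0, ISAKMP_HDR.size)

if __name__ == "__main__":
    for port, pkt in ((500, PLAIN_TEXT), (500, IKE_MAIN_MODE_1),
                      (4500, NON_ESP_MARKER + IKE_MAIN_MODE_1)):
        print(port, classify_udp_payload(port, pkt))
```

Feeding it payloads from a `tcpdump -X` of the server's port 500 shows at a glance whether what arrives is an IKE exchange or just the test datagrams.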



_______________________________________________
MacOSX-admin mailing list
[email protected]
http://www.omnigroup.com/mailman/listinfo/macosx-admin
