I'd start isakmpd in foreground mode (read: verbose mode) and see what it prints out while the iPad tries to connect to it.
On 15 jan 2013, at 20:35, Ted Wynnychenko <[email protected]> wrote:

> Hello
>
> This may be off topic, since I don't think it's an openbsd issue, but
> (honestly) I have run out of ideas about where to go next.
>
> There aren't going to be many "specifics," since I don't know what details
> or outputs might be useful at this point.
>
> Here is my story (oh, this is just a home/personal situation).
>
> I have an openbsd 5.1 server as a firewall/ipsec server. This one also is
> able to accept L2TP (from my ipad) connections, and is running npppd.
>
> I have a second openbsd 5.1 server as a second firewall/ipsec server.
>
> When I set this up (over a year ago), everything worked great. The ipsec
> endpoints talk to each other, the tunnel comes up like magic, and I am able
> to back up data at a remote location without even thinking about it.
>
> At the same time, I got npppd working, and was able to connect with my ipad
> when I wasn't at home to access "stuff" that I wanted to. I don't need to
> do this often.
>
> Well, 4-6 months ago, everything was good. The "static" IPSEC tunnel was
> working, and I could connect with the ipad.
>
> About 3 weeks ago I wanted to connect with the ipad and L2TP and no joy
> ("server not responding" the ipad says).
>
> And here is where I start getting lost.
>
> First, during this entire time, the "static" IPSEC tunnel has been rock
> stable (with the occasional dropout because my internet service provider
> drops my connection at one end or the other, but the "static" tunnel always
> comes back up when the connection is restored - maybe 5 or 10 minutes a day,
> usually at night).
>
> When trying to connect with the ipad, most (> 95%) of the time, the
> connection is unsuccessful. But, occasionally, the ipad connects. NO
> changes to configuration of the openbsd server, or changes to configuration
> of the ipad. It just happens. This may last for 3 minutes, or 5 minutes,
> or 7 minutes; but then it's gone.
>
> During these "connections," the tablet may or may not be able to access
> something on the internal/protected network. I have not seen a pattern so
> far, given the infrequent and limited connection opportunities.
>
> But, (to repeat) the "static" IPSEC tunnel is up the whole time.
>
> So, I tried this with a second ipad - same thing - most of the time it does
> not work; rarely, it works for a few minutes.
>
> I tried with an old laptop I have - using L2TP/IPSEC to establish a VPN; no
> success - I only tried with the laptop a dozen or so times, however.
>
> I tried from different locations, in different states, and different cities;
> same issue, most of the time no, rarely yes (Oh, by the way, almost all of
> these locations had been used in the past - prior to 6 months ago, and the
> ipad connected fine).
>
> Now, if I am at home, and try to connect to the now "local" IPSEC/L2TP
> server (from its internal interface) with the tablet, everything works fine,
> every time. Also, I can reliably access the network, and the network sees
> the traffic as coming from the L2TP server, and the associated VPN IP
> address.
>
> So, I used my meager knowledge to explore this issue - and here is where I
> REALLY get lost.
>
> Using tcpdump, I watch the L2TP/IPSEC server's external interface (so, I am
> looking at traffic before it hits PF or anything else - right?). Well,
> when the connections fail, there is NO traffic from the tablet getting to
> the external interface. At the same time, I can ssh into the server, and I
> can see that traffic using tcpdump fine (connecting from the same
> location/IP address that the ipad is trying to connect from).
>
> On those rare occasions when the ipad is able to connect, I see packets
> coming in on the external interface for isakmpd, and then the established
> tunnel.
>
> During all of this, the "static" IPSEC tunnel is up and working.
>
> I have no idea where to go with this, or what to try.
>
> I feel like this is not related to the openbsd server, since when the tablet
> fails to connect, there is no traffic on the external interface.
>
> But, in that case, the failure is upstream (somewhere in the route between
> the tablet and the server). But, why would the other IPSEC tunnel be fine?
>
> If my ISP was filtering traffic, both shouldn't work, right?
>
> The variety of locations that I have tried to connect from and (mostly)
> failed, would seem to suggest the problem is near the "end" of the route
> back to the IPSEC/L2TP server, but that makes no sense to me either, since
> the "static" tunnel is rock solid.
>
> I am sorry for the long, rambling email. I wanted to thoroughly explain my
> issue, and since I don't really know what might have been important, I
> included the whole story.
>
> If this is not an openbsd issue (which (frankly) I don't think it is), sorry
> for the noise.
>
> But, if anyone has a friendly (or, for that matter, an unfriendly)
> suggestion of what I could try, please let me know.
>
> Thanks.
>
> Bye - ted
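A troubleshooting helper, added here as an example and not code from either message: it builds the tcpdump(8) filter that covers each stage of one client's L2TP/IPsec session and applies the reasoning used in the thread (no IKE on the external interface means the packets never arrived, IKE without ESP means the negotiation fails, ESP without cleartext L2TP is expected there and the next capture belongs on enc0) to captured lines. EXT_IF, CLIENT_IP, the addresses and the sample capture are constructed placeholders, and the line classification is a substring heuristic over tcpdump's text output.

```shell
#!/bin/sh
# Added example, not code from the thread. EXT_IF and CLIENT_IP are placeholders
# for the firewall's external interface and the client's public address.
EXT_IF="${EXT_IF:-em0}"
CLIENT_IP="${CLIENT_IP:-198.51.100.7}"
# BPF filter covering every stage of one client's L2TP/IPsec session: IKE (udp/500),
# NAT-T and UDP-encapsulated ESP (udp/4500), raw ESP (ip proto 50) and L2TP itself
# (udp/1701, which is only visible in clear on enc0 after decapsulation).
l2tp_ipsec_filter() {
    printf 'host %s and (udp port 500 or udp port 4500 or ip proto 50 or udp port 1701)' "$1"
}
# Heuristic classification of one tcpdump(8) text line by stage. Order matters:
# a NAT-T line reads "udpencap: esp ..." and must not be counted as raw ESP.
classify_line() {
    case "$1" in
        *isakmp*)        echo ike ;;
        *udpencap*)      echo nat-t ;;
        *" esp "*|*ESP*) echo esp ;;
        *l2tp*|*.1701*)  echo l2tp ;;
        *)               echo other ;;
    esac
}
# Read capture lines on stdin and print a verdict that follows the thread's own
# reasoning: no IKE at all means the packets never reached this host (look upstream);
# IKE without ESP means the negotiation fails (watch "isakmpd -d -D A=50" meanwhile);
# ESP without cleartext L2TP is the expected state on the external interface, so
# the next capture belongs on enc0, where npppd's udp/1701 traffic appears.
diagnose() {
    ike=0; esp=0; l2tp=0
    while IFS= read -r line; do
        case "$(classify_line "$line")" in
            ike)       ike=$((ike + 1)) ;;
            nat-t|esp) esp=$((esp + 1)) ;;
            l2tp)      l2tp=$((l2tp + 1)) ;;
        esac
    done
    if   [ "$ike" -eq 0 ];  then echo upstream
    elif [ "$esp" -eq 0 ];  then echo ike-failing
    elif [ "$l2tp" -eq 0 ]; then echo tunnel-up
    else echo l2tp-seen; fi
}
# Constructed capture reproducing the failure described in the thread: only the ssh
# session from the client's address arrives, no isakmp packet at all.
demo_failed_capture() {
    printf '%s\n' "12:00:01.000 ${CLIENT_IP}.51234 > 203.0.113.1.22: S 1:1(0) win 65535" | diagnose
}
```

For live use, capture a bounded number of packets while the client retries and feed them straight in: `tcpdump -l -n -c 200 -i "$EXT_IF" "$(l2tp_ipsec_filter "$CLIENT_IP")" | diagnose`, with `isakmpd -d -D A=50` running in a second terminal as suggested above.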

