L2TP VPN not connecting

So you are setting up the tunnel (paritally) but a response packet from the client to finalize the tunnel to use is being munged or dropped/blocked, and so the session fails.

First lets look at a 'working' L2tp/IPSEC connection from 10.5. Here is mine.

Sun Jul 5 16:16:36 2009 : L2TP incoming call in progress from '12.119.255.255'...
Sun Jul 5 16:16:36 2009 : L2TP received SCCRQ
Sun Jul 5 16:16:36 2009 : L2TP sent SCCRP
Sun Jul 5 16:16:36 2009 : L2TP received SCCCN
Sun Jul 5 16:16:36 2009 : L2TP received ICRQ
Sun Jul 5 16:16:36 2009 : L2TP sent ICRP
Sun Jul 5 16:16:36 2009 : L2TP received ICCN
Sun Jul 5 16:16:36 2009 : L2TP connection established.
Sun Jul 5 16:16:36 2009 : using link 0
Sun Jul 5 16:16:36 2009 : Using interface ppp0
Sun Jul 5 16:16:36 2009 : Connect: ppp0 <--> socket\[34:18]
Sun Jul 5 16:16:36 2009 : sent \[LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x308870df> <pcomp> <accomp>]
Sun Jul 5 16:16:36 2009 : rcvd \[LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xe137092c> <pcomp> <accomp>]
Sun Jul 5 16:16:36 2009 : lcp_reqci: returning CONFACK.
Sun Jul 5 16:16:36 2009 : sent \[LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0xe137092c> <pcomp> <accomp>]
Sun Jul 5 16:16:36 2009 : rcvd \[LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x308870df> <pcomp> <accomp>]
Sun Jul 5 16:16:36 2009 : sent \[LCP EchoReq id=0x0 magic=0x308870df]
Sun Jul 5 16:16:36 2009 : sent \[CHAP Challenge id=0x8b <7005cb4dc4b1bdcfe452fa7612fe23af>, name = "rmscomputersystems.com"]
Sun Jul 5 16:16:36 2009 : rcvd \[LCP EchoReq id=0x0 magic=0xe137092c]
Sun Jul 5 16:16:36 2009 : sent \[LCP EchoRep id=0x0 magic=0x308870df]
Sun Jul 5 16:16:36 2009 : rcvd \[LCP EchoRep id=0x0 magic=0xe137092c]
Sun Jul 5 16:16:36 2009 : rcvd \[CHAP Response id=0x8b <e9d8602dbdf8e54ddead506ab56dc5370000000000000000dc5471041999389180638d93a1250a af52896c5d52b8f
87200>, name = "userid"]
Sun Jul 5 16:16:36 2009 : DSAuth plugin: Could not retrieve key agent account information.
Sun Jul 5 16:16:36 2009 : sent \[CHAP Success id=0x8b "S=A17170CF2FCD1362718FC891EBD4C52D8E07B5FD M=Access granted"]
Sun Jul 5 16:16:36 2009 : CHAP peer authentication succeeded for userID
Sun Jul 5 16:16:37 2009 : DSAccessControl plugin: User 'userID' authorized for access

So the steps you completed were:
L2TP SCCRQ (start control connection request); The Client asks the server to use a specific tunnel #.

Next is L2TP SCCRP (start control connection reply); The server, across that agreed new tunnel, tells the client what ACTUAL tunnel to use.

But the next message should be from the client ot agree to the new tunnel #, L2TP SCCCN (tunnel establishment confirm).

So the server is either not getting the response, which should be the 'fault' of the firewall/NAT or the Server is not actually able to pass the SCCRP properly, which again is either NAT's fault or the Firewall.

The next few conversations would have established the session info to be secured.

L2TP ICRQ (incoming call request)
L2TP ICRP (incoming call reply)
L2TP ICCN (incoming call connected)

Alright the L2TP lesson is over, now we need to fix 😉 You are going to have to recheck that firewall. We cannot assume it is still setup properly for L2TP, so we need to assume it is NOT setup properly. You need the following forwarded to the VPN server's ip;

Port 500 UDP
Port 4500 UDP
Port 1701 UDP
and
protocol 50 (ESP) <-- this is a protocol, not TCP or UDP port 50.
For grins and giggles, add protocol 51 (AH) (Authentication Header) to this list of forwarded to the VPN service.

Let's see what that does.

OK We need to see your ipfw list. You are using the Mac Firewall? Send your ipfw list like this `sudo ipfw -aSt list`

Question: Does L2TP work for internal clients?

The answer to that will move me in one of two directions.

I am confused. VPN has no direct routing built into it. Even if you set the network routing definition wrong for your network, the connection to the VPN service would still work.

I think we need to go back to a simpler set of questions... I was pulling on a thread I thought would get to the answer but there may be others that are more important.

Q1: How many NIC's in the server?
Q2: Is this the Mac Pro you are 'advertising' in your tagline?
Q3: Are you 'attached' to using 10.0.0.0/8 for DNS/DHCP or can it change?
Q4: Is your external IP static, pseudo-static, or fairly dynamic?
Q5: Is this 10.5 or 10.6 server?
Q6: Was this a fresh install of above or upgrade (ever).

Apologies for the apparent back-pedaling but I think that this will put us on much better footing.

OK can you do the following: unplug your connection to the internet (Modem off, whatever it takes to protect you from the next step) and then shut off NAT and the Firewall, then try to connect to PPTP and L2TP via an internal client. It HAS to be that firewall...

I don't see anything extremely wrong with your firewall (except for a repeated line 12326 which is not be allowed but that is it). It possibly is the 'order' of the lines, which is important, lower numbered lines would be triggered more often. If I had another NIC I would try out your firewall config to help out. Also another choice would be to add protocol 51 'by hand', like this

`ipfw add 012332 allow ah from any to any`

hmm, can you get that from the vpnd.log? Some of those are expected as the routing tables are changing when a connection is starting up.

For your edification. the reason I asked you to run sudo ipfw -det list` (or similar)

so that shows (via the -t option) the number of packets that matched a specific rule. There aren't many that are matching your rules.

1 416 57510 set 0 allow udp from any 626 to any dst-port 626
10 65111 10462733 set 0 divert 8668 ip from any to any via en0
1000 4378 1044949 set 0 allow ip from any to any via lo0
12300 129626 20309681 set 0 allow tcp from any to any established
12301 64 4096 set 0 allow tcp from any to any out
12302 1 64 set 0 allow tcp from any to any dst-port 22
12303 623 81651 set 0 allow udp from any to any out keep-state
12306 78 4992 set 0 allow tcp from any to any dst-port 311
12310 115 3328 set 0 allow igmp from any to any
12312 62791 11224534 set 0 allow gre from any to any
12328 441 54956 set 0 allow udp from any to any in keep-state
65535 245 28640 set31 allow ip from any to any


So GRE is matching (that is for PPTP or IPSec), but the other ports are NOT matching so they are being 'caught into other rules' this is the reason for the above suggestion. I am expecting that this will work and that the firewall will have to be rebuilt.

Good Luck.
Peter

Contacting me offline would be fine.

The comment about working was in reference to that I am thinking that by disabling the firewall the connectivity will work. For the firewall, it will reset fine and be built back up easily enough. I find that most will end up locking a site down too far (not exactly a bad thing) and then we can tone it down and get it into the Goldilocks zone. A tool I use to watch my firewall is waterroof http://www.hanynet.com/waterroof/.

Peter