L2TP/IPSec VPN doesn't do NAT-T?

I've made an L2TP/IPSec tunnel using System Preferences->Network->VPN on a 10.6.8 client.

When a NAT isn't involved, this tunnel works. When a NAT is involved, it doesn't work.


If I'm interpreting Wireshark correctly, it appears that the Mac negotiates that it _could_ use NAT-T with the other end. But when push comes to shove, it doesn't actually use NAT-T protocols. The Mac side emits ESP/IP packets (which aren't NAT-friendly), when it really should be encapsulating ESP in port 4500/UDP. Doh!


Digging a little deeper, racoon appears to be the daemon that should do the NAT-T dance. The (no-longer-ships-with-Snow Leopard) man page for racoon.conf, at:


http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/10.5/man5/racoon.conf.5.html


indicates that nat_traversal is NOT the default, but there's an option "nat_traversal = force" that looks like it'd be the right option to put in racoon.conf. The problem is that it's difficult to put the directive in the right racoon.conf. There's an /etc/racoon/racoon.conf, but what the GUI does is generate a dynamic racoon.conf in /var/run/racoon/ which /etc/racoon/racoon.conf is configured to source.


Questions:


1) Is there a sane way to tweak what gets written to the dynamic racoon.conf? Some plist to edit, perhaps?

2) Is this any better with Lion? Why on earth isn't NAT-T the default?

3) Anyone know if OpenVPN, SSTP, etc. will be VPN options in the future? (For assorted reasons, I need to avoid 3rd party VPN products, even though they'd almost certainly be less of a pain than IPSec.)

Posted on Dec 3, 2011 2:16 PM

7 replies

Dec 4, 2011 7:50 PM in response to Linc Davis

PPTP isn't an option, unfortunately. It's not considered secure enough by the folks who run the VPN server end of things.


I managed to figure out what part of the GUI plumbing is responsible for the /var/run/racoon/ configuration. It comes from the /System/Library/Extensions/L2TP.ppp/Contents/MacOS/L2TP executable. It does NOT come from /usr/sbin/vpnd (though they share enough code for things to be confusing).


There's no obvious configuration file that lets me get at the options it sets. But, in a stroke of luck, one of the racoon.conf options baked into the executable is a) long and b) unnecessary. The "situation identity_only" directive is pointless if I believe the man page. So, I mv'ed the original L2TP executable aside and used a hex editor to replace "situation identity_only" with "nat_traversal force" (using appropriate excess padding so everything stays the same size).


Good news: I can get the "nat_traversal force" directive in the dynamic racoon.conf. I didn't break anything by hacking the L2TP binary.


Bad news: Forcing NAT-T with that directive doesn't appear to work. Even with that directive in place, racoon still tries to do ESP/IP even when it shouldn't/can't. <sigh>


Another thing I explored was replacing the old racoon with a more modern racoon, but modern racoon doesn't support the keychain integration AFAICT.
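To make the Wireshark observation in the question (and the "still ESP/IP even with the directive" result above) checkable without the GUI, here is an added Python example that is not from this thread or from Apple's racoon: it classifies raw IPv4 packets as bare ESP (IP protocol 50), IKE on UDP/500, or the RFC 3948 UDP/4500 forms (UDP-encapsulated ESP, non-ESP marker, keepalive), then gives a verdict on whether NAT-T was actually used. All packets are constructed test data; the function names are mine.

```python
import struct

ESP_PROTO, UDP_PROTO = 50, 17

def ipv4(proto, payload, src=b"\x0a\x00\x00\x02", dst=b"\xc0\x00\x02\x01"):
    """Minimal IPv4 packet for constructed test data (checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst) + payload

def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def classify(pkt):
    """Name the kind of IPsec traffic one raw IPv4 packet carries."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4"
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    if proto == ESP_PROTO:
        return "esp-raw"  # IP protocol 50 has no ports, so a NAT cannot track it
    if proto != UDP_PROTO or len(pkt) < ihl + 8:
        return "other"
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    body = pkt[ihl + 8:]
    if 500 in (sport, dport):
        return "ike"  # ISAKMP phase 1, where NAT-T support is negotiated
    if 4500 in (sport, dport):
        if body == b"\xff":
            return "natt-keepalive"  # RFC 3948 NAT keepalive
        if body[:4] == b"\x00\x00\x00\x00":
            return "ike-natt"  # non-ESP marker: IKE floated to UDP/4500
        return "esp-udp"  # UDP-encapsulated ESP, the NAT-friendly form
    return "other"

def natt_verdict(packets):
    """Did the client actually switch to UDP-encapsulated ESP after IKE?"""
    counts = {}
    for pkt in packets:
        kind = classify(pkt)
        counts[kind] = counts.get(kind, 0) + 1
    if counts.get("esp-udp"):
        return counts, "NAT-T in use"
    if counts.get("esp-raw"):
        return counts, "raw ESP only: NAT-T negotiated but not used" if counts.get("ike") else "raw ESP only"
    return counts, "no ESP seen"

# Constructed capture reproducing the symptom: IKE on UDP/500, then bare ESP/IP.
ESP = b"\x00\x00\x12\x34" + b"\x00\x00\x00\x01" + b"\xde\xad\xbe\xef" * 4  # SPI, seq, ciphertext
BROKEN = [ipv4(UDP_PROTO, udp(500, 500, b"\x11" * 28)), ipv4(ESP_PROTO, ESP), ipv4(ESP_PROTO, ESP)]
WORKING = [ipv4(UDP_PROTO, udp(500, 500, b"\x11" * 28)), ipv4(UDP_PROTO, udp(4500, 4500, ESP)),
           ipv4(UDP_PROTO, udp(4500, 4500, b"\xff"))]
```

On a real capture, feed the IPv4 layer of each frame to `classify`; a verdict of "raw ESP only" behind a NAT is exactly the failure described in this thread.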

Mar 10, 2013 8:46 AM in response to No One Of Consequence

Hey, I am facing a NAT-T problem with the OS X integrated IPsec client myself, and your post looks interesting to me!

I have read that nat-t(raversal) parameter is a compile time parameter, so modifying the executable was quite a good idea 🙂


I was wondering how you proceeded to modify L2TP.ppp?


I can edit it using a hex editor, but I can't find a way to locate the nat-t parameter... 😕

Can you help ?

Mar 10, 2013 9:29 AM in response to etresoft

Modifying this binary seems to be the only solution, and if any problem occurs, having a backup copy to restore would not imply any OS reinstallation...


If I find another solution I would be happy, but it's been almost a week that I am trying to configure an OS X 10.8.2 IPsec connection to a Cisco RV180 router... without success.


The only answer I had from Cisco was to use a third party client.... it is a shame.


Finding out that the OS X embedded Cisco IPsec client doesn't work with a small business Cisco router is quite a shame also (especially without any possibility to tweak client side parameters).


Why call this VPN client Cisco IPsec???


I am really disappointed on both sides for now.
