7 Replies Latest reply: Mar 10, 2013 10:30 AM by etresoft
No One Of Consequence Level 1 (5 points)

I've made an L2TP/IPSec tunnel using System Preferences->Network->VPN on a 10.6.8 client. 

When a NAT isn't involved, this tunnel works.  When a NAT is involved, it doesn't work.


If I'm interpreting Wireshark correctly, it appears that the Mac negotiates that it _could_ use NAT-T with the other end.  But when push comes to shove, it doesn't actually use NAT-T protocols.  The Mac side emits ESP/IP packets (which aren't NAT-friendly), when it really should be encapsulating ESP in port 4500/UDP.  Doh!


Digging a little deeper, racoon appears to be the daemon that should do the NAT-T dance.  The (no-longer-ships-with-Snow Leopard) man page for racoon.conf, at:


http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/10.5/man5/racoon.conf.5.html


indicates that nat_traversal is NOT the default, but there's an option "nat_traversal = force" that looks like it'd be the right option to put in racoon.conf.  The problem is that it's difficult to put the directive in the right racoon.conf.  There's an /etc/racoon/racoon.conf, but what the GUI does is generate a dynamic racoon.conf in /var/run/racoon/ which /etc/racoon/racoon.conf is configured to source. 




1) Is there a sane way to tweak what gets written to the dynamic racoon.conf?  Some plist to edit, perhaps?

2) Is this any better with Lion?  Why on earth isn't NAT-T the default? 

3) Anyone know if OpenVPN, SSTP, etc. will be VPN options in the future?  (For assorted reasons, I need to avoid 3rd party VPN products, even though they'd almost certainly be less of a pain than IPSec.)

  • Linc Davis Level 10 (192,472 points)

    If PPTP is an option, use it instead. It's more reliable than L2TP.

  • No One Of Consequence Level 1 (5 points)

    PPTP isn't an option, unfortunately.  It's not considered secure enough by the folks who run the VPN server end of things. 


    I managed to figure out what part of the GUI plumbing is responsible for the /var/run/racoon/ configuration.  It comes from the /System/Library/Extensions/L2TP.ppp/Contents/MacOS/L2TP executable.  It does NOT come from /usr/sbin/vpnd (though they share enough code for things to be confusing). 


    There's no obvious configuration file that lets me get at the options it sets.  But, in a stroke of luck, one of the racoon.conf options baked into the executable is a) long and b) unnecessary.  The "situation identity_only" directive is pointless if I believe the man page.  So, I mv'ed the original L2TP executable aside and used a hex editor to replace "situation identity_only" with "nat_traversal     force" (using appropriate excess padding so everything stays the same size).


    Good news:  I can get the "nat_traversal force" directive in the dynamic racoon.conf.  I didn't break anything by hacking the L2TP binary. 


    Bad news: Forcing NAT-T with that directive doesn't appear to work.  Even with that directive in place, racoon still tries to do ESP/IP even when it shouldn't/can't.  <sigh>


    Another thing I explored was replacing the old racoon with a more modern racoon, but modern racoon doesn't support the keychain integration AFAICT.
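The same-size replacement described in the post above, as an added example that is not the poster's tool or anything shipped with OS X. It swaps one racoon.conf directive baked into a binary for a shorter one, pads the replacement with spaces (racoon's lexer treats a run of whitespace as one separator) so the file size and every other byte offset stay unchanged, refuses to patch when the string is absent, ambiguous, or the replacement would not fit, and writes to a new file so the original remains as the backup. The `SAMPLE` bytes are a constructed stand-in (a Mach-O magic plus a small racoon.conf fragment), not the contents of the real L2TP plugin; the `OLD`/`NEW` strings are the ones the post names.

```python
"""Same-size string patch for a binary (added example, not the poster's tool).

Swaps one racoon.conf directive that is baked into an executable for another,
padding with spaces so the file size and every other byte offset are unchanged.
"""
from __future__ import annotations

import tempfile
from pathlib import Path

# The directive the post found in the L2TP plugin and the one wanted instead.
OLD = b"situation identity_only"
NEW = b"nat_traversal force"


def build_replacement(old: bytes, new: bytes) -> bytes:
    """Pad NEW with spaces to exactly len(OLD); the padding goes between
    keyword and value, which racoon reads as a single separator."""
    extra = len(old) - len(new)
    if extra < 0:
        raise ValueError(f"replacement is {-extra} byte(s) longer than the original; it would shift the file")
    head, sep, tail = new.partition(b" ")
    return head + sep + b" " * extra + tail


def find_unique(data: bytes, needle: bytes) -> int:
    """Offset of NEEDLE in DATA; refuse if it is absent or occurs more than once."""
    off = data.find(needle)
    if off == -1:
        raise ValueError(f"{needle!r} not found")
    if data.find(needle, off + 1) != -1:
        raise ValueError(f"{needle!r} occurs more than once; patch by explicit offset instead")
    return off


def patch_bytes(data: bytes, old: bytes = OLD, new: bytes = NEW) -> tuple[bytes, int]:
    """Return (patched copy of DATA, offset of the patched string)."""
    repl = build_replacement(old, new)
    off = find_unique(data, old)
    patched = data[:off] + repl + data[off + len(old):]
    assert len(patched) == len(data)  # same-size by construction
    return patched, off


def changed_offsets(a: bytes, b: bytes) -> list[int]:
    """Byte offsets at which two equal-length blobs differ (post-patch sanity check)."""
    if len(a) != len(b):
        raise ValueError("size changed")
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def patch_file(src: str, dst: str, old: bytes = OLD, new: bytes = NEW) -> int:
    """Write a patched copy of SRC to DST; never patch in place, SRC is the backup."""
    data = Path(src).read_bytes()
    patched, off = patch_bytes(data, old, new)
    Path(dst).write_bytes(patched)
    return off


# Constructed stand-in for the real binary: a Mach-O magic, some padding, and a
# racoon.conf fragment in a C-string area. The real L2TP plugin's strings are
# not reproduced here.
SAMPLE = (
    b"\xcf\xfa\xed\xfe" + b"\x00" * 12
    + b"remote anonymous {\n\texchange_mode main;\n\tsituation identity_only;\n"
    + b"\tproposal_check obey;\n}\n\x00"
    + b"\x00" * 8
)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        src, dst = f"{d}/L2TP.orig", f"{d}/L2TP"
        Path(src).write_bytes(SAMPLE)
        off = patch_file(src, dst)
        before, after = Path(src).read_bytes(), Path(dst).read_bytes()
        print(f"patched at offset {off:#x}; {len(changed_offsets(before, after))} byte(s) changed")
        print(after[off:off + len(OLD)])
```

Run it on a copy of the plugin executable (the path named in the post), keep the untouched copy, and compare `changed_offsets()` against the expected window before swapping the file in. Whether the resulting dynamic racoon.conf actually contains the new directive is checked by reading /var/run/racoon/ after the tunnel comes up, as the post did. On later macOS releases this approach does not apply at all: system binaries are code-signed and protected by System Integrity Protection, so a byte-patched plugin will not load.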

  • No One Of Consequence Level 1 (5 points)

    Turns out the other end didn't have NAT-T enabled, contrary to what they were telling me and what I could observe from my end.  Once NAT-T was enabled at their end, it started working. 


    Still, I figured out a way to wedge options into the dynamic racoon.conf -- good to know.

  • xolytem Level 1 (0 points)

    Hey, I am facing a Nat-t problem with os x integrated ipsec client myself, and your post looks interesting to me!

    I have read that the nat-t(raversal) parameter is a compile-time parameter, so modifying the executable was quite a good idea.


    I was wondering how did you proceed to modify L2TP.ppp ?


    I can edit it using a hex editor, but I can't find a way to locate the nat-t parameter...

    Can you help ?

  • etresoft Level 7 (27,801 points)

    Do NOT modify your binaries. That will only result in a reinstall of the OS.

  • xolytem Level 1 (0 points)

    Modifying this binary seems to be the only solution, and if any problem occurs, having a backup copy to restore would not imply any os reinstallation...


    If I find another solution I would be happy, but it's been almost a week that I am trying to configure an OS X 10.8.2 IPsec connection to a Cisco RV180 router... without success.


    The only answer I had from cisco was to use a third party client.... it is a shame.


    Finding out that the OS X embedded Cisco IPsec client doesn't work with a small business Cisco router is quite a shame also (especially without any possibility to tweak client-side parameters).


    Why call this VPN client "Cisco IPsec"???


    I am really disappointed on both sides for now.

  • etresoft Level 7 (27,801 points)

    Although this question may seem related to yours, it is really different. I suggest you start your own question. The original poster's VPN was just misconfigured. Considering that most VPN systems are run by corporate IT, about 94% of them are probably misconfigured. Not much you can do about that.


    PS: Do NOT modify your binaries