
L2TP/IPSec VPN doesn't do NAT-T?

I've made an L2TP/IPSec tunnel using System Preferences->Network->VPN on a 10.6.8 client.

When a NAT isn't involved, this tunnel works. When a NAT is involved, it doesn't work.


If I'm interpreting Wireshark correctly, it appears that the Mac negotiates that it _could_ use NAT-T with the other end. But when push comes to shove, it doesn't actually use NAT-T protocols. The Mac side emits ESP/IP packets (which aren't NAT-friendly), when it really should be encapsulating ESP in port 4500/UDP. Doh!


Digging a little deeper, racoon appears to be the daemon that should do the NAT-T dance. The (no-longer-ships-with-Snow Leopard) man page for racoon.conf, at:


http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/10.5/man5/racoon.conf.5.html


indicates that nat_traversal is NOT the default, but there's an option "nat_traversal = force" that looks like it'd be the right option to put in racoon.conf. The problem is that it's difficult to put the directive in the right racoon.conf. There's an /etc/racoon/racoon.conf, but what the GUI does is generate a dynamic racoon.conf in /var/run/racoon/ which /etc/racoon/racoon.conf is configured to source.


Questions:


1) Is there a sane way to tweak what gets written to the dynamic racoon.conf? Some plist to edit, perhaps?

2) Is this any better with Lion? Why on earth isn't NAT-T the default?

3) Anyone know if OpenVPN, SSTP, etc. will be VPN options in the future? (For assorted reasons, I need to avoid 3rd party VPN products, even though they'd almost certainly be less of a pain than IPSec.)

Posted on Dec 3, 2011 2:16 PM
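The symptom described above (NAT-T negotiated on UDP/4500, but the data path still going out as raw ESP/IP) can be confirmed from a capture without reading Wireshark by eye. The following is an added example written for this thread, not code from the original poster or from Apple; it parses raw IPv4 frames and classifies each one as IKE on 500, IKE on 4500 (leading non-ESP marker per RFC 3948), a NAT-T keepalive, UDP-encapsulated ESP, or ESP carried directly in IP. The sample packets at the bottom are constructed inline to mimic the poster's capture; the addresses and SPI are made up.

```python
import struct
from typing import Dict, List, Tuple

# IANA protocol numbers and ports used by IPsec/IKE.
IPPROTO_UDP = 17
IPPROTO_ESP = 50
PORT_IKE = 500
PORT_NAT_T = 4500


def parse_ipv4(pkt: bytes) -> Tuple[int, str, str, bytes]:
    """Return (protocol, src, dst, payload) for one raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4                      # header length in bytes
    proto = pkt[9]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return proto, src, dst, pkt[ihl:]


def classify(pkt: bytes) -> str:
    """Label a packet by the IPsec/IKE traffic type it carries."""
    proto, _src, _dst, payload = parse_ipv4(pkt)
    if proto == IPPROTO_ESP:
        return "ESP-in-IP"                         # raw ESP, not NAT-friendly
    if proto != IPPROTO_UDP or len(payload) < 8:
        return "other"
    sport, dport = struct.unpack("!HH", payload[:4])
    data = payload[8:]
    ports = {sport, dport}
    if PORT_NAT_T in ports:
        if len(data) == 1 and data[0] == 0xFF:
            return "NAT-T keepalive"               # RFC 3948 section 2.3
        if data[:4] == b"\x00\x00\x00\x00":
            return "IKE/4500"                      # non-ESP marker, RFC 3948 2.2
        return "UDP-encapsulated ESP"              # SPI is non-zero by definition
    if PORT_IKE in ports:
        return "IKE/500"
    return "other"


def diagnose(packets: List[bytes]) -> Dict[str, object]:
    """Count traffic types and state whether NAT-T is actually in use."""
    counts: Dict[str, int] = {}
    for pkt in packets:
        label = classify(pkt)
        counts[label] = counts.get(label, 0) + 1
    if counts.get("ESP-in-IP") and counts.get("IKE/4500"):
        verdict = "NAT-T negotiated on 4500 but data still sent as ESP-in-IP"
    elif counts.get("UDP-encapsulated ESP"):
        verdict = "NAT-T in use"
    elif counts.get("ESP-in-IP"):
        verdict = "no NAT-T: raw ESP"
    else:
        verdict = "no ESP data seen"
    return {"counts": counts, "verdict": verdict}


# --- constructed sample capture (addresses and SPI are made up) -------------

def ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split("."))))
    return hdr + payload


def udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


CLIENT, SERVER = "192.168.1.20", "203.0.113.5"
IKE_HDR = bytes(28)                                 # dummy ISAKMP header
ESP_BODY = struct.pack("!II", 0x1234ABCD, 1) + bytes(16)  # SPI, seq, ciphertext

SAMPLE_CAPTURE = [
    ipv4(IPPROTO_UDP, CLIENT, SERVER, udp(500, 500, IKE_HDR)),          # phase 1
    ipv4(IPPROTO_UDP, CLIENT, SERVER, udp(4500, 4500, b"\0\0\0\0" + IKE_HDR)),
    ipv4(IPPROTO_UDP, CLIENT, SERVER, udp(4500, 4500, b"\xff")),         # keepalive
    ipv4(IPPROTO_ESP, CLIENT, SERVER, ESP_BODY),                         # the bug
]

if __name__ == "__main__":
    for p in SAMPLE_CAPTURE:
        print(classify(p))
    print(diagnose(SAMPLE_CAPTURE)["verdict"])
```

To run it against a real capture, read the frames with any pcap library and pass the IPv4 payload of each frame to `diagnose`; a healthy NAT-T session shows "UDP-encapsulated ESP" after the IKE exchange on 4500, while the thread's failure shows "ESP-in-IP" there instead.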


Dec 4, 2011 7:50 PM in response to Linc Davis

PPTP isn't an option, unfortunately. It's not considered secure enough by the folks who run the VPN server end of things.


I managed to figure out what part of the GUI plumbing is responsible for the /var/run/racoon/ configuration. It comes from the /System/Library/Extensions/L2TP.ppp/Contents/MacOS/L2TP executable. It does NOT come from /usr/sbin/vpnd (though they share enough code for things to be confusing).


There's no obvious configuration file that lets me get at the options it sets. But, in a stroke of luck, one of the racoon.conf options baked into the executable is a) long and b) unnecessary. The "situation identity_only" directive is pointless if I believe the man page. So, I mv'ed the original L2TP executable aside and used a hex editor to replace "situation identity_only" with "nat_traversal force" (using appropriate excess padding so everything stays the same size).


Good news: I can get the "nat_traversal force" directive in the dynamic racoon.conf. I didn't break anything by hacking the L2TP binary.


Bad news: Forcing NAT-T with that directive doesn't appear to work. Even with that directive in place, racoon still tries to do ESP/IP even when it shouldn't/can't. <sigh>


Another thing I explored was replacing the old racoon with a more modern racoon, but modern racoon doesn't support the keychain integration AFAICT.

Mar 10, 2013 8:46 AM in response to No One Of Consequence

Hey, I am facing a Nat-t problem with os x integrated ipsec client myself, and your post looks interesting to me!

I have read that nat-t(raversal) parameter is a compile time parameter, so modifying the executable was quite a good idea 🙂


I was wondering how did you proceed to modify L2TP.ppp ?


I can edit it using a hex editor, but I can't find a way to locate the nat-t parameter... 😕

Can you help ?

Mar 10, 2013 9:29 AM in response to etresoft

Modifying this binary seems to be the only solution, and if any problem occurs, having a backup copy to restore would not imply any os reinstallation...


If I find another solution I would be happy, but it's been almost a week that I am trying to configure an OS X 10.8.2 ipsec connection to a cisco RV180 router... without success.


The only answer I had from cisco was to use a third party client.... it is a shame.


Finding out that the os x embedded cisco ipsec client doesn't work with a small business cisco router is quite a shame also (especially without any possibility to tweak client side parameters).


Why call this vpn client Cisco ipsec???


I am really disappointed on both sides for now.

Mar 10, 2013 10:30 AM in response to xolytem

Although this question may seem related to yours, it is really different. I suggest you start your own question. The original poster's VPN was just misconfigured. Considering that most VPN systems are run by corporate IT, about 94% of them are probably misconfigured. Not much you can do about that.


PS: Do NOT modify your binaries

