From: Harry G. <ha...@hg...> - 2006-02-27 05:48:26
I used to have a road warrior VPN working using IPSecuritas, but when I upgraded to OS/X Tiger it stopped working. I have had IPCop 1.4 net-to-net VPNs working the whole time. I've been struggling with the problem for months and am happy to report I finally circumvented it. First the circumvention, and then an explanation.

Solution: Go to the Firewall->External Access web page and add an entry for UDP port 500.

Explanation: Apparently Apple didn't follow the standard for NAT-Traversal packets in OS/X Tiger. The IPSec standard is that IPSec without NAT-T starts a session with UDP packets with both source and destination ports of 500 and then switches to IP protocol 47 for the rest of the session. For NAT-T sessions, all traffic has a destination port of 4500 and any source port. Apple does NAT-T with a destination port of 500, instead of 4500. Since the packets are NATed, the source port can and will be anything. This is described as the "Apple floating port 500" problem on the net.

IPCop's iptables chains follow the standard: UDP packets with both source and destination ports of 500 are let through, as well as packets with a destination port of 4500 with any source port. This means that Apple's NAT-T UDP packets with any source port (floating port) and a destination port of 500 are logged and then dropped before OpenS/WAN sees them. Adding the External Access rule for destination port 500 UDP packets circumvents the problem, by allowing destination port 500 UDP packets through to OpenS/WAN.

Harry
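The filtering logic Harry describes, as an added example that is not part of the original post and not IPCop's own code: a small Python model of the standard IPsec pass-through rules (IKE with both ports 500, NAT-T to destination port 4500), the narrow External Access rule for UDP destination port 500, and a filter that picks the "floating port 500" symptom out of firewall log lines. The packet samples and the log lines are constructed for the example, and the log format is only loosely modelled on netfilter's `PROTO=... SPT=... DPT=...` fields, so treat the parser as an assumption rather than IPCop's exact log layout.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class UdpPacket:
    src_port: int
    dst_port: int


def ipcop_standard_chain(pkt: UdpPacket) -> str:
    """Model of the standard pass-through rules from the post:
    IKE with source and destination port 500, or NAT-T to destination
    port 4500 from any source port. Everything else is dropped."""
    if pkt.src_port == 500 and pkt.dst_port == 500:
        return "ACCEPT"
    if pkt.dst_port == 4500:
        return "ACCEPT"
    return "DROP"


def external_access_rule(pkt: UdpPacket) -> bool:
    """Model of the added Firewall->External Access entry: any UDP packet
    whose destination port is 500, regardless of source port."""
    return pkt.dst_port == 500


def verdict(pkt: UdpPacket, with_workaround: bool = False) -> str:
    """Verdict for one UDP packet, with or without the workaround rule
    evaluated ahead of the standard chain."""
    if with_workaround and external_access_rule(pkt):
        return "ACCEPT"
    return ipcop_standard_chain(pkt)


# Constructed samples covering the cases the post discusses, plus one
# unrelated packet to show the workaround does not widen beyond port 500.
SAMPLES = {
    "standard IKE": UdpPacket(500, 500),
    "standard NAT-T": UdpPacket(41234, 4500),
    "Apple floating port 500": UdpPacket(41234, 500),
    "unrelated UDP (DNS)": UdpPacket(41234, 53),
}


def classify_all(with_workaround: bool) -> dict:
    """Run every sample through the chain and return name -> verdict."""
    return {name: verdict(p, with_workaround) for name, p in SAMPLES.items()}


# Constructed log lines, loosely modelled on netfilter's field syntax
# (assumption: real IPCop log lines carry more fields in a different order).
SAMPLE_LOG = """\
Feb 27 05:40:01 ipcop kernel: IN=eth1 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=UDP SPT=41234 DPT=500 LEN=376
Feb 27 05:40:02 ipcop kernel: IN=eth1 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=UDP SPT=500 DPT=500 LEN=376
Feb 27 05:40:03 ipcop kernel: IN=eth1 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=UDP SPT=41234 DPT=4500 LEN=120
Feb 27 05:40:04 ipcop kernel: IN=eth1 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=UDP SPT=41234 DPT=53 LEN=60
"""

_FIELDS = re.compile(r"PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)")


def find_floating_port_drops(log_text: str) -> list:
    """Return (src_port, dst_port) for logged UDP packets that match the
    symptom: destination port 500 with a source port other than 500.
    These are exactly the packets the standard chain drops but the
    External Access rule would let through."""
    hits = []
    for line in log_text.splitlines():
        m = _FIELDS.search(line)
        if not m or m.group("proto") != "UDP":
            continue
        spt, dpt = int(m.group("spt")), int(m.group("dpt"))
        if dpt == 500 and spt != 500:
            hits.append((spt, dpt))
    return hits


if __name__ == "__main__":
    for mode in (False, True):
        print("with workaround" if mode else "standard chain", classify_all(mode))
    print("floating-port drops in log:", find_floating_port_drops(SAMPLE_LOG))
```

Running the block shows the Apple packet as the only sample whose verdict changes between the two chains; the DNS sample stays dropped either way, which is the point of adding a rule for one destination port rather than opening UDP broadly. The log filter gives a quick way to confirm from the firewall log that dropped traffic really has this source-port/destination-port shape before adding the rule.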