SL server VPN, MacBook connects, iPhone does not

Discussion in 'Mac OS X Server, Xserve, and Networking' started by MvR, Oct 11, 2010.

  1. MvR macrumors newbie

    Joined:
    Jul 29, 2008
    #1
    MacMini running SL server, with VPN (L2TP, shared secret) enabled, behind ADSL router
    ADSL router forwards UDP ports 500, 1701, 4500

    Connecting from WAN using MacBookPro works fine, but iPhone does not (L2TP-VPN server did not respond...).

    tcpdump for the UDP ports:

    Port 500
    MacBookPro
    Code:
    07:50:13.495475 IP cpe-aaa-bbb-ccc-ddd.lnse1.cha.bigpond.net.au.isakmp > example.com.isakmp: isakmp: phase 1 I ident
    07:50:13.496745 IP example.com.isakmp > cpe-aaa-bbb-ccc-ddd.lnse1.cha.bigpond.net.au.isakmp: isakmp: phase 1 R ident
    07:50:13.543424 IP cpe-aaa-bbb-ccc-ddd.lnse1.cha.bigpond.net.au.isakmp > example.com.isakmp: isakmp: phase 1 I ident
    07:50:13.549858 IP example.com.isakmp > cpe-aaa-bbb-ccc-ddd.lnse1.cha.bigpond.net.au.isakmp: isakmp: phase 1 R ident
    iPhone
    Code:
    07:53:35.397355 IP cpe-aaa-bbb-ccc-ddd.lnse1.cha.bigpond.net.au.isakmp > example.com.isakmp: isakmp: phase 1 I ident
    07:53:35.398597 IP example.com.isakmp > cpe-aaa-bbb-ccc-ddd.lnse1.cha.bigpond.net.au.isakmp: isakmp: phase 1 R ident
    07:53:35.515043 IP cpe-aaa-bbb-ccc-ddd.lnse1.cha.bigpond.net.au.isakmp > example.com.isakmp: isakmp: phase 1 I ident
    07:53:35.521166 IP example.com.isakmp > cpe-aaa-bbb-ccc-ddd.lnse1.cha.bigpond.net.au.isakmp: isakmp: phase 1 R ident
    Port 4500
    MacBookPro
    Code:
    07:51:52.917001 IP cpe-aaa-bbb-ccc-ddd.lnse1.cha.bigpond.net.au.36852 > example.com.ipsec-msft: NONESP-encap: isakmp: phase 1 ? ident[E]
    07:51:52.917429 IP example.com.ipsec-msft > cpe-aaa-bbb-ccc-ddd.lnse1.cha.bigpond.net.au.36852: NONESP-encap: isakmp: phase 1 ? ident[E]
    07:51:52.948202 IP cpe-aaa-bbb-ccc-ddd.lnse1.cha.bigpond.net.au.36852 > example.com.ipsec-msft: NONESP-encap: isakmp: phase 2/others ? inf[E]
    07:51:53.954094 IP cpe-aaa-bbb-ccc-ddd.lnse1.cha.bigpond.net.au.36852 > example.com.ipsec-msft: NONESP-encap: isakmp: phase 2/others ? oakley-quick[E]
    07:51:53.954993 IP example.com.ipsec-msft > cpe-aaa-bbb-ccc-ddd.lnse1.cha.bigpond.net.au.36852: NONESP-encap: isakmp: phase 2/others ? oakley-quick[E]
    07:51:53.989228 IP cpe-aaa-bbb-ccc-ddd.lnse1.cha.bigpond.net.au.36852 > example.com.ipsec-msft: NONESP-encap: isakmp: phase 2/others ? oakley-quick[E]
    07:51:53.993554 IP cpe-aaa-bbb-ccc-ddd.lnse1.cha.bigpond.net.au.36852 > example.com.ipsec-msft: UDP-encap: ESP(spi=0x0b1d9f39,seq=0x1), length 116
    07:51:54.006707 IP example.com.ipsec-msft > cpe-aaa-bbb-ccc-ddd.lnse1.cha.bigpond.net.au.36852: UDP-encap: ESP(spi=0x0c0ebfb5,seq=0x1), length 116
    ...
    iPhone
    Code:
    07:55:20.336024 IP cpe-aaa-bbb-ccc-ddd.lnse1.cha.bigpond.net.au.35211 > example.com.ipsec-msft: NONESP-encap: isakmp: phase 1 ? ident[E]
    07:55:23.339436 IP cpe-aaa-bbb-ccc-ddd.lnse1.cha.bigpond.net.au.35211 > example.com.ipsec-msft: NONESP-encap: isakmp: phase 1 ? ident[E]
    07:55:23.339749 IP example.com.ipsec-msft > cpe-aaa-bbb-ccc-ddd.lnse1.cha.bigpond.net.au.35211: NONESP-encap: isakmp: phase 1 ? ident
    07:55:23.395106 IP cpe-aaa-bbb-ccc-ddd.lnse1.cha.bigpond.net.au.35211 > example.com.ipsec-msft: NONESP-encap: isakmp: phase 1 ? ident[E]
    07:55:26.388665 IP cpe-aaa-bbb-ccc-ddd.lnse1.cha.bigpond.net.au.35211 > example.com.ipsec-msft: NONESP-encap: isakmp: phase 1 ? ident[E]
    07:55:26.389039 IP example.com.ipsec-msft > cpe-aaa-bbb-ccc-ddd.lnse1.cha.bigpond.net.au.35211: NONESP-encap: isakmp: phase 1 ? ident
    ...
    There appears to be a difference in the IPSec key exchange. iPhone and server can't agree on how to exchange further info securely?

    Am I missing something in the configuration of either devices? Any insight appreciated.
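    The asymmetry in the two port-4500 captures can be checked mechanically rather than by eye. The script below is an added example written for this thread, not something posted by MvR or shipped with Mac OS X Server: it parses tcpdump ISAKMP/ESP lines of the form shown above, counts how many encrypted (`[E]`) phase 1 messages each side sent, measures the spacing of the client's encrypted phase 1 sends (gaps of a few seconds are retransmits), and reports whether the session reached ESP. The interpretation it attaches to the iPhone pattern is an assumption: in IKEv1 main mode the first four messages are in the clear and the identity/authentication messages that follow are encrypted with keys derived from the pre-shared key, so a client that keeps resending `ident[E]` while the server only answers with unencrypted phase 1 messages is consistent with the server being unable to process the encrypted exchange (for example, a shared-secret mismatch). The sample input is the captures quoted in the post, with the anonymized hostnames as they appear there; the `...` lines are kept to show that non-packet lines are skipped.

```python
import re
from datetime import datetime

# Constructed sample input: the two port-4500 captures quoted in the post.
MACBOOK_CAPTURE = """\
07:51:52.917001 IP cpe-aaa-bbb-ccc-ddd.lnse1.cha.bigpond.net.au.36852 > example.com.ipsec-msft: NONESP-encap: isakmp: phase 1 ? ident[E]
07:51:52.917429 IP example.com.ipsec-msft > cpe-aaa-bbb-ccc-ddd.lnse1.cha.bigpond.net.au.36852: NONESP-encap: isakmp: phase 1 ? ident[E]
07:51:52.948202 IP cpe-aaa-bbb-ccc-ddd.lnse1.cha.bigpond.net.au.36852 > example.com.ipsec-msft: NONESP-encap: isakmp: phase 2/others ? inf[E]
07:51:53.954094 IP cpe-aaa-bbb-ccc-ddd.lnse1.cha.bigpond.net.au.36852 > example.com.ipsec-msft: NONESP-encap: isakmp: phase 2/others ? oakley-quick[E]
07:51:53.954993 IP example.com.ipsec-msft > cpe-aaa-bbb-ccc-ddd.lnse1.cha.bigpond.net.au.36852: NONESP-encap: isakmp: phase 2/others ? oakley-quick[E]
07:51:53.989228 IP cpe-aaa-bbb-ccc-ddd.lnse1.cha.bigpond.net.au.36852 > example.com.ipsec-msft: NONESP-encap: isakmp: phase 2/others ? oakley-quick[E]
07:51:53.993554 IP cpe-aaa-bbb-ccc-ddd.lnse1.cha.bigpond.net.au.36852 > example.com.ipsec-msft: UDP-encap: ESP(spi=0x0b1d9f39,seq=0x1), length 116
07:51:54.006707 IP example.com.ipsec-msft > cpe-aaa-bbb-ccc-ddd.lnse1.cha.bigpond.net.au.36852: UDP-encap: ESP(spi=0x0c0ebfb5,seq=0x1), length 116
...
"""

IPHONE_CAPTURE = """\
07:55:20.336024 IP cpe-aaa-bbb-ccc-ddd.lnse1.cha.bigpond.net.au.35211 > example.com.ipsec-msft: NONESP-encap: isakmp: phase 1 ? ident[E]
07:55:23.339436 IP cpe-aaa-bbb-ccc-ddd.lnse1.cha.bigpond.net.au.35211 > example.com.ipsec-msft: NONESP-encap: isakmp: phase 1 ? ident[E]
07:55:23.339749 IP example.com.ipsec-msft > cpe-aaa-bbb-ccc-ddd.lnse1.cha.bigpond.net.au.35211: NONESP-encap: isakmp: phase 1 ? ident
07:55:23.395106 IP cpe-aaa-bbb-ccc-ddd.lnse1.cha.bigpond.net.au.35211 > example.com.ipsec-msft: NONESP-encap: isakmp: phase 1 ? ident[E]
07:55:26.388665 IP cpe-aaa-bbb-ccc-ddd.lnse1.cha.bigpond.net.au.35211 > example.com.ipsec-msft: NONESP-encap: isakmp: phase 1 ? ident[E]
07:55:26.389039 IP example.com.ipsec-msft > cpe-aaa-bbb-ccc-ddd.lnse1.cha.bigpond.net.au.35211: NONESP-encap: isakmp: phase 1 ? ident
...
"""

# One tcpdump line: "<timestamp> IP <host.port> > <host.port>: <description>"
LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")


def parse_line(line):
    """Parse one tcpdump line into a dict; return None for lines that are not packets."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    if "ESP(" in rest:
        kind, phase = "esp", None
    elif "isakmp:" in rest:
        kind = "isakmp"
        phase = 1 if "phase 1" in rest else 2
    else:
        kind, phase = "other", None
    return {
        "ts": datetime.strptime(m.group("ts"), "%H:%M:%S.%f"),
        "src": m.group("src").rsplit(".", 1)[0],  # drop the trailing port / service name
        "dst": m.group("dst").rsplit(".", 1)[0],
        "kind": kind,
        "phase": phase,
        "encrypted": rest.endswith("[E]"),  # tcpdump marks encrypted ISAKMP payloads with [E]
    }


def analyze(capture, server, retransmit_threshold=1.0):
    """Summarize one client's exchange with `server` and classify how far it got."""
    recs = [r for r in map(parse_line, capture.splitlines()) if r]

    def count(from_server, phase, encrypted):
        return sum(
            1 for r in recs
            if r["kind"] == "isakmp" and r["phase"] == phase
            and r["encrypted"] == encrypted and (r["src"] == server) == from_server
        )

    client_enc_p1 = count(False, 1, True)
    server_enc_p1 = count(True, 1, True)
    server_plain_p1 = count(True, 1, False)
    esp_seen = any(r["kind"] == "esp" for r in recs)
    phase2_seen = any(r["kind"] == "isakmp" and r["phase"] == 2 for r in recs)

    # Spacing of the client's encrypted phase 1 sends; long gaps are retransmits.
    sends = [r["ts"] for r in recs
             if r["dst"] == server and r["kind"] == "isakmp" and r["phase"] == 1 and r["encrypted"]]
    gaps = [(b - a).total_seconds() for a, b in zip(sends, sends[1:])]
    retransmit_gaps = [round(g, 3) for g in gaps if g >= retransmit_threshold]

    if esp_seen:
        verdict = "established"  # ESP traffic means phase 1 and phase 2 both completed
    elif client_enc_p1 and not server_enc_p1 and server_plain_p1:
        # Assumed interpretation: the server never answers the encrypted phase 1
        # message, which is what a pre-shared key mismatch looks like on the wire.
        verdict = "phase1_encrypted_stall"
    else:
        verdict = "inconclusive"

    return {
        "verdict": verdict,
        "client_encrypted_phase1": client_enc_p1,
        "server_encrypted_phase1": server_enc_p1,
        "server_plain_phase1": server_plain_p1,
        "phase2_seen": phase2_seen,
        "esp_seen": esp_seen,
        "retransmit_gaps": retransmit_gaps,
    }


if __name__ == "__main__":
    for name, cap in (("MacBookPro", MACBOOK_CAPTURE), ("iPhone", IPHONE_CAPTURE)):
        print(name, analyze(cap, "example.com"))
```

    Run against the two captures it reports `established` for the MacBookPro (one encrypted phase 1 message each way, then quick mode and ESP) and `phase1_encrypted_stall` for the iPhone (four encrypted phase 1 sends with roughly 3 s retransmit gaps, no encrypted reply, two unencrypted phase 1 replies). For a live capture, feed it the output of `tcpdump -n` filtered on UDP port 4500 so that the host fields are plain addresses rather than resolved names.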
     
  2. MvR thread starter macrumors newbie

    Joined:
    Jul 29, 2008
    #2
    .interconnect file or not

    The connection works when downloading the .interconnect file from the server to the client computer and double-clicking on it. Manually entering the parameters and shared secret does not, which explains why the iPhone doesn't connect, since the parameters are entered manually.

    Can anyone tell me what the difference is? And how do I get the missing piece of info into the iPhone so that it connects to the SL server?
     
  3. Alrescha macrumors 68020

    Joined:
    Jan 1, 2008
    #3
    I use the L2TP over IPsec VPN with original iPhone, iPod Touch, and iPad - along with various Mac OS X devices. If the shared secret isn't what you think it is, you'll get the 'not responding' message.

    I advise double/triple/quadruple checking the shared secret. If it contains some strange characters you might change it on the off chance that there is some keyboard entry glitch.

    A.
     