 
 From:  nik <nik at ngo dot org dot uk>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  udp/4500 not permitted by firewall
 Date:  Wed, 28 Nov 2007 11:42:56 +0100
I'm trying to connect to my employer's L2TP VPN through my m0n0wall server.

The network normally looks like this:

   { Internet } -- [ADSL router] -- [m0n0wall] -- [laptop]

and it doesn't work.  My L2TP connection instructions say to ensure that 
ports udp/500 and udp/4500 are permitted through the firewall, and 
appropriately NATd.  I have two NAT rules in place for udp/500 and 
udp/4500, and the associated firewall rules.  I also added entries for 
ESP, so the complete relevant firewall rules look like:

   Proto   Source   Port   Destination   Port

   ESP     *           *   laptop_ip        *
   UDP     *        4500   laptop_ip     4500
   UDP     *         500   laptop_ip      500

These rules are at the top of the firewall list, and there are no other 
rules that affect this combination of protocols and ports.

AIUI, that should work.  However, it doesn't.  If I try and connect by 
going through m0n0wall a tcpdump shows (laptop IP replaced with 
laptop_ip, server IP replaced with server_ip, and leading timestamps 
removed):

IP laptop_ip.500 > server_ip.500: isakmp: phase 1 I ident
IP server_ip.500 > laptop_ip.500: isakmp: phase 1 R ident
IP laptop_ip.500 > server_ip.500: isakmp: phase 1 I ident
IP server_ip.500 > laptop_ip.500: isakmp: phase 1 R ident
IP laptop_ip.4500 > server_ip.4500: NONESP-encap: isakmp: phase 1 I ident[E]
IP laptop_ip > server_ip: udp
IP server_ip.500 > laptop_ip.500: isakmp: phase 1 R ident
IP server_ip.500 > laptop_ip.500: isakmp: phase 1 R ident
IP laptop_ip.4500 > server_ip.4500: NONESP-encap: isakmp: phase 1 I ident[E]
IP laptop_ip > server_ip: udp
IP laptop_ip.4500 > server_ip.4500: NONESP-encap: isakmp: phase 1 I ident[E]
IP laptop_ip > server_ip: udp
IP server_ip.500 > laptop_ip.500: isakmp: phase 1 R ident
IP laptop_ip.4500 > server_ip.4500: NONESP-encap: isakmp: phase 1 I ident[E]
IP laptop_ip > server_ip: udp
IP laptop_ip.4500 > server_ip.4500: NONESP-encap: isakmp: phase 1 I ident[E]
IP laptop_ip > server_ip: udp
IP server_ip.500 > laptop_ip.500: isakmp: phase 1 R ident
IP laptop_ip.4500 > server_ip.4500: NONESP-encap: isakmp: phase 1 I ident[E]
IP laptop_ip > server_ip: udp
IP laptop_ip.4500 > server_ip.4500: NONESP-encap: isakmp: phase 1 I ident[E]
IP laptop_ip > server_ip: udp

So the initial back and forth over port 500 works, the laptop sends 
various packets to the server on port 4500, but never gets a reply. 
Eventually the L2TP connection times out.

If I remove m0n0wall, and connect the laptop directly to the ADSL router 
and do the same thing, so the network looks like this:

   { Internet } -- [ADSL router] -- [laptop]

it works and connects within a few seconds.  The relevant tcpdump looks 
like:

IP laptop_ip.500 > server_ip.500: isakmp: phase 1 I ident
IP server_ip.500 > laptop_ip.500: isakmp: phase 1 R ident
IP laptop_ip.500 > server_ip.500: isakmp: phase 1 I ident
IP server_ip.500 > laptop_ip.500: isakmp: phase 1 R ident
IP laptop_ip.4500 > server_ip.4500: NONESP-encap: isakmp: phase 1 I ident[E]
IP laptop_ip > server_ip: udp
IP server_ip.4500 > laptop_ip.4500: NONESP-encap: isakmp: phase 1 R ident[E]
IP server_ip > laptop_ip: udp
IP server_ip.4500 > laptop_ip.4500: NONESP-encap: isakmp: phase 1 R ident[E]
IP server_ip > laptop_ip: udp
IP laptop_ip.4500 > server_ip.4500: NONESP-encap: isakmp: phase 2/others 
I oakley-quick[E]
IP server_ip.4500 > laptop_ip.4500: NONESP-encap: isakmp: phase 2/others 
R oakley-quick[EC]
IP laptop_ip.4500 > server_ip.4500: NONESP-encap: isakmp: phase 2/others 
I oakley-quick[EC]
IP server_ip.4500 > laptop_ip.4500: NONESP-encap: isakmp: phase 2/others 
R oakley-quick[EC]
IP laptop_ip.4500 > server_ip.4500: UDP-encap: 
ESP(spi=0xbbaf17ec,seq=0x1), length 100
IP server_ip.4500 > laptop_ip.4500: UDP-encap: 
ESP(spi=0x0adfcc1d,seq=0x1), length 156
IP server_ip.4500 > laptop_ip.4500: UDP-encap: 
ESP(spi=0x0adfcc1d,seq=0x2), length 52
IP laptop_ip.4500 > server_ip.4500: UDP-encap: 
ESP(spi=0xbbaf17ec,seq=0x2), length 60
IP laptop_ip.4500 > server_ip.4500: UDP-encap: 
ESP(spi=0xbbaf17ec,seq=0x3), length 76

As you can see, they start out identical, and then differ at line 7, 
where the incoming request from the server to the laptop on port 4500 
reaches the laptop.  That packet never arrives at the laptop if I use 
m0n0wall.

Any thoughts?  Options I've missed?

I've tried this on 1.231 and 1.3b5 with the same result.

N
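A small parser for tcpdump output of the kind shown in this thread, added here as an example and not part of nik's message or of m0n0wall. It counts each leg of the IKE/NAT-T exchange (IKE on udp/500, the float to udp/4500, and UDP-encapsulated ESP on udp/4500) and names the first leg with no reply, and it reports the first packet at which two captures diverge, which is the comparison done by hand above. The two sample captures are constructed from the post's anonymised dump; `laptop_ip` and `server_ip` are the post's placeholders, not real addresses.

```python
# Added example (not from the original post): parse tcpdump lines of an
# IKE/NAT-T handshake and report where it breaks. The sample captures are
# constructed from the post's anonymised dump; laptop_ip / server_ip are
# its placeholders.
from collections import namedtuple
from typing import List, Optional, Tuple

IKE_PORT, NATT_PORT = 500, 4500

OK = "ok: IKE completed over udp/4500 and UDP-encapsulated ESP came back"
NO_TRAFFIC = "no 'IP src > dst:' lines parsed"
NO_IKE_REPLY = "no IKE reply on udp/500: udp/500 inbound blocked or not forwarded"
NO_NATT_REPLY = ("client floated to udp/4500 but no reply ever arrived: "
                 "udp/4500 inbound blocked or not NATed to the client")
NO_ESP_REPLY = "IKE on udp/4500 completed but no UDP-encapsulated ESP came back"

Packet = namedtuple("Packet", "src sport dst dport desc")


def split_endpoint(ep: str) -> Tuple[str, Optional[int]]:
    """Split tcpdump's 'host.port' form; a bare IP or name has no port."""
    parts = ep.split(".")
    numeric = all(p.isdigit() for p in parts)
    if numeric and len(parts) == 5:              # a.b.c.d.port
        return ".".join(parts[:4]), int(parts[4])
    if numeric and len(parts) == 4:              # a.b.c.d with no port
        return ep, None
    if len(parts) >= 2 and parts[-1].isdigit():  # name.port
        return ".".join(parts[:-1]), int(parts[-1])
    return ep, None


def parse_line(line: str) -> Optional[Packet]:
    """Parse one 'IP src > dst: description' line (timestamps already removed)."""
    line = line.strip()
    if not line.startswith("IP "):
        return None
    head, _, desc = line[3:].partition(":")
    ends = [e.strip() for e in head.split(">")]
    if len(ends) != 2:
        return None
    src, sport = split_endpoint(ends[0])
    dst, dport = split_endpoint(ends[1])
    return Packet(src, sport, dst, dport, desc.strip())


def diagnose(lines: List[str], client: str, server: str) -> dict:
    """Count each leg of the handshake and name the first one with no reply."""
    pkts = [p for p in map(parse_line, lines) if p is not None]

    def count(src: str, dst: str, port: int, prefix: str = "") -> int:
        return sum(1 for p in pkts
                   if (p.src, p.dst, p.sport, p.dport) == (src, dst, port, port)
                   and p.desc.startswith(prefix))

    c = {
        "ike500_out": count(client, server, IKE_PORT),
        "ike500_in": count(server, client, IKE_PORT),
        "natt4500_out": count(client, server, NATT_PORT),
        "natt4500_in": count(server, client, NATT_PORT),
        "esp4500_in": count(server, client, NATT_PORT, "UDP-encap: ESP"),
    }
    if not pkts:
        verdict = NO_TRAFFIC
    elif c["ike500_out"] and not c["ike500_in"]:
        verdict = NO_IKE_REPLY
    elif c["natt4500_out"] and not c["natt4500_in"]:
        verdict = NO_NATT_REPLY
    elif c["natt4500_in"] and not c["esp4500_in"]:
        verdict = NO_ESP_REPLY
    else:
        verdict = OK
    return {**c, "verdict": verdict}


def first_divergence(a: List[str], b: List[str]) -> Optional[int]:
    """1-based index of the first packet where two captures differ, else None."""
    pa = [p for p in map(parse_line, a) if p]
    pb = [p for p in map(parse_line, b) if p]
    for i, (x, y) in enumerate(zip(pa, pb), start=1):
        if x != y:
            return i
    return None if len(pa) == len(pb) else min(len(pa), len(pb)) + 1


# Constructed samples, taken from the post's two dumps (first lines only).
BROKEN = [  # laptop behind m0n0wall: nothing ever comes back on udp/4500
    "IP laptop_ip.500 > server_ip.500: isakmp: phase 1 I ident",
    "IP server_ip.500 > laptop_ip.500: isakmp: phase 1 R ident",
    "IP laptop_ip.500 > server_ip.500: isakmp: phase 1 I ident",
    "IP server_ip.500 > laptop_ip.500: isakmp: phase 1 R ident",
    "IP laptop_ip.4500 > server_ip.4500: NONESP-encap: isakmp: phase 1 I ident[E]",
    "IP laptop_ip > server_ip: udp",
    "IP server_ip.500 > laptop_ip.500: isakmp: phase 1 R ident",
]
WORKING = BROKEN[:6] + [  # laptop directly on the ADSL router
    "IP server_ip.4500 > laptop_ip.4500: NONESP-encap: isakmp: phase 1 R ident[E]",
    "IP server_ip > laptop_ip: udp",
    "IP laptop_ip.4500 > server_ip.4500: UDP-encap: ESP(spi=0xbbaf17ec,seq=0x1), length 100",
    "IP server_ip.4500 > laptop_ip.4500: UDP-encap: ESP(spi=0x0adfcc1d,seq=0x1), length 156",
]

if __name__ == "__main__":
    for name, cap in (("broken", BROKEN), ("working", WORKING)):
        print(name, diagnose(cap, "laptop_ip", "server_ip")["verdict"])
    print("captures first differ at packet", first_divergence(BROKEN, WORKING))
```

Run it with `tcpdump -n -i <iface> 'udp port 500 or udp port 4500 or proto 50'` output (timestamps stripped) fed to `diagnose`; on a m0n0wall-style setup the useful comparison is a capture on the WAN side against one on the LAN side, since a udp/4500 packet present on the first and absent from the second points at the firewall or NAT rule rather than at the far end.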