 From:  "Steve Thomas" <sthomas at consultant dot com>
 To:  nik <nik at ngo dot org dot uk>, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] udp/4500 not permitted by firewall
 Date:  Wed, 28 Nov 2007 10:59:15 -0500
I had something similar recently.

Open the port for the whole subnet ("*" destination)
and see if that works.


  ----- Original Message -----
  From: nik
  To: m0n0wall at lists dot m0n0 dot ch
  Subject: [m0n0wall] udp/4500 not permitted by firewall
  Date: Wed, 28 Nov 2007 11:42:56 +0100


  I'm trying to connect to my employer's L2TP VPN through my m0n0wall
  server.

  The network normally looks like this:

  { Internet } -- [ADSL router] -- [m0n0wall] -- [laptop]

  and it doesn't work. My L2TP connection instructions say to ensure
  that ports udp/500 and udp/4500 are permitted through the firewall,
  and appropriately NATd. I have two NAT rules in place for udp/500
  and udp/4500, and the associated firewall rules. I also added
  entries for ESP, so the complete relevant firewall rules look like:

  Proto  Source  Port  Destination  Port
  -----  ------  ----  -----------  ----
  ESP    *       *     laptop_ip    *
  UDP    *       4500  laptop_ip    4500
  UDP    *       500   laptop_ip    500

  These rules are at the top of the firewall list, and there are no
  other rules that affect this combination of protocols and ports.

  AIUI, that should work. However, it doesn't. If I try and connect
  by going through m0n0wall a tcpdump shows (laptop IP replaced with
  laptop_ip, server IP replaced with server_ip, and leading
  timestamps removed):

  IP laptop_ip.500 > server_ip.500: isakmp: phase 1 I ident
  IP server_ip.500 > laptop_ip.500: isakmp: phase 1 R ident
  IP laptop_ip.500 > server_ip.500: isakmp: phase 1 I ident
  IP server_ip.500 > laptop_ip.500: isakmp: phase 1 R ident
  IP laptop_ip.4500 > server_ip.4500: NONESP-encap: isakmp: phase 1 I ident[E]
  IP laptop_ip > server_ip: udp
  IP server_ip.500 > laptop_ip.500: isakmp: phase 1 R ident
  IP server_ip.500 > laptop_ip.500: isakmp: phase 1 R ident
  IP laptop_ip.4500 > server_ip.4500: NONESP-encap: isakmp: phase 1 I ident[E]
  IP laptop_ip > server_ip: udp
  IP laptop_ip.4500 > server_ip.4500: NONESP-encap: isakmp: phase 1 I ident[E]
  IP laptop_ip > server_ip: udp
  IP server_ip.500 > laptop_ip.500: isakmp: phase 1 R ident
  IP laptop_ip.4500 > server_ip.4500: NONESP-encap: isakmp: phase 1 I ident[E]
  IP laptop_ip > server_ip: udp
  IP laptop_ip.4500 > server_ip.4500: NONESP-encap: isakmp: phase 1 I ident[E]
  IP laptop_ip > server_ip: udp
  IP server_ip.500 > laptop_ip.500: isakmp: phase 1 R ident
  IP laptop_ip.4500 > server_ip.4500: NONESP-encap: isakmp: phase 1 I ident[E]
  IP laptop_ip > server_ip: udp
  IP laptop_ip.4500 > server_ip.4500: NONESP-encap: isakmp: phase 1 I ident[E]
  IP laptop_ip > server_ip: udp

  So the initial back and forth over port 500 works, the laptop sends
  various packets to the server on port 4500, but never gets a reply.
  Eventually the L2TP connection times out.

  If I remove m0n0wall, and connect the laptop directly to the ADSL
  router and do the same thing, so the network looks like this:

  { Internet } -- [ADSL router] -- [laptop]

  it works and connects within a few seconds. The relevant tcpdump
  looks like:

  IP laptop_ip.500 > server_ip.500: isakmp: phase 1 I ident
  IP server_ip.500 > laptop_ip.500: isakmp: phase 1 R ident
  IP laptop_ip.500 > server_ip.500: isakmp: phase 1 I ident
  IP server_ip.500 > laptop_ip.500: isakmp: phase 1 R ident
  IP laptop_ip.4500 > server_ip.4500: NONESP-encap: isakmp: phase 1 I ident[E]
  IP laptop_ip > server_ip: udp
  IP server_ip.4500 > laptop_ip.4500: NONESP-encap: isakmp: phase 1 R ident[E]
  IP server_ip > laptop_ip: udp
  IP server_ip.4500 > laptop_ip.4500: NONESP-encap: isakmp: phase 1 R ident[E]
  IP server_ip > laptop_ip: udp
  IP laptop_ip.4500 > server_ip.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
  IP server_ip.4500 > laptop_ip.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[EC]
  IP laptop_ip.4500 > server_ip.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[EC]
  IP server_ip.4500 > laptop_ip.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[EC]
  IP laptop_ip.4500 > server_ip.4500: UDP-encap: ESP(spi=0xbbaf17ec,seq=0x1), length 100
  IP server_ip.4500 > laptop_ip.4500: UDP-encap: ESP(spi=0x0adfcc1d,seq=0x1), length 156
  IP server_ip.4500 > laptop_ip.4500: UDP-encap: ESP(spi=0x0adfcc1d,seq=0x2), length 52
  IP laptop_ip.4500 > server_ip.4500: UDP-encap: ESP(spi=0xbbaf17ec,seq=0x2), length 60
  IP laptop_ip.4500 > server_ip.4500: UDP-encap: ESP(spi=0xbbaf17ec,seq=0x3), length 76

  As you can see, they start out identical, and then differ at line
  7, where the incoming request from the server to the laptop on port
  4500 reaches the laptop. That packet never arrives at the laptop
  if I use m0n0wall.

  Any thoughts? Options I've missed?

  I've tried this on 1.231 and 1.3b5 with the same result.

  N
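Added illustration, not code from either poster: a small Python checker that reads tcpdump lines of the kind quoted in the thread, re-joins lines a mail client wrapped, and reports whether NAT-T replies on udp/4500 from the VPN server are reaching the client. The two sample captures and the names laptop_ip/server_ip are constructed to mirror the shape of the dumps above.

```python
import re
from collections import Counter

# Constructed samples shaped like the two captures in the thread,
# including the continuation lines the mail client wrapped.
FAILING_CAPTURE = """\
IP laptop_ip.500 > server_ip.500: isakmp: phase 1 I ident
IP server_ip.500 > laptop_ip.500: isakmp: phase 1 R ident
IP laptop_ip.4500 > server_ip.4500: NONESP-encap: isakmp: phase 1 I
ident[E]
IP laptop_ip > server_ip: udp
"""
WORKING_CAPTURE = FAILING_CAPTURE + """\
IP server_ip.4500 > laptop_ip.4500: NONESP-encap: isakmp: phase 1 R
ident[E]
IP laptop_ip.4500 > server_ip.4500: UDP-encap:
ESP(spi=0xbbaf17ec,seq=0x1), length 100
"""

# host.port > host.port: payload description
PKT = re.compile(r"^IP (\S+)\.(\d+) > (\S+)\.(\d+): (.*)$")

def unwrap(text):
    """Re-join wrapped tcpdump output: a line not starting with 'IP ' continues the previous one."""
    lines = []
    for raw in (l.strip() for l in text.splitlines()):
        if not raw:
            continue
        if raw.startswith("IP ") or not lines:
            lines.append(raw)
        else:
            lines[-1] += " " + raw
    return lines

def udp_port_flows(text, client, server):
    """Count ISAKMP / UDP-encapsulated ESP packets per (direction, port 500|4500)."""
    counts = Counter()
    for line in unwrap(text):
        if "isakmp" not in line and "-encap" not in line:
            continue  # e.g. bare 'IP a > b: udp' lines carry no port info
        m = PKT.match(line)
        if not m or m.group(4) not in ("500", "4500"):
            continue
        src, _, dst, dport, _ = m.groups()
        if src == client and dst == server:
            counts[("out", int(dport))] += 1
        elif src == server and dst == client:
            counts[("in", int(dport))] += 1
    return counts

def diagnose(text, client, server):
    """Name the symptom: phase 1 answered on 500 but nothing back on 4500 points at the inbound udp/4500 rule."""
    c = udp_port_flows(text, client, server)
    if c[("in", 500)] and c[("out", 4500)] and not c[("in", 4500)]:
        return "udp/500 answered but no replies on udp/4500: check inbound NAT/firewall rule for udp/4500"
    if c[("in", 4500)]:
        return "NAT-T replies on udp/4500 are arriving"
    return "no ISAKMP exchange seen"
```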
