L2TP/IPSEC issue - Any generic pointers would be great


Ted Wynnychenko
Hello

This may be off topic, since I don't think it's an openbsd issue, but
(honestly) I have run out of ideas about where to go next.

There aren't going to be many "specifics," since I don't know what details
or outputs might be useful at this point.

 

Here is my story (oh, this is just a home/personal situation).

 

I have an openbsd 5.1 server as a firewall/ipsec server.  This one also is
able to accept L2TP (from my ipad) connections, and is running npppd.

I have a second openbsd 5.1 server as a second firewall/ipsec server.

 

When I set this up (over a year ago), everything worked great.  The ipsec
endpoints talk to each other, the tunnel comes up like magic, and I am able
to backup data at a remote location without even thinking about it.

At the same time, I got npppd working, and was able to connect with my ipad
when I wasn't at home to access "stuff" that I wanted to.  I don't need to
do this often.

 

Well, 4-6 months ago, everything was good.  The "static" IPSEC tunnel was
working, and I could connect with the ipad.

 

About 3 weeks ago I wanted to connect with the ipad and L2TP and no joy
("server not responding" that ipad says).


And here is where I start getting lost.

 

First, during this entire time, the "static" IPSEC tunnel has been rock
stable (with the occasional dropout because my internet service provider
drops my connection at one end or the other, but the "static" tunnel always
comes back up when the connection is restored - maybe 5 or 10 minutes a day,
usually at night).

 

When trying to connect with the ipad, most (> 95%) of the time, the
connection is unsuccessful.  But, occasionally, the ipad connects.  NO
changes to configuration of the openbsd server, or changes to configuration
of the ipad.  It just happens.  This may last for 3 minutes, or 5 minutes,
or 7 minutes; but then it's gone.


During these "connections," the tablet may or may not be able to access
something on the internal/protected network.  I have not seen a pattern so
far, given the infrequent and limited connection opportunities.

 

But, (to repeat) the "static" IPSEC tunnel is up the whole time.

 

So, I tried this with a second ipad - same thing - most of the time it does
not work; rarely, it works for a few minutes.

I tried with an old laptop I have - using L2TP/IPSEC to establish a VPN; no
success - I only tried with the laptop a dozen or so times, however.

I tried from different locations, in different states, and different cities;
same issue, most of the time no, rarely yes (Oh, by the way, almost all of
these locations had been used in the past - prior to 6 months ago, and the
ipad connected fine).

 

Now, if I am at home, and try to connect to the now "local" IPSEC/L2TP
server (from its internal interface) with the tablet, everything works fine,
every time.  Also, I can reliably access the network, and the network sees
the traffic as coming from the L2TP server, and the associated VPN IP
address.

 

So, I used my meager knowledge to explore this issue - and here is where I
REALLY get lost.

 

Using tcpdump, I watch the L2TP/IPSEC server's external interface (so, I am
looking at traffic before it hits PF or anything else - right?).   Well,
when the connections fail, there is NO traffic from the tablet getting to
the external interface.   At the same time, I can ssh into the server, and I
can see that traffic using tcpdump fine (connecting from the same
location/IP address that the ipad is trying to connect from).

 

On those rare occasions when the ipad is able to connect, I see packets
coming in on the external interface for isakmpd, and then the established
tunnel.

 

During all of this, the "static" IPSEC tunnel is up and working.

 

I have no idea where to go with this, or what to try.

I feel like this is not related to the openbsd server, since when the tablet
fails to connect, there is no traffic on the external interface.

But, in that case, the failure is upstream (somewhere in the route between
the tablet and the server).  But, why would the other IPSEC tunnel be fine?

If my ISP was filtering traffic, both shouldn't work, right?

The variety of locations that I have tried to connect from and (mostly)
failed, would seem to suggest the problem is near the "end" of the route
back to the IPSEC/L2TP server, but that makes no sense to me either, since
the "static" tunnel is rock solid.

 

I am sorry for the long, rambling email.  I wanted to thoroughly explain my
issue, and since I don't really know what might be important, I
included the whole story.

 

If this is not an openbsd issue (which (frankly) I don't think it is), sorry
for the noise.

 

But, if anyone has a friendly (or, for that matter, an unfriendly)
suggestion of what I could try, please let me know.

 

Thanks.

Bye - ted

[demime 1.01d removed an attachment of type application/x-pkcs7-signature which had a name of smime.p7s]
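The tcpdump observation above (ssh from the iPad's address reaches the external interface, but nothing for isakmpd does) is the key fact in the report. The following is an added example, not code from the thread or from OpenBSD: a small Python classifier that reads tcpdump -n style lines and tells you which stage of an L2TP/IPsec session (IKE on UDP 500, NAT-T on UDP 4500, raw ESP, or plain L2TP on UDP 1701) has actually arrived from a given client address, then maps that to where the fault must lie. The addresses, the sample lines and the function names are constructed for illustration; the line format is modelled on tcpdump output but the samples were not captured from the poster's setup.

```python
import re
from collections import Counter

# Constructed addresses (RFC 5737 documentation ranges), not from the thread:
# CLIENT is the iPad's public address, SERVER the firewall's external address.
CLIENT = "203.0.113.10"
SERVER = "198.51.100.1"

# Matches "src[.port] > dst[.port]" as tcpdump -n prints IPv4 endpoints.
PKT_RE = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<sport>\d+))?\s*>\s*"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<dport>\d+))?"
)


def classify(line):
    """Return (src, stage) for one tcpdump line, or None if it is not a packet line.

    Stages of an L2TP/IPsec session as seen on the *external* interface:
      ike    - IKE (isakmpd) on UDP 500
      nat-t  - UDP 4500: IKE or UDP-encapsulated ESP once NAT is detected
               (a tablet behind a home or hotel NAT almost always ends up here)
      esp    - raw ESP (IP protocol 50), used when there is no NAT in the path
      l2tp   - UDP 1701 in the clear; with working IPsec this only appears on enc0
               after decapsulation, so seeing it externally is itself a finding
    """
    m = PKT_RE.search(line)
    if not m:
        return None
    ports = {m.group("sport"), m.group("dport")}
    text = line.lower()
    if "4500" in ports:
        stage = "nat-t"
    elif "500" in ports or "isakmp" in text:
        stage = "ike"
    elif "esp" in text:
        stage = "esp"
    elif "1701" in ports or "l2tp" in text:
        stage = "l2tp"
    else:
        stage = "other"
    return m.group("src"), stage


def summarize(lines, client_ip):
    """Count stages for packets whose source address is client_ip."""
    counts = Counter()
    for line in lines:
        parsed = classify(line)
        if parsed and parsed[0] == client_ip:
            counts[parsed[1]] += 1
    return counts


def diagnose(counts):
    """Map stage counts to where the failure must lie. Returns (verdict, explanation)."""
    if sum(counts.values()) == 0:
        return ("no_traffic",
                "Nothing from the client reached this interface: the fault is upstream "
                "(client, NAT, ISP routing), not isakmpd, npppd or pf.")
    if counts["ike"] + counts["nat-t"] + counts["esp"] == 0:
        return ("ike_never_arrives",
                "Other traffic (e.g. ssh) from the client arrives but no IKE/ESP does: "
                "UDP 500/4500 or ESP is dropped somewhere on the path before this host.")
    if counts["nat-t"] == 0 and counts["esp"] == 0:
        return ("ike_only",
                "IKE arrives but no ESP or NAT-T follows: the IPsec negotiation itself "
                "fails, so isakmpd's own logging is the next place to look.")
    return ("tunnel_up",
            "Encrypted traffic arrives; if L2TP still fails, look past IPsec at enc0, "
            "the pf rules for it, and npppd.")


# Constructed sample captures. FAILING mirrors the report: the static peer
# (192.0.2.5) and an ssh session from the tablet are visible, but no IKE from it.
FAILING_LINES = [
    "20:35:01.000001 192.0.2.5.500 > 198.51.100.1.500: isakmp v1.0 exchange INFO",
    "20:35:01.000002 esp 192.0.2.5 > 198.51.100.1 spi 0x0000abcd seq 1 len 116",
    "20:35:02.000003 203.0.113.10.51234 > 198.51.100.1.22: S 1:1(0) win 65535",
]
# WORKING mirrors the rare good case: IKE, then NAT-T carrying quick mode and ESP.
WORKING_LINES = [
    "20:40:00.000001 203.0.113.10.500 > 198.51.100.1.500: isakmp v1.0 exchange ID_PROT",
    "20:40:00.000002 198.51.100.1.500 > 203.0.113.10.500: isakmp v1.0 exchange ID_PROT",
    "20:40:01.000003 203.0.113.10.4500 > 198.51.100.1.4500: udpencap: isakmp v1.0 exchange QUICK_MODE",
    "20:40:02.000004 203.0.113.10.4500 > 198.51.100.1.4500: udpencap: esp spi 0x00001234 seq 1",
]

if __name__ == "__main__":
    for name, lines in (("failing", FAILING_LINES), ("working", WORKING_LINES)):
        verdict, why = diagnose(summarize(lines, CLIENT))
        print(f"{name}: {verdict} - {why}")
```

To feed it a real capture, run tcpdump on the external interface with a filter narrowed to the client and the protocols that matter, for example `tcpdump -n -i <ext-if> host <client-ip> and '(udp port 500 or udp port 4500 or ip proto 50 or tcp port 22)'` (interface and address are placeholders), and pipe the lines into `summarize`. Including port 22 in the filter is deliberate: it reproduces the "ssh arrives, IKE does not" comparison from the report, which is what separates an upstream drop of UDP 500/4500 from a problem on the server.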


Re: L2TP/IPSEC issue - Any generic pointers would be great

Maxim Bourmistrov-5
I'd start isakmpd in foreground mode (read: verbose mode) and see what it prints out while the iPad tries to connect to it.


On 15 jan 2013, at 20:35, Ted Wynnychenko <[hidden email]> wrote:

> Hello
>
> This may be off topic, since I don't think it's an openbsd issue, but
> (honestly) I have run out of ideas about where to go next.
>
> There aren't going to be many "specifics," since I don't know what details
> or outputs might be useful at this point.
>
>
>
> Here is my story (oh, this is just a home/personal situation).
>
>
>
> I have a openbsd 5.1 server as a firewall/ipsec server.  This one also is
> able to accept L2TP (from my ipad) connections, and is running npppd.
>
> I have a second openbsd 5.1 server as a second firewall/ipsec server.
>
>
>
> When I set this up (over a year ago), everything worked great.  The ipsec
> endpoints talk to each other, the tunnel comes up like magic, and I am able
> to backup data at a remote location without even thinking about.
>
> At the same time, I got npppd working, and was able to connect with my ipad
> when I wasn't at home to access "stuff" that I wanted to.  I don't need to
> do this often.
>
>
>
> Well, 4-6 months ago, everything was good.  The "static" IPSEC tunnel was
> working, and I could connect with the ipad.
>
>
>
> About 3 weeks ago I wanted to connect with the ipad and L2TP and no joy
> ("server not responding" that ipad says).
>
>
> And here is where I start getting lost.
>
>
>
> First, during this entire time, the "static" IPSEC tunnel has been rock
> stable (with the occasional dropout because my internet service provider
> drops my connection at one end or the other, but the "static" tunnel always
> comes back up when the connection is restored - maybe 5 or 10 minutes a day,
> usually at night).
>
>
>
> When trying to connect with the ipad, most (> 95%) of the time, the
> connection is unsuccessful.  But, occasionally, the ipad connects.  NO
> changes to configuration of the openbsd server, or changes to configuration
> of the ipad.  It just happens.  This may last for 3 minutes, or 5 minutes,
> or 7 minutes; but then it's gone.
>
>
> During these "connections," the tablet may or may not be able to access
> something on the internal/protected network.  I have not seen a pattern so
> far, given the infrequent and limited connection opportunities.
>
>
>
> But, (to repeat) the "static" IPSEC tunnel is up the whole time.
>
>
>
> So, I tried this with a second ipad - same thing - most of the time it does
> not work; rarely, it works for a few minutes.
>
> I tried with an old laptop I have - using L2TP/IPSEC to establish a VPN; no
> success - I only tried with the laptop a dozen or so times, however.
>
> I tried from different locations, in different states, and different cities;
> same issue, most of the time no, rarely yes (Oh, by the way, almost all of
> these locations had been used in the past - prior to 6 months ago, and the
> ipad connected fine).
>
>
>
> Now, if I am at home, and try to connect to the now "local" IPSEC/L2TP
> server (from its internal interface) with the tablet, everything works fine,
> every time.  Also, I can reliably access the network, and the network sees
> the traffic as coming from the L2TP server, and the associated VPN IP
> address.
>
>
>
> So, I used my meager knowledge to explore this issue - and here is where I
> REALLY get lost.
>
>
>
> Using tcpdump, I watch the L2TP/IPSEC server's external interface (so, I am
> looking at traffic before it hits PF or anything else - right?).   Well,
> when the connections fail, there is NO traffic from the tablet getting to
> the external interface.   At the same time, I can ssh into the server, and I
> can see that traffic using tcpdump fine (connecting from the same
> location/IP address that the ipad is trying to connect).
>
>
>
> On those rare occasions when the ipad is able to connect, I see packets
> coming in on the external interface for isakmpd, and then the established
> tunnel.
>
>
>
> During all of this, the "static" IPSEC tunnel is up and working.
>
>
>
> I have no idea where to go with this, or what to try.
>
> I feel like this is not related to the openbsd server, since when the tablet
> fails to connect, there is no traffic on the external interface.
>
> But, in that case, the failure is upstream (somewhere in the route between
> the tablet and the server).  But, why would the other IPSEC tunnel be fine?
>
> If my ISP was filtering traffic, both shouldn't work, right?
>
> The variety of locations that I have tried to connect from and (mostly)
> failed, would seem to suggest the problem is near the "end" of the route
> back to the IPSEC/L2TP server, but that makes no sense to me either, since
> the "static" tunnel is rock solid.
>
>
>
> I am sorry for the long, rambling email.  I wanted to thoroughly explain my
> issue, and since I don't really know what might have be important, I
> included the whole story.
>
>
>
> If this is not an openbsd issue (which (frankly) I don't think it is), sorry
> for the noise.
>
>
>
> But, if anyone has a friendly (or, for that matter, and unfriendly)
> suggestion of what I could try, please let me know.
>
>
>
> Thanks.
>
> Bye - ted
>
> [demime 1.01d removed an attachment of type application/x-pkcs7-signature which had a name of smime.p7s]