
MvR

macrumors newbie
Original poster
Jul 29, 2008
12
0
MacMini running SL server, with VPN (L2TP, shared secret) enabled, behind ADSL router
ADSL router forwards UDP ports 500, 1701, 4500

Connecting from WAN using MacBookPro works fine, but iPhone does not (L2TP-VPN server did not respond...).

tcpdump for the UDP ports:

Port 500
MacBookPro
Code:
07:50:13.495475 IP cpe-aaa-bbb-ccc-ddd.lnse1.cha.bigpond.net.au.isakmp > example.com.isakmp: isakmp: phase 1 I ident
07:50:13.496745 IP example.com.isakmp > cpe-aaa-bbb-ccc-ddd.lnse1.cha.bigpond.net.au.isakmp: isakmp: phase 1 R ident
07:50:13.543424 IP cpe-aaa-bbb-ccc-ddd.lnse1.cha.bigpond.net.au.isakmp > example.com.isakmp: isakmp: phase 1 I ident
07:50:13.549858 IP example.com.isakmp > cpe-aaa-bbb-ccc-ddd.lnse1.cha.bigpond.net.au.isakmp: isakmp: phase 1 R ident
iPhone
Code:
07:53:35.397355 IP cpe-aaa-bbb-ccc-ddd.lnse1.cha.bigpond.net.au.isakmp > example.com.isakmp: isakmp: phase 1 I ident
07:53:35.398597 IP example.com.isakmp > cpe-aaa-bbb-ccc-ddd.lnse1.cha.bigpond.net.au.isakmp: isakmp: phase 1 R ident
07:53:35.515043 IP cpe-aaa-bbb-ccc-ddd.lnse1.cha.bigpond.net.au.isakmp > example.com.isakmp: isakmp: phase 1 I ident
07:53:35.521166 IP example.com.isakmp > cpe-aaa-bbb-ccc-ddd.lnse1.cha.bigpond.net.au.isakmp: isakmp: phase 1 R ident

Port 4500
MacBookPro
Code:
07:51:52.917001 IP cpe-aaa-bbb-ccc-ddd.lnse1.cha.bigpond.net.au.36852 > example.com.ipsec-msft: NONESP-encap: isakmp: phase 1 ? ident[E]
07:51:52.917429 IP example.com.ipsec-msft > cpe-aaa-bbb-ccc-ddd.lnse1.cha.bigpond.net.au.36852: NONESP-encap: isakmp: phase 1 ? ident[E]
07:51:52.948202 IP cpe-aaa-bbb-ccc-ddd.lnse1.cha.bigpond.net.au.36852 > example.com.ipsec-msft: NONESP-encap: isakmp: phase 2/others ? inf[E]
07:51:53.954094 IP cpe-aaa-bbb-ccc-ddd.lnse1.cha.bigpond.net.au.36852 > example.com.ipsec-msft: NONESP-encap: isakmp: phase 2/others ? oakley-quick[E]
07:51:53.954993 IP example.com.ipsec-msft > cpe-aaa-bbb-ccc-ddd.lnse1.cha.bigpond.net.au.36852: NONESP-encap: isakmp: phase 2/others ? oakley-quick[E]
07:51:53.989228 IP cpe-aaa-bbb-ccc-ddd.lnse1.cha.bigpond.net.au.36852 > example.com.ipsec-msft: NONESP-encap: isakmp: phase 2/others ? oakley-quick[E]
07:51:53.993554 IP cpe-aaa-bbb-ccc-ddd.lnse1.cha.bigpond.net.au.36852 > example.com.ipsec-msft: UDP-encap: ESP(spi=0x0b1d9f39,seq=0x1), length 116
07:51:54.006707 IP example.com.ipsec-msft > cpe-aaa-bbb-ccc-ddd.lnse1.cha.bigpond.net.au.36852: UDP-encap: ESP(spi=0x0c0ebfb5,seq=0x1), length 116
...
iPhone
Code:
07:55:20.336024 IP cpe-aaa-bbb-ccc-ddd.lnse1.cha.bigpond.net.au.35211 > example.com.ipsec-msft: NONESP-encap: isakmp: phase 1 ? ident[E]
07:55:23.339436 IP cpe-aaa-bbb-ccc-ddd.lnse1.cha.bigpond.net.au.35211 > example.com.ipsec-msft: NONESP-encap: isakmp: phase 1 ? ident[E]
07:55:23.339749 IP example.com.ipsec-msft > cpe-aaa-bbb-ccc-ddd.lnse1.cha.bigpond.net.au.35211: NONESP-encap: isakmp: phase 1 ? ident
07:55:23.395106 IP cpe-aaa-bbb-ccc-ddd.lnse1.cha.bigpond.net.au.35211 > example.com.ipsec-msft: NONESP-encap: isakmp: phase 1 ? ident[E]
07:55:26.388665 IP cpe-aaa-bbb-ccc-ddd.lnse1.cha.bigpond.net.au.35211 > example.com.ipsec-msft: NONESP-encap: isakmp: phase 1 ? ident[E]
07:55:26.389039 IP example.com.ipsec-msft > cpe-aaa-bbb-ccc-ddd.lnse1.cha.bigpond.net.au.35211: NONESP-encap: isakmp: phase 1 ? ident
...

There appears to be a difference in the IPSec key exchange. iPhone and server can't agree on how to exchange further info securely?

Am I missing something in the configuration of either device? Any insight appreciated.
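As an added example (not part of this thread), the following Python script parses tcpdump `isakmp`/ESP summary lines in the format shown above and classifies each client's exchange by how far it got: whether the server ever answered with an encrypted (`[E]`) phase 1 message, whether quick mode and ESP were reached, and how many times the client retransmitted its encrypted phase 1 identity. The capture text is constructed to mirror the two traces above with placeholder hostnames (`client-a`, `client-b`, `vpn.example.com`); the stage mapping and the "stalled" verdict are a troubleshooting heuristic, not a definitive IKE decoder.

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump's isakmp output format, modelled on the
# two traces in the thread. Hostnames and ports are placeholders.
SAMPLE_CAPTURE = """\
07:51:52.917001 IP client-a.36852 > vpn.example.com.ipsec-msft: NONESP-encap: isakmp: phase 1 ? ident[E]
07:51:52.917429 IP vpn.example.com.ipsec-msft > client-a.36852: NONESP-encap: isakmp: phase 1 ? ident[E]
07:51:52.948202 IP client-a.36852 > vpn.example.com.ipsec-msft: NONESP-encap: isakmp: phase 2/others ? inf[E]
07:51:53.954094 IP client-a.36852 > vpn.example.com.ipsec-msft: NONESP-encap: isakmp: phase 2/others ? oakley-quick[E]
07:51:53.954993 IP vpn.example.com.ipsec-msft > client-a.36852: NONESP-encap: isakmp: phase 2/others ? oakley-quick[E]
07:51:53.993554 IP client-a.36852 > vpn.example.com.ipsec-msft: UDP-encap: ESP(spi=0x0b1d9f39,seq=0x1), length 116
07:51:54.006707 IP vpn.example.com.ipsec-msft > client-a.36852: UDP-encap: ESP(spi=0x0c0ebfb5,seq=0x1), length 116
...
07:55:20.336024 IP client-b.35211 > vpn.example.com.ipsec-msft: NONESP-encap: isakmp: phase 1 ? ident[E]
07:55:23.339436 IP client-b.35211 > vpn.example.com.ipsec-msft: NONESP-encap: isakmp: phase 1 ? ident[E]
07:55:23.339749 IP vpn.example.com.ipsec-msft > client-b.35211: NONESP-encap: isakmp: phase 1 ? ident
07:55:23.395106 IP client-b.35211 > vpn.example.com.ipsec-msft: NONESP-encap: isakmp: phase 1 ? ident[E]
07:55:26.388665 IP client-b.35211 > vpn.example.com.ipsec-msft: NONESP-encap: isakmp: phase 1 ? ident[E]
07:55:26.389039 IP vpn.example.com.ipsec-msft > client-b.35211: NONESP-encap: isakmp: phase 1 ? ident
"""

# One tcpdump summary line: timestamp, "IP", src, ">", dst, ":", description.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)


def classify(rest):
    """Map tcpdump's isakmp/ESP description to a coarse exchange stage."""
    if "ESP(" in rest:
        return "esp"
    if "phase 2" in rest:
        return "p2"
    if "phase 1" in rest:
        return "p1_enc" if "[E]" in rest else "p1_clear"
    return "other"


def parse_capture(text, server_host):
    """Group packets by client endpoint ("host.port") as (ts, direction, stage)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skips "..." and any non-packet lines
        src, dst, rest = m.group("src"), m.group("dst"), m.group("rest")
        # tcpdump appends the port or service name after the last dot
        if src.rsplit(".", 1)[0] == server_host:
            direction, client = "s2c", dst
        else:
            direction, client = "c2s", src
        flows[client].append((m.group("ts"), direction, classify(rest)))
    return dict(flows)


def diagnose(events):
    """Return (status, detail) for one client's list of events."""
    c2s = [stage for _, d, stage in events if d == "c2s"]
    s2c = [stage for _, d, stage in events if d == "s2c"]
    retrans = max(0, c2s.count("p1_enc") - 1)
    if "esp" in c2s and "esp" in s2c:
        return "OK", "ESP flowing both ways; IKE phase 1 and 2 completed"
    if "p2" in s2c:
        return "PARTIAL", "phase 2 completed but no ESP seen"
    if "p1_enc" in c2s and s2c and all(stage == "p1_clear" for stage in s2c):
        return "STALLED", (
            f"client sent its encrypted phase 1 identity ({retrans} retransmits) "
            "but the server only answered in the clear; consistent with the two "
            "sides not agreeing on phase 1 keying, e.g. a shared secret mismatch"
        )
    return "INCOMPLETE", "exchange did not reach phase 2"


def analyze(text, server_host):
    """Diagnose every client flow in a capture; returns {client: (status, detail)}."""
    return {client: diagnose(ev) for client, ev in parse_capture(text, server_host).items()}


if __name__ == "__main__":
    for client, (status, detail) in analyze(SAMPLE_CAPTURE, "vpn.example.com").items():
        print(f"{client}: {status} - {detail}")
```

Run it against a real capture by feeding `analyze()` the output of `tcpdump -n -i <iface> udp port 500 or udp port 4500` and the server's hostname or address as tcpdump prints it; a working client should come out as `OK`, while a client that keeps resending `ident[E]` and only gets unencrypted replies shows up as `STALLED`.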
 

MvR

macrumors newbie
Original poster
Jul 29, 2008
12
0
.interconnect file or not

The connection works when downloading the .interconnect file from the server to the client computer and double-clicking on it. Manually entering the parameters and shared secret does not, which explains why the iPhone doesn't connect, since the parameters are entered manually.

Can anyone tell me what the difference is? And how to get the missing piece of info into the iPhone so as to connect to the SL server?
 

Alrescha

macrumors 68020
Jan 1, 2008
2,156
317
Can anyone tell me what the difference is? And how to get the missing piece of info into the iPhone so as to connect to the SL server?

I use the L2TP over IPsec VPN with original iPhone, iPod Touch, and iPad - along with various Mac OS X devices. If the shared secret isn't what you think it is, you'll get the 'not responding' message.

I advise double/triple/quadruple checking the shared secret. If it contains some strange characters you might change it on the off chance that there is some keyboard entry glitch.

A.
 