Just spent a couple of hours trying to get a Mac OS X laptop connected to a Cisco IOS IPSEC/L2TP server. The existing configuration worked fine for windows and linux servers but the Mac just refused to establish a connection. The Cisco logs contained the usual cryptic message.
Dec 16 16:53:47.955: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 184.108.40.206, remote= 220.127.116.11,.
local_proxy= 18.104.22.168/255.255.255.255/17/1701 (type=1),.
remote_proxy= 22.214.171.124/255.255.255.255/17/1701 (type=1),
protocol= ESP, transform= esp-3des esp-sha-hmac (Transport-UDP),.
lifedur= 0s and 0kb,.
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x800
Dec 16 16:53:47.955: Crypto mapdb : proxy_match
src addr : 126.96.36.199
dst addr : 188.8.131.52
protocol : 17
src port : 1701
dst port : 49561
Dec 16 16:53:47.955: map_db_find_best did not find matching map
Dec 16 16:53:47.955: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address A.B.C.D
After much googling I discovered that the problem was dst port: 49561 . Unlike most other L2TP clients the Mac uses a random source port for the L2TP part of the connection. Most others use 1701 for source and destination.
So relaxing this
ip access-list extended L2TP
permit udp host 184.108.40.206 eq 1701 any eq 1701
ip access-list extended L2TP
permit udp host 220.127.116.11 eq 1701 any
solved the problem.
It would now normally be the time for me to rant about how IPSEC has to be one of the most badly implemented protocols by all vendors and how getting two different implementations to talk to each other always takes a minimum of 2 hours even if you’ve done it before but it would just be too exhausting.
To quote Justaan:
This is what we call the Melbourne Cup Network Effect
It seems it really is the race that stops the nation. This is a graph of Bulletproof’s outbound web traffic for today. That’s a 37% drop in outbound traffic just after 3pm.
Make sure you take note of my l33t gimp skills!
Pia posting about Software freedom day, software freedom day online shop is up, reminded me about something I’ve been meaning to post for a while.
When you send in the address to get your team’s t-shirts and goodies, make sure you get it right!
Last year I helped pack all the goodies that we sent overseas, this was sometime in August if I remember correctly. We needed to put a return address on the packages so I offered the use of Bulletproof’s address.
6 months later the following turned up on our doorstep.
Notice the use of hemp rope and wax seal. This box has been through a lot!
Being Technical Guru for linux.conf.au 2007 was one of the most amazing experiences I’ve had in recent years. It was a lot of hard work but it was totally worth it. Having a room burst into applause at the penguin dinner when you say your the network guy is pretty unbelievable.
I went up to the Hunter for a week to recover from the conference and as usual after linux.conf.au I did a lot of thinking as to whether it was time to try something new. This time change won out at the end of the day and after 6 years at Bulletproof I decided it was time to move on.
At the beginning of March I started as Director of Engineering at Vquence. Since we are a video company it was decided that we each needed to have our own video on the web.
The past three weeks have been so hectic that Bulletproof already seems a lifetime ago. I’ve been involved in everything from setting up the new office and the corporate infrastructure to product development.
Joining a startup right at the beginning is always an amazing experience. With just a few people on the ground you always get pulled in a few million directions and there is always a new challenge just another five minutes away. I definitely recommend anyone else to jump at the opportunity if it ever presents itself.
Matt came to me with an interesting problem at Bulletproof this week. We have a dedicated hosting customer who talks to an external application for e-commerce. The IP for this was going to change but they needed to do to some testing before the switch. As usual with most enterprise applications, the hostname was hard coded. 🙁
Matt suggested we do some DNS poisoning or do some transparent proxying using squid or similar. While these would have worked they required firewall changes through three levels of firewalls and extra infrastructure.
So I turned to an evil solution, iptables. 🙂 Most people use DNAT on the inbound connection from the Internet to their internal private network to port forward to internal servers, or perform one-to-one NAT mappings. There is nothing stopping you using it the other way around.
Lets say that every time someone browses to http://bulletproof.net we want them to hit http://inodes.org instead. All you need to do is use DNAT to translate one IP address into the other.
animal:~ johnf$ host bulletproof.net
bulletproof.net has address 18.104.22.168
animal:~ johnf$ host inodes.org
inodes.org has address 22.214.171.124
animal:~ johnf$ sudo iptables -t nat -A PREROUTING -d 126.96.36.199 -j DNAT –to 188.8.131.52
Now for some testing, a ping looks normal
animal:~johnf$ ping www.bulletproof.net
PING www.bulletproof.net.au (184.108.40.206) 56(84) bytes of data.
64 bytes from 220.127.116.11: icmp_seq=1 ttl=241 time=198 ms
but a tcpdump looks like
animal:~johnf$ sudo tcpdump -ni eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
16:35:25.099510 IP 18.104.22.168 > 22.214.171.124: icmp 64: echo request seq 1
16:35:25.301712 IP 126.96.36.199 > 188.8.131.52: icmp 64: echo reply seq 1
Of course if anyone needs to try and debug this they are going to have a really fun time working out what is going on. 🙂
If you want to test this yourself you can do it on your own machine using the OUTPUT chain instead of PREROUTING.