Mac OS X L2TP VPN to Cisco IOS

Just spent a couple of hours trying to get a Mac OS X laptop connected to a Cisco IOS IPSEC/L2TP server. The existing configuration worked fine for windows and linux servers but the Mac just refused to establish a connection. The Cisco logs contained the usual cryptic message.

Dec 16 16:53:47.955: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local=, remote=,.
    local_proxy= (type=1),.
    remote_proxy= (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Transport-UDP),.
    lifedur= 0s and 0kb,.
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x800
Dec 16 16:53:47.955: Crypto mapdb : proxy_match
    src addr     :
    dst addr     :
    protocol     : 17
    src port     : 1701
    dst port     : 49561
Dec 16 16:53:47.955: map_db_find_best did not find matching map
Dec 16 16:53:47.955: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address A.B.C.D

After much googling I discovered that the problem was dst port: 49561 . Unlike most other L2TP clients the Mac uses a random source port for the L2TP part of the connection. Most others use 1701 for source and destination.

So relaxing this

ip access-list extended L2TP
 permit udp host eq 1701 any eq 1701

to this

ip access-list extended L2TP
 permit udp host eq 1701 any

solved the problem.

It would now normally be the time for me to rant about how IPSEC has to be one of the most badly implemented protocols by all vendors and how getting two different implementations to talk to each other always takes a minimum of 2 hours even if you’ve done it before but it would just be too exhausting.

Melbourne Cup Dip2

To quote Justaan:

This is what we call the Melbourne Cup Network Effect

Melbourne Cup network effect

It seems it really is the race that stops the nation. This is a graph of Bulletproof’s outbound web traffic for today. That’s a 37% drop in outbound traffic just after 3pm.

Make sure you take note of my l33t gimp skills!

Firefox 3 and

There is currently a bug in firefox 3 which causes it to crash with an XError BadAloc when you go to any page hosted on howtoforge.

This seems to be related to the image at I suggest you don’t click on that link đŸ™‚

Apparently this image is 10,000 pixels wide. It looks like this is probably a GTK issue since the same problem happended when I opened the image with evince!

I tried writing a greasemonkey script to get around this problem but it loads too late to avert the crash. So iptables to the rescue.

iptables -I OUTPUT -d -m string –algo bm –to 70 –string “GET /themes/htf_glass/images/bg_header_bottom_left15.png” -j DROP

    -I OUTPUT  # Match packets levaing my laptop
    -d   # Only packets going to howtoforge
    -m string  # Invoke the string matcher
    --algo bm  # Pick a matching algorithm
    --to 70  # Only check the first 70 bytes of each packet
    --string "GET /themes/htf_glass/images/bg_header_bottom_left15.png"  
    -j DROP # Drop the sucker

Ubuntu, VLANs and Bridges

Bridge and VLAN support has improved dramatically under Ubuntu and probably Debian as well since I last looked into it. once upon a time to create a bridge linked to a VLAN interface you would have to do horrible things like.

auto eth0
ifconfig eth0 inet manual
    pre-up /sbin/vconfig set_name_type VLAN_PLUS_VID_NO_PAD || true

auto vlan7
iface vlan7 inet manual
    pre-up /sbin/vconfig add eth0 7 || true
    post-down /sbin/vconfig rem vlan7 || true

auto br0
    pre-up brctl addbr br0
    pre-up brctl addif br0 vlan7
    post-down brctl delbr br0

Now the bridge-utils and vlan packages provide hooks into the ifup and ifdown commands so you can simply do

auto br-vlan4
iface br-vlan4 inet static
    vlan-raw-device eth1
    bridge_ports vlan4
    bridge_maxwait 0
    bridge_fd 0
    bridge_stp off

Which will automagically

  • Bring up eth1
  • Create vlan4 bound to the eth1 interface
  • Bring up vlan4
  • Create the br0 with vlan4 attached
  • Give eth1 the same HW address as br0
  • Bring up br0 with the IP address