uPaymeiFixit
Posts: 14
Joined: Sun Jul 29, 2012 4:57 pm

L2TP VPN only working locally

Thu Jul 11, 2013 6:08 am

I've followed this guide to set up an L2TP server, which works over my local network. When I try to connect from outside the subnet however, it does not work. I have ports TCP 1701, UDP 500, and UDP 4500 forwarded.
I know that more information is probably needed, but I'm not sure what. Please let me know if I can provide anything to help troubleshoot.

uPaymeiFixit
Posts: 14
Joined: Sun Jul 29, 2012 4:57 pm

Re: L2TP VPN only working locally

Thu Jul 11, 2013 6:21 am

As it turns out my router was not forwarding those ports correctly. There are two sections and I don't understand the difference between them. Virtual Server and Port Forwarding. I've been using Virtual Server for everything because it seemed like Port Forwarding was not working, but I decided to try using it, and it worked.

Davespice
Forum Moderator
Posts: 1665
Joined: Fri Oct 14, 2011 8:06 pm
Location: The Netherlands

Re: L2TP VPN only working locally

Thu Jul 11, 2013 9:49 am

This is a complicated area and you could do with reading up a bit more on TCP/IP and how routers work. In a nutshell though, the router you have at home has an IP address on the internet. All the network devices in your home share this IP address when sending and receiving their traffic through your router.

However when the router receives an incoming request on a particular port number it won’t know what network device in your home that message is for; unless you set up some port forwarding rules. So for example; anything on port 80 should go to this computer, anything on port 1701 goes to the Pi etc. Hope this helps :)

uPaymeiFixit
Posts: 14
Joined: Sun Jul 29, 2012 4:57 pm

Re: L2TP VPN only working locally

Thu Jul 11, 2013 4:33 pm

Davespice wrote: This is a complicated area and you could do with reading up a bit more on TCP/IP and how routers work. In a nutshell though, the router you have at home has an IP address on the internet. All the network devices in your home share this IP address when sending and receiving their traffic through your router.

However when the router receives an incoming request on a particular port number it won’t know what network device in your home that message is for; unless you set up some port forwarding rules. So for example; anything on port 80 should go to this computer, anything on port 1701 goes to the Pi etc. Hope this helps :)
This much of it I understand. On my router I just don't understand the difference between Virtual Server and Port Forwarding. I have a D-Link DIR-655, and the Virtual Server and Port Forwarding pages look very similar and seem to do the same thing, but I've never been able to get Port Forwarding to actually work, so I've always set everything up (HTTP, SSH, VNC, PPTP, etc.) through the Virtual Server and it's worked fine. This is the first time that Port Forwarding has been the answer and Virtual Server has not, so there must be a difference, I just don't know what it is.

uPaymeiFixit
Posts: 14
Joined: Sun Jul 29, 2012 4:57 pm

Re: L2TP VPN only working locally

Thu Jul 11, 2013 5:03 pm

I've just noticed that this only works on my Android device, and isn't working on Mac.

Here is the /var/log/auth.log while trying to connect externally from my Mac.


Jul 11 17:01:02 raspberrypi pluto[2204]: packet from 198.228.221.126:51368: received Vendor ID payload [RFC 3947] method set to=109 
Jul 11 17:01:02 raspberrypi pluto[2204]: packet from 198.228.221.126:51368: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110 
Jul 11 17:01:02 raspberrypi pluto[2204]: packet from 198.228.221.126:51368: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
Jul 11 17:01:02 raspberrypi pluto[2204]: packet from 198.228.221.126:51368: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Jul 11 17:01:02 raspberrypi pluto[2204]: packet from 198.228.221.126:51368: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
Jul 11 17:01:02 raspberrypi pluto[2204]: packet from 198.228.221.126:51368: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
Jul 11 17:01:02 raspberrypi pluto[2204]: packet from 198.228.221.126:51368: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
Jul 11 17:01:02 raspberrypi pluto[2204]: packet from 198.228.221.126:51368: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
Jul 11 17:01:02 raspberrypi pluto[2204]: packet from 198.228.221.126:51368: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
Jul 11 17:01:02 raspberrypi pluto[2204]: packet from 198.228.221.126:51368: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
Jul 11 17:01:02 raspberrypi pluto[2204]: packet from 198.228.221.126:51368: ignoring Vendor ID payload [FRAGMENTATION 80000000]
Jul 11 17:01:02 raspberrypi pluto[2204]: packet from 198.228.221.126:51368: received Vendor ID payload [Dead Peer Detection]
Jul 11 17:01:02 raspberrypi pluto[2204]: "L2TP-PSK-NAT"[13] 198.228.221.126 #30: responding to Main Mode from unknown peer 198.228.221.126
Jul 11 17:01:02 raspberrypi pluto[2204]: "L2TP-PSK-NAT"[13] 198.228.221.126 #30: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 11 17:01:02 raspberrypi pluto[2204]: "L2TP-PSK-NAT"[13] 198.228.221.126 #30: STATE_MAIN_R1: sent MR1, expecting MI2
Jul 11 17:01:02 raspberrypi pluto[2204]: "L2TP-PSK-NAT"[13] 198.228.221.126 #30: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
Jul 11 17:01:02 raspberrypi pluto[2204]: "L2TP-PSK-NAT"[13] 198.228.221.126 #30: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 11 17:01:02 raspberrypi pluto[2204]: "L2TP-PSK-NAT"[13] 198.228.221.126 #30: STATE_MAIN_R2: sent MR2, expecting MI3
Jul 11 17:01:02 raspberrypi pluto[2204]: "L2TP-PSK-NAT"[13] 198.228.221.126 #30: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Jul 11 17:01:02 raspberrypi pluto[2204]: "L2TP-PSK-NAT"[13] 198.228.221.126 #30: Main mode peer ID is ID_IPV4_ADDR: '192.168.43.185'
Jul 11 17:01:02 raspberrypi pluto[2204]: "L2TP-PSK-NAT"[13] 198.228.221.126 #30: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jul 11 17:01:02 raspberrypi pluto[2204]: "L2TP-PSK-NAT"[13] 198.228.221.126 #30: new NAT mapping for #30, was 198.228.221.126:51368, now 198.228.221.126:44334
Jul 11 17:01:02 raspberrypi pluto[2204]: "L2TP-PSK-NAT"[13] 198.228.221.126 #30: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Jul 11 17:01:02 raspberrypi pluto[2204]: "L2TP-PSK-NAT"[13] 198.228.221.126 #30: Dead Peer Detection (RFC 3706): enabled
Jul 11 17:01:03 raspberrypi pluto[2204]: "L2TP-PSK-NAT"[13] 198.228.221.126 #30: Applying workaround for Mac OS X NAT-OA bug, ignoring proposed subnet
Jul 11 17:01:03 raspberrypi pluto[2204]: "L2TP-PSK-NAT"[13] 198.228.221.126 #30: the peer proposed: 76.174.184.215/32:17/1701 -> 198.228.221.126/32:17/63904
Jul 11 17:01:03 raspberrypi pluto[2204]: "L2TP-PSK-NAT"[13] 198.228.221.126 #31: responding to Quick Mode proposal {msgid:e199448a}
Jul 11 17:01:03 raspberrypi pluto[2204]: "L2TP-PSK-NAT"[13] 198.228.221.126 #31:     us: 192.168.0.121<192.168.0.121>[+S=C]:17/1701
Jul 11 17:01:03 raspberrypi pluto[2204]: "L2TP-PSK-NAT"[13] 198.228.221.126 #31:   them: 198.228.221.126[192.168.43.185,+S=C]:17/63904
Jul 11 17:01:03 raspberrypi pluto[2204]: "L2TP-PSK-NAT"[13] 198.228.221.126 #31: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jul 11 17:01:03 raspberrypi pluto[2204]: "L2TP-PSK-NAT"[13] 198.228.221.126 #31: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jul 11 17:01:04 raspberrypi pluto[2204]: "L2TP-PSK-NAT"[13] 198.228.221.126 #31: Dead Peer Detection (RFC 3706): enabled
Jul 11 17:01:04 raspberrypi pluto[2204]: "L2TP-PSK-NAT"[13] 198.228.221.126 #31: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jul 11 17:01:04 raspberrypi pluto[2204]: "L2TP-PSK-NAT"[13] 198.228.221.126 #31: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x01cacf45 <0xf6b02309 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=198.228.221.126:44334 DPD=enabled}
Jul 11 17:01:05 raspberrypi pluto[2204]: initiate on demand from 192.168.0.121:1701 to 198.228.221.126:56672 proto=17 state: fos_start because: acquire
Jul 11 17:01:23 raspberrypi pluto[2204]: "L2TP-PSK-NAT"[13] 198.228.221.126 #30: received Delete SA(0x01cacf45) payload: deleting IPSEC State #31
Jul 11 17:01:24 raspberrypi pluto[2204]: "L2TP-PSK-NAT"[13] 198.228.221.126 #30: received and ignored informational message
Jul 11 17:01:24 raspberrypi pluto[2204]: "L2TP-PSK-NAT"[13] 198.228.221.126 #30: received Delete SA payload: deleting ISAKMP State #30
Jul 11 17:01:24 raspberrypi pluto[2204]: packet from 198.228.221.126:44334: received and ignored informational message
Jul 11 17:01:57 raspberrypi pluto[2204]: "L2TP-PSK-NAT"[13] 198.228.221.126 #29: max number of retransmissions (2) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
Jul 11 17:01:57 raspberrypi pluto[2204]: "L2TP-PSK-NAT"[13] 198.228.221.126: deleting connection "L2TP-PSK-NAT" instance with peer 198.228.221.126 {isakmp=#0/ipsec=#0}
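The log above shows IKE Main Mode and Quick Mode both completing (ISAKMP SA and then an IPsec SA in transport mode for UDP 1701), NAT-T detecting "both are NATed", and the peer deleting the SAs about twenty seconds later. The following parser is an added example, not code from this thread or from Openswan: it reads lines in the format pluto writes, keyed by peer address, and maps the phases reached to the layer worth checking next, so that a failure at the IKE stage (ports 500/4500 not reaching the Pi) can be told apart from one after IPsec is already up. SAMPLE_LOG is a trimmed, constructed copy of the posted lines; the message substrings it matches on are the ones visible in the post.

```python
"""Walk an Openswan/pluto auth.log negotiation and report where it stopped.

Added example, not code from the thread or from Openswan. Parses the line
format pluto writes (as in the post above), grouped by peer address, and maps
the phases reached to the next layer a defender should look at.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, Optional

# Constructed sample: a trimmed copy of the lines posted above.
SAMPLE_LOG = """\
Jul 11 17:01:02 raspberrypi pluto[2204]: "L2TP-PSK-NAT"[13] 198.228.221.126 #30: responding to Main Mode from unknown peer 198.228.221.126
Jul 11 17:01:02 raspberrypi pluto[2204]: "L2TP-PSK-NAT"[13] 198.228.221.126 #30: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
Jul 11 17:01:02 raspberrypi pluto[2204]: "L2TP-PSK-NAT"[13] 198.228.221.126 #30: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Jul 11 17:01:03 raspberrypi pluto[2204]: "L2TP-PSK-NAT"[13] 198.228.221.126 #31: responding to Quick Mode proposal {msgid:e199448a}
Jul 11 17:01:04 raspberrypi pluto[2204]: "L2TP-PSK-NAT"[13] 198.228.221.126 #31: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x01cacf45 <0xf6b02309 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=198.228.221.126:44334 DPD=enabled}
Jul 11 17:01:23 raspberrypi pluto[2204]: "L2TP-PSK-NAT"[13] 198.228.221.126 #30: received Delete SA(0x01cacf45) payload: deleting IPSEC State #31
Jul 11 17:01:24 raspberrypi pluto[2204]: "L2TP-PSK-NAT"[13] 198.228.221.126 #30: received Delete SA payload: deleting ISAKMP State #30
"""

# Only lines carrying a connection name and an ISAKMP state number (#30, #31)
# describe a negotiation; vendor-ID and "packet from" chatter is skipped.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+) #(?P<state>\d+): (?P<msg>.*)$'
)


@dataclass
class Negotiation:
    peer: str
    conn: str
    phase1_started: bool = False
    isakmp_established: Optional[datetime] = None
    ipsec_established: Optional[datetime] = None
    ipsec_deleted: Optional[datetime] = None
    nat_result: Optional[str] = None
    params: Dict[str, str] = field(default_factory=dict)  # Phase 1 auth/cipher/prf/group
    failure: Optional[str] = None  # e.g. the "max number of retransmissions" message


def _ts(text: str) -> datetime:
    # syslog timestamps carry no year; only differences between them are used
    return datetime.strptime(text, "%b %d %H:%M:%S")


def parse_pluto_log(text: str) -> Dict[str, Negotiation]:
    negs: Dict[str, Negotiation] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        peer, msg = m["peer"], m["msg"]
        neg = negs.setdefault(peer, Negotiation(peer=peer, conn=m["conn"]))
        when = _ts(m["ts"])
        if "responding to Main Mode" in msg:
            neg.phase1_started = True
        elif "ISAKMP SA established" in msg:
            neg.isakmp_established = when
            neg.params = dict(re.findall(r"(\w+)=(\w+)", msg.partition("{")[2]))
        elif "NAT-Traversal: Result" in msg:
            neg.nat_result = msg.rsplit(":", 1)[1].strip()
        elif "IPsec SA established" in msg:
            neg.ipsec_established = when
        elif "deleting IPSEC State" in msg:
            neg.ipsec_deleted = when
        elif "max number of retransmissions" in msg:
            neg.failure = msg
    return negs


def diagnose(neg: Negotiation) -> str:
    """Map the phases reached to the layer worth checking next."""
    if not neg.phase1_started:
        return "no IKE exchange: nothing reached pluto on UDP 500/4500 (check forwarding and firewall)"
    if neg.isakmp_established is None:
        return neg.failure or "IKE Phase 1 did not complete (commonly a PSK or proposal mismatch)"
    if neg.ipsec_established is None:
        return "IKE Phase 1 ok, Quick Mode did not complete (Phase 2 proposal or selector mismatch)"
    if neg.ipsec_deleted is not None:
        lived = (neg.ipsec_deleted - neg.ipsec_established).total_seconds()
        return (f"IPsec SA established and torn down by the peer after {lived:.0f}s: "
                "IPsec is fine, check the L2TP daemon and PPP authentication next")
    return "IPsec SA established and still up"


def summarize(text: str) -> Dict[str, str]:
    return {peer: diagnose(neg) for peer, neg in parse_pluto_log(text).items()}


if __name__ == "__main__":
    for peer, verdict in summarize(SAMPLE_LOG).items():
        print(f"{peer}: {verdict}")
```

Run against a full auth.log it reports one verdict per peer address; for the posted session the verdict is that IPsec completed and the client tore the tunnel down 19 seconds later, which points at the L2TP/PPP stage rather than at the port forwarding.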

drgeoff
Posts: 10765
Joined: Wed Jan 25, 2012 6:39 pm

Re: L2TP VPN only working locally

Thu Jul 11, 2013 7:14 pm

The terms "Virtual server" and "Port forwarding" are typically used synonymously. However D-Link (at least for the DIR-655) have both with subtle differences as follows:

Each entry in a Virtual server config can forward a single port and the port number can be remapped from the WAN side to the LAN side. E.g. 86.52.121.77:81 on the WAN side can be sent to 192.168.1.4:80 on the LAN side.

Each entry in port forwarding config can forward a range of ports but there is no remapping possible. E.g. 86.52.121.77:x (where x is between say 16384 and 16999) can be sent to 192.168.1.4:x.

Many other routers can be configured to do both of the above in just one config entry.

uPaymeiFixit
Posts: 14
Joined: Sun Jul 29, 2012 4:57 pm

Re: L2TP VPN only working locally

Thu Jul 11, 2013 8:59 pm

uPaymeiFixit wrote: I've just noticed that this only works on my Android device, and isn't working on Mac.
Somehow it's magically fixed itself. I left for a few hours and came back to it working. I have no idea how or why... So long as it works I'm happy I guess, but I would still like to understand what may have caused this. It also does not seem to be working in Windows, but I've heard that requires a registry hack.
