我有一台运行L2TP / IPSec VPN服务器的Mac OS X Server(10.9)机器。 configuration看起来很好,服务器和VPN的主机名都设置为DynDNS主机名。 服务器configuration在具有端口转发function的AirPort Extreme路由器后面,连接到路由器已禁用(桥接)的Arris调制解调器/路由器。 服务器configuration了静态内部IP,路由器也通过DHCP绑定了MAC地址,以保证内部地址一致。
如果我input服务器的内部IP地址(10.0.1.x)并尝试从networking内连接到VPN服务器,一切正常。 但是,如果我input外部主机名(DynDNS名称)并尝试再次从networking内部进行连接,则无法连接。 在networking之外(例如通过LTE),它同样无法连接。
其他服务(SSH,远程桌面等)都可以很好地连接到networking内外。 只有VPN受到影响。 我可以确认服务器可以从SSH和远程桌面(端口22/5900)到达。
我进一步确认,除了其他服务使用的其他端口之外,路由器正在转发端口500(UDP),1701(UDP)和4500(UDP)。
当我尝试连接时,客户端控制台上显示以下内容:
12/16/13 11:13:33.213 PM configd[28]: SCNC: start, triggered by (15822) com.apple.prefe, type L2TP, status 0, trafficClass 0 12/16/13 11:13:33.229 PM pppd[15967]: publish_entry SCDSet() failed: Success! 12/16/13 11:13:33.230 PM pppd[15967]: publish_entry SCDSet() failed: Success! 12/16/13 11:13:33.230 PM pppd[15967]: pppd 2.4.2 (Apple version 727.1.15) started by user, uid 501 12/16/13 11:13:33.231 PM pppd[15967]: L2TP connecting to server 'xxxx' (xxxx)... 12/16/13 11:13:33.232 PM pppd[15967]: IPSec connection started 12/16/13 11:13:33.244 PM racoon[15968]: accepted connection on vpn control socket. 12/16/13 11:13:33.244 PM racoon[15968]: Connecting. 12/16/13 11:13:33.244 PM racoon[15968]: IPSec Phase 1 started (Initiated by me). 12/16/13 11:13:33.245 PM racoon[15968]: IKE Packet: transmit success. (Initiator, Main-Mode message 1). 12/16/13 11:13:33.245 PM racoon[15968]: >>>>> phase change status = Phase 1 started by us 12/16/13 11:13:33.416 PM racoon[15968]: >>>>> phase change status = Phase 1 started by peer 12/16/13 11:13:33.416 PM racoon[15968]: IKE Packet: receive success. (Initiator, Main-Mode message 2). 12/16/13 11:13:33.420 PM racoon[15968]: IKE Packet: transmit success. (Initiator, Main-Mode message 3). 12/16/13 11:13:33.429 PM racoon[15968]: IKE Packet: receive success. (Initiator, Main-Mode message 4). 12/16/13 11:13:33.447 PM racoon[15968]: IKE Packet: transmit success. (Initiator, Main-Mode message 5). 12/16/13 11:13:36.715 PM racoon[15968]: !!! skipped retransmitting frags: frag_flags 1, r->sendbuf->l 112, max 1280 12/16/13 11:13:36.715 PM racoon[15968]: Received retransmitted packet from xxxx[500]. 12/16/13 11:13:36.715 PM racoon[15968]: the packet is retransmitted by xxxx[500]. 12/16/13 11:13:36.745 PM racoon[15968]: IKE Packet: transmit success. (Phase 1 Retransmit). 12/16/13 11:13:39.872 PM racoon[15968]: !!! skipped retransmitting frags: frag_flags 1, r->sendbuf->l 112, max 1280 12/16/13 11:13:39.872 PM racoon[15968]: Received retransmitted packet from xxxx[500]. 12/16/13 11:13:39.873 PM racoon[15968]: the packet is retransmitted by xxxx[500]. 12/16/13 11:13:40.043 PM racoon[15968]: IKE Packet: transmit success. (Phase 1 Retransmit). 12/16/13 11:13:43.170 PM racoon[15968]: !!! skipped retransmitting frags: frag_flags 1, r->sendbuf->l 112, max 1280 12/16/13 11:13:43.170 PM racoon[15968]: Received retransmitted packet from xxxx[500]. 12/16/13 11:13:43.170 PM racoon[15968]: the packet is retransmitted by xxxx[500]. 12/16/13 11:13:43.335 PM racoon[15968]: IKE Packet: transmit success. (Phase 1 Retransmit). 12/16/13 11:13:55.912 PM racoon[15968]: IKE Packet: transmit success. (Phase 1 Retransmit). 12/16/13 11:13:56.367 PM racoon[15968]: !!! skipped retransmitting frags: frag_flags 1, r->sendbuf->l 112, max 1280 12/16/13 11:13:56.367 PM racoon[15968]: Received retransmitted packet from xxxx[500]. 12/16/13 11:13:56.367 PM racoon[15968]: the packet is retransmitted by xxxx[500]. 12/16/13 11:14:03.416 PM pppd[15967]: IPSec connection failed 12/16/13 11:14:03.416 PM racoon[15968]: IPSec disconnecting from server xxxx 12/16/13 11:14:03.416 PM racoon[15968]: glob found no matches for path "/var/run/racoon/*.conf" 而这在服务器的控制台上:
12/16/13 11:13:33.404 PM racoon[216]: IPSec Phase 1 started (Initiated by peer). 12/16/13 11:13:33.404 PM racoon[216]: IKE Packet: receive success. (Responder, Main-Mode message 1). 12/16/13 11:13:33.404 PM racoon[216]: >>>>> phase change status = Phase 1 started by us 12/16/13 11:13:33.404 PM racoon[216]: IKE Packet: transmit success. (Responder, Main-Mode message 2). 12/16/13 11:13:33.541 PM racoon[216]: IKE Packet: receive success. (Responder, Main-Mode message 3). 12/16/13 11:13:33.559 PM racoon[216]: IKE Packet: transmit success. (Responder, Main-Mode message 4). 12/16/13 11:13:33.566 PM racoon[216]: Connecting. 12/16/13 11:13:36.697 PM racoon[216]: IKE Packet: transmit success. (Phase 1 Retransmit). 12/16/13 11:13:36.697 PM racoon[216]: IKE Packet: transmit success. (Phase 1 Retransmit). 12/16/13 11:13:39.989 PM racoon[216]: IKE Packet: transmit success. (Phase 1 Retransmit). 12/16/13 11:13:43.286 PM racoon[216]: IKE Packet: transmit success. (Phase 1 Retransmit). 12/16/13 11:13:56.484 PM racoon[216]: IKE Packet: transmit success. (Phase 1 Retransmit). 12/16/13 11:14:06.392 PM racoon[216]: IKE Packet: transmit success. (Phase 1 Retransmit). 12/16/13 11:14:12.978 PM racoon[216]: IKE Packet: transmit success. (Phase 1 Retransmit). 12/16/13 11:14:32.767 PM racoon[216]: IKE Packet: transmit success. (Phase 1 Retransmit). 12/16/13 11:14:39.390 PM racoon[216]: IKEv1 Phase 1: maximum retransmits. (Phase 1 Maximum Retransmits). 12/16/13 11:14:39.390 PM racoon[216]: Phase 1 negotiation failed due to time up. 45b24df5cc9713e7:9b427f72231ccb59
我注意到的一件事情是客户端在11:14:03失败,而服务器不断地重新传输数据包30秒,直到超时。 这种情况下的客户端是Mac OS X,但iOS客户端的行为类似。
我应该在这里寻找哪些疑难解答步骤?
好的,原来这是最新版本的Mac OS X Server中的一个“bug”。 从我所能find的情况来看,如果源端口不是UDP 4500,IKE守护进程racoon将不会接受连接。通过NAT的大多数连接都会随机化源端口,这意味着它不会连接。 守护进程的旧版本没有这个限制。 如果直接连接到服务器的IP,来自networking内部的连接不会随机化端口,但显然会发生环回和外部连接,从而导致故障。
那么快速解决scheme就是用OS 10.8中的旧版本replaceracoon二进制文件 ,当然,通过将racoon.new命名为racoon.old (或者racoon.new会更加正确?:D)来备份旧的。
苹果似乎意识到这个问题,希望他们会发出一个修复; 同时,还原二元作品。