EVDOforums.com Discussion forum for EVDO users
Michael Site Admin
Joined: 13 Jan 2005 Posts: 5314 Location: Cary, IL
|
Posted: Tue Feb 21, 2006 2:16 pm Post subject: KR1 VPN to MacOS X Server, Problems |
|
|
A customer is trying to establish a VPN connection to a Mac OS X Server 10.3.9 (software based VPN). They can establish a VPN except when connected via KR1.
They tried making their local IP the DMZ.
They tried enabling VPN Pass-Through for PPTP and IPSec under Advanced/Misc.
They tried enabling the IPSec Virtual Server, setting the Private IP to the one given to me by the KR1 (192.168.0.102) and leaving the default Protocol Type UDP, Private and Public ports 500, Schedule Always.
If they take the KPC650 and plug it directly into the PowerBook, VPN works fine.
Anyone figure out the correct settings to VPN to a Mac OS X Server from a KR1?
|
Mackieman EVDO Junkie
Joined: 31 Oct 2005 Posts: 491
|
Posted: Tue Feb 21, 2006 3:54 pm Post subject: |
|
|
What OS is the client running? If possible, a netstat -a dump (or its equivalent in OS X) would be helpful. From what little I know about the firewall that comes with OS X Server, it does some SPI and may see that the client packets are not originated from the router's public MAC address. This may cause the packets to fall off at the remote firewall.
Also, does the client authenticate and then not pass data or does it never authenticate in the first place? |
|
rcw3 EVDO User
Joined: 29 Apr 2005 Posts: 47
|
Posted: Tue Feb 21, 2006 5:40 pm Post subject: |
|
|
| I'm using the KR1 with both a KPC650 (Verizon) and a Novatel S620... I've had no issues with running Cisco VPN (using the Cisco VPN client as well as VPN Tracker) from my Mac over the KR1 to the office. Just to provide a statistical blip that it works with VPN in certain configurations apparently. I did nothing to the config but make sure that it was doing VPN passthrough. |
|
Michael Site Admin
Joined: 13 Jan 2005 Posts: 5314 Location: Cary, IL
|
Posted: Thu Feb 23, 2006 10:00 am Post subject: |
|
|
Mackieman,
Here are the specifics:
| Quote: | Running MacOS X 10.4.5 on a 15" G4 PowerBook.
Never authenticates - VPN server log never sees the connection attempt.
|
And here is the netstat dump:
| Quote: | [whitney:/applications] netstat -a dump
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 192.168.0.100.50555 feeds.feedburner.http SYN_SENT
tcp4 0 0 192.168.0.100.50554 basic-twiddle.ye.http ESTABLISHED
tcp4 0 159 192.168.0.100.50552 basic-linus.cata.http ESTABLISHED
tcp4 0 0 192.168.0.100.50551 216.35.221.77.http SYN_SENT
tcp4 0 0 192.168.0.100.50546 mail.dotmac.info.http ESTABLISHED
tcp4 0 0 192.168.0.100.50545 209.73.219.113.http LAST_ACK
tcp4 0 0 192.168.0.100.50543 69.50.231.2.http CLOSING
tcp4 0 0 192.168.0.100.50541 www.apple.com.http LAST_ACK
tcp4 0 0 192.168.0.100.50540 klx.com.http LAST_ACK
tcp4 0 265 192.168.0.100.50539 support.apple.co.http ESTABLISHED
tcp4 0 0 192.168.0.100.50535 latte.alt-it.com.http ESTABLISHED
tcp4 0 0 192.168.0.100.50533 9.70-85-155.reve.http ESTABLISHED
tcp4 0 0 192.168.0.100.50531 drysdale.simplec.http LAST_ACK
tcp4 0 0 192.168.0.100.50529 deplume.com.http LAST_ACK
tcp4 0 0 192.168.0.100.50528 mynah.eff.org.http ESTABLISHED
tcp4 0 0 192.168.0.100.50525 i7.cnn.net.http LAST_ACK
tcp4 0 0 192.168.0.100.50524 mail.messagingen.imaps ESTABLISHED
tcp4 0 0 192.168.0.100.50515 122.2o7.net.http CLOSING
tcp4 0 0 192.168.0.100.50512 i7.cnn.net.http LAST_ACK
tcp4 0 0 192.168.0.100.50508 i7.cnn.net.http LAST_ACK |
|
Mackieman EVDO Junkie
Joined: 31 Oct 2005 Posts: 491
|
Posted: Thu Feb 23, 2006 10:27 am Post subject: |
|
|
| I should clarify that I need the netstat -a dump while the connection attempt is in progress. Also, if the server never sees the connection attempt there may be firewall issues with that server. |
|
kwhitney EVDO Newbie
Joined: 30 Jan 2006 Posts: 5
|
Posted: Thu Feb 23, 2006 12:16 pm Post subject: |
|
|
I'm Michael's customer, Mackieman. Here's a TCPdump during an attempted VPN connection:
tcpdump://en1@localhost;options=-n -p -t
IP 192.168.0.100.49207 > 192.168.0.1.192: UDP, length: 4
IP 192.168.0.1 > 192.168.0.100: icmp 40: 192.168.0.1 udp port 192 unreachable
IP 192.168.0.100.5353 > 224.0.0.251.5353: 0*- [0q] 15/0/2[|domain]
IP 192.168.0.100.49208 > 192.168.0.1.53: 48305+ A? vpn.msrc.org. (30)
IP 192.168.0.100.5353 > 224.0.0.251.5353: 0 [1a] [6q] PTR? _daap._tcp.local. PTR? _raop._tcp.local.[|domain]
IP 192.168.0.1.53 > 192.168.0.100.49208: 48305 1/2/2 A 65.114.175.101 (133)
arp who-has 192.168.0.100 tell 192.168.0.1
arp reply 192.168.0.100 is-at 00:14:51:d9:b7:69
IP 192.168.0.100.500 > 65.114.175.101.500: isakmp: phase 1 I ident
IP 65.114.175.101.500 > 192.168.0.100.500: isakmp: phase 1 R ident
IP 192.168.0.100.500 > 65.114.175.101.500: isakmp: phase 1 I ident
IP 65.114.175.101.500 > 192.168.0.100.500: isakmp: phase 1 R ident
IP 192.168.0.100.4500 > 65.114.175.101.4500: UDP, length: 72
IP 65.114.175.101.500 > 192.168.0.100.500: isakmp: phase 1 R ident
IP 192.168.0.1 > 224.0.0.1: igmp query v3
IP 65.114.175.101.500 > 192.168.0.100.500: isakmp: phase 1 R ident
IP 192.168.0.100.49211 > 239.255.255.253.427: UDP, length: 49
IP 65.114.175.101.500 > 192.168.0.100.500: isakmp: phase 1 R ident
IP 192.168.0.100.4500 > 65.114.175.101.4500: UDP, length: 72
IP 65.114.175.101.500 > 192.168.0.100.500: isakmp: phase 1 R ident
IP 192.168.0.100 > 224.0.0.251: igmp v2 report 224.0.0.251
IP 192.168.0.100.49211 > 239.255.255.253.427: UDP, length: 49
IP 65.114.175.101.500 > 192.168.0.100.500: isakmp: phase 1 R ident
IP 192.168.0.100 > 239.255.255.253: igmp v2 report 239.255.255.253
IP 65.114.175.101.500 > 192.168.0.100.500: isakmp: phase 1 R ident
IP 192.168.0.100.4500 > 65.114.175.101.4500: UDP, length: 72
IP 65.114.175.101.500 > 192.168.0.100.500: isakmp: phase 1 R ident
IP 65.114.175.101.500 > 192.168.0.100.500: isakmp: phase 1 R ident
IP 65.114.175.101.500 > 192.168.0.100.500: isakmp: phase 1 R ident
IP 192.168.0.100.4500 > 65.114.175.101.4500: UDP, length: 72
IP 65.114.175.101.500 > 192.168.0.100.500: isakmp: phase 1 R ident
IP 192.168.0.100.4500 > 65.114.175.101.4500: UDP, length: 72
IP 192.168.0.100.4500 > 65.114.175.101.4500: UDP, length: 72
IP 192.168.0.100.5353 > 224.0.0.251.5353: 0*- [0q] 6/0/0 (Cache flush) TXT[|domain]
IP 192.168.0.100.5353 > 224.0.0.251.5353: 0 [1a] [6q] PTR? _daap._tcp.local. PTR? _raop._tcp.local.[|domain]
... then it times out. Any ideas? |
|
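An added example, not part of any post in this thread: a Python tally of the capture above by UDP port and direction between the client (192.168.0.100) and the VPN server (65.114.175.101). It assumes standard IKEv1 NAT-T behaviour, in which the initiator moves from UDP 500 to UDP 4500 once NAT is detected; the function names and the trimmed sample (a subset of the posted lines) are this example's own.

```python
import re
from collections import Counter

# Subset of the tcpdump lines posted above, in their original order.
CAPTURE = """\
IP 192.168.0.100.49208 > 192.168.0.1.53: 48305+ A? vpn.msrc.org. (30)
IP 192.168.0.100.500 > 65.114.175.101.500: isakmp: phase 1 I ident
IP 65.114.175.101.500 > 192.168.0.100.500: isakmp: phase 1 R ident
IP 192.168.0.100.500 > 65.114.175.101.500: isakmp: phase 1 I ident
IP 65.114.175.101.500 > 192.168.0.100.500: isakmp: phase 1 R ident
IP 192.168.0.100.4500 > 65.114.175.101.4500: UDP, length: 72
IP 65.114.175.101.500 > 192.168.0.100.500: isakmp: phase 1 R ident
IP 192.168.0.1 > 224.0.0.1: igmp query v3
IP 65.114.175.101.500 > 192.168.0.100.500: isakmp: phase 1 R ident
IP 192.168.0.100.4500 > 65.114.175.101.4500: UDP, length: 72
"""

LINE = re.compile(r"^IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

def tally(capture, client, peer):
    """Count client<->peer packets keyed by (direction, peer-side UDP port)."""
    counts = Counter()
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # ARP, IGMP and other lines that carry no port numbers
        src, sport, dst, dport = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
        if (src, dst) == (client, peer):
            counts[("out", dport)] += 1
        elif (src, dst) == (peer, client):
            counts[("in", sport)] += 1
    return counts

def diagnose(counts):
    """Interpret the tally using the IKEv1 NAT-T port float (UDP 500 -> 4500)."""
    if counts[("out", 500)] == 0:
        return "no IKE attempt seen"
    if counts[("in", 500)] == 0:
        return "IKE on UDP 500 unanswered"
    if counts[("out", 4500)] and not counts[("in", 4500)]:
        return "IKE answered on UDP 500; client floated to UDP 4500 (NAT-T) and got no reply"
    return "IKE/NAT-T traffic flowing in both directions"

if __name__ == "__main__":
    c = tally(CAPTURE, "192.168.0.100", "65.114.175.101")
    print(dict(c), "->", diagnose(c))
```

On the posted lines the tally shows replies arriving on UDP 500 only and nothing inbound on UDP 4500, while the server keeps repeating its phase 1 response on port 500. The virtual server described in the first post forwards UDP 500 only.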