Oleg Serdyukov's Blog

An L2TP VPN server and Back To My Mac cannot coexist on the same system

Update, 16.10.2011. Everything in this article also applies to the iCloud Back To My Mac service. If access to the VPN server on your Mac has suddenly stopped working, disable Back To My Mac everywhere.

Yesterday I mentioned that on a Mac OS X VPN server you cannot have the L2TP VPN Server and Back To My Mac configured at the same time. Here are screenshots to confirm it.

Back To My Mac disabled:

The connection is established:

But with Back To My Mac enabled:

the connection is not established:

This was the only change I made.

Apple's documentation says:

"If you wish to enable NAT port forwarding to L2TP VPN servers at private addresses on your AirPort Extreme or Time Capsule network, first ensure that MobileMe is disabled in AirPort Utility. If you configure NAT port forwarding to L2TP VPN servers at private addresses with MobileMe enabled, the setting for port forwarding to the servers will be ignored."

If you need both Back To My Mac and a VPN server, use PPTP VPN. It is less secure, but it does work in this configuration.

A few details. Here is the connection setup without Back To My Mac:

45.599012 109.162.11.133 -> 192.168.98.2 ISAKMP Identity Protection (Main Mode)
45.601468 192.168.98.2 -> 109.162.11.133 ISAKMP Identity Protection (Main Mode)
46.058368 109.162.11.133 -> 192.168.98.2 ISAKMP Identity Protection (Main Mode)
46.069876 192.168.98.2 -> 109.162.11.133 ISAKMP Identity Protection (Main Mode)
46.438942 109.162.11.133 -> 192.168.98.2 ISAKMP Identity Protection (Main Mode)
46.439629 192.168.98.2 -> 109.162.11.133 ISAKMP Identity Protection (Main Mode)
47.738940 109.162.11.133 -> 192.168.98.2 ISAKMP Quick Mode
47.741256 192.168.98.2 -> 109.162.11.133 ISAKMP Quick Mode
47.938956 109.162.11.133 -> 192.168.98.2 ISAKMP Quick Mode
48.177831 109.162.11.133 -> 192.168.98.2 ESP ESP (SPI=0x0c380875)
48.200824 192.168.98.2 -> 109.162.11.133 ESP ESP (SPI=0x0d034052)
...
50.379150 192.168.98.2 -> 109.162.11.133 ESP ESP (SPI=0x0d034052)
50.417807 109.162.11.133 -> 192.168.98.2 ESP ESP (SPI=0x0c380875)
52.650222 192.168.98.2 -> 109.162.11.133 ISAKMP Informational
53.650658 192.168.98.2 -> 109.162.11.133 ISAKMP Informational

And here it is with Back To My Mac enabled:

 5.492165 109.162.11.133 -> 192.168.98.2 ISAKMP Identity Protection (Main Mode)
 8.492130 109.162.11.133 -> 192.168.98.2 ISAKMP Identity Protection (Main Mode)
11.475359 109.162.11.133 -> 192.168.98.2 ISAKMP Identity Protection (Main Mode)
14.532159 109.162.11.133 -> 192.168.98.2 ISAKMP Identity Protection (Main Mode)
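The difference between the two traces is easy to check mechanically: in the good case the server answers Main Mode, both sides complete Quick Mode and ESP flows in both directions; in the bad case the client retransmits Main Mode and the server never replies. The script below is an added example (not code from this post) that classifies tshark-style summary lines into those two outcomes. The sample traces are the lines shown above, and the server address 192.168.98.2 is taken from them.

```python
"""Classify an L2TP/IPsec (IKEv1) connection attempt from a packet-summary trace.

Added example for this post, not code from the original article. It reads
tshark-style summary lines like the ones above and reports whether the IKE
exchange completed (Main Mode -> Quick Mode -> ESP) or stalled with the
client retransmitting Main Mode and the server never answering."""
import re
from collections import Counter

# One summary line: "<time> <src> -> <dst> <protocol> <info>"
LINE_RE = re.compile(
    r"^\s*(?P<ts>\d+\.\d+)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)\s+"
    r"(?P<proto>ISAKMP|ESP|UDPENCAP)\s+(?P<info>.*?)\s*$"
)

# Lines copied from the two traces in the post (the server is 192.168.98.2).
GOOD_TRACE = """
45.599012 109.162.11.133 -> 192.168.98.2 ISAKMP Identity Protection (Main Mode)
45.601468 192.168.98.2 -> 109.162.11.133 ISAKMP Identity Protection (Main Mode)
47.738940 109.162.11.133 -> 192.168.98.2 ISAKMP Quick Mode
47.741256 192.168.98.2 -> 109.162.11.133 ISAKMP Quick Mode
48.177831 109.162.11.133 -> 192.168.98.2 ESP ESP (SPI=0x0c380875)
48.200824 192.168.98.2 -> 109.162.11.133 ESP ESP (SPI=0x0d034052)
"""
BAD_TRACE = """
 5.492165 109.162.11.133 -> 192.168.98.2 ISAKMP Identity Protection (Main Mode)
 8.492130 109.162.11.133 -> 192.168.98.2 ISAKMP Identity Protection (Main Mode)
11.475359 109.162.11.133 -> 192.168.98.2 ISAKMP Identity Protection (Main Mode)
14.532159 109.162.11.133 -> 192.168.98.2 ISAKMP Identity Protection (Main Mode)
"""


def parse_trace(text: str) -> list[dict]:
    """Turn summary lines into dicts; lines that do not match the pattern are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            row = m.groupdict()
            row["ts"] = float(row["ts"])
            rows.append(row)
    return rows


def diagnose_ike(rows: list[dict], server_ip: str) -> dict:
    """Summarise the exchange as seen from the server's side of the capture."""
    c = Counter()
    for r in rows:
        direction = "in" if r["dst"] == server_ip else "out"
        if r["proto"] == "ISAKMP" and "Main Mode" in r["info"]:
            c["main_" + direction] += 1
        elif r["proto"] == "ISAKMP" and "Quick Mode" in r["info"]:
            c["quick_" + direction] += 1
        elif r["proto"] == "ESP":
            c["esp_" + direction] += 1
    if c["esp_in"] and c["esp_out"]:
        status = "established"
    elif c["main_in"] and not c["main_out"]:
        # The client keeps retransmitting Main Mode and the server never replies:
        # its IKE packets are not reaching the daemon (the Back To My Mac case).
        status = "stalled"
    elif c["main_in"]:
        status = "incomplete"
    else:
        status = "no-ike-traffic"
    return {"status": status, **c}


if __name__ == "__main__":
    for name, trace in (("without BTMM", GOOD_TRACE), ("with BTMM", BAD_TRACE)):
        print(name, diagnose_ike(parse_trace(trace), "192.168.98.2"))
```

Run it against your own capture by pasting the summary lines into the trace strings (or reading them from a file) and passing the VPN server's LAN address; a "stalled" result with several Main Mode retransmits and no reply from the server is the signature of this problem.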

When Back To My Mac is enabled, the Mac sends NAT-PMP Map UDP Request messages asking the router to map ports 5353 and 4500. As a result the L2TP server can no longer receive the traffic arriving on port 4500 (IKE NAT Traversal), and the connection is never established.
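To see exactly what those NAT-PMP messages do, it helps to decode them by hand. The script below is an added example (not code from this post or from Apple) that builds and parses NAT-PMP map requests and responses using the RFC 6886 wire layout, then flags any mapping that touches a port an L2TP/IPsec server must own. The sample packets are constructed to carry the same field values as the traces below: internal port 4500 mapped to external port 32774 for 7200 seconds, and the lifetime-0 deletion. The list of IPsec ports is an assumption of the example.

```python
"""Decode NAT-PMP (RFC 6886) map requests/responses and flag mappings that
take over a port the L2TP/IPsec server needs.

Added example for this post; it is neither code from the original article
nor Apple's. The sample packets are constructed to carry the same field
values as the traces in the post (internal port 4500, external 32774,
lifetime 7200, and the lifetime-0 deletion)."""
import struct
from dataclasses import dataclass

NATPMP_VERSION = 0
OP_MAP_UDP = 1
OP_MAP_TCP = 2
RESPONSE_BIT = 128  # a response carries the request opcode + 128

# Ports an L2TP/IPsec server must receive on its public address (assumed list).
IPSEC_PORTS = {500: "ISAKMP", 4500: "IKE NAT-T", 1701: "L2TP"}


@dataclass(frozen=True)
class MapResponse:
    opcode: int
    result_code: int
    seconds_since_epoch: int
    internal_port: int
    mapped_external_port: int
    lifetime: int


def build_map_request(proto_opcode: int, internal_port: int,
                      external_port: int, lifetime: int) -> bytes:
    """12-byte map request: version, opcode, reserved, internal, external, lifetime."""
    if proto_opcode not in (OP_MAP_UDP, OP_MAP_TCP):
        raise ValueError("opcode must be 1 (map UDP) or 2 (map TCP)")
    return struct.pack("!BBHHHI", NATPMP_VERSION, proto_opcode, 0,
                       internal_port, external_port, lifetime)


def parse_map_response(data: bytes) -> MapResponse:
    """16-byte map response: version, opcode, result, seconds, internal, external, lifetime."""
    if len(data) < 16:
        raise ValueError("NAT-PMP map response is 16 bytes")
    version, opcode, result, secs, internal, external, lifetime = struct.unpack(
        "!BBHIHHI", data[:16])
    if version != NATPMP_VERSION or opcode not in (
            OP_MAP_UDP | RESPONSE_BIT, OP_MAP_TCP | RESPONSE_BIT):
        raise ValueError(f"not a NAT-PMP map response (version={version}, opcode={opcode})")
    return MapResponse(opcode, result, secs, internal, external, lifetime)


def audit_mapping(resp: MapResponse) -> list[str]:
    """Return findings for a successful mapping that collides with a VPN port."""
    findings = []
    if resp.result_code != 0:
        return findings  # the gateway refused it; nothing was mapped
    if resp.lifetime == 0:
        return findings  # a lifetime of 0 deletes the mapping (the 'disable' trace)
    name = IPSEC_PORTS.get(resp.internal_port)
    if name:
        findings.append(f"internal port {resp.internal_port} ({name}) "
                        f"mapped by NAT-PMP for {resp.lifetime}s")
        if resp.mapped_external_port != resp.internal_port:
            findings.append(f"external port rewritten to {resp.mapped_external_port}; "
                            f"peers sending {name} to {resp.internal_port} will not reach the server")
    return findings


# Constructed to match the 'enable' trace: 4500 came back as external 32774.
SAMPLE_MAP_RESPONSE = struct.pack("!BBHIHHI", 0, 129, 0, 13283, 4500, 32774, 7200)
# Constructed to match the 'disable' trace: lifetime 0 removes that mapping.
SAMPLE_DELETE_RESPONSE = struct.pack("!BBHIHHI", 0, 129, 0, 13310, 4500, 32774, 0)

if __name__ == "__main__":
    print("request:", build_map_request(OP_MAP_UDP, 4500, 4500, 7200).hex())
    for pkt in (SAMPLE_MAP_RESPONSE, SAMPLE_DELETE_RESPONSE):
        r = parse_map_response(pkt)
        print(r, audit_mapping(r) or ["no collision"])
```

The audit shows the two things that matter for this post: the Mac asked for 4500 but the gateway handed back 32774, and once Back To My Mac owns the 4500 mapping the server's own port forwarding for IKE NAT-T is no longer in effect, which matches Apple's note that the forwarding setting is ignored while MobileMe is enabled.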

Finally, here are the traces from enabling and disabling Back To My Mac.

Enabling Back To My Mac

 28.815152 192.168.98.2 -> 109.162.11.133 UDPENCAP NAT-keepalive
 33.488924 192.168.98.2 -> 192.168.98.1 NAT-PMP External Address Request
	NAT Port Mapping Protocol, External Address Request
	    Version: 0
	    Opcode: External Address Request (0)

 33.489063 192.168.98.2 -> 192.168.98.1 SSDP M-SEARCH * HTTP/1.1
	 M-SEARCH * HTTP/1.1\r\n
	     [Expert Info (Chat/Sequence): M-SEARCH * HTTP/1.1\r\n]
	         [Message: M-SEARCH * HTTP/1.1\r\n]
	         [Severity level: Chat]
	         [Group: Sequence]
	     Request Method: M-SEARCH
	     Request URI: *
	     Request Version: HTTP/1.1
	 Host:239.255.255.250:1900\r\n
	 ST:urn:schemas-upnp-org:service:WANIPConnection:1\r\n
	 Man:"ssdp:discover"\r\n
	 MX:3\r\n
	 \r\n

 33.489094 192.168.98.2 -> 192.168.98.1 NAT-PMP Map UDP Request
	NAT Port Mapping Protocol, Map UDP Request
	    Version: 0
	    Opcode: Map UDP Request (1)
	    Reserved: 0
	    Internal Port: 5353
	    Requested External Port: 5353
	    Requested Port Mapping Lifetime: 7200

 33.489109 192.168.98.2 -> 192.168.98.1 SSDP M-SEARCH * HTTP/1.1
	 M-SEARCH * HTTP/1.1\r\n
	     [Expert Info (Chat/Sequence): M-SEARCH * HTTP/1.1\r\n]
	         [Message: M-SEARCH * HTTP/1.1\r\n]
	         [Severity level: Chat]
	         [Group: Sequence]
	     Request Method: M-SEARCH
	     Request URI: *
	     Request Version: HTTP/1.1
	 Host:239.255.255.250:1900\r\n
	 ST:urn:schemas-upnp-org:service:WANPPPConnection:1\r\n
	 Man:"ssdp:discover"\r\n
	 MX:3\r\n
	 \r\n

 33.489134 192.168.98.2 -> 192.168.98.1 NAT-PMP Map UDP Request
	NAT Port Mapping Protocol, Map UDP Request
	    Version: 0
	    Opcode: Map UDP Request (1)
	    Reserved: 0
	    Internal Port: 4500
	    Requested External Port: 4500
	    Requested Port Mapping Lifetime: 7200

 33.489148 192.168.98.2 -> 192.168.98.1 SSDP M-SEARCH * HTTP/1.1
	 M-SEARCH * HTTP/1.1\r\n
	     [Expert Info (Chat/Sequence): M-SEARCH * HTTP/1.1\r\n]
	         [Message: M-SEARCH * HTTP/1.1\r\n]
	         [Severity level: Chat]
	         [Group: Sequence]
	     Request Method: M-SEARCH
	     Request URI: *
	     Request Version: HTTP/1.1
	 Host:239.255.255.250:1900\r\n
	 ST:urn:schemas-upnp-org:service:WANIPConnection:1\r\n
	 Man:"ssdp:discover"\r\n
	 MX:3\r\n
	 \r\n

 33.493555 192.168.98.1 -> 192.168.98.2 ICMP Destination unreachable (Port unreachable)
 33.493559 192.168.98.1 -> 192.168.98.2 ICMP Destination unreachable (Port unreachable)
 33.493723 192.168.98.1 -> 192.168.98.2 ICMP Destination unreachable (Port unreachable)
 	Destination port: ssdp (1900)

 33.493962 192.168.98.1 -> 192.168.98.2 NAT-PMP External Address Response
    Version: 0
    Opcode: External Address Response (128)
    Result Code: Success (0)
    Seconds Since Start of Epoch: 13283
    External IP Address: 111.222.111.222 (111.222.111.222)

 33.502106 192.168.98.1 -> 192.168.98.2 NAT-PMP Map UDP Response
	 Version: 0
	 Opcode: Map UDP Response (129)
	 Result Code: Success (0)
	 Seconds Since Start of Epoch: 13283
	 Internal Port: 5353
	 Mapped External Port: 32773
	 Port Mapping Lifetime: 7200

 33.510384 192.168.98.1 -> 192.168.98.2 NAT-PMP Map UDP Response
	 Version: 0
	 Opcode: Map UDP Response (129)
	 Result Code: Success (0)
	 Seconds Since Start of Epoch: 13283
	 Internal Port: 4500
	 Mapped External Port: 32774
	 Port Mapping Lifetime: 7200

Disabling Back To My Mac

  3.936568 192.168.98.2 -> 192.168.98.1 NAT-PMP Map UDP Request
	  Version: 0
	  Opcode: Map UDP Request (1)
	  Reserved: 0
	  Internal Port: 4500
	  Requested External Port: 32774
	  Requested Port Mapping Lifetime: 0

  3.936664 192.168.98.2 -> 192.168.98.1 SSDP M-SEARCH * HTTP/1.1
	  M-SEARCH * HTTP/1.1\r\n
	      [Expert Info (Chat/Sequence): M-SEARCH * HTTP/1.1\r\n]
	          [Message: M-SEARCH * HTTP/1.1\r\n]
	          [Severity level: Chat]
	          [Group: Sequence]
	      Request Method: M-SEARCH
	      Request URI: *
	      Request Version: HTTP/1.1
	  Host:239.255.255.250:1900\r\n
	  ST:urn:schemas-upnp-org:service:WANPPPConnection:1\r\n
	  Man:"ssdp:discover"\r\n
	  MX:3\r\n
	  \r\n

  3.938951 192.168.98.1 -> 192.168.98.2 ICMP Destination unreachable (Port unreachable)
	Destination port: ssdp (1900)
  3.943055 192.168.98.1 -> 192.168.98.2 NAT-PMP Map UDP Response
	  Version: 0
	  Opcode: Map UDP Response (129)
	  Result Code: Success (0)
	  Seconds Since Start of Epoch: 13310
	  Internal Port: 4500
	  Mapped External Port: 32774
	  Port Mapping Lifetime: 0

  6.038227 192.168.98.2 -> 192.168.98.1 NAT-PMP Map UDP Request
	  Version: 0
	  Opcode: Map UDP Request (1)
	  Reserved: 0
	  Internal Port: 5353
	  Requested External Port: 32773
	  Requested Port Mapping Lifetime: 0

  6.038303 192.168.98.2 -> 192.168.98.1 SSDP M-SEARCH * HTTP/1.1
	  M-SEARCH * HTTP/1.1\r\n
	      [Expert Info (Chat/Sequence): M-SEARCH * HTTP/1.1\r\n]
	          [Message: M-SEARCH * HTTP/1.1\r\n]
	          [Severity level: Chat]
	          [Group: Sequence]
	      Request Method: M-SEARCH
	      Request URI: *
	      Request Version: HTTP/1.1
	  Host:239.255.255.250:1900\r\n
	  ST:urn:schemas-upnp-org:service:WANIPConnection:1\r\n
	  Man:"ssdp:discover"\r\n
	  MX:3\r\n
	  \r\n

  6.040599 192.168.98.1 -> 192.168.98.2 ICMP Destination unreachable (Port unreachable)
  	Destination port: ssdp (1900)

  6.043605 192.168.98.1 -> 192.168.98.2 NAT-PMP Map UDP Response
	  Version: 0
	  Opcode: Map UDP Response (129)
	  Result Code: Success (0)
	  Seconds Since Start of Epoch: 13310
	  Internal Port: 5353
	  Mapped External Port: 32773
	  Port Mapping Lifetime: 0
