VPN tcpdump assistance required

I’m still battling L2TP VPN connection issues, and at the suggestion of one of my readers I’ve done a series of TCPDUMP runs and they all boil down to the one below.

tcpdump: listening on en1, link-type EN10MB (Ethernet), capture size 96 bytes
20:24:27.580117 IP (tos 0x0, ttl 64, id 17897, offset 0, flags [none], length: 188) 192.168.23.2.isakmp > vpn.office.com.isakmp: isakmp 1.0 msgid cookie ->: phase 1 I ident: [|sa]
20:24:27.803567 IP (tos 0x0, ttl 59, id 0, offset 0, flags [none], length: 164) vpn.office.com.isakmp > 192.168.23.2.isakmp: isakmp 1.0 msgid cookie ->: phase 1 R ident: [|sa]
20:24:28.094352 IP (tos 0x0, ttl 64, id 17898, offset 0, flags [none], length: 276) 192.168.23.2.isakmp > vpn.office.com.isakmp: isakmp 1.0 msgid cookie ->: phase 1 I ident: [|ke]
20:24:28.653665 IP (tos 0x0, ttl 59, id 0, offset 0, flags [none], length: 256) vpn.office.com.isakmp > 192.168.23.2.isakmp: isakmp 1.0 msgid cookie ->: phase 1 R ident: [|ke]
20:24:29.290106 IP (tos 0x0, ttl 64, id 17901, offset 0, flags [none], length: 1428) 192.168.23.2.ipsec-msft > vpn.office.com.ipsec-msft: UDP, length: 1400
20:24:30.224387 IP (tos 0x0, ttl 59, id 0, offset 0, flags [none], length: 1420) vpn.office.com.ipsec-msft > 192.168.23.2.ipsec-msft: UDP, length: 1392
20:24:30.657375 IP (tos 0x0, ttl 64, id 17903, offset 0, flags [none], length: 100) 192.168.23.2.ipsec-msft > vpn.office.com.ipsec-msft: UDP, length: 72
20:24:32.667205 IP (tos 0x0, ttl 64, id 17906, offset 0, flags [none], length: 1428) 192.168.23.2.ipsec-msft > vpn.office.com.ipsec-msft: UDP, length: 1400
20:24:34.824612 IP (tos 0x0, ttl 59, id 0, offset 0, flags [none], length: 1420) vpn.office.com.ipsec-msft > 192.168.23.2.ipsec-msft: UDP, length: 1392
20:24:35.829802 IP (tos 0x0, ttl 64, id 17910, offset 0, flags [none], length: 1428) 192.168.23.2.ipsec-msft > vpn.office.com.ipsec-msft: UDP, length: 1400
20:24:36.504857 IP (tos 0x0, ttl 59, id 0, offset 0, flags [none], length: 1420) vpn.office.com.ipsec-msft > 192.168.23.2.ipsec-msft: UDP, length: 1392
20:24:38.556036 IP (tos 0x0, ttl 64, id 17914, offset 0, flags [none], length: 1428) 192.168.23.2.ipsec-msft > vpn.office.com.ipsec-msft: UDP, length: 1400
20:24:41.270765 IP (tos 0x0, ttl 64, id 17918, offset 0, flags [none], length: 1428) 192.168.23.2.ipsec-msft > vpn.office.com.ipsec-msft: UDP, length: 1400
20:24:44.272501 IP (tos 0x0, ttl 64, id 17922, offset 0, flags [none], length: 1428) 192.168.23.2.ipsec-msft > vpn.office.com.ipsec-msft: UDP, length: 1400
20:24:47.276414 IP (tos 0x0, ttl 64, id 17926, offset 0, flags [none], length: 1428) 192.168.23.2.ipsec-msft > vpn.office.com.ipsec-msft: UDP, length: 1400
20:24:50.277506 IP (tos 0x0, ttl 64, id 17930, offset 0, flags [none], length: 1428) 192.168.23.2.ipsec-msft > vpn.office.com.ipsec-msft: UDP, length: 1400
20:24:53.285464 IP (tos 0x0, ttl 64, id 17934, offset 0, flags [none], length: 1428) 192.168.23.2.ipsec-msft > vpn.office.com.ipsec-msft: UDP, length: 1400
20:24:56.287335 IP (tos 0x0, ttl 64, id 17938, offset 0, flags [none], length: 1428) 192.168.23.2.ipsec-msft > vpn.office.com.ipsec-msft: UDP, length: 1400
20:24:59.290376 IP (tos 0x0, ttl 64, id 17942, offset 0, flags [none], length: 1428) 192.168.23.2.ipsec-msft > vpn.office.com.ipsec-msft: UDP, length: 1400

So if there are any brainier geeks out there that can point to the problem, I’d be grateful.

2 comments on “VPN tcpdump assistance required”

  1. At a guess I’d say it’s your MTU. Your Maximum Transmission Unit is the max size of a packet allowed through your router / firewall. In this case it looks like 1400. What VPN does is then encapsulate this packet with about another 8 bytes, bringing this to 1408 or so, and this is getting chopped off. Increasing your MTU to, I think, 1512 (the standard size) would help.
    Also, set your firewall / VPN to allow fragmented packets. It depends on what hardware / software you are using. If you want to send me a mail with details I might be able to help further.
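
An added example, not part of the original post or its comments: a Python sketch that reads tcpdump lines in the format shown in the capture and reports datagram sizes per direction plus the trailing run of outbound packets that got no reply, which is the pattern a size or fragmentation problem would leave. The function names `parse` and `summarize` are hypothetical; the sample lines are copied from the capture.

```python
import re
from collections import Counter

# Six packet lines copied from the capture in the post (ipsec-msft = UDP 4500, IPsec NAT-T).
SAMPLE = """\
20:24:35.829802 IP (tos 0x0, ttl 64, id 17910, offset 0, flags [none], length: 1428) 192.168.23.2.ipsec-msft > vpn.office.com.ipsec-msft: UDP, length: 1400
20:24:36.504857 IP (tos 0x0, ttl 59, id 0, offset 0, flags [none], length: 1420) vpn.office.com.ipsec-msft > 192.168.23.2.ipsec-msft: UDP, length: 1392
20:24:38.556036 IP (tos 0x0, ttl 64, id 17914, offset 0, flags [none], length: 1428) 192.168.23.2.ipsec-msft > vpn.office.com.ipsec-msft: UDP, length: 1400
20:24:41.270765 IP (tos 0x0, ttl 64, id 17918, offset 0, flags [none], length: 1428) 192.168.23.2.ipsec-msft > vpn.office.com.ipsec-msft: UDP, length: 1400
20:24:44.272501 IP (tos 0x0, ttl 64, id 17922, offset 0, flags [none], length: 1428) 192.168.23.2.ipsec-msft > vpn.office.com.ipsec-msft: UDP, length: 1400
20:24:47.276414 IP (tos 0x0, ttl 64, id 17926, offset 0, flags [none], length: 1428) 192.168.23.2.ipsec-msft > vpn.office.com.ipsec-msft: UDP, length: 1400
"""

# time, IP total length from the verbose header, then host.port > host.port
LINE = re.compile(
    r"^(\d\d):(\d\d):(\d\d\.\d+) IP \(.*?length: (\d+)\) "
    r"(\S+)\.([\w-]+) > (\S+)\.([\w-]+): ")

def parse(text):
    """Yield (seconds, src_host, dst_host, dst_port, ip_length) per packet line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            h, mi, s, ip_len, src, _sport, dst, dport = m.groups()
            yield int(h) * 3600 + int(mi) * 60 + float(s), src, dst, dport, int(ip_len)

def summarize(text, client):
    """Count sizes per direction and measure the final run of unanswered client packets."""
    pkts = list(parse(text))
    sizes = Counter(("out" if src == client else "in", port, n)
                    for _, src, _, port, n in pkts)
    trailing = []
    for t, src, _, port, n in reversed(pkts):
        if src != client:          # stop at the last packet seen from the peer
            break
        trailing.append((t, port, n))
    trailing.reverse()
    gaps = [round(b[0] - a[0], 1) for a, b in zip(trailing, trailing[1:])]
    return {"sizes": sizes, "unanswered": len(trailing), "gaps": gaps,
            "largest_out": max(n for _, s, _, _, n in pkts if s == client)}

if __name__ == "__main__":
    print(summarize(SAMPLE, "192.168.23.2"))
```

A long trailing run of identical large datagrams at a steady retry interval, with nothing coming back, is the signature to compare against the path MTU and the firewall's handling of fragments.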

