Update, 16.10.2011. Everything said in this article also applies to the iCloud Back To My Mac service. If access to the VPN server on your Mac suddenly stopped working, turn off Back To My Mac everywhere.
Yesterday I mentioned that on a VPN server (Mac OS X) you cannot have the L2TP VPN Server and Back To My Mac configured at the same time. I will confirm this with screenshots.
Back To My Mac is off:
The connection is established:
But if Back To My Mac is on:
the connection is not established:
This is the only change I made.
Apple's documentation says:
“If you wish to enable NAT port forwarding to L2TP VPN servers at private addresses on your AirPort Extreme or Time Capsule network, first ensure that MobileMe is disabled in AirPort Utility. If you configure NAT port forwarding to L2TP VPN servers at private addresses with MobileMe enabled, the setting for port forwarding to the servers will be ignored.”
If you need both Back to My Mac and a VPN server, use PPTP VPN. Although it is less secure, it does work in this configuration.
A few details. Here is the connection setup without Back To My Mac:
45.599012 109.162.11.133 -> 192.168.98.2 ISAKMP Identity Protection (Main Mode)
45.601468 192.168.98.2 -> 109.162.11.133 ISAKMP Identity Protection (Main Mode)
46.058368 109.162.11.133 -> 192.168.98.2 ISAKMP Identity Protection (Main Mode)
46.069876 192.168.98.2 -> 109.162.11.133 ISAKMP Identity Protection (Main Mode)
46.438942 109.162.11.133 -> 192.168.98.2 ISAKMP Identity Protection (Main Mode)
46.439629 192.168.98.2 -> 109.162.11.133 ISAKMP Identity Protection (Main Mode)
47.738940 109.162.11.133 -> 192.168.98.2 ISAKMP Quick Mode
47.741256 192.168.98.2 -> 109.162.11.133 ISAKMP Quick Mode
47.938956 109.162.11.133 -> 192.168.98.2 ISAKMP Quick Mode
48.177831 109.162.11.133 -> 192.168.98.2 ESP ESP (SPI=0x0c380875)
48.200824 192.168.98.2 -> 109.162.11.133 ESP ESP (SPI=0x0d034052)
...
50.379150 192.168.98.2 -> 109.162.11.133 ESP ESP (SPI=0x0d034052)
50.417807 109.162.11.133 -> 192.168.98.2 ESP ESP (SPI=0x0c380875)
52.650222 192.168.98.2 -> 109.162.11.133 ISAKMP Informational
53.650658 192.168.98.2 -> 109.162.11.133 ISAKMP Informational
And here it is with Back To My Mac enabled:
5.492165 109.162.11.133 -> 192.168.98.2 ISAKMP Identity Protection (Main Mode)
8.492130 109.162.11.133 -> 192.168.98.2 ISAKMP Identity Protection (Main Mode)
11.475359 109.162.11.133 -> 192.168.98.2 ISAKMP Identity Protection (Main Mode)
14.532159 109.162.11.133 -> 192.168.98.2 ISAKMP Identity Protection (Main Mode)
When Back To My Mac is enabled, it maps ports 5353 and 4500 with NAT-PMP Map UDP Request messages, so the L2TP server can no longer service requests arriving on port 4500 (IKE NAT Traversal), and as a result the connection is not established.
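As an added example (not code from the original post), here is a small Python decoder for the NAT-PMP Map UDP Request/Response messages shown in the traces, plus a check that flags any client mapping request for the UDP ports an L2TP/IPsec server depends on. The sample bytes are constructed to mirror the field values in the traces; the set of watched VPN ports (500, 1701 as well as the page's 4500) is an assumption about what a defender would monitor.

```python
import struct

# NAT-PMP (RFC 6886) message layouts, big-endian:
#   Map request : version(1) opcode(1) reserved(2) internal(2) external(2) lifetime(4)          = 12 bytes
#   Map response: version(1) opcode+128(1) result(2) epoch(4) internal(2) external(2) lifetime(4) = 16 bytes
MAP_REQ = "!BBHHHI"
MAP_RESP = "!BBHIHHI"

# Assumed watch list: UDP ports an L2TP/IPsec server needs on the WAN side. A LAN client
# that maps one of them via NAT-PMP diverts the router's forwarding rule to itself.
VPN_UDP_PORTS = {500: "IKE", 4500: "IKE NAT-T", 1701: "L2TP"}

# Constructed sample messages mirroring the fields in the traces above
MAP_REQ_4500 = struct.pack(MAP_REQ, 0, 1, 0, 4500, 4500, 7200)           # enable: map 4500
MAP_REQ_5353 = struct.pack(MAP_REQ, 0, 1, 0, 5353, 5353, 7200)           # enable: map mDNS
MAP_RESP_4500 = struct.pack(MAP_RESP, 0, 129, 0, 13283, 4500, 32774, 7200)
UNMAP_REQ_4500 = struct.pack(MAP_REQ, 0, 1, 0, 4500, 32774, 0)           # disable: lifetime 0

def parse_natpmp(pkt: bytes) -> dict:
    """Decode a NAT-PMP map request or map response into its fields."""
    if len(pkt) < 2 or pkt[0] != 0:
        raise ValueError("not a NAT-PMP version 0 message")
    opcode = pkt[1]
    if opcode in (1, 2) and len(pkt) == 12:
        _, _, _, internal, external, lifetime = struct.unpack(MAP_REQ, pkt)
        return {"kind": "request", "proto": "UDP" if opcode == 1 else "TCP",
                "internal_port": internal, "external_port": external, "lifetime": lifetime}
    if opcode in (129, 130) and len(pkt) == 16:
        _, _, result, epoch, internal, external, lifetime = struct.unpack(MAP_RESP, pkt)
        return {"kind": "response", "proto": "UDP" if opcode == 129 else "TCP",
                "result": result, "epoch": epoch, "internal_port": internal,
                "external_port": external, "lifetime": lifetime}
    raise ValueError("unsupported NAT-PMP opcode or length")

def vpn_port_mappings(msgs) -> list:
    """Return (action, port, service) for every UDP map request touching a watched VPN port.
    A lifetime of 0 is how NAT-PMP deletes a mapping, as seen in the disable trace."""
    hits = []
    for m in msgs:
        if m["kind"] == "request" and m["proto"] == "UDP" and m["internal_port"] in VPN_UDP_PORTS:
            action = "unmap" if m["lifetime"] == 0 else "map"
            hits.append((action, m["internal_port"], VPN_UDP_PORTS[m["internal_port"]]))
    return hits

if __name__ == "__main__":
    trace = [parse_natpmp(p) for p in (MAP_REQ_5353, MAP_REQ_4500, MAP_RESP_4500, UNMAP_REQ_4500)]
    for hit in vpn_port_mappings(trace):
        print(hit)
```

Feeding it the NAT-PMP payloads from a capture of the LAN segment (for example, from the router's NAT-PMP port 5351) shows which host grabbed the VPN port and when it released it.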
Finally, here are the traces from enabling and disabling Back To My Mac.
Enabling Back To My Mac
28.815152 192.168.98.2 -> 109.162.11.133 UDPENCAP NAT-keepalive
33.488924 192.168.98.2 -> 192.168.98.1 NAT-PMP External Address Request
NAT Port Mapping Protocol, External Address Request
Version: 0
Opcode: External Address Request (0)
33.489063 192.168.98.2 -> 192.168.98.1 SSDP M-SEARCH * HTTP/1.1
M-SEARCH * HTTP/1.1\r\n
[Expert Info (Chat/Sequence): M-SEARCH * HTTP/1.1\r\n]
[Message: M-SEARCH * HTTP/1.1\r\n]
[Severity level: Chat]
[Group: Sequence]
Request Method: M-SEARCH
Request URI: *
Request Version: HTTP/1.1
Host:239.255.255.250:1900\r\n
ST:urn:schemas-upnp-org:service:WANIPConnection:1\r\n
Man:"ssdp:discover"\r\n
MX:3\r\n
\r\n
33.489094 192.168.98.2 -> 192.168.98.1 NAT-PMP Map UDP Request
NAT Port Mapping Protocol, Map UDP Request
Version: 0
Opcode: Map UDP Request (1)
Reserved: 0
Internal Port: 5353
Requested External Port: 5353
Requested Port Mapping Lifetime: 7200
33.489109 192.168.98.2 -> 192.168.98.1 SSDP M-SEARCH * HTTP/1.1
M-SEARCH * HTTP/1.1\r\n
[Expert Info (Chat/Sequence): M-SEARCH * HTTP/1.1\r\n]
[Message: M-SEARCH * HTTP/1.1\r\n]
[Severity level: Chat]
[Group: Sequence]
Request Method: M-SEARCH
Request URI: *
Request Version: HTTP/1.1
Host:239.255.255.250:1900\r\n
ST:urn:schemas-upnp-org:service:WANPPPConnection:1\r\n
Man:"ssdp:discover"\r\n
MX:3\r\n
\r\n
33.489134 192.168.98.2 -> 192.168.98.1 NAT-PMP Map UDP Request
NAT Port Mapping Protocol, Map UDP Request
Version: 0
Opcode: Map UDP Request (1)
Reserved: 0
Internal Port: 4500
Requested External Port: 4500
Requested Port Mapping Lifetime: 7200
33.489148 192.168.98.2 -> 192.168.98.1 SSDP M-SEARCH * HTTP/1.1
M-SEARCH * HTTP/1.1\r\n
[Expert Info (Chat/Sequence): M-SEARCH * HTTP/1.1\r\n]
[Message: M-SEARCH * HTTP/1.1\r\n]
[Severity level: Chat]
[Group: Sequence]
Request Method: M-SEARCH
Request URI: *
Request Version: HTTP/1.1
Host:239.255.255.250:1900\r\n
ST:urn:schemas-upnp-org:service:WANIPConnection:1\r\n
Man:"ssdp:discover"\r\n
MX:3\r\n
\r\n
33.493555 192.168.98.1 -> 192.168.98.2 ICMP Destination unreachable (Port unreachable)
33.493559 192.168.98.1 -> 192.168.98.2 ICMP Destination unreachable (Port unreachable)
33.493723 192.168.98.1 -> 192.168.98.2 ICMP Destination unreachable (Port unreachable)
Destination port: ssdp (1900)
33.493962 192.168.98.1 -> 192.168.98.2 NAT-PMP External Address Response
Version: 0
Opcode: External Address Response (128)
Result Code: Success (0)
Seconds Since Start of Epoch: 13283
External IP Address: 111.222.111.222 (111.222.111.222)
33.502106 192.168.98.1 -> 192.168.98.2 NAT-PMP Map UDP Response
Version: 0
Opcode: Map UDP Response (129)
Result Code: Success (0)
Seconds Since Start of Epoch: 13283
Internal Port: 5353
Mapped External Port: 32773
Port Mapping Lifetime: 7200
33.510384 192.168.98.1 -> 192.168.98.2 NAT-PMP Map UDP Response
Version: 0
Opcode: Map UDP Response (129)
Result Code: Success (0)
Seconds Since Start of Epoch: 13283
Internal Port: 4500
Mapped External Port: 32774
Port Mapping Lifetime: 7200
Disabling Back To My Mac
3.936568 192.168.98.2 -> 192.168.98.1 NAT-PMP Map UDP Request
Version: 0
Opcode: Map UDP Request (1)
Reserved: 0
Internal Port: 4500
Requested External Port: 32774
Requested Port Mapping Lifetime: 0
3.936664 192.168.98.2 -> 192.168.98.1 SSDP M-SEARCH * HTTP/1.1
M-SEARCH * HTTP/1.1\r\n
[Expert Info (Chat/Sequence): M-SEARCH * HTTP/1.1\r\n]
[Message: M-SEARCH * HTTP/1.1\r\n]
[Severity level: Chat]
[Group: Sequence]
Request Method: M-SEARCH
Request URI: *
Request Version: HTTP/1.1
Host:239.255.255.250:1900\r\n
ST:urn:schemas-upnp-org:service:WANPPPConnection:1\r\n
Man:"ssdp:discover"\r\n
MX:3\r\n
\r\n
3.938951 192.168.98.1 -> 192.168.98.2 ICMP Destination unreachable (Port unreachable)
Destination port: ssdp (1900)
3.943055 192.168.98.1 -> 192.168.98.2 NAT-PMP Map UDP Response
Version: 0
Opcode: Map UDP Response (129)
Result Code: Success (0)
Seconds Since Start of Epoch: 13310
Internal Port: 4500
Mapped External Port: 32774
Port Mapping Lifetime: 0
6.038227 192.168.98.2 -> 192.168.98.1 NAT-PMP Map UDP Request
Version: 0
Opcode: Map UDP Request (1)
Reserved: 0
Internal Port: 5353
Requested External Port: 32773
Requested Port Mapping Lifetime: 0
6.038303 192.168.98.2 -> 192.168.98.1 SSDP M-SEARCH * HTTP/1.1
M-SEARCH * HTTP/1.1\r\n
[Expert Info (Chat/Sequence): M-SEARCH * HTTP/1.1\r\n]
[Message: M-SEARCH * HTTP/1.1\r\n]
[Severity level: Chat]
[Group: Sequence]
Request Method: M-SEARCH
Request URI: *
Request Version: HTTP/1.1
Host:239.255.255.250:1900\r\n
ST:urn:schemas-upnp-org:service:WANIPConnection:1\r\n
Man:"ssdp:discover"\r\n
MX:3\r\n
\r\n
6.040599 192.168.98.1 -> 192.168.98.2 ICMP Destination unreachable (Port unreachable)
Destination port: ssdp (1900)
6.043605 192.168.98.1 -> 192.168.98.2 NAT-PMP Map UDP Response
Version: 0
Opcode: Map UDP Response (129)
Result Code: Success (0)
Seconds Since Start of Epoch: 13310
Internal Port: 5353
Mapped External Port: 32773
Port Mapping Lifetime: 0