L2TP with IPsec VPN failing on some networks

My Peplink Balance One (FW 8.2.1) has a L2TP with IPsec VPN set up.

The clients are using macOS’s built-in VPN client in System Preferences / Network.

It works great, when connecting from most networks.

However, when I try to connect from one specific network (a university), the VPN connection never establishes. If I get off the school WiFi and tether to my phone as a hotspot (Verizon), then it works fine.

So it seems like the university probably has some sort of firewall that is blocking my VPN? That would not surprise me.

However, the mystery is this: the exact same L2TP VPN network worked fine when the server was running on macOS rather than Peplink.

So, my question is: are there any obvious differences between an L2TP/IPsec VPN server running on Peplink vs. the exact same VPN configuration running on macOS? Perhaps they use different default ports?

Any ideas how to debug this? I don’t see any messages in the Peplink log.

This suggests that for L2TP you need ports 500 (UDP), 1701 (UDP), and 4500 (UDP) for macOS server’s VPN.

Does Peplink use anything different?

I managed to capture error logging from the macOS ‘racoon’ process trying to set up a VPN with the Peplink router.

In this log, A.A.A.A is my remote IP address, and B.B.B.B is the address of my Peplink.

[...]
IPSec Phase 2 established (Initiated by me).
===
IPsec-SA established (add): satype=3 spi=0xc477265c mode=1
IPsec-SA established (add): ESP/Transport A.A.A.A[500]->B.B.B.B[500] spi=3296142940(0xc477265c)
>>>>> phase change status = Phase 2 established
vpn control writing 20 bytes
===
Dropping com.apple.security.LegacyAPICounts as it isn't used in any transform (not in the config or budgeted?)
Dropping com.apple.security.LegacyAPICounts as it isn't used in any transform (not in the config or budgeted?)
Dropping com.apple.security.LegacyAPICounts as it isn't used in any transform (not in the config or budgeted?)
Dropping com.apple.security.LegacyAPICounts as it isn't used in any transform (not in the config or budgeted?)
DatabaseSession::Close
DbClose of handle 140543612981885
0x7fd2dc209370 free /Library/Keychains/System.keychain buffer 0x7fd2e0008000
Thread registered with com.apple.SecurityServer
0x7fd2dc208d00 detach module 0x7fd2dc208990(AppleDL)
Dropping com.apple.security.LegacyAPICounts as it isn't used in any transform (not in the config or budgeted?)
Dropping com.apple.security.LegacyAPICounts as it isn't used in any transform (not in the config or budgeted?)
0x7fd2dc208990 module AppleDL(Apple built-in DL) final unload
0x7fd2dc70f490 detach module 0x7fd2dc7334a0(AppleCSPDL)
0x7fd2dc70be40 detach module 0x7fd2dc7334a0(AppleCSPDL)
0x7fd2dc7334a0 module AppleCSPDL(Apple built-in CSPDL) final unload
caught rtm:2, need update interface address list
configuring default isakmp port.
26 addrs are configured successfully
vpn_control socket closed by peer.
received disconnect all command.
IPSec disconnecting from server B.B.B.B
in ike_session_purgephXbydstaddrwop... purging Phase 2 structures
New Phase 2
state changed to: IKEv1 info
Compute IV for Phase 2
hash(sha2_512)
encryption(aes)
hmac(hmac_sha2_512)
Begin encryption.
encryption(aes)
pad length = 12
About to encrypt 96 bytes 

encryption(aes)
Encrypted.
124 bytes from A.A.A.A[500] to B.B.B.B[500]
sockname A.A.A.A[500]
send packet from A.A.A.A[500]
send packet to B.B.B.B[500]

1 times of 124 bytes message will be sent to B.B.B.B[500]
sendto Information delete.
IV freed
Phase 2 sa expired A.A.A.A-B.B.B.B
state changed to: Phase 2 expired
in ike_session_purgephXbydstaddrwop... purging Phase 1 and related Phase 2 structures
IPsec-SA needs to be purged: ESP A.A.A.A[500]->B.B.B.B[500] spi=167772160(0xa000000)
New Phase 2
state changed to: IKEv1 info
Compute IV for Phase 2
hash(sha2_512)
encryption(aes)
hmac(hmac_sha2_512)
Begin encryption.
encryption(aes)
pad length = 16
About to encrypt 112 bytes 

encryption(aes)
Encrypted.
140 bytes from A.A.A.A[500] to B.B.B.B[500]
sockname A.A.A.A[500]
send packet from A.A.A.A[500]
send packet to B.B.B.B[500]

1 times of 140 bytes message will be sent to B.B.B.B[500]
sendto Information delete.
IV freed
ISAKMP-SA expired A.A.A.A[500]-B.B.B.B[500] spi:cf535c2e3e206ac1:ca6782ebd853f95d
state changed to: Phase 1 expired
no ph1bind replacement found. NULL ph1.
vpncontrol_close_comm.

On the Peplink side, there were no logged events that I could see. Is there any way to get more detailed VPN logging from the Peplink?

You may want to try to do a packet capture on either end of the connection to see if anything is being blocked.

Most universities will use a proxy server that may or may not play nicely. Some universities disallow VPN tunnels due to the security implications: they cannot see the traffic inside the tunnel. Oftentimes these tunnels are used to circumvent security policies.

But, since it works with a server instead of the router as the tunnel endpoint, network blockages are less likely.

I didn’t see in your logs any kind of connection using port 4500, and I think there should be. It looks like port 500 is good, but the phase 2 stuff should be using 4500, I think.

Peplink handles 4500 “behind the scenes”, so you may want to search the forums for UDP 4500. Good luck - I am interested in what you find out.

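The reply above points at the missing UDP 4500 traffic. As an added example (not code from the original posts, and not a Peplink tool), here is a small Python script that pulls the UDP ports out of racoon log lines of the kind posted earlier and reports whether NAT-T (UDP 4500) was negotiated and how far the negotiation got. The sample lines are constructed to mirror the posted log format; the second sample is a hypothetical NAT-T variant with made-up SPI values. Note that racoon only handles IKE and the ESP SAs, so the L2TP control connection on UDP 1701, which runs inside the ESP tunnel, never appears in this log.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the racoon output quoted in the thread
# (not the original log verbatim). A.A.A.A is the client, B.B.B.B the Peplink.
SAMPLE_NO_NAT_T = """\
IPSec Phase 2 established (Initiated by me).
IPsec-SA established (add): ESP/Transport A.A.A.A[500]->B.B.B.B[500] spi=3296142940(0xc477265c)
>>>>> phase change status = Phase 2 established
vpn_control socket closed by peer.
received disconnect all command.
124 bytes from A.A.A.A[500] to B.B.B.B[500]
ISAKMP-SA expired A.A.A.A[500]-B.B.B.B[500] spi:cf535c2e3e206ac1:ca6782ebd853f95d
"""

# Constructed, hypothetical counter-example: the same kind of lines when NAT-T
# was negotiated and IKE/ESP moved to UDP 4500 (SPI values are made up).
SAMPLE_NAT_T = """\
IPsec-SA established (add): ESP/Transport A.A.A.A[4500]->B.B.B.B[4500] spi=305419896(0x12345678)
>>>>> phase change status = Phase 2 established
140 bytes from A.A.A.A[4500] to B.B.B.B[4500]
"""

ENDPOINT = re.compile(r"[\w.:]+\[(\d+)\]")  # e.g. A.A.A.A[500] -> "500"
ESP_MODE = re.compile(r"\bESP/(\w+)")       # e.g. ESP/Transport -> "Transport"

IKE_PORT, NAT_T_PORT, L2TP_PORT = 500, 4500, 1701


def analyze(log_text):
    """Summarise which UDP ports racoon used and how far IKE got.

    Returns a dict so the caller can assert on it rather than read prose.
    """
    ports = Counter()
    phase2 = False
    esp_mode = None
    local_disconnect = False
    for line in log_text.splitlines():
        for port in ENDPOINT.findall(line):
            ports[int(port)] += 1
        if "Phase 2 established" in line:
            phase2 = True
        m = ESP_MODE.search(line)
        if m:
            esp_mode = m.group(1)
        # vpn_control is racoon's socket to the local VPN controller, not the
        # remote server: these lines mean the Mac itself ordered the teardown.
        if "vpn_control socket closed by peer" in line or "disconnect all" in line:
            local_disconnect = True

    findings = []
    if phase2:
        findings.append("IKE Phase 1 and Phase 2 completed: the IKE port is open and "
                        "the pre-shared key and proposals were accepted")
    if NAT_T_PORT in ports:
        findings.append("UDP 4500 in use: NAT-T negotiated, ESP is UDP-encapsulated")
    else:
        findings.append("no UDP 4500 seen: NAT-T was not negotiated, so ESP travels as "
                        "raw IP protocol 50 and any NAT or firewall in the path must "
                        "pass it unwrapped")
    if esp_mode:
        findings.append(f"ESP mode: {esp_mode}")
    if phase2 and local_disconnect:
        findings.append("IPsec came up but the local VPN controller ordered a disconnect: "
                        f"look at the layer racoon does not log (L2TP on UDP {L2TP_PORT} "
                        "and PPP inside the tunnel), not at IKE")
    return {
        "ports_seen": sorted(ports),
        "phase2_established": phase2,
        "esp_mode": esp_mode,
        "nat_traversal": NAT_T_PORT in ports,
        "local_disconnect": local_disconnect,
        "findings": findings,
    }


if __name__ == "__main__":
    for name, text in (("posted-style log", SAMPLE_NO_NAT_T), ("NAT-T variant", SAMPLE_NAT_T)):
        result = analyze(text)
        print(f"== {name}: UDP ports {result['ports_seen']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Run it against a saved copy of the real racoon output (read the file and pass its contents to `analyze`) to see the same summary; the useful check is whether 4500 ever shows up, because a client behind a campus NAT that stays on 500 is sending bare ESP that the NAT has no port to translate.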

An update on this topic.

I’m no longer having this issue. My VPN connections from the university work fine.

What’s different?

  • I upgraded my Balance One from firmware 8.4 to 8.5
  • I upgraded my MacBook to the latest macOS (Sonoma 14.6.1)
  • (possibly) the university made some changes in their firewall settings?