VPN 伺服器沒有響應，沒有任何阻塞流量的跡象

我有一台執行 L2TP/IPSec VPN 伺服器的 Mac OS X Server (10.9) 機器。配置似乎沒問題，伺服器和 VPN 的主機名都設置為 DynDNS 主機名。該伺服器配置在具有埠轉發功能的 AirPort Extreme 路由器後面，連接到禁用路由器（橋接）的 Arris 調製解調器/路由器。伺服器配置有靜態內部 IP，路由器還通過 DHCP 綁定其 MAC 地址，以確保內部地址一致。

如果我輸入伺服器的內部 IP 地址 (10.0.1.x) 並嘗試從網路內連接到 VPN 伺服器，一切正常。但是，如果我輸入外部主機名（DynDNS 名稱）並嘗試再次從網路內部連接，則無法連接。在網路外部（例如通過 LTE）時，它同樣無法連接。

其他服務（SSH、遠端桌面等）在網路內外都可以正常連接。只有 VPN 受到影響。我可以確認可以從 SSH 和遠端桌面（埠 22/5900）訪問伺服器。

我進一步確認路由器除了轉發其他服務使用的其他埠外，還轉發埠 500(UDP)、1701(UDP) 和 4500(UDP)。

當我嘗試連接時，客戶端控制台上會顯示以下內容：

12/16/13 11:13:33.213 PM configd[28]: SCNC: start, triggered by (15822) com.apple.prefe, type L2TP, status 0, trafficClass 0
12/16/13 11:13:33.229 PM pppd[15967]: publish_entry SCDSet() failed: Success!
12/16/13 11:13:33.230 PM pppd[15967]: publish_entry SCDSet() failed: Success!
12/16/13 11:13:33.230 PM pppd[15967]: pppd 2.4.2 (Apple version 727.1.15) started by user, uid 501
12/16/13 11:13:33.231 PM pppd[15967]: L2TP connecting to server 'x.x.x.x' (x.x.x.x)...
12/16/13 11:13:33.232 PM pppd[15967]: IPSec connection started
12/16/13 11:13:33.244 PM racoon[15968]: accepted connection on vpn control socket.
12/16/13 11:13:33.244 PM racoon[15968]: Connecting.
12/16/13 11:13:33.244 PM racoon[15968]: IPSec Phase 1 started (Initiated by me).
12/16/13 11:13:33.245 PM racoon[15968]: IKE Packet: transmit success. (Initiator, Main-Mode message 1).
12/16/13 11:13:33.245 PM racoon[15968]: >>>>> phase change status = Phase 1 started by us
12/16/13 11:13:33.416 PM racoon[15968]: >>>>> phase change status = Phase 1 started by peer
12/16/13 11:13:33.416 PM racoon[15968]: IKE Packet: receive success. (Initiator, Main-Mode message 2).
12/16/13 11:13:33.420 PM racoon[15968]: IKE Packet: transmit success. (Initiator, Main-Mode message 3).
12/16/13 11:13:33.429 PM racoon[15968]: IKE Packet: receive success. (Initiator, Main-Mode message 4).
12/16/13 11:13:33.447 PM racoon[15968]: IKE Packet: transmit success. (Initiator, Main-Mode message 5).
12/16/13 11:13:36.715 PM racoon[15968]: !!! skipped retransmitting frags: frag_flags 1, r->sendbuf->l 112, max 1280
12/16/13 11:13:36.715 PM racoon[15968]: Received retransmitted packet from x.x.x.x[500].
12/16/13 11:13:36.715 PM racoon[15968]: the packet is retransmitted by x.x.x.x[500].
12/16/13 11:13:36.745 PM racoon[15968]: IKE Packet: transmit success. (Phase 1 Retransmit).
12/16/13 11:13:39.872 PM racoon[15968]: !!! skipped retransmitting frags: frag_flags 1, r->sendbuf->l 112, max 1280
12/16/13 11:13:39.872 PM racoon[15968]: Received retransmitted packet from x.x.x.x[500].
12/16/13 11:13:39.873 PM racoon[15968]: the packet is retransmitted by x.x.x.x[500].
12/16/13 11:13:40.043 PM racoon[15968]: IKE Packet: transmit success. (Phase 1 Retransmit).
12/16/13 11:13:43.170 PM racoon[15968]: !!! skipped retransmitting frags: frag_flags 1, r->sendbuf->l 112, max 1280
12/16/13 11:13:43.170 PM racoon[15968]: Received retransmitted packet from x.x.x.x[500].
12/16/13 11:13:43.170 PM racoon[15968]: the packet is retransmitted by x.x.x.x[500].
12/16/13 11:13:43.335 PM racoon[15968]: IKE Packet: transmit success. (Phase 1 Retransmit).
12/16/13 11:13:55.912 PM racoon[15968]: IKE Packet: transmit success. (Phase 1 Retransmit).
12/16/13 11:13:56.367 PM racoon[15968]: !!! skipped retransmitting frags: frag_flags 1, r->sendbuf->l 112, max 1280
12/16/13 11:13:56.367 PM racoon[15968]: Received retransmitted packet from x.x.x.x[500].
12/16/13 11:13:56.367 PM racoon[15968]: the packet is retransmitted by x.x.x.x[500].
12/16/13 11:14:03.416 PM pppd[15967]: IPSec connection failed
12/16/13 11:14:03.416 PM racoon[15968]: IPSec disconnecting from server x.x.x.x
12/16/13 11:14:03.416 PM racoon[15968]: glob found no matches for path "/var/run/racoon/*.conf"

這在伺服器的控制台上：

12/16/13 11:13:33.404 PM racoon[216]: IPSec Phase 1 started (Initiated by peer).
12/16/13 11:13:33.404 PM racoon[216]: IKE Packet: receive success. (Responder, Main-Mode message 1).
12/16/13 11:13:33.404 PM racoon[216]: >>>>> phase change status = Phase 1 started by us
12/16/13 11:13:33.404 PM racoon[216]: IKE Packet: transmit success. (Responder, Main-Mode message 2).
12/16/13 11:13:33.541 PM racoon[216]: IKE Packet: receive success. (Responder, Main-Mode message 3).
12/16/13 11:13:33.559 PM racoon[216]: IKE Packet: transmit success. (Responder, Main-Mode message 4).
12/16/13 11:13:33.566 PM racoon[216]: Connecting.
12/16/13 11:13:36.697 PM racoon[216]: IKE Packet: transmit success. (Phase 1 Retransmit).
12/16/13 11:13:36.697 PM racoon[216]: IKE Packet: transmit success. (Phase 1 Retransmit).
12/16/13 11:13:39.989 PM racoon[216]: IKE Packet: transmit success. (Phase 1 Retransmit).
12/16/13 11:13:43.286 PM racoon[216]: IKE Packet: transmit success. (Phase 1 Retransmit).
12/16/13 11:13:56.484 PM racoon[216]: IKE Packet: transmit success. (Phase 1 Retransmit).
12/16/13 11:14:06.392 PM racoon[216]: IKE Packet: transmit success. (Phase 1 Retransmit).
12/16/13 11:14:12.978 PM racoon[216]: IKE Packet: transmit success. (Phase 1 Retransmit).
12/16/13 11:14:32.767 PM racoon[216]: IKE Packet: transmit success. (Phase 1 Retransmit).
12/16/13 11:14:39.390 PM racoon[216]: IKEv1 Phase 1: maximum retransmits. (Phase 1 Maximum Retransmits).
12/16/13 11:14:39.390 PM racoon[216]: Phase 1 negotiation failed due to time up. 45b24df5cc9713e7:9b427f72231ccb59

我注意到的一件事是客戶端在 11:14:03 失敗，而伺服器繼續重新傳輸數據包 30 秒，一直到超時。本例中的客戶端是 Mac OS X，但 iOS 客戶端的行為類似。

我應該在這裡尋找哪些故障排除步驟？

好的，事實證明這是最新版本的 Mac OS X Server 中的一個“錯誤”。據我所知，racoon如果源埠不是 UDP 4500，他的 IKE 守護程序將不接受連接。大多數通過 NAT 的連接都會隨機化源埠，這意味著它不會連接。舊版本的守護程序沒有這個限制。如果直接連接到伺服器的 IP，來自網路內部的連接不會隨機化埠，但環回和外部連接顯然會導致失敗。

那麼，快速的解決方案是**用 OS 10.8 中的舊版本****替換racoon**二進製文件，當然通過命名來備份舊版本racoon.old（或者racoon.new更正確？：D）。

蘋果似乎確實意識到了這個問題，並希望他們會發布修復程序；同時，還原二進製作品。

引用自：https://serverfault.com/questions/561824