Back to My Mac interferes with IPSec based VPN

Apparently, a few weeks ago my home VPN stopped accepting incoming connections. I only found out last week, when I was on vacation and tried to remote into my home network, only to find that it would not work.

I was understandably confused because I hadn’t changed my configurations at all.  And having something like this break is a bit scary, precisely because it is so difficult to get a router set up and configured just the way you want it.

Anyway, when I got home, I decided to begin troubleshooting.

One thing I noticed was that UPnP was mapping ports 4500 and 4501 to computers on my network.  But why?  I ignored this for a bit and played around with uninstalling and reinstalling openswan (an IPSec implementation).  Oddly, it worked after I reinstalled it, but stopped working a few minutes afterwards.

This led me back to trying to figure out what was going on with those ports. I eventually figured out with an IP scanner (AngryIP) that the machines the ports were being mapped to were my Macs. That nailed it down. I discovered that port 4500, used by IPSec, was getting remapped via UPnP for the Back to My Mac service. I care more about my VPN than I do about that feature, so I blocked that port from being remappable on the UPnP side.
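As an added check, not part of the original post: a small Python script that parses a UPnP port-mapping listing from the router and flags any mapping that hands one of the IPSec ports (UDP 500 for IKE, UDP 4500 for NAT traversal) to a host other than the VPN server. The listing layout is assumed to be the one miniupnpc's `upnpc -l` prints; the sample listing, the `192.168.1.x` addresses and the `VPN_SERVER` value are constructed placeholders.

```python
"""Flag UPnP port mappings that collide with the ports an IPSec VPN must
receive on the router's WAN side.

Added example, not code from the original post. The listing format is
assumed to match miniupnpc's `upnpc -l` output; the sample is constructed.
"""
import re
import sys
from dataclasses import dataclass

# Ports an IPSec VPN needs delivered to the VPN host:
# UDP 500 (IKE) and UDP 4500 (IKE/ESP NAT traversal).
IPSEC_PORTS = {("UDP", 500), ("UDP", 4500)}

# Placeholder: the LAN address of the VPN server (constructed value).
VPN_SERVER = "192.168.1.2"

# Constructed sample in the layout of `upnpc -l` (assumed):
#  i protocol exPort->inAddr:inPort description remoteHost leaseTime
SAMPLE_LISTING = """\
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 UDP  4500->192.168.1.23:4500 'Back to My Mac' '' 0
 1 UDP  4501->192.168.1.24:4500 'Back to My Mac' '' 0
 2 TCP  8080->192.168.1.10:80 'webcam' '' 0
"""

# One mapping line: index, protocol, external port, internal host:port,
# then the quoted description. Header and blank lines do not match.
LINE_RE = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?P<proto>TCP|UDP)\s+(?P<ext>\d+)->"
    r"(?P<host>[\d.]+):(?P<internal>\d+)\s+'(?P<desc>[^']*)'"
)


@dataclass(frozen=True)
class Mapping:
    proto: str
    ext_port: int
    host: str
    int_port: int
    desc: str


def parse_listing(text):
    """Turn a port-mapping listing into Mapping records."""
    mappings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            mappings.append(Mapping(m["proto"], int(m["ext"]), m["host"],
                                    int(m["internal"]), m["desc"]))
    return mappings


def find_vpn_conflicts(mappings, vpn_server):
    """Return mappings whose external protocol/port is one the IPSec VPN
    needs, but which deliver that traffic to a host other than vpn_server."""
    return [m for m in mappings
            if (m.proto, m.ext_port) in IPSEC_PORTS and m.host != vpn_server]


def main():
    # Read a real listing from a pipe (e.g. `upnpc -l | python3 this.py`),
    # otherwise fall back to the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    conflicts = find_vpn_conflicts(parse_listing(text), VPN_SERVER)
    if not conflicts:
        print("no UPnP mapping steals an IPSec port from", VPN_SERVER)
    for m in conflicts:
        print(f"CONFLICT: {m.proto}/{m.ext_port} -> {m.host}:{m.int_port} "
              f"({m.desc!r}) should go to {VPN_SERVER}")


if __name__ == "__main__":
    main()
```

On the sample, only the first entry is reported: external UDP 4500 has been handed to a Mac instead of the VPN server, which is exactly the symptom described above. The second entry lands on external port 4501, so it does not take anything away from the VPN, and the TCP mapping is irrelevant to IPSec. The fix on the router side is the one the post describes: refuse UPnP mappings for these ports (or disable UPnP) so that the static forward to the VPN server is never overridden.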

I guess Apple isn’t exactly worrying about this sort of scenario for most users, but I think it’s a bit presumptuous to lock down that port when it has a very common alternate usage.

This entry was posted in Apple, Uncategorized.
