Maclive.net:: Setup Mac OS X VPN Server for Mac & XP Clients
December 29, 2005
Mac OS X Server has included VPN support for some time and, in true Apple fashion, it brings simplicity to a complicated and technical server function. A Virtual Private Network, or VPN, securely connects two networks, or a single host and a network, across the internet by building an encrypted tunnel between two endpoints. Everything passed in either direction travels inside the tunnel, which keeps it safe from prying eyes as it crosses the insecure internet. The endpoints handle all of the encryption and decryption, so once the tunnel is established, network communication is seamless to users.
In many cases a VPN connects two routers and effectively bridges two networks. For a telecommuter, the home router might establish a tunnel with a corporate router so that the home user can reach services on the company network; in that scenario the two routers are the tunnel endpoints. Router-to-router VPNs are often difficult to configure, especially when one endpoint is an enterprise-class device such as those from Cisco, and they are often hardware assisted, since such routers contain dedicated hardware for processing VPN traffic.
Mac OS X Server has the ability to create software based VPN tunnels. Combine that with the VPN client software built into the client version of Mac OS X and you have a very powerful and easy to configure VPN solution.
Consider this scenario. A corporation runs Mac OS X Server on its network, and a number of mobile users need to reach internal systems. Once the Mac server is properly configured, the remote users can establish a VPN tunnel between their own machine and the corporate network using nothing more than software already built into their operating system, and once the tunnel is up, all of the information exchanged between the remote user and the office network is encrypted.
In this article, we will set up Mac OS X 10.4 Server to function as a VPN server. We will also look at the client configuration needed to connect to that server from Mac OS X 10.4 client (the non-server version of the OS) as well as from Windows XP.
Server:
The server must be running Mac OS X Server (10.4.3 as of this writing). The VPN server capabilities are not built-in to the client version of the OS.
Open Server Admin, located here on your drive: /Applications/Server. Connect to the server using its IP address and the proper username and password. Once you do, you will see a list of services available on that machine. Click on VPN and the VPN settings will appear on the right.

Select the L2TP tab and use the image above as an example. Note that the IP addresses used in the image are for example only.
When a remote user connects to the internet, they receive an IP address from their service provider. When the VPN tunnel is negotiated, the server assigns the client a second address from the corporate network. The client binds that address to a new PPP interface for the tunnel while keeping the ISP address on its physical interface, so a connected VPN client actually has two addresses: one from the ISP and one from the corporate network.
The VPN server hands out these addresses dynamically from a pool, which is what this screen specifies: the starting and ending addresses the server may assign to connecting clients. When a client disconnects, its address returns to the pool for future clients. It is essential that no address in the pool is used by any other computer on the corporate network, including the range your DHCP server hands out; otherwise two machines will claim the same address and neither will be able to reach the network.
Set PPP Authentication to MS-CHAPv2 and specify a Shared Secret. The Shared Secret is the IPSec pre-shared key that every L2TP client must present before the tunnel is even negotiated, so make it long and random rather than a dictionary word; the longer and less predictable it is, the better. The three weakest parts of this VPN are the username and password a user connects with and the Shared Secret: anyone who can guess them can establish a tunnel. With PPTP it is worse still, because the MPPE encryption keys are derived from the MS-CHAPv2 exchange, which in turn depends on the user's password, so a weak password weakens the tunnel's encryption and not just its login.

Next, select the PPTP tab. Just as before, you must specify a pool of addresses for VPN users who connect using PPTP; keep it separate from the L2TP pool.
Under Mac OS X Server, Mac clients connect using L2TP over IPSec; in this article, Windows XP clients connect using PPTP. L2TP over IPSec is the more cryptographically sound of the two: the PPP session is carried inside an IPSec ESP tunnel whose keys come from the IKE negotiation, whereas PPTP protects the session only with MPPE keys derived from the MS-CHAPv2 exchange. Windows XP's built-in client can also do L2TP/IPSec (later service packs let it authenticate with a pre-shared key rather than a certificate), but its IPSec settings are fiddly and behave poorly behind NAT, so PPTP is what is shown here.

Finally, select the Client Information tab.
Here we specify the DNS servers that clients use once they have connected. Many corporations run internal DNS servers for names that do not resolve on the public internet, and the servers listed here are the ones VPN clients will query while the tunnel is up.
Under Network Routing Definition we set the rules for VPN routing. In my example the corporate network is 66.62.25.0/24 (a Class C, 66.62.25.0 through 66.62.25.255). The screenshot enters the Network Address as 66.62.25.22, but it should be entered as 66.62.25.0: with a Network Mask of 255.255.255.0 the entry describes the whole /24, and 66.62.25.0 is that network's address, whereas 66.62.25.22 is a host on it. The final key value is the Network Type, set to Private. This means any traffic to or from the client destined for 66.62.25.x is considered internal and goes down the tunnel; anything not covered by a Private definition is routed over the client's normal internet connection instead (split tunnelling). This is why the VPN client keeps its ISP-assigned address alongside the one the VPN server assigns.
Lastly, a user account must be created on the server. This is done through Workgroup Manager, an application in the same directory as Server Admin. Set a strong password on the account; the username and password you create here are the credentials the remote user will type to log in to the VPN.
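Two of the settings above are easy to get subtly wrong: the address pools (which must not collide with anything else on the LAN) and the Network Routing Definition (which wants a network address, not a host address). The following is an added example, not code from the original article or from Apple's Server Admin: it checks a pool layout against the LAN and shows how a Private definition decides which destinations go down the tunnel. It reuses the article's 66.62.25.0/24 network and 66.62.25.22 server; the DHCP scope, static hosts and pool ranges are constructed here for illustration and are not from the article.

```python
"""Sanity checks for the VPN address pools and routing definition.

Added example (not from the original article or Apple's tools).  The network
66.62.25.0/24 and server 66.62.25.22 come from the article; the DHCP scope,
static hosts and pool ranges below are constructed assumptions.
"""
import ipaddress


def pool_addresses(start, end):
    """Expand a 'starting address .. ending address' pool into a set."""
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if first > last:
        raise ValueError(f"pool {start}-{end}: start is after end")
    return {ipaddress.ip_address(n) for n in range(int(first), int(last) + 1)}


def check_pools(lan, reserved, pools):
    """Return the problems a pool layout would cause on the LAN.

    lan      -- the corporate network, e.g. '66.62.25.0/24'
    reserved -- addresses already in use (DHCP scope plus static hosts)
    pools    -- {'L2TP': ('start', 'end'), 'PPTP': ('start', 'end')}
    Every pool must lie inside the LAN, and no address may appear in two
    pools or collide with an existing host (the article's 'conflicts').
    """
    lan = ipaddress.ip_network(lan)
    problems, claimed = [], set()
    for name, (start, end) in pools.items():
        addrs = pool_addresses(start, end)
        outside = sorted(a for a in addrs if a not in lan)
        if outside:
            problems.append(f"{name} pool leaves {lan}: {outside[0]} ...")
        clash = sorted(addrs & claimed)
        if clash:
            problems.append(f"{name} pool overlaps another pool at {clash[0]}")
        taken = sorted(addrs & reserved)
        if taken:
            problems.append(f"{name} pool collides with LAN hosts at {taken[0]}")
        claimed |= addrs
    return problems


def routing_definition(address, mask):
    """Normalise a Network Routing Definition entry to its network address.

    Entering 66.62.25.22 with mask 255.255.255.0 describes 66.62.25.0/24;
    the network address is what belongs in the Network Address field.
    """
    return ipaddress.ip_network(f"{address}/{mask}", strict=False)


def path_for(destination, private_networks):
    """Decide where the client sends a packet under split tunnelling.

    Destinations inside a 'Private' definition go down the tunnel; anything
    else leaves through the ISP-assigned address on the physical interface.
    """
    dst = ipaddress.ip_address(destination)
    return "vpn" if any(dst in net for net in private_networks) else "isp"


# Constructed sample layout (an assumption, not the article's real network).
LAN = "66.62.25.0/24"
IN_USE = (pool_addresses("66.62.25.1", "66.62.25.99")        # static hosts
          | pool_addresses("66.62.25.100", "66.62.25.199"))  # DHCP scope
POOLS = {"L2TP": ("66.62.25.200", "66.62.25.219"),
         "PPTP": ("66.62.25.220", "66.62.25.239")}
BAD_POOLS = {"L2TP": ("66.62.25.190", "66.62.25.219"),   # runs into the DHCP scope
             "PPTP": ("66.62.25.210", "66.62.26.5")}     # overlaps L2TP, leaves the /24

if __name__ == "__main__":
    print("good layout:", check_pools(LAN, IN_USE, POOLS) or "no problems")
    for problem in check_pools(LAN, IN_USE, BAD_POOLS):
        print("bad layout: ", problem)
    private = [routing_definition("66.62.25.22", "255.255.255.0")]
    print(private[0], path_for("66.62.25.40", private), path_for("198.51.100.7", private))
```

Run it before committing a pool layout to Server Admin; the "bad layout" case shows the three failure modes (pool outside the subnet, two pools overlapping, pool colliding with the DHCP scope) that each produce the "neither user can reach the network" symptom described above.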
Mac OS X VPN Client Configuration:
The Mac VPN client is much easier to configure than the Windows XP equivalent.

In Internet Connect (in /Applications), select New VPN Connection from the File menu, then choose L2TP over IPSec and continue.

A new profile will open. Don't fill in the information on this screen. If you do, you will miss one vital piece of information: there is no place here to specify the Shared Secret, and without it the tunnel will never establish. Instead, select Edit Configurations from the Configuration menu.

Fill in the fields with the appropriate information. The description can be anything you want. The Server Address is the IP address of the Mac VPN server. The Account Name and Password are the login you created for the user in Workgroup Manager. Be sure to enter the same Shared Secret that you used when you set up L2TP on the VPN server.
VPN On Demand is a new feature in 10.4. When you enable this feature, you are required to list domains that will trigger activation of the VPN tunnel when you try to access them.
When you click OK, your client is all set.
It is worth looking at the advanced options under the Connect menu, then Options. One of them sends all traffic over the VPN, a full tunnel rather than the split tunnel described above. Normally you would not want this, because every byte the client sends or receives then has to cross the corporate internet connection. But if you are on the road using a hotspot or other public wireless network, it is a good idea to enable it: all of your traffic is then encrypted between your machine and the VPN server, so other users sniffing the wireless network see nothing useful.
Windows XP VPN Client Configuration:
Windows XP also has a built-in VPN client, but its configuration is considerably more involved than the Mac's, and it is shown here using PPTP, the weaker of the two protocols. This requires that you enabled PPTP on your Mac VPN server as described above.

First of all, right click on My Network Places and choose Properties. You will see a list of your network adapters. Click Create a New Connection on the left.

Select Connect to the Network at My Workplace. It's an odd name, but this is the option that creates a VPN connection.

Select Virtual Private Network Connection and click Next.

Give your VPN connection a logical name. Anything that works for you is fine here.

Here you specify the IP address of the Mac VPN server.

Click Finish here. You're not really done yet: we need to make some changes to the VPN adapter's configuration before you can connect to the Mac server.
Now go back to the Network Connections window. A new adapter should have been added to the screen. It will have the name that you gave the VPN connection when you ran the wizard.
Right click on the VPN adapter and select Properties.

Under the General tab, you should see the IP address of the Mac VPN server.

Under Security, select Advanced and then click Settings.

Select the Allow These Protocols radio button and then uncheck every box except Microsoft CHAP Version 2. Leaving the weaker methods (PAP, SPAP, CHAP and MS-CHAP version 1) unchecked means the connection cannot fall back to them.

Now select the Networking tab and set the Type of VPN menu to PPTP VPN. Click OK and you are done configuring the client. To connect, double click the VPN adapter in My Network Places. You will be prompted for your login information; once you click Connect, your computer should negotiate the connection with the Mac server.
Firewalling:
Most corporate VPN servers sit behind a firewall, so for people outside to reach the VPN server, rules must be added to it. In my example, the Mac VPN server is behind a Cisco 2600 series router with its firewall enabled. This access list shows what was opened to allow both L2TP/IPSec and PPTP through to the Mac server:
remark SOFTWARE VPN ACCESS RULES:
permit udp any 66.62.25.0 0.0.0.255 eq isakmp
permit udp any 66.62.25.0 0.0.0.255 eq non500-isakmp
permit esp any 66.62.25.0 0.0.0.255
permit gre any host 66.62.25.22
permit tcp any host 66.62.25.22 eq 1723
Update: 6/5/06 3:20pm
A couple of people have asked for a more user friendly version of the above ACL (Access Control List). The example is directly from a Cisco router. Here's a more conventional explanation of the firewall rules:
permit udp any 66.62.25.0 0.0.0.255 eq isakmp
- allows UDP traffic from anywhere to any address on the 66.62.25.0 subnet if the UDP port is isakmp (port 500)
permit udp any 66.62.25.0 0.0.0.255 eq non500-isakmp
- allows UDP traffic from anywhere to any address on the 66.62.25.0 subnet if the UDP port is non500-isakmp (port 4500, used for IKE NAT traversal and UDP-encapsulated ESP)
permit esp any 66.62.25.0 0.0.0.255
- allows traffic from anywhere to any address on the 66.62.25.0 subnet if the protocol is ESP (protocol #50)
permit gre any host 66.62.25.22
- allows traffic from anywhere to the specific address of 66.62.25.22 if the protocol is GRE (protocol #47)
permit tcp any host 66.62.25.22 eq 1723
- allows traffic from anywhere to the specific address of 66.62.25.22 if the port is 1723 (PPTP)
In some cases you may also need to permit UDP port 1701. L2TP itself runs on UDP 1701, but when the IPSec layer is working that traffic is carried inside ESP and a firewall in front of the server never sees it; a firewall running on the server itself (such as 10.4's firewall service) sees the L2TP packets after they are decapsulated and must allow them. Some users have reported their configurations would not work until they added rules for 1701 (TCP as well as UDP, although L2TP only uses UDP).
The specifics of these rules are beyond the scope of this article.
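The rule set above is short enough to check by eye, but it is also easy to drop one line (most often non500-isakmp) and spend an afternoon wondering why L2TP clients behind NAT cannot connect. The following is an added example, not from the original article or from Cisco: it parses the access list above and reports which of the protocols and ports each tunnel type needs are not permitted to the server. It understands only the subset of extended-ACL syntax the article uses (permit and remark lines, "any", "host A", "A WILDCARD" and "eq PORT"); the L2TP_ON_SERVER set encodes the UDP 1701 point made above for a firewall running on the server itself.

```python
"""Check a Cisco-style ACL for what the Mac VPN service needs.

Added example, not from the original article or from Cisco.  It parses only
the ACL subset used in the article's rule set and reports missing entries for
L2TP over IPSec and for PPTP towards the VPN server.
"""
import ipaddress

# The article's rule set, reproduced here as the sample input.
ARTICLE_ACL = """
remark SOFTWARE VPN ACCESS RULES:
permit udp any 66.62.25.0 0.0.0.255 eq isakmp
permit udp any 66.62.25.0 0.0.0.255 eq non500-isakmp
permit esp any 66.62.25.0 0.0.0.255
permit gre any host 66.62.25.22
permit tcp any host 66.62.25.22 eq 1723
"""

# Cisco port keywords used above; the other rules give numbers directly.
NAMED_PORTS = {"isakmp": 500, "non500-isakmp": 4500}

# (protocol, port) pairs each tunnel type needs at a firewall in front of the
# server.  None means the protocol has no port (ESP is IP protocol 50, GRE 47).
L2TP_IPSEC = {("udp", 500), ("udp", 4500), ("esp", None)}
PPTP = {("tcp", 1723), ("gre", None)}
# A firewall on the server itself also sees the L2TP packets once IPSec has
# decapsulated them, so UDP 1701 must be open there as well.
L2TP_ON_SERVER = L2TP_IPSEC | {("udp", 1701)}


def parse_target(tokens):
    """Consume one address spec and return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # A Cisco wildcard is an inverted netmask: 0.0.0.255 means /24.
    netmask = ipaddress.ip_address(int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), tokens[2:]


def parse_acl(text):
    """Return a list of (action, protocol, src, dst, dst_port) tuples."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "remark":
            continue
        action, proto = tokens[0], tokens[1].lower()
        src, rest = parse_target(tokens[2:])
        dst, rest = parse_target(rest)
        port = None
        if rest[:1] == ["eq"]:
            port = NAMED_PORTS.get(rest[1].lower())
            if port is None:
                port = int(rest[1])
        rules.append((action, proto, src, dst, port))
    return rules


def permits(rules, proto, port, server):
    """First-match evaluation of the ACL for traffic from anywhere to server."""
    server = ipaddress.ip_address(server)
    for action, rule_proto, _src, dst, rule_port in rules:
        proto_ok = rule_proto in (proto, "ip")
        port_ok = rule_port is None or rule_port == port
        if proto_ok and port_ok and server in dst:
            return action == "permit"
    return False  # Cisco ACLs end with an implicit deny


def missing_for(rules, server, needs):
    """Names of the (protocol, port) pairs in needs that the ACL does not permit."""
    return sorted(f"{proto}/{port}" if port else proto
                  for proto, port in needs if not permits(rules, proto, port, server))


if __name__ == "__main__":
    rules = parse_acl(ARTICLE_ACL)
    for label, needs in (("L2TP/IPSec", L2TP_IPSEC), ("PPTP", PPTP),
                         ("L2TP on the server's own firewall", L2TP_ON_SERVER)):
        print(f"{label}: missing {missing_for(rules, '66.62.25.22', needs) or 'nothing'}")
```

Note that the GRE and TCP 1723 rules are written for the single host 66.62.25.22 while the IPSec rules cover the whole /24, so a second VPN server on the same subnet would get L2TP but not PPTP; the checker reports exactly that when asked about another address.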
In my testing of the Mac VPN server, I had some other issues. I attempted to set up the VPN server on my home network so that I could access my files from remote locations. Given the limitations of my Linksys broadband router, I was unable to make the configuration work. I could not establish any rules on the Linksys to allow GRE or ESP traffic as consumer based routers only allow port mapping of TCP and UDP (layer 4 protocols).
Additionally, there may be an issue setting up a Mac VPN server on a corporate network if the address on the VPN server is a NAT’d virtual address. I was able to get a Mac remote client connected through the NAT some time ago, but never had luck connecting with a PC. If you setup a server in this configuration, I am interested in hearing about your experiences. Please leave your comments in the field below.
Closing:
Apple has really made VPN easy with the latest release of its operating systems. With only a little knowledge of the subject, it is easy to get a secure remote connection up and running. In addition to the VPN service, Mac OS X Server includes an Apache based web server, DHCP, mail, DNS, Jabber chat and print servers, and file sharing for both Mac and Windows clients: a wide range of services from a single operating system. I strongly suggest trying it out for yourself!
Read more about Mac OS X Server.
Update: 12/30/05 10:30am
Here's an Apple Tech Note that lists 'TCP and UDP Ports Used By Apple Software Products.' The list includes UDP port 1701 (L2TP) and UDP port 4500 (IKE NAT Traversal). I did not need those in my firewall rules, but several readers have emailed explaining that their VPNs work until they activate 10.4's firewall service on the server. Allowing these ports may resolve the issue. Please post your feedback below.
Update: 1/3/06 7:32am
VPN Servers, and DNS:
When setting up the VPN server, you specify the DNS servers that clients will use when connected. One thing to keep in mind when you choose these addresses: many DNS servers only answer recursive lookups from clients on their own networks. For example, Comcast's DNS servers will not answer lookups from people connecting via AOL.
This is done for a number of reasons, but mainly for security. But it is important to consider this when you specify the DNS servers in the VPN settings. If your VPN server is sitting on your corporate network, be sure to specify the DNS servers that other clients on the corporate network would use. Similarly, if your VPN server is on your home network, specify the DNS servers you would use when you are surfing the web at home (Example: Comcast DNS servers if Comcast provides your internet connection at home). Remember that when clients connect to the VPN server, they receive an IP address from the pool of addresses you specified when you set up the server. Effectively, this makes a VPN user a client of that remote network, and their DNS requests will be made accordingly.
If you connect to the VPN server but find that you cannot connect to any other services once you are there, you can easily determine the problem. If you are entering the name of the remote service but cannot connect, open up the Terminal and try to ping that address via its name. Also try to ping the address via its IP. If you can ping it via the IP and not via the name, odds are the DNS servers you specified are your problem.
When you do this, note the setting of the "Send All Traffic Over VPN Connection" checkbox in the Internet Connect application (Connect menu, then Options). If it is not checked, only hosts on the VPN server's network are reachable through the tunnel, so ping those. If it is checked, you should be able to ping any address that would normally answer.
Network to Network VPN Connections:
This should not be a factor for the client-to-server connections we make with the Mac's VPN server, but the point is worth making. Should you work with router-to-router (network-to-network) VPNs in the future, be mindful of the private address ranges on either side of the tunnel. Most routers default to 192.168.1.x internally, and in a router-to-router VPN each side must use a unique subnet, or the routers cannot tell which side a given address belongs to. For example, if your home router connects to a corporate router and the business uses 192.168.1.x internally, your home network must use a different range, such as 192.168.2.x.
The point should not apply to client to server VPN connections, but I have heard of some users trying to connect to OS X's VPN Server from routers rather than clients. I am not sure how well that works, but this rule will be something to keep in mind.
Update: 1/3/06 1:50pm
One of the cool new features in 10.4's VPN client is the ability to send all traffic over the VPN. As Joe noted in the comments below, this is great for people using public access, like a wireless network at the upcoming MacWorld show. This comment was right on the money, and I thought the idea warranted a little further detail.
Setting the VPN client to send all traffic over the VPN has several advantages and one significant disadvantage. First, the down side.
Disadvantages:
Consider the bandwidth available to your VPN server. A corporate network probably has a symmetric internet connection, meaning the upstream bandwidth equals the downstream; that is the case with the T1 at my office. A VPN server on consumer broadband is probably on an asymmetric link, as DSL and cable modem connections usually are: the downstream might be as high as 8 Mb/s while the upstream is limited to 384 kb/s, which is the case with my cable modem at home.
The problem comes when you route all of your traffic through an asymmetric connection. If the downstream is 8 Mb/s, the upstream is 384 kb/s and my VPN server is on that network, the fastest my VPN client can send or receive is 384 kb/s, because everything the client sends or receives has to cross the server's upstream link once: outbound traffic is forwarded from the server onto the internet over it, and inbound replies are sent back down the tunnel over it. Even if the client's access point offers higher speeds, this bottleneck will keep you from surfing at the speeds you expect, and several VPN users in this situation will use up the available bandwidth much faster than you expect.
Advantages:
As for the advantages, there are many worth considering. Say you are using a wireless hotspot on the MacWorld show floor. Everyone on that same access point has the ability to sniff your traffic unless it is encrypted. That means your mail server's POP3 login is sent in the clear for anyone to literally grab out of thin air, and so are the contents of your email messages. The same goes for your FTP login, or any telnet session.
When you route all traffic through the tunnel, you protect all of that data between you and your VPN server: it is unreadable to anyone on the hotspot or anywhere on the path in between. Once the traffic reaches the VPN server it is decrypted and flows out onto the internet as normal to reach its destination. By then your data is clear of the danger zone at the hotspot, and it is exactly as safe as it would be if you were sitting beside the VPN server, no more: protocols that send passwords in the clear are still in the clear from the server onward, so use SSL/TLS or SSH for them where you can.
This matters because once someone has your email login, they have full control over your email. If you plan on blogging from the show floor, or you consider any of your internet traffic confidential, sending everything through the VPN really is the best way to go.
Update: 2/17/06 11:32am
Several people have reported that once they log in to the VPN, they can contact the VPN server but none of the other clients on the LAN. According to their feedback, enabling the NAT service with IP Forwarding resolved the issue. What the clients need is for the server to forward packets between the tunnel interfaces and the LAN, which is what IP forwarding turns on; enabling the NAT service is simply the easiest way to switch it on from Server Admin. Apparently this is not needed in all situations, but it does correct this issue.
I did need the NAT service when I first used VPN on 10.3.x, but I thought the need had been eliminated in 10.4. Apparently it has only been eliminated in some situations.
Thanks to everyone for their comments and feedback!
Update: 3/7/06 11:15am
I added a note to the above firewall rule set. Some users could not access their VPN's until they opened up TCP & UDP port 1701. This might be necessary in some configurations.
Update: 6/28/06 7:45am
10.4's VPN service is one of the easiest VPN systems to get running. That being said, it can still be a very painful experience. Another software alternative has been released that could solve many users' issues. It won't fit the bill for everyone, but please check out the recent post I did about Hamachi and HamachiX. Hamachi is a powerful VPN alternative and it is very easy to configure and operate.
Hamachi is not a replacement for the VPN services that OS X offers. The Mac OS's VPN capabilities are still a personal favorite. That being said, I also think it's important to look at alternatives as all VPN solutions are not created equal. Hamachi is simply a great example of a powerful alternate solution!
--
Steve
By smanke at 7:31 AM
Comments: 378
By emp on December 29, 2005 at 2:25 PM
Thanks! Nice tutorial, I could never figure out why I couldn't get the OS X client to connect until now. It works when my firewall in Server Admin is disabled, and I have it set to allow
By emp on December 29, 2005 at 10:46 PM
(continued from above)... VPN connections, but whenever I enable the firewall, it can't establish a connection. What do I need to change?
By smanke on December 30, 2005 at 10:47 AM
I just posted an update to the story above. It links to an Apple Tech Note that details the ports used in Mac software. Let me know how this works for you.
By Joe on December 30, 2005 at 11:10 PM
Very cool. Thank you for this timely tutorial. It will be nice to have secure access to files stored at my office while attending Macworld in just over a week. I was able to get PPTP to work, but attempting to connect via L2TP says the server is not responding. I set up port forwarding on my router to ping the server, I enabled both VPN protocols, and I do not have the firewall turned on. Not sure what I missed configuring L2TP. Anyway, I'm happy PPTP works, and I was even able to test it using my mobile phone modem connected to my PowerBook via Bluetooth. Thanks again.
By John C. Randolph on December 31, 2005 at 3:07 AM
Interesting to see how clunky the Windows client configuration is, compared to the Mac. Not surprising, just interesting.
By Elliot on December 31, 2005 at 11:24 AM
Thanks for the timely tutorial, we've been trying to get this running on and off for the past few months. Oddly this tutorial doesn't work for me. The Mac to Mac side is all fine, but XP just tries to verify the username and password and then fails.
The log file on the server looks roughly like this:
Sat Dec 31 12:18:12 2005 : PPTP incoming call in progress from '151.203.158.130'...
Sat Dec 31 12:18:12 2005 : PPTP connection established.
Sat Dec 31 12:18:12 2005 : using link 0
Sat Dec 31 12:18:12 2005 : Using interface ppp0
Sat Dec 31 12:18:12 2005 : Connect: ppp0 <--> socket[34:17]
Sat Dec 31 12:18:12 2005 : sent [LCP ConfReq id=0x1 ]
Sat Dec 31 12:18:15 2005 : sent [LCP ConfReq id=0x1 ]
Sat Dec 31 12:18:18 2005 : sent [LCP ConfReq id=0x1 ]
Sat Dec 31 12:18:21 2005 : sent [LCP ConfReq id=0x1 ]
Sat Dec 31 12:18:24 2005 : sent [LCP ConfReq id=0x1 ]
Sat Dec 31 12:18:27 2005 : sent [LCP ConfReq id=0x1 ]
Sat Dec 31 12:18:30 2005 : sent [LCP ConfReq id=0x1 ]
Sat Dec 31 12:18:33 2005 : sent [LCP ConfReq id=0x1 ]
Sat Dec 31 12:18:36 2005 : sent [LCP ConfReq id=0x1 ]
Sat Dec 31 12:18:39 2005 : sent [LCP ConfReq id=0x1 ]
Sat Dec 31 12:18:42 2005 : LCP: timeout sending Config-Requests
Sat Dec 31 12:18:42 2005 : Connection terminated.
Sat Dec 31 12:18:42 2005 : PPTP disconnecting...
Sat Dec 31 12:18:42 2005 : PPTP disconnected
2005-12-31 12:18:42 EST --> Client with address = 10.0.100.125 has hungup
If anyone has any clue what's going on, we'd really like to know as this has stumped us for months. Thanks again.
By emp on December 31, 2005 at 4:40 PM
thanks smanke, enabling ESP and GRE in the firewall was the trick.
By smanke on January 1, 2006 at 4:26 PM
Elliot, from what I gather from the debug info you posted, it looks like your VPN server is behind a NAT of some sort (is 10.0.100.125 the client or the server?).
I was not able to get PPTP working when my VPN server was behind a NAT (only L2TP worked through the NAT). I am not sure why this fails, but from what I have read, it has something to do with the changes made to packets when they pass through the NAT. It may be a limitation of PPTP.
By Elliot on January 1, 2006 at 5:37 PM
smanke, thanks, the machine has an external static address, but that is NATted as you guessed. I'll have to look into that more closely.
By Urme on January 3, 2006 at 1:56 AM
Hi,
I got my VPN connection to work, I have an OS X 10.4 server and a 10.3 client. But I can't access the network where the 10.4 server is located, I can only access that server. I can't surf the internet either with my client, even though I set the DNS servers and routed the traffic in "Client information".
I routed it like this:
192.168.1.0 255.255.255.0 Private
213.xxx.xx.0 255.255.255.0 Private
Really strange, I'm using PPTP btw.
By Andy on January 3, 2006 at 6:40 AM
Hi, thanks for your time. I've been using L2TP successfully for a year with my server (10.3) behind a USR 8000A-02 broadband router with 500, 1701 & 4500 open. A few weeks ago the router broke. Since then I have been using my Airport Base Station as router, but I was not able to get L2TP working: 500, 1701 and 4500 are forwarded to the server, but if I scan from the WAN side they all seem to be closed. Then I tried PPTP (forwarding 1723) and the VPN connection between server & client was established, but I can't AFP or FTP to the server.
By smanke on January 3, 2006 at 9:58 AM
Urme,
I'm not sure the problem is in your routing rule. I just posted an update to the end of the story above (under today's date). I think you will want to check your DNS server settings. I think the problem might be recursion as I detail above.
Still, once you connect to the VPN server, you should be able to ping other machines on that same network. If you can't, you might want to remove the rule for the 213.xxx.xxx.0 network and see what happens. Depending on your router config, that could be a problem.
By smanke on January 3, 2006 at 10:13 AM
Andy,
I'm not sure if this will help, but Apple has added a new feature to the Airport if you are running the latest firmware and running 10.4 on your machines. Open the Airport Admin Utility and Base Station Options. There is a checkbox to "Enable NAT Port Mapping Protocol." I'm not very familiar with this new feature, but it seems to be Apple's version of UPnP.
It would be interesting to see if this has any effect on your problem. It seems that the cause is unique to the Apple hardware.
If you restrict access based on MAC address, you might want to remove those rules to help troubleshoot the problem.
Please let me know if you resolve the problem. I can see this sort of thing being an issue for others as well.
By Andy on January 3, 2006 at 10:42 AM
Smanke, thanks for your answer. I tried "Enable NAT Port Mapping Protocol" a few days ago but nothing changed. Yes, my Airport Base Station restricts access based on MAC address, but only for Wi-Fi. I think that I will buy a D-Link router....
By smanke on January 3, 2006 at 2:41 PM
I have updated the story to further explain the advantages and disadvantages of routing all internet traffic over the VPN connection.
If you travel a lot, or you plan on attending the upcoming MacWorld Expo, please check out the notes I just added to the end of the article.
By dcrumbine on January 6, 2006 at 9:55 PM
I was having the same problem as Elliot outlines (VPN through NAT to an internal VPN server) and when I port forwarded UDP 500 (ISAKMP/IKE for Mac OS X Server VPN service) to my VPN server L2TP works just fine! PPTP still doesn't work but this is a big step forward. Hope that helps, Elliot. And thanks for this really well-written article, Steve!
By Andy on January 8, 2006 at 7:04 PM
Finally I bought a Linksys BEFX41. Now L2TP is working again. I'm quite sure the Airport Base Station is not compatible with VPN; something is wrong with port forwarding.
By Tadd on January 17, 2006 at 3:56 PM
Hello. I'm running a Netgear FVS318 ProSafe firewall router with OS X 10.3.9 Server VPN. I've tried opening all the ports for the VPN server, and I still can't get the thing to connect. If I try from within my network I'm golden, but once I go on the other side of my firewall it doesn't work. Could it just be a crappy firewall, and should I look into getting a better one? Or am I missing the wrong ports? Here's how I have it so far:
1023: TCP
1701: TCP/UDP
1723: TCP/UDP
500: TCP/UDP
4500: TCP/UDP
10000: UDP
Thanks for all the help!
By Jamie on January 17, 2006 at 5:47 PM
This is truly a great tutorial. Thank you so much for posting this.
I've got almost everything working just fine on my set-up except for Windows XP clients. They are able to see the LAN, but unable to connect to the internet. I believe that I have everything set up correctly. The one thing that I'm a little soft on is the Network Routing Definition and I'm hoping this is what's causing my problem.
I'm using all private IPs mapped through my router, so my router IP is 192.168.0.254 with a subnet mask of 255.255.255.0. All of the network clients have IP addresses from 192.168.0.1 to 192.168.0.100. For the L2TP clients, I've set up 192.168.0.230 to 240 and for the PPTP clients, 192.168.0.241 to 250. So in the Network Routing Definition, what IP address would I want to place in there? And, is this what's causing my problem with XP clients? If not, what should I look at next?
Thanks
Jamie
By Steve on January 17, 2006 at 8:59 PM
Tadd,
It looks like you have everything set. Are you trying L2TP or PPTP? As long as you are using L2TP from a Mac, you should be able to connect. PPTP does not seem to work because NAT routers normally don't allow us to map protocols other than TCP and UDP. PPTP needs GRE and ESP.
By Steve on January 17, 2006 at 9:01 PM
Jamie,
You should only have to set up 192.168.0.0 with a 255.255.255.0 subnet and mark it as private. After that, your secure traffic should go through the VPN and the rest should go over your normal internet connection.
I did have someone tell me that they made one other change to the PPTP setup. Go into the Properties on the VPN network connection and click on the Networking tab. Then double click on TCP/IP. Next click Advanced and uncheck the box for Use Default Gateway On Remote Network. From what I understand, this prevents all of the traffic from flowing through the VPN connection.
Let me know if that works for you.
By Steve on January 17, 2006 at 9:02 PM
Andy,
Thanks for the update. That's good to know. Hopefully Apple will correct the problem in a future update of the firmware.
By Tadd on January 18, 2006 at 8:59 AM
Hi Steve, thanks for the quick reply. I did test it using L2TP off of a Mac running 10.4.2 and I still got a timeout error. I do have a couple of Windows machines, but that's not critical since I can still SSH into the server with any of the Windows boxes if necessary. This Netgear firewall has a VPN "wizard" which may be a problem too. Thanks again.
By Jamie on January 18, 2006 at 3:32 PM
Hey Steve,
Thanks for the reply. I've tried as you suggested. I've got the
Network Routing definition set up with 192.168.0.0, mask as 255.255.255.0 and Private. And
no go. Still can only see the LAN, but not the Internet.
I then tried turning
off the "Use Default Gateway in Remote Network" setting on the XP. With this done, I can
then see the internet, but then I can't see the LAN.
So at this point, using
Windows XP I can have the LAN or the WAN, but not both at the same time. On the Mac, I
have both, at the same time, no problems.
Any other suggestions?? Or just tell
this Windows user to switch, which would be the right thing to do for more reasons than
just this.
Thanks again for your reply and any additional help you can give.
Jamie
By smanke on January 18, 2006 at 4:32 PM
Jamie,
When in doubt, dump Windows. It's always the safest means to an end.
:-)
It's odd. I think that somewhere in all of this, the PC just isn't finding
the gateway when the VPN is connected. I think there is a way to force this by setting a
route at the command line, but I'm not sure of the command.
I have a friend that
can do magic with this stuff. I will ask him to take a look at your notes and see if he
has any ideas.
By Jamie on January 18, 2006 at 5:12 PM
Oh dear God, I wish I could get rid of every windows machine in this place. Life would
be much easier.
Thanks for asking your friend to look at this for me. Any advice
they could give would be much appreciated.
And thanks again for your help.
Jamie
By Matt on January 18, 2006 at 6:50 PM
Jamie,
Couple of questions:
1) Do you have DNS servers set up in your "Client Information" section?
2) What method are you using to test access to either the LAN or the Internet?
By default Windows XP will have that "Use default gateway on remote network" checked.
What this does is make the default route of the Windows machine the VPN tunnel, sending
all traffic to the Mac VPN server. So in this configuration you should be able to access
the LAN and the Internet over the VPN tunnel. When you uncheck that box in the Windows VPN
client setup, that allows for split tunneling (only traffic destined for the remote LAN
will go over the tunnel), which should also allow your XP box to access the LAN (via the
tunnel) and the Internet via the default gateway of the XP machine.
It might be helpful to take a look at the routing table on the XP machine
before and after connecting to the VPN server to see what changes. To do this just open a
command prompt and type "route print", this should display all routing information. In a
default configuration you should see a couple things happen, once connected to the VPN
server you should see a route entry for the IP address assigned to XP from the VPN server
pointing to the IP address of the server. You should also see an entry for the remote LAN
pointing to the assigned IP address in XP. Then you should also see a new entry for the
default route (0.0.0.0) also pointing to the assigned IP. You should notice that the new
default route has a metric of 1, which should be lower than the default gateway already
in XP (usually 20).
If that all works fine you might want to take a look at the
routing info on the VPN server to make sure that's all ok as well.
Hope this
helps.
Matt
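To make the before/after comparison Matt describes mechanical rather than by eye, here is an added example (not from the original post or its author) that parses two XP `route print` captures and reports whether the VPN tunnel has become the default gateway. The captures are constructed; the VPN-assigned address 192.168.0.241, the remote LAN 192.168.0.0/24, the home LAN 192.168.2.0/24 and the server's public address 203.0.113.5 are hypothetical.

```python
"""Added example: compare Windows XP `route print` output before and after a
VPN connection to see which gateway now carries default (Internet) traffic.
Sample captures are constructed; all addresses are hypothetical."""
import ipaddress
import re
from typing import Dict, List, NamedTuple, Optional


class Route(NamedTuple):
    destination: str
    netmask: str
    gateway: str
    interface: str
    metric: int


# One row of the "Active Routes" table printed by XP's `route print`:
# Destination  Netmask  Gateway  Interface  Metric
ROUTE_ROW = re.compile(
    r"^\s*(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})"
    r"\s+(\d+(?:\.\d+){3})\s+(\d+)\s*$"
)

BEFORE = """\
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.2.1    192.168.2.10       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1        1
      192.168.2.0    255.255.255.0     192.168.2.10    192.168.2.10       20
     192.168.2.10  255.255.255.255        127.0.0.1       127.0.0.1       20
Default Gateway:       192.168.2.1
===========================================================================
"""
# Rows the VPN adds: the remote LAN via the tunnel, a host route for the
# tunnel address, and a host route to the server's public address via the
# home gateway so the tunnel's own packets do not loop into the tunnel.
VPN_ROWS = (
    "      192.168.0.0    255.255.255.0    192.168.0.241   192.168.0.241        1\n"
    "    192.168.0.241  255.255.255.255        127.0.0.1       127.0.0.1       50\n"
    "      203.0.113.5  255.255.255.255      192.168.2.1    192.168.2.10        1\n"
)
# Extra default route, present only when "Use default gateway on remote
# network" is checked (XP's default): its metric 1 beats the LAN gateway's 20.
VPN_DEFAULT_ROW = (
    "          0.0.0.0          0.0.0.0    192.168.0.241   192.168.0.241        1\n"
)
AFTER_FULL_TUNNEL = BEFORE + VPN_DEFAULT_ROW + VPN_ROWS
AFTER_SPLIT_TUNNEL = BEFORE + VPN_ROWS


def parse_route_print(text: str) -> List[Route]:
    """Extract the Active Routes rows; header and footer lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_ROW.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            routes.append(Route(dest, mask, gw, iface, int(metric)))
    return routes


def best_default_route(routes: List[Route]) -> Optional[Route]:
    """The 0.0.0.0/0 route XP will actually use: the one with the lowest metric."""
    defaults = [r for r in routes if r.destination == "0.0.0.0" and r.netmask == "0.0.0.0"]
    return min(defaults, key=lambda r: r.metric) if defaults else None


def analyse_vpn_routes(before: str, after: str, vpn_address: str,
                       remote_lan: str) -> Dict[str, object]:
    """Diff the two captures and say whether Internet traffic now goes
    through the tunnel (full tunnel) or still via the local gateway (split)."""
    added = sorted(set(parse_route_print(after)) - set(parse_route_print(before)))
    default = best_default_route(parse_route_print(after))
    lan = ipaddress.ip_network(remote_lan)
    lan_via_vpn = any(
        r.interface == vpn_address
        and ipaddress.ip_network(f"{r.destination}/{r.netmask}", strict=False) == lan
        for r in added
    )
    full_tunnel = default is not None and default.interface == vpn_address
    return {
        "added_routes": added,
        "default_metric": default.metric if default else None,
        "default_via_vpn": full_tunnel,
        "remote_lan_via_vpn": lan_via_vpn,
        "mode": "full tunnel" if full_tunnel else "split tunnel",
    }


if __name__ == "__main__":
    for box, capture in (("checked", AFTER_FULL_TUNNEL), ("unchecked", AFTER_SPLIT_TUNNEL)):
        result = analyse_vpn_routes(BEFORE, capture, "192.168.0.241", "192.168.0.0/24")
        print(f"'Use default gateway on remote network' {box}: {result['mode']}, "
              f"default metric {result['default_metric']}")
```

In the full-tunnel case Internet traffic only works if the server forwards or NATs it, which is the situation Jamie describes (LAN reachable, Internet not).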
By Richard on January 26, 2006 at 5:16 PM
Hi
I am trying to set up VPN from a remote desktop running OS X 10.4 to our
office network on 10.4 Server. I have set most of it up as described above, but I do not
understand what I should enter in the client info part of the server VPN settings.
I have an outside fixed IP address (don't know if that is relevant), broadband line coming
through a router, going straight to the server with IP address of 192.168.1.100.
The internal network, fed off the server, has IP addresses 192.168.2.2 - 192.168.2.127.
The allocated addresses for the VPN are 192.168.2.128 - 192.168.2.254. The internal
address of the server is 192.168.2.1.
Can you please tell me what I put in the three client
info fields - 1. DNS servers. 2. Search domains. 3. Network Routing Definition.
I
would be most grateful for any help you can give.
Thanks
Richard
By smanke on January 27, 2006 at 5:04 PM
Richard,
1. DNS Servers: Put in the DNS server IP addresses that you use on the
workstations that are already located on the LAN.
2. Search Domains: I leave this
empty.
3. Set that to 192.168.1.0 255.255.255.xxx Private. Where .xxx, replace
with the correct subnet for your LAN. I don't recall what it would be if you are only
using 192.168.1.1-.127. You should be able to check one of your other workstations to
find that, or check your DHCP server for the info.
Then, in the VPN clients, you want to point them to the outside routable IP that NAT
converts the internal 192.168.1.100 address to.
I hope that helps.
By smanke on January 27, 2006 at 5:06 PM
Richard,
Correction. I see what your subnet is. You want to use a subnet of
255.255.255.0 where I indicated 255.255.255.xxx. I read through your info too quickly and
missed the note that the rest were addresses for your VPN pool.
By Richard on February 2, 2006 at 5:36 PM
Thanks for your help. Unfortunately we still cannot get the connection to work.
Why on earth does this have to be so complicated?
Regards
By Richard on February 6, 2006 at 10:41 AM
Another thought - would the router at either end be the problem? Does the firewall need
to be disabled on the router, or any other settings changed? I read somewhere about port
forwarding. What is that? Thanks for taking the time to read this and any help is
appreciated.
By smanke on February 6, 2006 at 10:52 AM
Richard,
Assuming you are using a NAT router, you must set up the proper port
forwarding in order to get this working.
In the example posted in the story, I explained that these rules were added to my
firewall in order to allow access:
permit udp any 66.62.25.0 0.0.0.255 eq isakmp
permit udp any 66.62.25.0 0.0.0.255 eq non500-isakmp
permit esp any 66.62.25.0 0.0.0.255
permit gre any host 66.62.25.22
permit tcp any host 66.62.25.22 eq 1723
If you are using a NAT router, the only ports you can map are for TCP and UDP. You won't
be able to do the ESP or GRE, so you won't be able to use PPTP. But if you map the TCP and
UDP ports for the OS X VPN server, you will be able to use L2TP Over IPSec.
Note that the example lists permit udp any 66.62.25.0 0.0.0.255 eq isakmp. ISAKMP is
really UDP port 500.
I am betting this is what has been keeping you from getting the VPN server functions.
Without the port maps, all of the traffic will just bounce off the firewall.
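The point about home NAT routers only mapping TCP and UDP can be checked mechanically. Here is an added example (not from the original post or its author) that parses the ACL lines quoted above into (protocol, port) requirements and reports, per VPN type, what a given router cannot satisfy; the port-name table, the requirement sets and the two router capability sets are my assumptions, the ACL text is the thread's own.

```python
"""Added example: translate Cisco-style ACL rules into (IP protocol, port)
requirements and check which VPN flavours a router can carry when it can
only forward TCP and UDP. ACL lines are the thread's; everything else is
an assumption made for this example."""
import ipaddress
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

# Service names Cisco IOS accepts after "eq" that appear in the thread.
ACL_PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}

# What each VPN type needs to reach the server (protocol, port or None):
#  - PPTP: a TCP/1723 control connection plus GRE (IP protocol 47) for data.
#  - L2TP over IPsec through NAT: IKE on UDP/500, NAT-T on UDP/4500 (the ESP
#    packets travel inside it), and L2TP itself on UDP/1701.
VPN_REQUIREMENTS: Dict[str, Set[Tuple[str, Optional[int]]]] = {
    "PPTP": {("tcp", 1723), ("gre", None)},
    "L2TP/IPsec": {("udp", 500), ("udp", 4500), ("udp", 1701)},
}

HOME_NAT_ROUTER = {"tcp", "udp"}             # can only map TCP/UDP ports
CISCO_ROUTER = {"tcp", "udp", "gre", "esp"}  # can permit whole IP protocols

THREAD_ACL = """\
permit udp any 66.62.25.0 0.0.0.255 eq isakmp
permit udp any 66.62.25.0 0.0.0.255 eq non500-isakmp
permit esp any 66.62.25.0 0.0.0.255
permit gre any host 66.62.25.22
permit tcp any host 66.62.25.22 eq 1723
"""


class AclRule(NamedTuple):
    action: str
    protocol: str
    destination: str        # CIDR
    port: Optional[int]     # None when the rule has no "eq" clause


def wildcard_to_cidr(addr: str, wildcard: str) -> str:
    """Cisco wildcard masks are inverted netmasks: 0.0.0.255 -> /24."""
    host_bits = bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return str(ipaddress.ip_network(f"{addr}/{32 - host_bits}", strict=False))


def parse_acl(text: str) -> List[AclRule]:
    """Parse 'permit <proto> any <dest> [eq <port>]' lines. Only source
    'any' is handled, which is all the thread's rules use."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] not in ("permit", "deny") or tok[2] != "any":
            continue
        if tok[3] == "host":
            dest, rest = f"{tok[4]}/32", tok[5:]
        else:
            dest, rest = wildcard_to_cidr(tok[3], tok[4]), tok[5:]
        port = None
        if len(rest) >= 2 and rest[0] == "eq":
            port = ACL_PORT_NAMES.get(rest[1])
            if port is None:
                port = int(rest[1])
        rules.append(AclRule(tok[0], tok[1].lower(), dest, port))
    return rules


def permitted(rules: List[AclRule], proto: str, port: Optional[int]) -> bool:
    """True if some permit rule covers this protocol (and port, if any)."""
    return any(r.action == "permit" and r.protocol == proto
               and (r.port is None or r.port == port) for r in rules)


def vpn_feasibility(rules: List[AclRule], forwardable: Set[str]
                    ) -> Dict[str, List[Tuple[str, Optional[int]]]]:
    """Per VPN type, the requirements left unmet: the device cannot forward
    that protocol at all, or no rule permits it. An empty list means workable."""
    report = {}
    for vpn, needs in VPN_REQUIREMENTS.items():
        unmet = [(p, port) for p, port in needs
                 if p not in forwardable or not permitted(rules, p, port)]
        report[vpn] = sorted(unmet, key=lambda x: (x[0], x[1] or 0))
    return report


if __name__ == "__main__":
    rules = parse_acl(THREAD_ACL)
    for label, caps in (("Cisco", CISCO_ROUTER), ("home NAT router", HOME_NAT_ROUTER)):
        print(label, vpn_feasibility(rules, caps))
```

With the thread's five rules even the Cisco is still missing UDP/1701 for L2TP, which matches francois's later note that 1701 had to be opened.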
By Twintails on February 6, 2006 at 3:08 PM
I have all this stuff set up and working, at two sites, now I need to connect both sites
using Site-to-site VPN in Tiger Server 10.4.4. When I run the s2svpnadmin and have the
firewall rules set up, like the Apple document says to do, nothing connects, and services
fail on either private network.
In Hopes of not having you repeat yourself in some
steps, would you be so kind as to run through a successful Site-to-Site Setup using
s2svpnadmin like described in this document. http://images.apple.com/server/pdfs/Network_Servic...
the
steps are on pages 112-116 I believe.
Thanks for any help Lawrence
By smanke on February 6, 2006 at 4:01 PM
Lawrence (Twintails),
That was a very interesting question. I had never looked
into a site to site VPN using OSX Server. I took a look at the PDF in your link, and the
documentation looks good. I am tempted to try, but there are other alternatives that
might be easier.
If both sites are using small office broadband gear, I suggest
linking the VPN using routers that can act as VPN endpoints. I have had a lot of luck
setting things up that way. Plus, when you use the routers for the VPN, you don't need to
worry about the port mapping as you do with OSX Server.
As for the software VPN
solution, I am guessing there is a problem with the portmap. Even if you are using
clients to connect to the VPN server, it is possible that a site to site link will not be
possible using two broadband or small office routers. I suspect that the site to site
link is less tolerant of the fact the home routers will not let you map protocols other
than TCP and UDP. The docs in that PDF instruct you to open up firewall ports for ESP.
That can't be done on any of the home routers I have seen. As I say, this is only a
guess. I have seen similar issues in the past.
I am planning to do a review of
the Linksys RV082 in the near future. It's more expensive (just under $300), but it does
all kinds of cool VPN stuff including site to site as well as having its own built in PPTP
server.
Something like that might be better for your needs.
I know this
advice won't solve your problem, but I hope it helps.
By vmissouril on February 11, 2006 at 3:10 PM
I found a nifty program that helps configure port forwarding on OS X Server. It's called
The NATural. It makes configuring port forwarding a breeze...well for me anyway. I was able
to get VNC & VPN through the NAT.
WEBSITE http://www.jamiegriffin.com/gdog/thenatural/index....
By vmissouril on February 11, 2006 at 3:29 PM
Using NAT with VPN is complicated when OSX is doing DHCP, DNS, FIREWALL, NAT & VPN
services. The NAT service is lacking functions. Hence you need a 3rd party product...or
just edit /etc/nat/natd.plist
Basically I had to convert the Cisco NAT & Firewall
to OS X NAT & Firewall. I did it...but it was no cakewalk.
By eric@work on February 17, 2006 at 11:02 AM
Hello,
Brilliant tutorial, thanks very much for this.
I had the same
problem as Urme - I could connect to my Server, but not to other servers on the LAN. I got
the solution from the Apple discussions forum (thanks Leif): You need to turn on IP
forwarding on the server. At least, it solved the problem for me.
Eric
By Richard on February 17, 2006 at 11:37 AM
Lucky you Eric I have been trying to get this working for three months, with 10.4
server and 10.4 client and getting absolutely nowhere. I have followed all instructions to
the letter. Have done the port forwarding from the NAT router, but that changed
nothing!!!!
Any further suggestions please
Richard
By smanke on February 17, 2006 at 11:45 AM
I have posted an update to the end of the story to include the NAT fix that Urme and
Eric have described.
Thank you all for your feedback.
By uwe on February 19, 2006 at 4:19 PM
Hi there, I have this situation. I am (Mac Tiger) behind a NAT router and want a VPN
connection to an OS X server (10.3.?) which also is behind a NAT router. I followed your
instructions but tried it over PPTP because it is easier to set up. I made a port redirect
on the router (server side) to 192.168.1.99 port:1723 TCP. I have a dynamic IP at
no-ip.com which works correctly on the router. Client information>DNS servers: 192.168.1.99
(server IP); routing definition: 192.168.1.0 255.255.255.0. I cannot connect to the VPN
server. Do you have an idea or tip for me? Thank you very much.
By smanke on February 20, 2006 at 10:42 AM
uwe,
From what I can tell, PPTP will not work through home NAT routers because
there is no way to port map the ESP and GRE protocols. If you switch to L2TP, you should
be all set. It's really no more difficult if you are using the Mac client.
By uwe on February 20, 2006 at 11:25 AM
OK, good to know. But I did read that L2TP will not work with a connection between 2
routers. Is this right, or does it only not work with L2TP and IPsec?
By smanke on February 20, 2006 at 12:18 PM
uwe,
I don't think that's the case. I would give it a shot. Good luck!
By alixir on February 27, 2006 at 3:17 AM
Hi Smanke, cool topic! Unfortunately I still can't get this thing working =( I've
read through and checked all that's on offer as solutions with other people but still no
luck......
New to OSX Server (Tiger), not new to OSX but have previous Windows
Server 2003 experience and just finding my way in OSX Server with tutorials on the web.
Wanted to get remote access working first so that I can jump in from anywhere to toy
around with the G4.
I have configured DNS for the server so that when I ping by name, the correct IP comes
back, so I guess that I have this bit configured properly:
DNS SETTINGS
Zone name: foo.co.uk
Server Name: spongebob
Server IP address: 192.168.1.2 (static - in network prefs I have manual settings: IP
Address: 192.168.1.2, Subnet Mask: 255.255.255.0, Router: 192.168.1.1, DNS Servers:
???.???.???.??? (ISP DNS), Search Domains: foo.co.uk (Tiger server's fully qualified DNS
name))
Name Servers: spongebob.foo.co.uk
NAT SETTINGS: NAT switched on
DHCP SETTINGS: DHCP switched off (since VPN has own subnet range?)
VPN SETTINGS: VPN switched on
L2TP: Enabled, Starting IP Address: 192.168.1.20, Ending IP Address: 192.168.1.30, PPP
Authentication: MS-CHAPv2, IPSec Authentication: Shared secret (yeah I did put one in!),
Certificate: No Certificate.
PPTP: Enabled, no 40-bit encryption keys, Starting IP address: 192.168.1.40, Ending IP
address: 192.168.1.49
Client Information Settings: DNS Servers: 192.168.1.2, Search Domains: foo.co.uk
Network Routing Definition: Network Address: 192.168.1.0, Network Mask: 255.255.255.0,
Network Type: Private (to not channel everything through the VPN)
I've got a D-Link Router where
I have forwarded PPTP (1723) and L2TP (1701) to 192.168.1.2 on the respective ports.
I then created a test user (VPNUser) and even added them to the dialup group (this
would be dialin access with Windows - not too sure about this bit) and created a VPN from
the server (I don't know whether it's possible to establish a VPN from inside the network
but this does work on Windows sometimes......btw I also tried from a friend's OSX Mac from
outside and still did not work!). I also tried PPTP config too.....still does not work.
Now..2 questions arise!
Am I going nuts because all the settings are correct
and the router is shagged?
or......have I missed out on something vital?????
Oh yeah....did the update to 10.4.3 which killed my internet connection but
recreating the manual settings seemed to fix it?!??!! Got lucky with that one....
Your help would be most appreciated......I'm the only one in a Windows support team
championing the Mac flag!
~Groovy~
By alixir on February 27, 2006 at 4:02 AM
Hi sorry, forgot to add, it's a D-Link DG604-T Wireless ADSL Router and here are the
ports that are open:
1023: TCP
1701: TCP/UDP
1723: TCP/UDP
500: TCP/UDP
4500: TCP/UDP
10000: UDP
I think it could be the router that's to blame. Tried port scanning and only Telnet and
Web ports say they're open....
This is really weird though, because Windows servers don't have a problem with PPTP
behind NAT as far as I know.
By smanke on February 28, 2006 at 8:19 AM
Alixir,
I can't see anything wrong in your config. After your first post, I
was going to suggest that you open up UDP port 500, but thanks to your second post I see
you have done that.
I know that another user was using an Apple Airport as a
router and for whatever reason, he was unable to get his VPN configuration working. When
he replaced the Airport with another router the problem was resolved. It's possible that
your D-Link is the problem. I can't really say. And I would hate to suggest that you
replace hardware when I can't be sure that will fix it.
One other idea comes to
mind. Your router should allow you to specify one internal IP address as a DMZ. If you
make your VPN server the DMZ address, you should be able to bypass all of the port mapping
as the DMZ should fully expose all of that server's ports. It would be interesting to see
if that helps.
Good luck! And let us know how it works out for you. It's
difficult to tell if the router is the culprit sometimes.
By francois on March 1, 2006 at 2:19 PM
My L2TP VPN wouldn't work until I opened port 1701 (L2TP) on both TCP and UDP, on my
Linksys WRT54GS router's firewall. The Apple tech note ("Well Known" TCP and UDP Ports
Used By Apple Software Products) mentioned in the article has port 1701 only under UDP.
By Ben on March 6, 2006 at 8:39 PM
Just wondering if the starting and ending IP addresses for L2TP are meant to be
internal IP addresses or are they external? Do I have to own those IPs? The machines on
the LAN all have manually assigned addresses in the 192.168.0.xxx range. Can I use
192.168.1.xxx for the starting and ending IPs?
Cheers, Ben
By Graham on March 7, 2006 at 11:03 AM
We have OS X server. We want to use VPN. What would your suggestion be. Buy a Linksys
VPN router for BOTH ends of our connection? Since we haven't bought anything yet, this is
the PERFECT time to ask. Thanks in advance for your help. Graham
By smanke on March 7, 2006 at 11:10 AM
Graham,
As much as I love the OS X VPN, I would suggest the Linksys VPN router.
It's a hardware VPN solution, so it should be more stable. That is what I use most of the
time.
I like to have the OS X VPN as a backup. I keep it ready for action at all
times. It works well for me when I am on the road and need secure access to my network.
If you go with the Linksys RV082, you will have the best of both worlds. It will
do a network to network VPN, and has a PPTP server built in so you can access your network
via a software tunnel from your Mac or XP laptop.
I need to get my review of the
RV082 finished, but I have been very impressed with it. It is a more expensive VPN
router, but it really is worth the money. If you want a cheaper VPN router, Linksys
offers those as well.
Good luck!
By smanke on March 7, 2006 at 11:13 AM
Ben,
You want to assign internal addresses, so you are on the right track.
Just use a range from your 192.168.0.xxx pool.
Keep in mind that you will need to
make sure the subnet on the other end of the VPN tunnel does not use 192.168.0.xxx IP
addresses as well. Anything other than those will work, but the same subnet cannot be on
both sides of the tunnel.
By smanke on March 7, 2006 at 11:19 AM
francois,
Thanks for the tip. I have added the note to the main article.
By Graham on March 7, 2006 at 2:42 PM
Thanks SO much for the advice smanke, would the Linksys RV042 work for our purposes.
Noticed there is NO internal PPTP server. Would we need this? Sorry if the answer is
obvious, and thanks again for your advice! Graham
By smanke on March 7, 2006 at 3:22 PM
Graham,
I haven't had the chance to play with that model. From what I have
read, I believe it's the same router as the RV082 except that it has fewer Ethernet ports
and a slightly slower processor. It may actually have a PPTP built-in. That part is not
clear.
Since your main goal is to connect 2 offices between routers, the RV042
should be perfect. If you do get it, let me know what you think of it (and whether or not
it has a PPTP server built in).
By Graham on March 9, 2006 at 12:05 PM
Will do. I'm actually looking into using an SSH tunnel to securely connect to a
machine. I'm sure it's not AS secure as VPN but it's easier (only slightly mind you) than
setting up a VPN. What is your opinion on this?
And I WILL indeed let you know if
we DO end up getting an RV042.
Thanks Gp
By smanke on March 9, 2006 at 12:15 PM
Graham,
Thanks!
I have only played with SSL tunneling a little bit.
There is a really cool new point to point VPN tool coming out soon from this site: http://hamachi.cc/
The XP client is
really kick ass. The Mac client is still pre release, but looks encouraging. They have
yet to finish the GUI for it. Once we have the GUI, it will be a really nice alternative.
I haven't heard of a solution that works like Hamachi. It's beyond my ability to
explain here, but I encourage everyone to check it out!
By jrose on March 25, 2006 at 6:22 PM
First off, thanks a ton for this article. Can't begin to tell you how helpful it was
in setting this up.
A comment and a question:
Question -- when setting up
the VPN client on XP I never actually have to put in the shared secret at any point.
Security-wise, how much should that scare the s**t out of me?
Comment: I had a
problem initially seeing the whole LAN when connecting through a wireless router from home
(straight through the cable modem was no problem). No amount of IP forwarding helped
(server, router, etc.), but simply changing the home router to a 192.168.2.x ip scheme
knocked it out no problem (both schemes were 192.168.1.x -- when VPN'd in could only see
the VPN server, nothing else). Hope that helps anyone experiencing that.
Thanks
again.
By smanke on March 25, 2006 at 7:11 PM
jrose,
I'm glad this has helped!
The shared secret is only necessary
when you are connecting using L2TP. Windows is connecting using PPTP so it doesn't need a
shared secret.
Secondly, I think I see why you couldn't see the other machines on
the network when you initially connected to the VPN. You can't have the same virtual set
of addresses on both sides of the VPN tunnel. If the IPs on the VPN network are
192.168.1.x, then the IPs on the remote client must be anything other than 192.168.1.x (in
your case 192.168.2.x). That should explain why changing the subnet solved the routing
issue.
You are right, that could solve some problems for anyone seeing a similar
issue.
By Brian Hall on April 9, 2006 at 8:51 PM
Great article. I was able to set up VPN access to a server behind a NAT firewall,
using L2TP. I did have to open ports 500, 1701, and 4500 (all UDP). I haven't been
able to access anything else on the remote network, though (can't even ping). I have NAT
turned on on the server, and have tried sending all traffic through the VPN, but that
doesn't make any difference. Both networks have different IP address ranges.
By smanke on April 10, 2006 at 2:58 PM
Brian,
In one case, I needed to open up another port with this rule in my
Cisco's ACL: permit udp any 66.62.25.0 0.0.0.255 eq non500-isakmp.
The problem
is that will only work on a Cisco. If you are using a broadband router, I'm not sure what
port number would take the place of "non500-isakmp."
I only have one other idea.
Have you checked to make sure your firewall is disabled on the Mac server?
By Brian Hall on April 10, 2006 at 3:08 PM
That's 500/UDP, which I have open. Something must be missing somewhere. Time to
bug an Apple rep, I guess...
http://www.networksorcery.com/enp/protocol/isakmp....
By Brian Hall on April 10, 2006 at 3:15 PM
(Sorry, I left this out: the firewall is disabled.)
By mijkel71 on April 18, 2006 at 1:56 AM
I need to set up a VPN to connect 5 databases/servers, where several clients connect to.
They use Macs; what kind of hardware would you advise me to use for the VPN router, as the
software is already in the Mac server and Mac clients?
By anikan on April 18, 2006 at 7:56 AM
Hi - sorry to bother all but am new to Mac let alone OSX 10.4 Server.
I have
gone through all this and got L2TP running fine, but really need PPTP.
I have set
everything up, however in the overview section on VPN it says PPTP is "Enabled but not
running".
I have tried everything but to no avail - is there some other step to
kick PPTP into gear?
By smanke on April 18, 2006 at 7:57 AM
mijkel71,
If you are trying to connect one server to another from different
sides of the VPN, I would suggest a router to router VPN. And, if you go that far, you
could just use the Mac's VPN client to access the VPN via the router, if you get the right
VPN router.
I suggest the VPN router over the Mac VPN server because, while I have
read that the Mac VPN server can do network to network VPN connections, it is difficult.
I have never attempted it.
I think you can do what you need with a Linksys RV082
on either end. You can also do it with a full blown Cisco router, but that is well beyond
my scope.
From the sound of what you are trying to do, I would suggest you contact
a consultant for help. It will be the simplest solution and it will get you up and
running quickly. I can provide you the contact info for someone that I recommend, if you
like. He can do amazing things with these routers and he has never found a VPN issue he
could not solve.
By smanke on April 18, 2006 at 8:10 AM
anikan,
Is it possible that you checked the box to activate PPTP but didn't
specify a pool of IP addresses to use for logged in clients? That is the only reason I
can think of for that message.
You should also check the log for more information.
Odds are that it will give you some sort of explanation when the server is first
activated. Keep in mind that you might need to refresh the log view unless you are using
the Console application.
It might be a good idea to take a look at the system log
file using the Console app. If you have never used it before, it allows you to read and
search all of the log files on the machine. Just choose System.log from the logs list, or
even the VPN log listed under /var/log/ppp/vpnd.log.
That should provide further
information.
By mijkel71 on April 19, 2006 at 12:55 PM
Hi Smanke, thx for your info. Last question: do these Linksys RV082s work fine with
Macintosh, as far as you know?
By smanke on April 19, 2006 at 1:56 PM
mijkel71,
The RV082's built-in PPTP server works great with the Mac's built-in
VPN server. The only down side is that it is limited to 5 accounts. I am guessing they
did that so they could up-sell another model to anyone needing more accounts.
Those 5 accounts are separate from the accounts used to create router to router tunnels.
By smanke on April 19, 2006 at 1:57 PM
I ran across a cool new trick in the Mac VPN client the other day. I did a post about
it yesterday.
If anyone has an interest in connecting to multiple VPN servers at
the same time, check out this post: http://maclive.net/sid/186
By mijkel71 on April 20, 2006 at 7:21 AM
smanke,
these 5 accounts are 5 accounts we can use on 1 VPN tunnel? As I saw this
model can support up to 50 VPNs, so this means 50 VPNs with 5 accounts each, or max 5
accounts on the complete router?
By smanke on April 20, 2006 at 7:38 AM
mijkel71,
I believe that 45 of the accounts can be router to router. If you
set up 5 computer to router accounts (in this case Mac client to router) that would take
up 5 of the accounts. If all 5 are logged in at the same time, you will have 5 separate
tunnels. If no one is logged in, no tunnels are active as the tunnels are initiated by
the client computer in this situation.
So, based on your question, it is 5
accounts for the entire router. But keep in mind this is only for the router's built-in
PPTP server. You still have a lot of other VPN options in this router. They include
router to router VPNs as well as Linksys QuickVPN clients from Windows users. None of
those count against your 5 users max on the PPTP server. There are just a lot of VPN
options in this router!
Hope that helps.
By Mark on June 1, 2006 at 7:09 AM
Smanke, fantastic article. Thank you. I am using the VPN server in OSX Tiger Server -
but I have the same problem as many folks here. I can see the server - but cannot see any
of the other machines on the network. Strangely enough I see other machines on the
network in ARD - so my guess is that there is something wrong with my Firewall setup. On
February 6, 2006 at 10:52 AM you replied to a post from Richard about firewall rules.
Would it be possible for you to put this explanation in a notation or help file that
relates to how one might set up these sorts of rules using the Tiger Server firewall
setup? I didn't really understand the shorthand you were using. eg. "eq". I assume that
this means equal? but I may be wrong and I can't relate your instructions to how I would
set rules in the software firewall. Would one need to set up a new address group, and then
apply settings to just those? I feel I am tantalisingly close to solving my issue...
thanks in anticipation.
By Rhodesman on June 3, 2006 at 12:29 PM
Great tutorial! Now I have my Macbook AND my XP Tablet connecting the way it should!
Now if only you could do a tutorial that would fix my mail server issues, I would be all
set! =)
By Anonymous on June 5, 2006 at 9:36 AM
The instructions for Windows client are longer than for setting up the SERVER.
hahahahahaaaaaa....
By smanke on June 5, 2006 at 3:27 PM
Mark,
I just added an update to the story explaining the firewall rules in more
clear English.
The update is interleaved in the post, just below the firewall
rules you mentioned. If you are having trouble with the VPN server, I recommend disabling
your firewall temporarily in order to narrow down the cause of the issue. If you disable
the firewall (assuming it's the Apple firewall), and the problem is gone, then you know
where your issue lies for sure. If the problem persists with the firewall disabled, then
there must be some other issue.
I hope that helps!
By redleader on June 10, 2006 at 12:15 PM
I've used your instructions above on my OS X Server behind a Netgear RP614v1 Router and
it doesn't work for Mac or PC clients.
I set up exactly the same on my friend's OS X Server behind a Netgear WGT834 and all
works fine.
QED the type of Router is very, very important. Even if I forward ports 1701, 1723, 50,
500 and 4500 to my server it still does not work on the Netgear RP614v4 even though it has
VPN pass-through.
On this basis, can you recommend a usable Netgear or D-Link router please, and what
specifically we should look for in the specs of a Router to make this as seamless as
possible.
Even then, I assume we should 'always' port forward 1701, 1723, 500, 4500?
By smanke on June 12, 2006 at 10:27 AM
redleader,
I don't have much experience with Netgear routers. Most of the
broadband routers I work with are from Linksys.
I have heard other reports of
some models having spotty support for VPN. The only question I have is whether or not you
are using the latest firmware for your router. It's been my experience that most up to
date routers work alright.
I don't have a specific list of routers that work.
Maybe some of the other readers can post the models they have gotten working.
If you have port mapped 1701, 1723, 500, 4500, you should be in good shape. And, since
you said you have your friend's machine working correctly, it sounds like you have your
config right. It's the router that is giving you the issue. As long as your router does
NAT, can portmap, and supports VPN pass through, you should be good to go.
Sorry I can't be of more help.
By nick on June 17, 2006 at 3:06 PM
Thanks smanke for all the advice you are giving everyone.
I have a problem connecting my 10.4 laptop at home to my OS X Server 10.4 at work. I am
connected via AirPort at home which I read could be part of the problem. With L2TP I get
nothing (can't connect) and I checked all the logs on the server and it is not even
receiving the request.
With PPTP the connection is made but gets terminated...
Here
is the server log:
2006-06-17 12:48:50 PDT Incoming call... Address given to client = 192.168.2.128
Sat Jun 17 12:48:50 2006 : Directory Services Authentication plugin initialized
Sat Jun 17 12:48:50 2006 : Directory Services Authorization plugin initialized
Sat Jun 17 12:48:50 2006 : PPTP incoming call in progress from '67.49.116.245'...
Sat Jun 17 12:48:50 2006 : PPTP connection established.
Sat Jun 17 12:48:50 2006 : using link 0
Sat Jun 17 12:48:50 2006 : Using interface ppp0
Sat Jun 17 12:48:50 2006 : Connect: ppp0 <--> socket[34:17]
Sat Jun 17 12:48:50 2006 : sent [LCP ConfReq id=0x1 ]
Sat Jun 17 12:48:53 2006 : sent [LCP ConfReq id=0x1 ]
Sat Jun 17 12:48:56 2006 : sent [LCP ConfReq id=0x1 ]
Sat Jun 17 12:48:59 2006 : sent [LCP ConfReq id=0x1 ]
Sat Jun 17 12:49:02 2006 : sent [LCP ConfReq id=0x1 ]
Sat Jun 17 12:49:05 2006 : sent [LCP ConfReq id=0x1 ]
Sat Jun 17 12:49:08 2006 : sent [LCP ConfReq id=0x1 ]
Sat Jun 17 12:49:11 2006 : sent [LCP ConfReq id=0x1 ]
Sat Jun 17 12:49:14 2006 : sent [LCP ConfReq id=0x1 ]
Sat Jun 17 12:49:17 2006 : sent [LCP ConfReq id=0x1 ]
Sat Jun 17 12:49:20 2006 : LCP: timeout sending Config-Requests
Sat Jun 17 12:49:20 2006 : Connection terminated.
Sat Jun 17 12:49:20 2006 : PPTP disconnecting...
Sat Jun 17 12:49:20 2006 : PPTP disconnected
2006-06-17 12:49:20 PDT --> Client with address = 192.168.2.128 has hungup
---- END LOG ----
So it looks like the client (me) does a bunch of ConfReq (whatever that is) that get ignored, then the client "hangs up"...
I have tried all the advice so far...
Thanks for any help!
Nick
|
|
By smanke on June 17, 2006 at 3:32 PM
nick,
I'm getting the impression that there might be a firewall issue. It looks like the negotiation is never completing, so the connection times out and shuts down. I would check for any router-level firewall rules that might be getting in the way, and check the firewall on OS X Server.
It looks to me that your home subnet is 192.168.2.x. You should also be sure that the subnet the server sits on is not the same. That has been the cause of problems for most of the people I have heard from.
Sorry I can't be of more help. I am betting there is a firewall issue here, or something in the NAT is giving you trouble.
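An added example (mine, not from nick or smanke) that automates the reading of the log above: it separates what did work in nick's session (the PPTP control connection on TCP 1723 was established) from what did not (LCP Config-Requests sent over the data channel got no reply at all). For PPTP the data channel is GRE (IP protocol 47), so that pattern points at GRE pass-through or firewall rules rather than at the account or client settings. The healthy comparison log is constructed.

```python
"""Triage a stalled PPP negotiation from a Mac OS X Server VPN log.

Added example, not part of the original thread. It scans pppd-style log
lines and classifies the session. The key distinction: "PPTP connection
established" means the TCP 1723 control channel worked; repeated
"sent [LCP ConfReq" with no "rcvd [LCP" means nothing came back over the
GRE data channel, which is what the firewall or router then has to answer for.
"""
from typing import Dict, List


def diagnose_ppp_log(lines: List[str]) -> Dict[str, object]:
    """Classify a VPN session log as 'negotiated', 'stalled' or 'no-ppp'."""
    tunnel = "unknown"
    confreq_sent = 0
    lcp_received = 0
    timed_out = False
    for line in lines:
        # Which tunnel type carried the call; pppd logs this once per session.
        if "PPTP connection established" in line:
            tunnel = "PPTP"
        elif "L2TP connection established" in line:
            tunnel = "L2TP"
        # LCP traffic: 'sent' is our side, 'rcvd' is the peer answering at all.
        if "sent [LCP ConfReq" in line:
            confreq_sent += 1
        elif "rcvd [LCP" in line:
            lcp_received += 1
        if "LCP: timeout sending Config-Requests" in line:
            timed_out = True

    if confreq_sent and lcp_received == 0 and timed_out:
        status = "stalled"
        if tunnel == "PPTP":
            verdict = ("control channel up (TCP 1723) but no LCP reply: "
                       "check GRE (IP protocol 47) pass-through and firewall rules")
        else:
            verdict = "LCP Config-Requests got no reply; negotiation never completed"
    elif confreq_sent and lcp_received:
        status, verdict = "negotiated", "LCP exchange completed"
    else:
        status, verdict = "no-ppp", "no LCP traffic in this log"
    return {
        "tunnel": tunnel,
        "confreq_sent": confreq_sent,
        "lcp_received": lcp_received,
        "status": status,
        "verdict": verdict,
    }


# Excerpt of the server log posted above (timestamps as in the post).
STALLED_SAMPLE = """\
Sat Jun 17 12:48:50 2006 : PPTP incoming call in progress from '67.49.116.245'...
Sat Jun 17 12:48:50 2006 : PPTP connection established.
Sat Jun 17 12:48:50 2006 : Connect: ppp0 <--> socket[34:17]
Sat Jun 17 12:48:50 2006 : sent [LCP ConfReq id=0x1 ]
Sat Jun 17 12:48:53 2006 : sent [LCP ConfReq id=0x1 ]
Sat Jun 17 12:48:56 2006 : sent [LCP ConfReq id=0x1 ]
Sat Jun 17 12:49:20 2006 : LCP: timeout sending Config-Requests
Sat Jun 17 12:49:20 2006 : Connection terminated.
""".splitlines()

# Constructed healthy session for comparison (not from the thread): the peer
# acknowledges our ConfReq and sends its own, so negotiation completes.
HEALTHY_SAMPLE = """\
Sat Jun 17 13:02:10 2006 : PPTP connection established.
Sat Jun 17 13:02:10 2006 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x1a2b3c4d>]
Sat Jun 17 13:02:10 2006 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x1a2b3c4d>]
Sat Jun 17 13:02:10 2006 : rcvd [LCP ConfReq id=0x0 <mru 1400> <magic 0x5e6f7a8b>]
Sat Jun 17 13:02:10 2006 : sent [LCP ConfAck id=0x0 <mru 1400> <magic 0x5e6f7a8b>]
""".splitlines()


if __name__ == "__main__":
    for name, sample in (("posted log", STALLED_SAMPLE), ("healthy", HEALTHY_SAMPLE)):
        result = diagnose_ppp_log(sample)
        print(f"{name}: {result['status']} - {result['verdict']}")
```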
|
|
By nick on June 17, 2006 at 9:37 PM
I think you are right about the firewall issue...
I enabled GRE and now I get the following in the firewall log:
Jun 17 18:58:44 lymabean ipfw: 65534 Deny TCP 69.45.170.37:4118 69.45.147.226:445 in via en0
Jun 17 18:58:47 lymabean ipfw: 65534 Deny TCP 69.45.170.37:4118 69.45.147.226:445 in via en0
It almost works!!!
If I could figure out how to tweak the firewall rule that is blocking the final connection, I think it would work!
|
|
By smanke on June 18, 2006 at 1:06 PM
nick,
Cool! You're almost there. Did you enable ESP also?
Does enabling port 445 get you any further? I don't know that it's necessary, but looking at your log, it seems that's where it is now being blocked.
|
|
By Fili on June 22, 2006 at 7:39 PM
Hello everyone,
I have a problem. We have an RV042 and have been able to set up gateway to gateway, QuickVPN and the built-in PPTP (but only for Windows, not Mac). I was also able to set up both VPN services on the Xserve running version 10.4.6.
The problem we have is that we experience internet connection slowdown and failure when L2TP over IPsec is active. I have these ports forwarded to the Xserve on the RV042: TCP 1723, UDP 1701, UDP 500 and UDP 4500. I also have the NAT service enabled on the Xserve.
Our service provider gave us a Netopia modem/router, but we disable the router function and use it as a straight router. They said that they detected a problem with the IP configuration on the modem or router and suggested using a different modem.
Does anyone have any ideas?
FILI
|
|
By Fili on June 22, 2006 at 7:56 PM
Hi,
On the previous post I meant to say that we disable the Netopia's router function and use it just as a modem.
I also just found out that we do not need to have the NAT service running on the server in order to establish a tunnel. There is a function on the router for one-to-one NAT, but it is disabled.
FILI
|
|
By Steve on June 23, 2006 at 8:44 AM
FILI,
You seem to have a unique configuration in that you are doing PPTP at the router and L2TP on the Mac VPN server.
Are you saying that you have a slowdown when L2TP is active on the Mac? I am wondering if that is because the router is trying to deal with the PPTP traffic itself and has also been port mapped to send PPTP to the Mac server. If you have port mapped 1723 to the Mac, this could be a problem.
If the Mac is not doing PPTP and the router is, you should not point GRE (protocol 47) or PPTP 1723 to the Mac. Let the router deal with them.
BTW, I really hate those Netopia routers. Some providers foist those on customers and they really aren't capable of the configurations people often need.
|
|
By redelader on June 23, 2006 at 9:59 AM
I have a new Netgear WGT624v3 router. By "new" I mean a recent piece of hardware and firmware, as opposed to my old Netgear RP614v1.
I'm a happy chap now, all is working fine.
Thank you for this page, it's brilliant!
|
|
By Fili on June 23, 2006 at 10:49 AM
Steve,
The PPTP on the router is working only for Windows, so I disabled it and am using the PPTP on the Xserve for both Windows and Macs. I do have QuickVPN active on the router and router-to-router tunnels active. We want to give the remote users as many options as possible. This configuration works fine until I activate the port forwarding applications to make the L2TP on the Xserve work. The reason that we want to use L2TP is for security purposes. But it seems that we would have to stick to PPTP only and get creative with the usernames and passwords.
Do you think if I disable the QuickVPN on the router it would make a difference? Does anyone know if it uses the L2TP protocol? I'd like to give it a shot, but I hate to slow down the office workflow.
Thanks,
FILI
|
|
By Steve on June 23, 2006 at 11:13 AM
Fili,
I had a hard time finding docs detailing how the QuickVPN client connects, but I found 2 pages that mentioned that it does use IPsec.
Based on that, I am betting that your QuickVPN is interfering with your L2TP traffic, and that could be causing your issues.
I think the only way to be sure is to give it a shot. This does sound like the most logical cause.
Let us know what you find!
|
|
By Mark on June 23, 2006 at 1:43 PM
Can anyone explain why the Network Globe does not function when connected to a remote
network via a VPN connection? I can connect to my office from home but can only see the
server and its share points. Am I missing something?!
|
|
By Steve on June 23, 2006 at 2:33 PM
Mark,
Network globe? Are you referring to the Network icon in the Finder window?
If so, and you are seeing only the network shares on the server and not the rest of the machines on the LAN, I am betting you have an issue like others have further up in the thread. Experiment with the NAT service on the server and check your routing rules in the server configuration. Your problem should be somewhere in there.
And check out the rest of this thread. Some good solutions have been found along the way.
|
|
By Mark on June 23, 2006 at 5:03 PM
Steve, yes, I am referring to the Network icon. Are you able to use this method to browse your network?
I have already posted to this thread once or twice, but it seems that everyone's issues, although related, are all ever so slightly different, enough to mean that stitching together the various solutions offered up does not result in a solve... if you know what I mean! I am using the OS X Server firewall... and a lot of the problems discussed here centre around issues with external routers...
Maybe some enterprising soul can set up a VPN help website. There is definitely enough material.
I had read elsewhere (Apple discussion list on VPNs dominated by a poster called Leif Carlsson, who categorically denied the ability to browse networks using the Finder over VPN). See thread here - comments welcome:
http://discussions.apple.com/message.jspa?messageI...
|
|
By Steve on June 23, 2006 at 5:30 PM
Mark,
Thanks for the link. I will take a look. To be honest, I have never tried using the icon to browse the network. I have gotten in the habit of using the connection window (Apple+K in the Finder) to connect directly to the IP addresses. Once I had all of the IPs I use added to the list, I guess I was just set in my ways.
You're right, there is enough material to devote an entire site to.
For what it's worth, I am about to post a story about Hamachi. It's a really interesting VPN solution that has recently been released for the Mac. It won't be the right tool for everyone, but it does simplify some things greatly.
I should have that post up in a day or two. It's a fairly complicated piece to write and I'm on the 3rd draft of it.
|
|
By Tadd on June 27, 2006 at 11:41 AM
Do you think it would be easier, if using an Xserve, to just configure the Xserve as
the DHCP, firewall, and VPN? I'm still having some issues getting this thing to work
correctly.
|
|
By Steve on June 27, 2006 at 12:35 PM
Tadd,
I don't think that will help you at all. Using an Xserve as a firewall for the entire network is only possible if you are using the same server as a router, and I don't think you want to try that.
If your router is already acting as a firewall, or the router is using NAT to turn one IP address into an entire network of internal addresses, then I would just turn off the firewall service on the Mac. You won't need it in that situation and it only stands to get in your way as you work with the VPN.
I'm wondering if the problem is your Netgear FVS318. redelader had a Netgear RP614v1 that simply would not work for him. He replaced it with a Netgear WGT624v3 and it solved his issues. I'm starting to think you're in the same boat.
|
|
By Richard on June 28, 2006 at 4:13 AM
Hi,
I have gone through all the same issues as most people on this forum (see my previous postings). However, I fixed the problem with a phone call to the helpline of the router manufacturer. I have a DrayTek Vigor 2600Gi (which I highly recommend) at both ends of the tunnel, going into Mac OS X Server. The guy at the helpline went in remotely to both routers, configured them, checked them and left the VPN up and running within less than half an hour. At 75p per minute, I think it was £20 well spent.
I know everyone won't be able to do this, but it might be worth seeing if it is available for your router.
|
|
By smanke on June 28, 2006 at 9:06 AM
I just posted a review of an alternative VPN solution for the Mac called Hamachi. It could be a good fix for some of you who have not been able to get OS X's VPN server to work on your networks. Hamachi is a unique alternative, and it is exceptionally adept at dealing with NAT traversal issues.
http://maclive.net/sid/202
Please feel free to leave feedback in that thread as well!
|
|
By madneb on June 29, 2006 at 12:43 PM
I appreciate your tutorial. I have not started to set this up, but am trying to plan. My concern is that my ISP is providing a static address that is associated with either a router or the server itself and uses the device's MAC address to associate the two. My question is, when setting up the VPN connection, do you point to the static IP or to something else? I will admit up front that networking is not my strong point. Bear with me please.
|
|
By Steve on June 29, 2006 at 5:37 PM
madneb,
You're on the right track. If your VPN server is on a network
that is behind a router and only has one IP address, the VPN clients on the outside would
need to point to the real IP address of your router. From there, you would set up NAT
rules to send the traffic to the internal virtual IP address of the VPN router on all of
the necessary ports.
You should be able to use a static or dynamic IP on the
outside of your router if you use a service like DynDNS.org to keep track of a changing
router IP.
|
|
By TigerMac on July 5, 2006 at 5:04 AM
Hi,
Mac OS X Server 10.3
When I have access with a VPN client, I can't ping and have no access to the other servers on the local network. Even if I set the NAT, it doesn't function. Until now the only thing which functions is the VPN connection.
Any suggestions?
thx
|
|
By Steve on July 6, 2006 at 8:21 AM
TigerMac,
It sounds like there might be an issue in your Client
Information settings. They define how the internal and external routing are handled.
|
|
By TigerMac on July 10, 2006 at 3:21 AM
I think that the configurations on my client are OK, but when I have a VPN connection, I can't even ping the VPN server. But when I look at the mask on the client, it's different from my local mask.
Is that normal?
And I try with PPTP because L2TP doesn't start on the server.
|
|
By Steve on July 12, 2006 at 8:28 AM
TigerMac,
Make sure the OSX firewall is disabled and try again.
What are the subnet masks of the client, and the local networks?
|
|
By TigerMac on July 17, 2006 at 2:24 AM
Firewall is down already; I will start it when it works. lol
IP distributed by the VPN server: between 10.99.99.251 and 10.99.99.254
Subnet received by the client: 255.255.255.255
Subnet and IP of the local network: 255.255.225.0, IP between 10.99.99.0 and 10.99.99.250
|
|
By smanke on July 17, 2006 at 12:01 PM
TigerMac,
I always try to start with the stupid question. :-)
That subnet does seem like it would be an issue (255.255.255.255). I tried to test it on my network, but oddly my system isn't showing me the subnet mask on the client when it's connected. How are you getting your client's VPN subnet mask to show? I will compare your results to mine and see what I get.
Another stupid question... the subnets on your remote and local networks aren't the same, are they? For example, your local network is not in the same range as the remote network? If it were, that would kill the routing as well.
|
|
By Tigerhart on July 17, 2006 at 4:52 PM
To see the mask, you type "ifconfig" (Mac) or "ipconfig" (XP) in the console.
And the two networks are different.
Very strange that I can't even ping my server.
Don't understand why.
Thanks for the help.
|
|
By selsyn on July 18, 2006 at 3:08 PM
Thanks, Smanke, for a very helpful VPN guide.
I've got a VPN from my home to my office Xserve working well, but I can't seem to get the "Send all traffic over VPN connection" feature to work on a Mac.
When I connect and authenticate, the client tries to change the L2TP device to the default route for about a second, then fails, and the network falls back to my original default route. The VPN otherwise works well. It connects and can access the remote network, but I can't force all traffic over the VPN with the Mac client.
What makes me blame the Mac [or the Mac client machine] is that everything works the way it should under the Windows PPTP client. (I can browse the Internet from the remote location's public IP address with no problem.)
Here are the errors I'm getting in the Mac client's /var/log/system.log:
Jul 18 15:49:45 ocam2 pppd[591]: L2TP connection established.
Jul 18 15:49:45 ocam2 pppd[591]: Connect: ppp0 <--> socket[34:18]
Jul 18 15:49:49 ocam2 pppd[591]: local IP address 172.22.2.123
Jul 18 15:49:49 ocam2 pppd[591]: remote IP address 208.177.xxx.xxx
Jul 18 15:49:49 ocam2 pppd[591]: primary DNS address 65.106.xxx.xxx
Jul 18 15:49:49 ocam2 pppd[591]: secondary DNS address 65.106.xxx.xxx
Jul 18 15:30:11 ocam2 launchd: Server 0 in bootstrap 1103 uid 0: "/usr/sbin/lookupd"[570]: exited abnormally: Hangup
Jul 18 15:30:11 ocam2 configd[37]: posting notification com.apple.system.config.network_change
Jul 18 15:30:11 ocam2 lookupd[576]: lookupd (version 369.5) starting - Tue Jul 18 15:30:11 2006
Jul 18 15:30:12 ocam2 launchd: Server 490b in bootstrap 1103 uid 0: "/usr/sbin/lookupd"[576]: exited abnormally: Hangup
Jul 18 15:30:12 ocam2 configd[37]: posting notification com.apple.system.config.network_change
Jul 18 15:30:12 ocam2 lookupd[577]: lookupd (version 369.5) starting - Tue Jul 18 15:30:12 2006
Here's the ppp log (omitting public IP addresses) on the Xserve:
Tue Jul 18 15:49:49 2006 : ipcp: up
Tue Jul 18 15:49:49 2006 : local IP address 172.22.2.123
Tue Jul 18 15:49:49 2006 : remote IP address 208.177.xxx.xxx
Tue Jul 18 15:49:49 2006 : primary DNS address 65.106.xxx.xxx
Tue Jul 18 15:49:49 2006 : secondary DNS address 65.106.xxx.xxx
Tue Jul 18 15:49:49 2006 : rcvd [ACSCP] 02 02 00 0a 01 06 00 00 00 01
Tue Jul 18 15:49:49 2006 : rcvd [ACSP data]
 01 00 00 14 00 0b 00 00 ac 16 02 00 ff ff ff 00 '................'
 00 01 00 00 '....'
Tue Jul 18 15:49:50 2006 : sent [ACSP data]
 01 00 00 08 00 04 00 00 '........'
Client:
Mac G4 PowerBook OS X 10.4.7
Internet Connect 1.4.2
Server:
Mac Xserve G5 OS X Server 10.4.7
Any thoughts on why lookupd "exited abnormally"?
Many thanks to anyone that may have some insight on this issue. --jk
|
|
By smanke on July 20, 2006 at 4:59 PM
Tigerhart,
I had tried ifconfig, but was surprised not to see a netmask listed. All I see is a mask that shows as 0xffffff00, which I believe is the hex version. I haven't found a converter that will tell me what that resolves to. Not sure if that helps you at all.
I can't seem to get my MacBook to show me the subnet mask in a standard format.
|
|
By smanke on July 20, 2006 at 5:10 PM
selsyn,
This is the first I have heard of an issue like this. It leaves
me wondering if there is an issue with 10.4.7. Did you get the same error with 10.4.6?
FWIW, I have 10.4.7 on both my clients and server and can't seem to reproduce
your error.
For the moment, I am at a loss. Maybe one of our other readers
can make a recommendation.
|
|
By Jon on July 20, 2006 at 5:10 PM
Steve:
Interesting tidbit I finally figured out... maybe Maclive worthy since there are many posts (unanswered) of similar problems...
Problem: OS X Server 10.3.9-10.4.7 VPN server fails to connect Windows 2k or XP VPN clients (error 732 or other 73X errors) after certain crashes OR upgrades. This has plagued me with every update and a few crashes.
Solution which worked today (after hours of trying different solutions, i.e. new user etc.):
- In Server Admin:
Shut down NAT
Shut down VPN
Note your configuration of NAT and VPN settings (imperative): screenshot or whatever
- In Finder:
Locate the com.apple.RemoteAccessServers.plist and delete it and empty the trash (/Library/Preferences/SystemConfig/ generally)
- Go back to Server Admin:
Verify NAT is set to Forwarding and Translation
Then go to VPN and re-enter your settings.
Start NAT service
Start VPN service
- Then shout out expletives :)
It's almost like a corruption occurs during a crash, or in the case of an upgrade the settings fields are changed and it doesn't pass the right PPP attributes (it's always a PPP settings error in Windows or similar)...
This came up because I did an OS X update over the weekend and no one except Macs could connect...
Jon.
|
|
By jpf on July 26, 2006 at 6:04 PM
Hi. So this thread was very helpful, but I continue to have problems. Here's the story:
I have an Xserve G5, hooked up to a static IP DSL from Verizon. The server is acting as the gateway to everything. I mean that the DSL line goes from the modem into Ethernet port 1, and then the rest of the network is on Ethernet port 2. All of the computers below the server are working fine DHCP- and NAT-wise. They can access the network, internet, etc. VPN is turned on, and set exactly as described in this tutorial, using L2TP. In order to ensure it wasn't the firewall, under Firewall I turned on "any" to all connections, just to test, which should open everything up. However, when I connect from outside it just hangs on "connecting" and never connects. The server log under VPN shows no connections at all.
Given this I assume that the problem is related to DNS and NAT. I think probably just NAT. Because my server is acting as DHCP, NAT and VPN, I am not sure how the server knows where to route VPN requests coming into the one static IP. Is there something I need to configure in the NAT to change that? The fact that the VPN says that no one is trying to connect, but I separately can connect to that server via ARD3 and via Server Admin and Monitor, is confusing. Any thoughts?
|
|
By smanke on July 27, 2006 at 8:12 AM
jpf,
Allowing all traffic through the firewall with a rule is a good idea, but I'm not sure that rule (or rules) will apply to GRE or ESP. Just to be on the safe side, can you disable the firewall altogether? I'm wondering if that will make a difference.
Aside from that, I think you're right. It seems to be a NAT issue. Luckily (or not) the NAT options in 10.4 Server are few, so trial and error is the only way to really get through it. I think that if you set the option for IP Forward and NAT, and then specify the port that your modem is hooked to, you will be set.
To be on the safe side, don't be afraid to reboot the box after making the changes. It shouldn't be necessary, but sometimes a good reboot can clean caches no one knew existed.
This raises a very interesting question. I admit, I have never tried a setup like this, so I'm in the dark. Broadband routers allow external access through NAT because they let you set portmap rules. I'm not sure how that works with OS X's routing capabilities. I can't see the firewall being used for such a service. There must be another place to set rules.
Hmm... anyone else have an idea?
|
|
By JustinD on August 21, 2006 at 5:03 PM
Great article, helped me - to a point. Maybe I'm just misunderstanding how VPN works? I set this up as above for a few IPs that we have available through our T1 provider. I can successfully connect to the VPN server, BUT ALL of my traffic looks like it comes from my ISP's IP! I do have "Send all traffic over VPN" active.
In other words, in my head, when I'm connected via VPN to the server, my traffic should look like it is coming from an IP on the remote network - 216.220.x.x. But when I get my IP from sites like http://whatismyipaddress.com, it shows up as 24.60.x.x.
Ergo, the access rules that I set up with the OS X Firewall don't work.
Ergo, despite being CONNECTED through VPN, nothing is... actually happening.
Honestly I'm just having a hard time determining what is going wrong, where. When you are connected via VPN, shouldn't your originating IP be reported as whatever the IP is that VPN assigned you?
Argh! Any help would be SO appreciated - once I have an answer to that, I can ask another one (namely, WHY is this happening?! =)
Thanks in advance!
|
|
By mac appreciator on August 30, 2006 at 12:29 PM
Hi there,
I've found out the non500-isakmp is actually UDP 4500, for those that need to know. I'm still experimenting with this so I'll check back later to let you know the results. Almost completed the setup.
Re: JustinD
You are correct as far as I know, not sure why it doesn't work for you though. Did you set the DNS and route info correctly?
|
|
By Christine on August 30, 2006 at 5:13 PM
Hi!
I'm new to network administration and have just been asked to enable the VPN service on our Mac OS X server. I've done a good bit of research on this topic and now my mind is swimming with questions that I'm hoping someone would answer.
Here's the situation: we are a small, 20 person maximum non-profit that runs 10.4.7 on our Xserve. We have both Windows and Mac in our organization, so both clients would utilize the VPN. Currently, the only services that have been enabled (as shown in Server Admin) are: DNS, Firewall, Open Directory, iChat, Windows Services. After reading the Apple Network Services documentation, I've been leery of enabling the VPN service because it indicated that VPN and DHCP should work closely together, and right now, DHCP is disabled on the server. Internally, we follow the 192.168.x.xxx convention for our IP addresses and I've noticed that most LAN clients go into the 100 range for the final octet. In the Apple docs, it says to allot the addresses 192.168.x.128 through 192.168.x.254 for VPN clients. However, we currently have LAN clients that are in this range! What to do in this case? Enable DHCP and create a subnet group so that LAN clients get new, distributed IP addresses, *then* enable VPN with the specified IP address range?
Also, I contacted our T1 provider and requested our external IP addresses. Do any of these addresses need to be specified in any of the Mac services that would be required to enable the VPN?
Thank you very much for any advice you can offer. And thanks to the author of this document for creating such a forum for discussion.
Christine
|
|
By mac appreciator on August 30, 2006 at 6:32 PM
Re: Christine
I'll try to help with what I can. Regarding your DHCP situation, just limit the DHCP server on the other machine to make sure it only gives out from 192.168.0.10-192.168.0.100; then on the Xserve you can limit it to give out from any range you want. I myself have the DHCP on another machine and have it set up so that it only gives out from the range of 100-199, and the Xserve will get the range of 200-220. DHCP doesn't have to be enabled on the Xserve; this will be taken care of by the VPN service. I think you should keep that as simple as you can unless you have to do other crazy stuff, otherwise it would be tough to troubleshoot anything later.
And if you know how to enable the firewall and such already, you shouldn't have to have any other external IP address unless you want to create a new name for it to match to.
|
|
By smanke on September 7, 2006 at 5:05 PM
JustinD,
Sorry it has taken me so long to reply. I have been swamped with work and had no time for the site at all.
Given the fact that the Route All Traffic over VPN option is currently broken, external sites that show you your IP address would be showing you the broadband provider's IP address. If the option worked correctly, you are correct... you should be seeing an address from your remote secure network.
No word as to when Apple will fix the route all traffic option. To be honest, I haven't had time to check and see if they are even aware there is an issue.
The only way you will know if your traffic is going through the VPN is by running a few trace routes. Run one to Yahoo.com. You should see your traffic running through your ISP's network address on its way to Yahoo. When you do a trace to an address on your remote secure network, the trace should be very short and it should not include any references to your ISP's network.
|
|
By smanke on September 7, 2006 at 5:14 PM
Christine,
mac appreciator is correct, you don't need to enable DHCP serving on your Xserve. If you already have a DHCP server on the secure network, you don't want to enable 2 DHCP servers.
Even without having the DHCP service enabled on the Mac server, the VPN server will allow you to specify any range of IP addresses on the virtual secure LAN that you want to allocate to people who are connecting via VPN. You just specify a pool of addresses to pull from, and the VPN server doles them out as needed to people as they connect.
As for your Firewall on the Xserve, you might want to disable that while you are getting the VPN working. Most people waste tons of time trying to get VPN working before they ever realize that the Firewall is what has been preventing them.
Post back if you are still having problems. I have been away from the site for some time, but I should have more time to keep up with it.
Good luck!
|
|
By jason on September 10, 2006 at 9:15 PM
I have managed to get our client computer connecting to our server via VPN, but the client machine is not showing up on our network nor does it have access to any network devices, i.e. printers. Just wondering if there is any additional calibration to do to allow the user access to all network services? If anyone has any ideas please respond to my email webmaster@outeraspect.com
|
|
By mac appreciator on September 13, 2006 at 7:39 PM
If the client machine doesn't show up on the connections tab then it means there aren't any connections at all. You'll need to recheck that and test it first from within the network to make sure it works; then you can go out and enable the firewall and all that stuff.
|
|
By David on September 14, 2006 at 1:34 PM
Hi. I have an OS X Server 10.4.7. I've set it up as a VPN server using L2TP with a shared IPsec secret. The server is behind a D-Link DI-808HV router. The router has IPsec passthrough enabled, and I have UDP ports 500, 1701, and 4500 open.
When I try to connect with an OS X Tiger client, I get a "Connecting to VPN server" message for a while, then "server did not respond." In the VPN server log, there is no sign that anything occurred - no log entries at all for the attempted connection.
Where else should I look to troubleshoot this?
I've tried PPTP, which at least makes a connection but then fails at the negotiation with the error "Wed Sep 13 13:50:28 2006 : sent [LCP ConfReq id=0x1 ]" in the log.
Also - I am using the local server's user database, not Open Directory.
Thanks
David
|
|
By smanke on September 15, 2006 at 8:41 AM
David,
Try opening 1723 and see if that lets you in via PPTP.
As for L2TP, see if you can open up ESP (protocol #50) and GRE (protocol #47). If you
have OS X's firewall on while you are setting the box up, disable it until you know
everything else is up.
|
|
By david on September 15, 2006 at 8:58 AM
Hi smanke, thanks for your reply. Yes I opened 1723 for PPTP and I still got the PPTP
errors. I have the OS X Server firewall service turned off. Unfortunately I can't
manipulate ESP or GRE on the Dlink router.
I spent a couple hours yesterday
researching VPN routers that allow multiple L2TP passthrough - I might have to bite the
bullet and just purchase VPN Tracker software instead.
|
|
By smanke on September 15, 2006 at 9:10 AM
David,
Based on feedback from a couple of people who have posted on this thread, there are some D-Link routers that simply don't work for this. It sounds like you have one of them.
Another solution to consider is Hamachi. Check out this post on it: http://maclive.net/sid/202
It doesn't fit the bill for everyone's needs, but it's amazing software. Its Mac GUI is still a little buggy, but very functional when you need to do point-to-point VPN. If you need an entry point for an entire network, it won't fit the bill.
If you are considering replacing your router, check out the Linksys RV082. It can be the VPN server for your network if you want client machines to connect via PPTP. Works with the Mac and XP. It does router-to-router VPN as well.
If you try out VPN Tracker, let me know what you think of it. I have yet to play with that.
|
|
By Sam on September 29, 2006 at 5:02 PM
Great tutorial. I'm connected over the internet to my remote Apple 10.4 server in Vegas.
My intention was to be able to manage it over the VPN so I don't have to open up all those ports on the firewall, but the server doesn't show in My Network in the Finder.
Seems like it should... this is true even when my client is DMZ'd outside of my router and the 10.4 firewall is off...
Why is that?
Thanks in advance and thank you again for this GREAT tutorial!
Sam
|
|
By David on September 29, 2006 at 6:43 PM
Thanks for the note. I've given up on the Dlink and am waiting for a Linksys RV042 to
arrive.
|
|
By smanke on October 3, 2006 at 10:09 AM
Sam,
You're right, it seems like it should. For some reason it doesn't work. I'm not sure why, but it seems that the network browser doesn't scan for machines outside of the machine's local subnet. Even with the VPN connection, this won't let it browse machines on the other end of the tunnel.
You can connect if you know the IP address of the machine on the other end. Just hit Apple+K in the Finder and the connection window will come up.
You will still be able to connect, you will still be secure. The traffic will still go over the VPN. It's just the network browse feature that won't work through the tunnel. I imagine there would be a way to make it work by enabling it at the command line, but I still don't know how.
|
|
By Mat on October 5, 2006 at 7:26 PM
Hi Smanke,
Thanks for the nice tutorial. Could you please add the Server
side configuration for WinXP machine? You have only considered XP as a Client. What if I
want to use XP on both sides (Client and Server). Thanks
|
|
By smanke on October 10, 2006 at 8:21 AM
Mat,
Great idea. Unfortunately, I tried that once and it didn't go well for me. Windows as a VPN server was a nightmare for me. Plus, with all of the security issues that pop up constantly, I'm really not comfortable using Windows Server as a portal to my networks.
That's personal opinion. Like I said, I did give it a shot once. I just never really pursued it after that.
If anyone has a tutorial, I would be glad to post it. Or, at least link to it.
Thanks!
|
|
By Andre Kemmeren on October 17, 2006 at 8:39 AM
I got PPTP and L2TP working; via the L2TP connection I can access the internet, but via the PPTP connection I get errors like:
ibookg4:~ andre$ ping tweakers.net
PING tweakers.net (213.239.154.35): 56 data bytes
ping: sendto: Cannot allocate memory
ping: sendto: Cannot allocate memory
ping: sendto: Cannot allocate memory
^C
--- tweakers.net ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
|
|
By smanke on October 17, 2006 at 10:40 AM
Andre,
That's an odd one. I can't say I have heard of that one before.
If you are using the latest patch to the OS, I would suggest booting from the
install CD and running a permission fix on the boot drive. It's a shot in the dark, but I
can't think of another possible cause.
|
|
By swolock on October 17, 2006 at 11:26 AM
I am using Mac OS X Server (latest version) and would like to set up a VPN so I can
access the server hard drives from my Powerbook. I see your great tutorial above. But I also
saw your favorable comment about the Linksys RV082. Is it easier or better to set up and
use OS X Server VPN or the Linksys RV082? Thanks.
|
|
By selsyn on October 17, 2006 at 11:47 AM
I just went through this with the same equipment, and I found it easier to set up VPN
on an Xserve sitting behind a private network on the RV082. (Firewalled and only allowing
the ports needed to do L2TP and PPTP.) It works great for my Mac and my Windows clients
from anywhere. ...My Mac clients enjoy auto setup when I 'export VPN client
configurations' (Apple Internet Connect can export XML files containing hashed key entries
and login info.) This way I can send config files to users who need to get into my VPN,
either through encrypted email or by shipping a USB stick drive. (They still need to enter
their account password, but don't need to worry about keys.) This was my only way to get
non-tech people to use the benefits of VPN without the hassle of downloading a client
program. Good luck on your mission. -jk
|
|
By Andre Kemmeren on October 18, 2006 at 4:07 AM
Well, I tested my PPTP on several Macs on the network, all giving the same problem; deleted the
config on the server, and still nothing.
|
|
By smanke on October 18, 2006 at 8:38 AM
swolock,
It is far easier to set up the VPN using the RV082. Since the
VPN is handled by the router, you don't have to mess with all of the port mapping issues
and the firewall/NAT hell.
The only downside is that the RV082 uses PPTP.
It's supposed to be less secure, but even that has been debated. From what I have read, it's
less secure in the eyes of hardcore security guys. It's still widely used and very
popular, so it can't be all bad.
Personally, I am very happy with the RV082
and highly recommend it.
|
|
By smanke on October 18, 2006 at 8:42 AM
selsyn,
You make a great point! I did something similar by exporting the
configs at my last job. It makes it very easy to get a non-techy set up quickly and
easily. And all they can really mess up is their personal user name.
I think
the concept is worthy of its own post. I will try to get to that here shortly.
Thanks!
|
|
By smanke on October 18, 2006 at 8:45 AM
Andre,
Sorry to hear you're still getting the error. Any luck Googling
the exact error message? You might also try Apple's tech area separately. Google seems
to do a poor job of indexing that part of Apple's site.
Unfortunately I'm
still at a loss. Deleting the config on the server was a great idea.
If you
come up with a solution, please post back. I will post if I come up with any other
ideas.
|
|
By swolock on October 18, 2006 at 10:19 AM
Thank you smanke for your fine tutorial and your comments. And to you too, selsyn.
|
|
By Mike on October 18, 2006 at 10:53 AM
smanke> You made a couple mentions to a review of the RV082 that you were doing. I
looked through the comments a couple times and didn't see it. Did I miss it? Where can
we find this?
Mike
|
|
By smanke on October 18, 2006 at 11:05 AM
Mike,
Just laziness on my part. It's on my list of posts to put up. I
just haven't gotten around to it. I'm not posting nearly as often as I would like either.
I have moved it to the top of my list. Sorry for the delay.
|
|
By Mike on October 18, 2006 at 11:14 AM
Thanks... for a minute I thought I was missing something obvious. Right now, I'm using
a Linksys RV0041 (very similar to RV082 but has 4 gigabit ports). I have it set up to be
accessible from VPN Tracker (running in Demo mode) - and that seems to work fine. But
unless it's the ONLY option, I think it's ridiculous to pay $90 for VPN Tracker to do
something Internet Connect should be able to do.
Looking forward to reading
the review when it's posted.
Mike
|
|
By smanke on October 18, 2006 at 11:28 AM
Mike,
I haven't had a chance to play with the RV0041. I've heard
conflicting reports about it. Some have said that it's the exact same (except for the
number of ports), others say the config offers fewer options.
If it is the same
as the RV0082, you should be able to create an FTP account in the PPTP server area under
VPN. You should be able to configure OS X's Internet Connect app to access the PPTP VPN
without VPN Tracker. I use Internet Connect to access my router all the time.
I say give it a shot! :-)
|
|
By Andre Kemmeren on October 18, 2006 at 1:16 PM
It's working, apparently there was something somewhere wrong with the config.
Next thing is my stupid Linksys WRT54GC :/
|
|
By Mike C on October 18, 2006 at 7:59 PM
For some reason, I seem to be having problems posting from home.
Alright, I admit I'm new to VPN setup, but I've worked with tons of Linksys routers and
I'm at a loss. The VPN admin pages and user guide look like they REALLY want a
Linksys-supplied connection utility - Windows-only, of course. I didn't see a PPTP server
area (as such) previously referred to. The RV0041 is at the latest firmware (v1.3.6).
I'm posting images of the config pages, perhaps someone can set me straight.
|
|
By Mike C on October 18, 2006 at 8:01 PM
Sorry for the double - it seems it REALLY doesn't like a URL being posted. I'll try it
this way -
www .creative-mac. com/ linksysvpn.jpg
|
|
By smanke on October 19, 2006 at 4:09 PM
Thanks to Mike C's posted screenshots, it's confirmed. The RV0041 doesn't have a PPTP
server built in, so there is no way to connect to it directly using OSX's Internet Connect
application.
On top of that, I realized I posted the wrong router model above
in my post. I have used the RV082, not the RV0082. The RV082 has the PPTP server. Not
sure if the RV042 offers PPTP. Anyone with experience with that model please post.
Sorry for the confusion. And thanks to Mike C for posting the screenshots of his
router for clarification.
|
|
By Mike C on October 19, 2006 at 5:48 PM
Steve> As I understand it, there are/were three models with similar names.
RV042 - VPN Router with four 10/100 ports
RV082 - VPN Router with eight 10/100 ports
RV0041 - VPN Router with four 10/100/1000 ports
I have an RV0041
and while it's still on Linksys' page, most vendors are showing it as discontinued.
After it's all said and done, I think I'll be better served setting up OSX Server to
handle VPN. However, it does feel good to know I can set my clients up with a RV082 as a
perfectly viable VPN option.
Mike
|
|
By smanke on October 20, 2006 at 11:11 AM
Poor luck of the draw. No matter how much I read about these routers, I can't find one
that does everything I want.
I want:
A PPTP server (or another that
will work with the Mac's VPN software), QoS, and SNMP.
It's a lot harder to
find than you might think! There are no affordable routers with all of that support.
I've even tried a hacked WRT54G and I just can't get everything working that I
need.
|
|
By Mike on October 23, 2006 at 11:18 AM
Yeah, if I didn't already have the RV0041 I'd probably look at a SnapGear SG560. From
what I understand, it does PPTP - but also does L2TP over IPSec. So it works fine with
the VPN client built into OSX. And it does QoS. So I don't know if SNMP is a
deal-breaker.
Details are at - http://www.securecomputing.com/index.cfm?skey=1557...
I
may end up chickening out and paying for VPN Tracker since right now I'm really the only
one who needs to VPN to my network. But if my business grows to the point where I'm
hosting apps/services, then I'll almost certainly look to move away from the Linksys
product. Whether to an OSX Server hosted solution or to a different hardware piece is the
question.
Mike
|
|
By smanke on October 23, 2006 at 11:29 AM
Wow! I've never heard of the SnapGear SG560. Looks really interesting. The retail
price I see is around $400, but one or two places had prices closer to $300. Definitely
worth checking out.
I'm still compelled to look at VPN Tracker again. It has
changed a great deal since the last version I looked at.
It's nice to see more
and more VPN options becoming available to Mac users!
|
|
By ThomasG on October 27, 2006 at 4:14 PM
Hi!
With this tutorial it was a breeze to set up VPN (Server 10.3.x, client
10.4.8), thanks!
One thing puzzles me, though: When I use a service on the
VPN (Mac OS X) server, e.g. the web server, the Apache log file lists the remote IP
address, not the private IP address. The same happens when I ssh into the VPN server: the "who"
command shows the remote IP address. On all other machines, internal or external, the
private IP address is logged/shown.
I have tried setting an explicit route
but that did not change this effect.
I have a few web pages on that VPN
server which can only be reached from within the private network. Currently that doesn't
work.
Is this normal behaviour or is there anything I can do to access other
services on the VPN server as if I was in my private network?
Thomas
|
|
By Mike C on October 29, 2006 at 5:15 PM
smanke> You'll often see two different prices on the Secure Computing SnapGear stuff -
with either 1yr or 3yr support.
Mike
|
|
By smanke on October 31, 2006 at 7:54 PM
ThomasG,
I've been racking my brain on this one. You should be seeing the
private addresses in your logs. The fact that you're not is very strange.
It makes me wonder if the VPN tunnel isn't in place. What do your trace routes tell
you?
|
|
By cyberspread on November 4, 2006 at 11:16 PM
Hello. Here is my setup:
We have 2 buildings where I work.
The main building houses the database with the time clock software on it. Both buildings
have their own independent ways to access the internet. We use the built in VPN client to
access the network in the main building for the time clock. When the VPN is running we are
unable to access a web-page through any browser. When we shut off the VPN we then have
internet access. This is only on the Mac with the VPN turned on. Any other computers on
the network have full internet access but cannot access the main building's network.
My question is this:
Is there a way to have the VPN running and be able to
access web sites at the same time?
I searched these forums and could not
find a solution. I thought that the VPN was a direct connection to our home office network,
but I didn't realize that it would disrupt the local machine from working on
the local network. Or do I have something set up wrong? Thanks in advance for any help on
this subject.
Ken
|
|
By smanke on November 5, 2006 at 9:10 AM
Ken,
There must be something set up incorrectly. The VPN clients should be
able to access the internet when they are still connected to the VPN.
First,
go to the Client Information tab on the OSX VPN Services on the server. Make sure that
there is an entry under Network Routing Definition that specifies your remote secure
network as Private. Make sure that network is specified with a .0 in the last set of
values. Then make sure the subnet mask qualifies the entire network. If it's a Class C
network, make sure it's 255.255.255.0. If the subnet is smaller, make sure that value is
set correctly.
The next most likely cause is the set of addresses on either
network. You cannot have the same set of network addresses on both sides of the VPN
tunnel. Most home routers have a default network set to 192.168.1.0. If that is the case
for the client network, and the remote secure network is also 192.168.1.0, you are going
to be screwed. If one network is 192.168.1.0 make sure the other is something else like
192.168.0.0 or 192.168.10.0 or 10.0.1.0. Any other private network designation will fit
the bill.
The last possible cause could be in your Internet Connect
application. Make sure the Send All Traffic Over VPN Connection option is turned off
under Connect --> Options.
One of those should resolve your issue. I'm
actually betting solution #2 is your best bet.
Good luck!
|
|
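The three checks smanke walks through above (a route definition that names the network address and not a host, no overlapping address space on the two sides of the tunnel, and "send all traffic" left off) as an added Python example that is not part of this thread; the network values in it are constructed samples, and the alternative networks are the ones named in the comment.

```python
import ipaddress

# Alternative private networks named in the thread for the side that has to
# move off 192.168.1.0 when both ends of the tunnel use the same addresses.
ALTERNATIVES = ["192.168.0.0/24", "192.168.10.0/24", "10.0.1.0/24"]


def check_route_definition(network, mask):
    """Validate one Network Routing Definition entry (network + subnet mask).

    Returns (ok, cidr, message). The network must be the base address of the
    block (last octet .0 for a 255.255.255.0 mask); when host bits are set,
    the corrected base address is reported instead.
    """
    try:
        net = ipaddress.ip_network(f"{network}/{mask}", strict=True)
    except ValueError:
        fixed = ipaddress.ip_network(f"{network}/{mask}", strict=False)
        return (False, str(fixed),
                f"{network}/{mask} has host bits set; enter "
                f"{fixed.network_address} with mask {mask}")
    return (True, str(net), f"{net} covers the whole remote network")


def networks_overlap(client_lan, remote_lan):
    """True if the client's own LAN and the remote (tunnelled) network overlap.

    With overlapping address space the client cannot tell which side a
    destination such as 192.168.1.20 lives on, so traffic never enters the tunnel.
    """
    a = ipaddress.ip_network(client_lan, strict=False)
    b = ipaddress.ip_network(remote_lan, strict=False)
    return a.overlaps(b)


def suggest_alternative(client_lan):
    """First alternative private network that does not overlap the client LAN."""
    client = ipaddress.ip_network(client_lan, strict=False)
    for candidate in ALTERNATIVES:
        if not client.overlaps(ipaddress.ip_network(candidate)):
            return candidate
    return None


def diagnose(client_lan, route_network, route_mask, send_all_traffic):
    """Run the three checks; returns a list of findings (empty means nothing to fix)."""
    findings = []
    ok, remote, message = check_route_definition(route_network, route_mask)
    if not ok:
        findings.append("route: " + message)
    if networks_overlap(client_lan, remote):
        findings.append(
            f"overlap: client LAN {client_lan} and remote network {remote} use the "
            f"same addresses; renumber one side, e.g. to {suggest_alternative(client_lan)}")
    if send_all_traffic:
        findings.append("split tunnel: 'Send all traffic over VPN connection' is on; "
                        "turn it off so web traffic keeps using the local internet link")
    return findings


if __name__ == "__main__":
    # Constructed sample: the home router default 192.168.1.0/24 on both ends,
    # a route entry typed with a host address, and send-all-traffic enabled.
    for finding in diagnose("192.168.1.0/24", "192.168.1.5", "255.255.255.0", True):
        print(finding)
```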
By gatti on November 15, 2006 at 7:47 PM
Wow, this page definitely took some time to read. Alrighty, the network that I run is
all public IP based (class C), but will be changing to private IP since we are changing
service providers. We will still get a handful of Public IP address for things like our
e-mail server, FTP Server, Web server, etc. And from this, I figured that we'd have to
have some computer or device here operating NAT.
So, the question starts. We
plan on either purchasing a MacPro or Xserve. For a 16 person company, will it have any
issues running all of the following: NAT, DHCP, VPN, AFP, SMB, and E-Mail/Calendar via
Kerio Software? Or would it be better to have another computer or device handle some of
the services? We actually have an open 350mhz G4 tower and a 1.25Mhz G4 MacMini. Should
either one of these run some of the Network-based services such as NAT and DHCP to free up
some of the load off of the XServe or is there a recommended hardware device that would be
preferred? Furthermore, if the Xserve running 10.4 server would be set to handle the VPN
service, is there anything that I may need to configure regarding the T-1 modem device
supplied by the service provider? Or are those devices normally fully open for all
traffic?
|
|
By smanke on November 16, 2006 at 9:04 AM
gatti,
Wow! Your desire to completely rebuild your network is ambitious.
I would say you have your work cut out for you. Having recently set up a similar size
network on a T1, I'm afraid you are in for some heartache. If your experience is anything
like mine was, there will be an impressive list of issues.
The first major
issue you will face is the horribly inadequate T1 router that your ISP will no doubt
provide. It will likely lack support for real firewall access control lists and thereby
make all of the things you want to do a total nightmare.
Ideally, my advice
would be to get yourself an actual Cisco router. I had great luck with a 2610.
Unfortunately you will need someone very good with the device to get it working the way
you want. If you need assistance I would be happy to put you in touch with my Cisco
support guy. He's a real pro with the configs.
In my ideal setup, the Cisco
does the routing, NAT, and DHCP. It uses ACLs (access control lists) as firewall rules to
control access to your network. Specific ACLs (listed above) allow VPN tunnels to pass
through to the Mac VPN server.
I'm concerned that you might be putting all of
your eggs in one basket by putting all of that on one computer. I think both the MacPro
and Xserve can handle the load, but you will be looking at support issues down the road.
One problem could potentially take down the entire network since the entire network will
depend on one machine.
The Mac makes a great VPN server. And it can do all
of the things that you want it to. It's just a question of putting everything on one box.
Beyond that, I have no experience with Kerio.
Normal T1 routers won't have
full access to all ports. They actually work the opposite by blocking everything and
forcing you to essentially poke holes (ports) to allow the access that you want
through. That was my number one issue with the T1 router that my ISP provided. It was a
Netopia and only allowed a handful of rules to be applied. Not nearly enough to set up the
type of access you are looking for here. Not nearly enough for a modern network. FWIW, I
still keep the Netopia around. I kick it every time I get stressed out. It's in a box in
the corner cabinet. It makes me feel good. Better than a shrink, and it was free... so
what the hell!
This might not be the advice you had hoped for, but I have
been through a similar network config. Best of luck!
|
|
By gatti on November 16, 2006 at 10:15 AM
Thanks for the advice smanke. Before this big switch I'm trying to enable VPN on our
current 10.4 server. I finally opened the right ports on the server firewall to allow my
laptop (on a different internet connection) to connect. However, I receive an
"Authentication Failed" message on the client computer. On the server it states "gatti
failed CHAP authentication" and then two lines afterward it states "Failed to authenticate
ourselves to peer". Any ideas?
|
|
By smanke on November 16, 2006 at 10:23 AM
It's possible that you haven't gotten all of the necessary ports open yet. If your
firewall rules are on the Mac server, see if it works when you disable the firewall
altogether.
Is your client a Mac or PC?
|
|
By gatti on November 16, 2006 at 12:07 PM
I'm a bit hesitant on opening too many ports. However, I'll take your advice and I'll
temporarily turn off the firewall and see if it allows the connection. If so, then I guess
it'll be a matter of enabling more ports than I already have open when I enable the
firewall again.
Oh, regarding the client question: I tried connecting
through 2 kinds of Macs. One running 10.3.9 and the other running 10.4.8. both give me an
Authentication Failed message.
|
|
By gatti on November 16, 2006 at 1:19 PM
I just disabled the firewall and tried it again. I then re-enabled the firewall but set
"allow all traffic" in the 4 different groups...Same error.
|
|
By Meghan on November 16, 2006 at 1:35 PM
I have spent the past couple of days configuring a VPN for our office on our Xserve
box. I'm not sure if it's relevant, but we are behind a Netopia 3347NWG-006 router
provided by Bellsouth.
At any rate, the VPN is functioning properly for our
Windows boxes. They are able to both browse the Internet and network folders.
For our Mac boxes, however, we are having a bit of trouble. We can connect via PPTP, but
are unable to browse network folders (although we are still capable of browsing the
Internet -- I opted not to send all traffic through the VPN). Our Mac boxes are unable to
connect to the VPN at all using L2TP.
The ports I have enabled are as
follows:
1023: TCP
1701: TCP/UDP
500: TCP/UDP
4500: TCP/UDP
10000: UDP
1723: TCP/UDP
There is no firewall currently on the
Xserve.
Any suggestions would be greatly appreciated
|
|
By smanke on November 16, 2006 at 2:03 PM
gatti,
Is it possible that your router is blocking the access? Is there
some kind of firewall or ACL in the router that might be getting in the way?
|
|
By smanke on November 16, 2006 at 2:07 PM
Meghan,
I don't think you will be able to browse the network over the VPN
from OSX. From what I can tell, the Bonjour broadcast and AppleTalk broadcast can't be
transmitted beyond the home subnet.
You can still access the network shares
by using the Finder's Connect option and entering the machine's internal IP address
directly.
As for the inability to connect using L2TP, you are either missing
a firewall rule, or using a router that simply doesn't allow it. There are a few routers
listed in the comments above that seem simply incapable of routing L2TP traffic.
I hope this helps a little.
|
|
By gatti on November 16, 2006 at 2:28 PM
Smanke,
If I enable any other service/port (such as: web, AFP, Mail,
etc.) it seems to work fine in regards to remotely accessing the computer. Is VPN
connectivity uniquely different than those other protocols/services? If yes is the answer,
are you saying that the T-1 modem device provided by MCI could be the problem with the
"Authentication Failed" result?
|
|
By smanke on November 16, 2006 at 2:44 PM
VPN is very unique in that it uses protocols like GRE and ESP which are not TCP or UDP
based.
My best guess is that the modem is the problem.
|
|
By gatti on November 16, 2006 at 3:10 PM
Thank you very much for all your assistance. I truly appreciate it.
Oh,
by the way, if any of you are feeling nostalgic about video games of the past, try out a
retro-based (Mac only) video game I designed called "The Adventures of El Ballo." http://www.ambrosiasw.com/games/elballo
As new findings
come about regarding VPN and our possible T-1 modem situation, I'll be sure to post about
it.
|
|
By Jacques on November 22, 2006 at 4:28 PM
I've tried to set up a VPN connection between my home and the office. I have two D-Link
routers, a 604 and a 504.
I wasn't able to make a connection with L2TP until I set
up DMZ on the server router to the address of the machine running OSX Server 10.4.8.
I don't know if it is a valid connection, but I am able to connect to the server
by using its IP address in the range 192.168.0.xxx.
I guess what is missing is
the firewall setting on the DL-604.
Am I on a good track or not???
Jacques
|
|
By smanke on November 22, 2006 at 7:35 PM
Jacques,
Sounds like you're on the right track. The DMZ idea was a good
one. It should help you avoid some of the potential issues!
|
|
By Anonymous on November 23, 2006 at 8:31 PM
I can connect from my PC to the Mac server at work using VPN but cannot see the file
shares. Where are they located?
|
|
By Jacques on November 23, 2006 at 8:47 PM
OK, this is my setup:
Office - Server OS X 10.4.8, Dl-624, VPN set up
Home - Client OS X 10.4.8, DI-524
I can connect from home to the office by using Internet
Connect. The VPN connection is established with L2TP, but I can connect also with PPTP.
I had to set up ports 500, 1701, 1723 and 4500 to connect with L2TP.
Now I am
able to make outside-of-the-building backups to my home machine.
Anybody who
wants more info, let me know, I'll help as much as I can.
Thanks to all in the
forum.
Jacques
|
|
By smanke on November 23, 2006 at 9:27 PM
Jacques,
Congratulations!
|
|
By smanke on November 23, 2006 at 9:29 PM
Anonymous,
Due to a limitation in the way OSX broadcasts its shares, you
won't be able to see them if you simply browse for computers with shares. You can use the
Finder's connection function to enter the IP address of the computer with the share. Once
you do that, you will be given a list of shares on that system.
OSX doesn't
seem to be able to broadcast its sharing info beyond the home subnet. Which is logical.
Try connecting to the host via name or IP and you'll be set.
|
|
By janine/Anonymous on November 24, 2006 at 1:16 AM
I do not get the list of shares when I type the IP address in the Finder's connection/My
Computer address bar. Instead I got connected to my office intranet homepage. I think I
am doing something wrong here. Please help; feel like I am almost there....
|
|
By smanke on November 24, 2006 at 10:49 AM
janine,
Are you choosing Connect to Server from the Finder's Go menu? And
the IP you type to connect to the computer should be the internal IP of the computer on
the company network, not the router's IP.
You're so close! :-)
|
|
By janine on November 24, 2006 at 12:06 PM
I am using a PC (!) therefore am not using Finder/Go. I have no problem connecting to
the server using a Mac from home. It is the PC that is giving me all this headache and
heartache!!
I have created the PPTP connection and once I get connected, my
normal broadband connection is also on. I hope this is ok.
Then I type the server IP
address in the address bar of My Computer. I get to our office intranet homepage with a
username and login at that address. BUT I do not get the list of file shares that are
available on that IP address as I do when I log in through my Mac.
|
|
By smanke on November 24, 2006 at 2:37 PM
I see!
From the PC, go to the Start menu and click run. Then type
\\ipaddresshere\ and hit return. That should bring up a list of the shares on the machine
that belongs to that IP address.
See how that works for you.
|
|
By Janine on November 25, 2006 at 2:59 AM
No luck! Get a window saying ' Windows cannot find ....'
|
|
By smanke on November 25, 2006 at 10:58 AM
Can you ping the IP address?
|
|
By janine on November 26, 2006 at 2:37 PM
yes I can ping.
|
|
By Anthony on November 26, 2006 at 8:54 PM
Thanks for a great, great site; I think I've got everything configured just right but
there is one thing that's bothering me. Here's my setup.
Tiger Server 10.4.8
DNS setup ok (10.10.1.20)
OD is set
Kerberos working fine
VPN configured perfectly as well.
Here's my problem.
From outside my
LAN, I am able to successfully connect to my VPN. No problem there.
However,
I don't think my DNS is working 100%. If I open Terminal and type in host 10.10.1.20, I
get an error message. I have set 10.10.1.20 (which is my DNS) in the client information
section of the VPN. I can ping it fine as well as all my other local machines, but for some
reason it won't resolve their names.
Is this normal?
Also, if I
go into the Network section in the Finder sidepane, my server doesn't show. The only way I
can connect to it is manually by selecting CMD-K and only if I enter the IP. It won't
accept the name (i.e. server.foo.com).
If I do a host and the name of one of
my machines, I get some public IP rather than its internal IP. Naturally, connecting to
my VPN from within my LAN results in no issues whatsoever.
Any help would be
much appreciated.
Thanks a lot.
|
|
By smanke on November 27, 2006 at 3:02 PM
Anthony,
There has been some mention back through the comments. It seems
that the protocol that the Finder uses to scan for local network devices doesn't work over
a VPN connection. That's why you can't browse for the network volumes, but you can
connect to the IP directly.
I'm not sure if the Finder is still using
AppleTalk on the LAN or if it's Bonjour now. Either way, it doesn't play well beyond the
subnet and that seems to be the problem with the VPN.
I'm not sure why your
DNS is messing with you. I have seen similar issues. It seems to be a way that DNS
resolves local IPs to external addresses. Some DNS servers have options to allow or
prevent some kind of auto translation but I'm not sure how to control that. To be honest,
I'm not even sure that's what's happening to you.
If you figure it out,
please post back.
Good luck!
|
|
By smanke on November 27, 2006 at 3:08 PM
janine,
The only cause I can see behind that would be a firewall rule on
either the Mac or the PC. Beyond that, I'm stumped.
You can't type the
\\ipaddress\ into the address bar of the browser. You need to do it from the Run prompt.
If that doesn't work, something else is getting in the way.
|
|
By Anthony on November 27, 2006 at 6:06 PM
Well basically when I'm connected to my VPN from the outside I'm supposed to be as if I
never left my local network. Hence, if I try and do a HOST (IP), I'm supposed to be
getting the hostname of the machine in question. Problem is, I'm not. Instead, I get an
error.
The Finder limitation for scanning a local network over VPN sucks but
it's ok I guess. The DNS issue though is a real stickler. Everything is setup perfectly
yet this little critter refuses to work properly.
Btw, is this Finder
limitation something we can overcome? Or is this something that Apple must do?
Thanks again for all your help.
|
|
By smanke on November 28, 2006 at 9:45 PM
As far as I know, there is no easy way to overcome the network browsing issue. It can
be done with Hamachi, but that's a point to point solution so every machine on the network
would need Hamachi. Not a great fix to get around this issue.
I'm not sure
what is causing the DNS issue. The way I understand it, you are trying to map private
internal NAT addresses for internal DNS use. I have tried that before, and found it
problematic.
I will keep my eyes open for some explanation. I know enough
DNS to get by, but it's not my strong suit. Please post back if you find a solution
first.
|
|
By Anthony on November 29, 2006 at 8:38 PM
I solved it :-)
From a remote location, I was able to successfully connect
to my VPN AND browse the network AND have full DNS working.
The critter that
was buggin it all was the routing info. Once I cleared those entries; everything works
perfectly which leads me to wonder though, how one really uses the routing info.
|
|
By smanke on November 29, 2006 at 8:44 PM
Great!
I should have thought of that. Can you describe the routes you had
listed? They might help someone else trying to do the same. Plus, I would really like to
understand what happened.
Did you delete all of the routes to correct the
issue, or did you leave some in? You should still need one route to define your office
network and make that traffic route through the tunnel.
|
|
By Anthony on November 29, 2006 at 8:55 PM
Well, since my local LAN was 10.10.1.x, I had entered 10.10.1.0 ; 255.255.255.0 ;
private as my routing info. As soon as I removed that entry, bam, everything worked
flawlessly. It was unbelievably fast too. I was literally on my local LAN from a remote
location connected via VPN. DNS lookups worked perfectly, I was able to see all my local
servers from the network section in the left pane of the Finder window, printing, etc etc.
I'm still not sure why the routing info was getting in the way, but that's
something that I'll look into.
To bring things up a notch, I've also
successfully kerberized my server and I'm able to connect to the VPN via Kerberos, but only
if I'm on my local LAN. From the outside, it gives me an authentication error which doesn't
really make sense because the info is correct. It could be a firewall issue, but I'm not
sure.
Any idea in that regard?
Also, if you need any other
info regarding how I got the VPN to work 100%, just ask :-)
PS. You may want
to modify the part above which says 'It seems that the protocol that the Finder uses to
scan for local network devices doesn't work over a VPN connection.' We've just confirmed
otherwise.
|
|
By fred on December 2, 2006 at 2:27 PM
Well, the VPN server macosx seems to be up and running; from a remote location the
printing goes great through the VPN (after setting these up as LPD printers of course).
I read the issues about not being able to see the other clients on the LAN. I have the
same issue, so I will look into the NAT services.
I do have a question about
mounting a LAN's shared disk. I connect to these discs using the CONNECT TO SERVER
command, enter afp://xxx.xxx.xxx.xxx (static IP) and after providing my user and pass, the
discs show fine. The strange thing is that I DO NOT have to connect with the VPN client
first. Is this normal behaviour, or am I not browsing the files through the VPN at all?
(speed is slow)
Thanks for any info.
|
|
By Anthony on December 2, 2006 at 2:47 PM
Fred,
For your first point, make sure NAT is on, and that IP FORWARDING
ONLY is on.
For the second question, could it be that you see them because
they were cached from when you were on your network before connecting through VPN?
|
|
By fred on December 2, 2006 at 3:29 PM
Anthony,
Ok, I have just restarted the VPN client's Mac. Now, without
connecting to the VPN server, I connect to the VPN server entering its IP address using
afp://xxx.xxx.xxx.xxx.
It gives me the list of available shares and after
selecting one I can just move, copy and paste any files/folders from and to the shared
volume. This means I am definitely not connected via VPN, right? But how am I connected then?
Does this go through the FTP protocol then perhaps? Now if I connect to the VPN
server and do the same connect to the shared volume, I do not see any increase in speed
whatsoever.
Thanks.
|
|
By Anthony on December 2, 2006 at 3:38 PM
Fred,
You can connect to your shares even without VPN. VPN just makes sure
that all the activity between your remote location and your network is encrypted.
What's your complete setup like?
|
|
By fred on December 2, 2006 at 3:53 PM
Our setup is like this:
A static external IP address.
Router address 192.168.0.254
LAN static IP addresses.
Server address 192.168.0.123
MacosX 10.4.8 server with the following services enabled: VPN / AFP / Firewall / FTP / Web.
VPN with routing set up as 192.168.0.123 ; 255.255.255.0 ; private
By Anthony on December 2, 2006 at 4:23 PM
If you have AFP on and your router has the ports forwarded to your server, then
you should be able to connect to your server from a remote location using afp://x.x.x.x.
However, when you're connected via VPN, not only is your entire connection to
your network encrypted, you're actually on the local network, meaning you should be able
to browse your network as if you never left.
If you don't want to be able to
connect via afp://x.x.x.x, remove the AFP ports from your router.
I would
always recommend connecting via VPN if that option is available.
By fred on December 3, 2006 at 6:52 AM
Hello Anthony,
Today I have enabled the NAT settings of the server to IP
forwarding only. Now connecting via VPN I still do not see the other users and services on
the network, what could this be? Perhaps I should enable the NAT settings on my router
also?
By Anthony on December 3, 2006 at 11:50 AM
Fred,
How exactly do you mean 'I still do not see the other users and
services on the network'?
As for NAT, if you're behind a router using
internet, NAT is already enabled on your router.
By fred on December 3, 2006 at 1:59 PM
Anthony,
Ok, as you probably have noticed I am a real newbie at this
stuff, so I am just learning here.
The whole setup is good and all goes
perfect but the only thing I cannot see are the other shared macs on the LAN, I can reach
them by entering their IP number and connecting via AFP but when clicking on the Network
(globe) icon no shares seem available. So reading through the posts here I was to
understand that the issue would be solved by enabling the NAT settings of the mac server
to IP forwarding only, but unfortunately I cannot see the other LAN shares yet.
By Anthony on December 3, 2006 at 2:15 PM
No worries about being a newbie; everyone starts there.
About the network
thing, I did notice something that perhaps I may have overlooked earlier. When I connected
to my VPN from another laptop (other than mine) I noticed that I too, could not see any of
my machines in the network section. The only explanation I could find as to why I could
before is that I was using MY laptop which was previously on my local lan, and the entries
where already there (cached) in the network section when I went to a remote location to
use my VPN.
What I'm going to do and what you can try is select that network
globe after you're connected to the VPN and just leave it there selected to see if
eventually, the servers show up or not. If they don't, then perhaps it's true that
currently the Finder cannot browse networks over VPN. I really hope this isn't the case
because even though it's not that great of a deal, it still sucks that it can't do it.
By fred on December 3, 2006 at 2:43 PM
Thanks.
The funny thing I noticed just now is that when I connect to my
VPN LAN, after about 5/6 seconds a few folders appear in the "globe's" network list, one is
called MY NETWORK and the other one is called WORKGROUP, but both appear and disappear
quickly, in less than a second. Strange?
Will leave the globe selected to
see if the shares appear after time as you suggested.
By Neil on December 6, 2006 at 5:58 PM
Here's something that may be of interest:
I had my l2tp vpn working
perfectly and then all of a sudden it quit on me again... Turns out it was a DNS problem.
The client has a fixed IP/DNS and though successfully connecting to the VPN, was not
properly switching over to use the inherited DNS entries and search path from the vpn
connection. I tried a TON of stuff to fix it and in the end this is what did the trick:
I opened up the system preferences on the client (os x tiger) and under
network location config I clicked on show: network port configurations. I dragged the VPN
connection to a slot ABOVE the regular wired nic and saved the location. Now it works
perfectly... Kind of an odd quirk.
By sfpete on December 20, 2006 at 10:59 PM
*Great discussion here*
I have a fully functional OS X server L2TP vpn
running fine. Clients connect and use the service normally.
However, I need
the VPN clients to receive the same internal IP address upon each successive connection.
Without going into too much detail - I need to be able to backup VPN users
via Retrospect and Retrospect server looks for clients on the LAN via UDP and that isn't
reaching the "outside" clients. Configuring a TCP subnet broadcast range in Retro does
nothing.
I am able to add clients to Retrospect using their inside dynamic IP
address and they function normally until they disconnect from the vpn and reconnect and
are assigned a new IP... at that point they are "lost".
If my clients could
connect and receive the same IP address each time this would work fine.
I
have experimented with configuring the client IP address manually/static in the network
system control panel for the vpn interface. The VPN server ignores this IP address and
assigns it from the DHCP pool defined on the server.
The ability to assign
the client a static IP in the VPN network control panel on the client must serve a
purpose. How do I harness this?
Perhaps not defining any range on the OS X
VPN config?
Any ideas?
TIA!
By smanke on December 21, 2006 at 8:45 AM
Wow! What a great question. I just wish I knew the answer.
My best guess
would be to use OS X's built-in DHCP server to control the distribution of IP addresses.
It lets you map an assignment based on the client's MAC address. That being said, I'm only
guessing. This text from an Apple PDF I found suggests that VPN based address allocation
is entirely separate from all DHCP functions:
When a user connects in to your
server through VPN, that user is given an IP address from your allocated range. This range
is not served by a DHCP server, so you'll need to configure additional network settings.
These settings include the network mask, DNS address, and search domains.
I
will keep an eye out for solutions. If you find one, please post back. This is a very
interesting idea.
By PasKal on January 11, 2007 at 3:37 PM
I have a Draytek Vigor 2800 router at work configured to accept VPN connections from 3
ip addresses using L2TP over IPSec.
One of the remote users has an iMac G5
running Panther and a USB ADSL modem and can connect with no problems.
Another user has a Mac Mini G4 running Tiger and cannot connect.
I have an
iMac G5 running Panther and a Mac Mini Dual 1.66 running Tiger connected to an Airport
Express base station which is connected to a Netgear DG834 router.
The iMac
G5 can connect with no problems, but the Mac Mini cannot.
My conclusion is
therefore that the problem lies in the configuration differences between Tiger & Panther
or a bug in Tiger which is not in Panther.
If I allow the router to accept
PPTP VPN connections then both machines can connect using PPTP.
If I type the
server address used in the VPN configuration in Internet Connect into the Safari address
bar on either machine, I can connect to our web server and I can access the router. (I
have activated "Allow Management from the Internet" in the router and limited this to the
ip addresses of the remote users)
The error message received after
"Contacting VPN Server..." is shown in Internet Connect for about 60 seconds is "The
server does not respond. Please verify your server address and try again." (The working
connection takes less than 5 seconds.)
I can recreate the problem on Panther
by entering the wrong Shared Secret in the VPN configuration.
I hope I have
provided enough information for someone to help! Thanks in advance.
By smanke on January 15, 2007 at 8:30 PM
This one's a puzzle. I know that 2 computers on a home network cannot connect to the
VPN at the same time. The activation of the second tunnel scrambles both tunnels and
makes them unusable. I'm wondering if that might be the case with your 2 machines at
home.
That being said, it does sound like you have found an issue between
10.4 and 10.3.
I will see if I can find any documentation that helps. So
far, I'm not aware of any issues like this.
By saikat on January 21, 2007 at 9:38 AM
I want to know more about VPN: how to configure it on a laptop (OS XP SP2).
By SR on January 24, 2007 at 1:28 AM
Great tutorial. I haven't finished all the comments, but if there isn't one, a matching
tutorial on DNS (configuring a consumer dynamic IP for VPN) would be very cool.
I know
enough to set up dynamic DNS but I am unsure what to do from there at the router and in the
VPN configuration.
By smanke on January 24, 2007 at 7:52 AM
Dynamic DNS would be a great idea. I haven't run across a situation where I can
explore it yet. If I do, I will certainly post about it.
I am considering a
post detailing the mail server functionality in 10.4. I had a heck of a time getting my
first server to work the way I wanted. I'm about to set up a new one, and plan on putting
something together when I do.
By smanke on January 24, 2007 at 7:54 AM
saikat,
I thought the post explained the intricacies of XP's VPN from the
client side. Did you have problems, or a question that wasn't covered?
By wizzard on January 24, 2007 at 11:52 AM
I have been trying for the last couple of days to get VPN working over L2TP from a 10.4
Powerbook to a 10.4 Server through a Linksys router. The connection and authentication
works great, however once I am connected through VPN, I only have access to the VPN server
and not other devices on the network I am connecting to. I am not able to ping the other
IP addresses on the network. I saw something about using the NAT service to rectify this
issue, but have so far not been able to get that working. Is there anyone who has had this
problem that can maybe expand on the suggestion listed in one of the updates in the
article? Should I enable NAT on the router or Server? Thanks.
By BMC on January 26, 2007 at 9:03 AM
Question:
I'm able to connect to my VPN from outside and connect to all
servers via Server Admin. However, - I am unable to connect to the server running the VPN
itself.
Why is that, and how can I fix it? I need to be able to get to
files on that server as well.
But everything else works like a champ.
PS. Connecting with 10.4 laptop via L2TP through Cisco 2600 FW with udp ports 500,
1701, 4500 and tcp port 1723
Any help on this would be fantastic!
BMC
By smanke on January 26, 2007 at 9:13 AM
wizzard & BMC,
I think you are both having the same problem, you are
just hitting it from different sides of the issue.
There are two possible
causes that come to mind. First, I'm betting that you don't have the configuration
correct under Client Information (inside the VPN service of your server admin
application). Double check your settings against the ones listed in the story above. If
that doesn't work, try adding a line designating your home internal network as private. I
think that if you toy with the setting here and remember to restart the service between
tests, you will come up with the answer.
The second possible cause is fairly
simple too. If you use NAT on your remote secure network and NAT on your home network,
make sure both networks are not using the same subnet. For example, if your home network is
192.168.1.x and your office network uses 192.168.1.x, you're screwed. You will need to
reconfigure your home network to use a different virtual subnet. For example, change to
192.168.10.x or 192.168.52.x.
By BMC on January 26, 2007 at 9:33 AM
smanke:
Thanks for the quick response!
Why would my settings
on the VPN server allow me to connect to every server in the network except for the vpn
server itself?
I'm not running NAT at work. All static IPs. I'm coming in
from any hot spot.
I was thinking it might be the route like you said, but I
have the statement added. Should I remove it?
I was thinking it might be more
of a port issue or a security issue that keeps folks from messing with the VPN itself.
I know on other VPN devices like a Cisco concentrator, you are not allowed to
administrate the VPN through the VPN. Is that the same case here?
By BMC on January 26, 2007 at 1:03 PM
smanke: and others ...
I fixed my own problem! :)
It may not
be the prettiest or correct way but it is functional!
I bound a second IP to
the NIC of the VPN. When I connect to the VPN it won't let me connect to that server but
it WILL let me connect to the second IP!
It works but if any of you have a
better way, I'm all ears!
Thanks
BMC
By wizzard on January 26, 2007 at 1:08 PM
I have double checked the configuration many times and all appears to be OK. The remote
network runs on a different subnet, 10.100.13.x, while my home runs on 192.168.1.x.
Still no luck though. I only have access to the VPN server when I connect to my home
network. I cannot see anything else on my home network.
By smanke on January 26, 2007 at 1:20 PM
BMC,
Great workaround! Very creative, and practical!
I'm not
sure what would happen in your case if you remove the rule. I'm puzzled. The NAT service
on your VPN server might hold the answer since you don't have NAT running on the secure
network.
FWIW, I am able to admin the VPN server while on the VPN. So I'm
sure that's not the cause of your issue. Good question though!
By smanke on January 26, 2007 at 1:22 PM
wizzard,
Even though you can't see the other machines on the network, can
you ping them if you hit the internal address? I'm still thinking it has to be an issue
with the NAT service on the VPN server, the routes on the VPN service, or the firewall on
the server. I assumed it was off, but might have been mistaken.
By wizzard on January 26, 2007 at 1:35 PM
I cannot ping other addresses on the VPN network. My connection is going through a
linksys router that has UDP ports 1701, 4500 and 500 all open and forwarded to my internal
Mac OS X 10.4 server running VPN. I am able to connect successfully and I receive the IP
address from the VPN server, but I am not able to ping anything else on the network. NAT
is running on the OS X / VPN server, but there is only an ON/OFF option and IP Forwarding
only OR IP and NAT option with external NIC. The NAT service is currently set to IP and
NAT forwarding, but I have tried both options with no luck.
By smanke on January 26, 2007 at 1:41 PM
What happens if you make the VPN server's IP address the DMZ address in your router?
Then all ports not otherwise specified in the portmaps would go to that box.
It's not a perfect way to go, but it would be a way to see if a necessary port is causing
the problem.
If you do it, remember to remove your existing portmaps that let
VPN traffic through. I'm not sure what would happen if you mapped ports to the DMZ
address at the same time.
Sounds like it might be worth a try?
By Jacques on January 26, 2007 at 1:48 PM
I have a bizarre problem.
I am unable to get service from my VPN using L2TP.
In the 'Overview' of VPN in the server it says
L2TP: Enabled but not running.
I tried reconfiguring but it's still the same.
The PPTP is ok and I am able
to connect to it.
By smanke on January 26, 2007 at 2:09 PM
Jacques,
I'm missing something. L2TP shows up in the admin as enabled but
not running?
By Jacques on January 26, 2007 at 2:19 PM
Well, that's what it says.
I double checked and this is it.
If I
disable the PPTP and try to start the VPN with just the L2TP, it does not want to
start.
By Jacques on January 26, 2007 at 2:20 PM
Can we send jpeg on the forum?
By smanke on January 26, 2007 at 2:35 PM
Thanks for emailing the image. That helped. I've never seen that happen in the VPN
service before. I had a similar issue with the web service. Actually, it happens to the
web service all the time.
For whatever reason, in the web service, sometimes
the httpd.conf file (that's the file that is saved every time you change the settings of
the web service) gets slightly out of format. From what I can tell, the Admin application
is saving something slightly out of whack and causing the problem. As a result, the
service is unable to startup correctly when it initially reads the config file.
I'm betting that the same thing is happening here. The problem is that I'm not sure how
to fix that. In the case of the web service, I had to go back into
/etc/httpd/conf/sites/?.conf via the command line and correct the issue with the config
file by hand. I don't even know where to begin something like that with VPN.
Admittedly I'm as much in the dark as you here, but I do think there is something munged
in the VPN services config file. Short of reinstalling, or finding the config file and
grabbing it from a clean install, I don't know what else to do.
You could
stick with PPTP since that works, but that's not a good answer. I wish I had better
advice. I'm really hoping the 10.5 server will be immune to these "little" issues.
Sorry for the weak advice. If you figure it out, please let us know.
By Jacques on January 26, 2007 at 2:42 PM
smanke
Thanks for the advice. That happened early in December when I
disconnected the VPN connection before disconnecting the Timbuktu.
I tried
the same thing with the PPTP and nothing happened.
I know the PPTP is less
secure than L2TP but at least I have a secure connection. Before we had nothing.
But I'd rather have an L2TP connection.
When I have time I'll look and try
things.
Thanks for the info,
and if I solve the problem I will post in
the forum.
By gnweber on January 28, 2007 at 11:06 AM
smanke,
I work with BMC and I have a question regarding the OS X Server
VPN service and cpu/memory usage. We have a small number of users, 5-10 at the most, with
less than 4 regularly needing VPN access.
How much memory do you think is
required for the VPN service to work in our situation? We have an Xserve w/ample memory,
but would rather use it for other services. Thinking about running OS X Server on a mini
or 17" iMac as a dedicated VPN, which would max out at 2GB of RAM. Any thoughts?
By smanke on January 28, 2007 at 12:25 PM
gnweber,
I can't give you specific memory requirements, but based on my
experience a Mini with 1GB of memory would fit the bill. The VPN service doesn't require
much memory or processor. You might be fine with 512MB.
I currently run VPN
access on a 1.25GHz mini while running a host of other services.
By kristen on January 30, 2007 at 4:12 PM
Hello and thanks for this forum. I am a non-technical user trying to connect via VPN
(PPTP).
I have successfully established a VPN connection using Internet
Connect. However, I cannot yet connect to the server.
I have been entering
the IP address of the server in Finder/Go/Connect to Server. But it says it cannot find
the server.
I also have tried to ping the IP address of the server. No luck.
I feel I'm close! Any advice you can provide would help a lot.
Thank you, Kristen
By sfpete on January 30, 2007 at 7:05 PM
Hi all - thought I'd report back on my previous question above regarding backing up
users via Retrospect once connected to the VPN.
To recap, Retrospect scans
the subnet for clients via UDP and this wasn't being routed all the way out to the client
machines connected to the VPN - so they were essentially lost.
I needed the
clients to always receive the same IP address when connecting to the VPN so I could simply
add them via IP.
I was unsuccessful in getting clients to always receive the
same IP, so went with a dynamic dns setup.
I used the DNSUpdate 2.8 client
with dyndns.org.
The key here being that the VPN configuration is actually a
virtual NIC in the network system preferences.
Once I had DNSUpdate up and
reporting my real Internet IP properly, all I had to do was make the VPN "NIC" the highest
in the list in the network system preferences on the client and set DNSUpdate to report
the DEFAULT INTERFACE.
Voilà! It now reports the internal/VPN server
provided IP.
Now I can add my Retrospect clients via dyndns name and they are
found instantly once they connect to the VPN... and can subsequently be grabbed by the
backup server.
By smanke on January 30, 2007 at 8:40 PM
sfpete,
That's a really impressive and creative workaround! Way to think
outside of the box!
Here's a question for you. I have had issues with the
use of Dyndns.org on my home router. My IP doesn't change often enough and Dyndns keeps
trying to cancel my free account since they assume I'm no longer using it.
Does the DNSUpdate client tickle the service often enough to keep them from closing it
out? Since your IPs won't be changing at all, I'm hoping you won't suffer the same issue.
That being said, I haven't looked at the site's services in some time. Maybe
they offer a service that prevents this from being an issue. Or maybe just using DNSUpdate
is enough to solve the problem. I have a client's server that I have been meaning to
install that on. Maybe I'll just have to try and see what happens.
Thanks
for getting back to us with your solution!
By smanke on January 30, 2007 at 8:43 PM
kristen,
It sounds to me like there is an issue with the firewall. I'm
betting there is a port that is not yet open. Have you disabled the OS firewall? And double
check portmaps. It seems like the most logical issue.
Also, make sure you
have the routes set up correctly in the VPN service's admin. Be sure each subnet on either side
of the VPN is unique, as per some of the previous comments as well.
By sfpete on January 30, 2007 at 8:56 PM
Smanke,
DNSUpdate and dyndns.org are working great together.
DNSUpdate forces a DNS update every time there is an IP change on the interface... which
would be every time the user reconnects to the VPN.
I also sprung for the
$9.95 per year upgraded dyndns service which allows up to 20 hostnames (each user will
need their own) and never expiring entries due to inactivity.
One side
benefit I realized from the above config is it allows me to hit users connected to the VPN
via remote desktop quickly (dns name entered) vs. going into server admin and looking up
their new IP every time.
By smanke on January 30, 2007 at 8:58 PM
Works for me. Off to Dyndns.org I go! Thanks for the scoop!
By oz on January 31, 2007 at 12:11 AM
Using dyndns:
name of dyndns domain: macblahblahblah;
internal name of server: tigerserver;
internal IP of router: 192.168.99.99;
server static IP: 192.168.99.100.
What should my client settings page on the VPN tab on the
server be?
By leVel on February 1, 2007 at 2:01 AM
Is it possible to set up a client to gateway VPN using nothing but the Mac VPN client
and the Linksys RV082 VPN router? I have had much success with OS X Server VPN server and
client in the past, but none here.
Fellow techs have recommended using
either Hamachi, IPsecuritas, or VPN Tracker as the VPN client on my remote Macs. Is it
necessary to utilize third party software for my desired configuration?
The
Linksys documentation is, as always, too convoluted for us simple Mac folk. Any
suggestions?
By smanke on February 1, 2007 at 8:09 AM
There is one Linksys router that I know works with the Mac VPN client for sure. It
only supports PPTP, but it works and it works well. Check out the RV082.
That
router isn't cheap, but it is powerful. More so than any other Linksys I have seen. One
of the posters has a lot of luck with VPNTracker. Look for his comments higher up. I
have been tempted to try it out, but the price has kept me away.
By Chopper on February 13, 2007 at 2:16 PM
I have been using a VPN connection to my xserve about a mile from the house.
About 3 weeks ago, the VPN speed went from ok... to painfully slow. This was
shortly after I upgraded my home cable account from 7mbs down & 786kbp up. The server at
work is 4mbs down and 2mbs up.
Long story short, I have been in contact with
Time Warner help, support, level 3, technicians out at the house... I even upgraded my
router to an ambient router to match the one at work.
The internet works
fine. Speeds are fine.
The only issue is with VPN.
I did not
change anything on the server, nor did I change any settings at home.
But for
some reason... it is CRAWLING!
Time Warner says everything is fine as far as
their service... which I have to agree.
Any recommendations as what to do?
Please help!
By Chopper on February 13, 2007 at 2:19 PM
By the way....
I am on a Dual G4 1.25 at home with internet speeds of 7mb
down and 768kb up.
The Xserve at work is a Dual G4 unit with 4mb down and 2mb
up.
Both are currently running the latest OSX software, while the xserve is
running the latest xserve software.
By smanke on February 13, 2007 at 3:02 PM
Interesting. My VPN speeds are always considerably slower than my non-VPN connections.
Mine is running at 7Mb/768Kb too (Comcast). Even then, the fastest transfers I see
when sending a file over the VPN are about 100KB/sec.
I've never been sure of
the cause. I always suspected it was due to overhead on one of the end routers. Anyone
else have an idea?
FWIW, I've never been on a VPN whose transfer speed was
the same as an unsecured connection.
By gatti on February 15, 2007 at 8:53 AM
I can connect to the VPN but can't ping nor connect to computers using the "Connect to
server" function.
Here's my entire setup:
Ok, I have an Intel Xserve.
It has 2 network cards in it:
Card#1 has a public IP address with a subnet mask
provided by my ISP.
Card#2 has a private and static IP address (192.168.1.224) with
the subnet mask of our internal network 255.255.255.0.
The xserve actively
runs the following services: AFP, Firewall, VPN, and a 3rd party Kerio mail server. Its
internet access is provided over Card#1.
Here's some background of our
network switches:
xserve Card#1 is plugged into a network switch that only computers
with other public IP addresses are plugged into (let's call it "Public switch").
xserve Card#2 is plugged into our network switch that only local LAN computers/printers
are plugged into (let's call it "Local switch").
Our "Local switch" is behind a
DLink firewall that does the NAT and DHCP. Now, the WAN port of the Dlink firewall device
is plugged into the "Public switch" (same switch as Card#1 of the xserve) since it
additionally has a public IP address and subnet mask of the ISP. As you may have figured
out, our local network (provided by the Dlink firewall/NAT/DHCP device) runs 192.168.1.1 -
192.168.1.254 with a subnet of 255.255.255.0
This is the thing, I'm
connecting to the xserve through its public IP address. I'm pretty sure all the firewall
ports on the xserve are opened up in order to connect via VPN since I can connect and see
the "time connected" message. However, as I mentioned at the beginning of this post, I
can't connect to any computers on the local network.
Do I have to enable
something on the xserve to allow it to pass me from the public IP card to the other
network card that's on the private network?
I'm very new to all this. Am I
doing this all wrong? Can I please be pointed into the right direction?
PS. I'm trying to connect from 2 different laptops running 10.3.9 and 10.4.8. They are
both behind Linksys routers that broadcast the same IP addresses and subnet as our
company-based Dlink firewall/NAT/DHCP device.
By GlennK on February 20, 2007 at 9:13 PM
I can get PPTP working wired only. Airport Express and Linksys wireless router both
fail to allow me to connect. But the same Linksys router will allow me to connect if I am
hardwired in.
Ok, but the really strange thing is that OCCASIONALLY I CAN
connect to VPN wirelessly. I'm confused.
I actually have Netopia R910 serving
up the VPN from the remote location. Again.. works great wired, not unwired.
By smanke on February 21, 2007 at 8:10 AM
gatti,
Sorry for the delay in my response. I think the info you provided
in the PS is the key. You must have different IP subnets on each side of the VPN. Since
your secure network is 192.168.1.*, each connecting network must be something else... try
192.168.2.* and 192.168.3.*.
Aside from that, you have a surprisingly
complicated setup that gives me a lot to think about. It's possible that you missed a port
in the FW. You might try disabling the server's firewall while you do testing. You could
also have an issue with the Client Information tab of the VPN config. You will want to
make sure your 192.168.1.0 network is private.
By smanke on February 21, 2007 at 8:14 AM
GlennK,
Are you sure you have the wireless devices in access point mode?
If you are running them in router mode, or allowing them to do NAT and DHCP it could cause
this issue. You only want your main home router to do the NAT and DHCP. The wireless
access points should allow the main router to send DHCP addresses to the wireless
clients.
By dzak on February 27, 2007 at 12:03 PM
I use a Mac at home, and I'm trying to use VPN Client or an equivalent to access the
office network. There's an RV042 in the office and everything's Windows XP. My
co-workers have set up QuickVPN on their home Windows computers and accessed the office
network without difficulty. Is this a possibility for me? Thanks....
By smanke on February 27, 2007 at 12:34 PM
dzak,
I'm not sure if you will be able to connect to the RV042 directly
using the Mac's built-in client. It's certainly worth a shot. I would start with an
account that is known to work on Windows and give it a shot. I'm guessing the VPN type
will be PPTP, but be sure to try L2TP as well. If it does work, please let us know. It
would make the RV042 a big seller.
There is no Mac compatible QuickVPN client
out there. It's just a question of whether the Mac's built-in support will do it for you.
If you still can't get the Mac VPN client to work, check out VPN Tracker. A
couple of users have had great luck with it. It's expensive, but works with a wide range
of VPN enabled routers. I've been wanting to try it myself, but that price tag has kept
me away since I more or less just want to play with it.
Please let us know
how this works for you.
By REDERS on March 11, 2007 at 5:44 AM
I have made the connection from my home network to the Server at work with a VPN
Connection. Where do I go next to see the network at work? My Mac is connected, as it is
issuing the correct IP addresses, but what do I do next to see the network at work?
By smanke on March 13, 2007 at 3:40 PM
You should be able to connect to any machines on the work network as you would if you
were physically present. There have been problems where people can't browse the network
properly by simply selecting the network icon in a Finder window.
If that's
the case for you, you should still be able to connect to the machine manually if you know
its IP on the work network. Just hit Apple K in the finder and enter the IP in the
window. If the remote machine is Windows based, prepend the address with smb:// (for
example: smb://192.168.2.225). If you're connecting to a mac, you can just enter the
IP.
By drcomp on March 18, 2007 at 5:23 PM
Hi everyone -
Thanks so much for a great page, Steve! The original post is
outstanding and almost every hiccup I have hit along the way has been covered in the
comments.
I finally have WinXP (via PPTP) and Mac OS X (via IPSec) clients
connecting remotely, including over a Cingular wireless connection. I cannot browse the
network, but Command-K gets me through to everything.
I am still struggling
with a few things ...
1) In Windows only, I must -uncheck- "Use default
gateway on remote server" under advanced TCP/IP settings or I do not have access to the
internet. On occasion, I do not get 192.168.4 access OR the internet.
A
reboot of Winxp seems to help. Was any progress made after that chat between Matt, Jamie
and Steve up in the comments?
I am running Mac OS X Server 10.4.8 on a G4
Tower. My external cable modem comes into en0 and the server acts as a gateway (DHCP, NAT,
Firewall, VPN, DNS - caching only). It then serves files, print and the internet to en1 -
the local ethernet network.
Settings: DHCP Server
Subnet: 192.168.4
Starting IP: 192.168.4.2
Ending: 192.168.4.127
Subnet Mask: 255.255.255.0
Router: 192.168.4.1
Lease Time: 1 hour
VPN Settings:
L2TP over IPsec
Starting: 192.168.4.128
Ending: 192.168.4.200
PPP: MS-CHAPv2
Shared secret: Set
PPTP:
Enable PPTP
Do NOT allow 40-bit encryption
Starting IP: 192.168.4.201
Ending: 192.168.4.254
Client Information:
DNS Servers: From Road Runner NYC Cable Modem info (24.29.xx.xx)
Search Domains: Nothing
Network Routing Definition:
Network Address: 192.168.4.0
Network Mask: 255.255.255.0
Network: Private
Thanks in advance for any help on this, guys :)
2) Kind of
paranoia, I suppose. I know the VPN is "working" because I type afp or smb://192.168.4.1/
to access server resources as opposed to the external Internet IP.
However -
I can still access the server by typing the external IP into Connect to Server when I am
NOT on the VPN. Is there a way to disable this? In other words, only allow external SMB
and AFP sharing when someone is connected via secure VPN?
3) Next topic:
Vista. For my test laptop, PPTP and IPsec did not work at all. Connects, authenticates,
but can't find resources. Looks like MS changed something...
Best,
Eric
(drcomp)
|
|
By smanke on March 19, 2007 at 7:30 AM
drcomp,
First of all, the single best post I have ever read. You covered
all of the config info that I could have asked for! Outstanding!
1. I'm
actually wondering if "Use default gateway on remote server" option is caused by the DNS
servers you are using on your client machine. Once you are accessing the web via the
gateway on your secure network those servers might not work any more because your traffic
is actually no longer passing through Road Runner as they would expect. Try checking the
box again, but set your DNS servers to something that we know isn't dependent on the
network you are accessing from. I suggest 4.2.2.2 and 4.2.2.3. Those belong to AT&T and
have been wide open for as long as I can remember.
In fact, for your testing,
I would set those DNS addresses not only on the client machine, but in the network
definition of the VPN server too. Just to be on the safe side. If that corrects your
issue, you can always go back and figure out which one needs the wide open servers (client
or the settings on the VPN server).
It would also be interesting to find out
if you can ping Google or Yahoo with the checkbox checked. If my guess about your DNS
server settings is correct, you would be able to ping the IP of Google, but not the name.
If you can't ping the name or IP even after setting your DNS servers per above, then we
can be sure there is a routing issue and go from there.
2. Not paranoid at
all. It's the internet. If it's exposed, it will be attacked eventually! This should be
addressable simply by changing your firewall settings. My guess is that you opened up a
rule to allow afp and smb access to the box across the board. You need to refine your
rule to allow access from addresses on the 192.168.4.0 network, but block them from
everyone else. With that in place, you should have things locked down as needed.
3. Good question about access from Vista. I've only used it on a virtual machine so
far. And even in that case, my use has been very limited and has not included VPN
testing. If anyone else has taken a crack at it, please post back. Otherwise, I'll take a
look at it and report back whenever I get my hands on a notebook and get off my network to
test remote access.
Good luck, and please let us know how these suggestions
pan out for you!
Again, this post was a perfect example of the information
people should be posting along with their questions. It provided deep insight into the
network setup and answered every question that came to mind about the config.
|
|
By drcomp on March 19, 2007 at 4:28 PM
Hi smanke -
Thanks for the lightning fast reply and the positive comments
about my post. I figure, sometimes you only get one shot at a response so the first post
better be good!
I am excited to try out your suggestions and will post back
with my findings later in the week.
Best,
Eric
|
|
By Darren on March 21, 2007 at 3:34 AM
Great tutorial!!! I don't have any experience on Mac OS X Server. I spent 1 hour last
night reading this Great tutorial. Today I tried on my office OS Server 10.4.7, VPN works
fine on L2tp from 2 different locations.
I still have 2 problems:
1. I got VPN working with Mac and Windows Client from home, But only can ping the Office
Mac VPN Server IP, can not ping rest of the computers in my office.
2. On
Windows, I can not open any web page on windows when connected to Mac VPN Server with
Windows VPN Client via PPTP
Any help will be helpful!!
thanks a
lot.
|
|
By smanke on March 21, 2007 at 7:27 AM
Darren,
It sounds like you might have the route set wrong in the Client
Information tab. Either that, or you have a firewall issue on the server. That part is
easy to test. If you have the firewall enabled on the server, just disable it and see if
that corrects the problem. Otherwise, check the comments above regarding the NAT
functionality. Some users have resolved the issue by activating the NAT service on the
box.
As for Windows, I think you are hitting the same issue. On some
machines, the "Use default gateway on remote server" box is checked in the VPN network
config. Sorry I don't recall exactly where that's located. If that's checked, the
Windows box is trying to route all traffic over the VPN which means you then run into the
same issue you have in problem number one. Resolve the first issue, or uncheck the box.
If you uncheck the box now, you will find that you can surf everywhere but the secure
network from the PC.
I know a number of people have had the same problem.
Maybe one of them can post back and describe how they came up with resolution if it wasn't
as I suggest.
Good luck!
|
|
By Paul on March 22, 2007 at 5:04 AM
I have been using VPN to access to my office G4 running OS X 10.4.9 Server. The server
is connected, wired to a Netgear DG834GT router with a fixed IP address. The problem is
when the server is running I have to reboot the router every morning for wireless clients
to access the Internet and have VPN connectivity available.
The Netgear
router is fine because when I turn the server off, wireless clients can access the
Internet and remote administration on the router is operational, all day everyday.
Any thoughts?
Thanks guys
|
|
By smanke on March 22, 2007 at 7:13 AM
Paul,
Any chance you have DHCP enabled on your server and on the router?
It sounds like the two are fighting for control and your client machines are paying the
price.
|
|
By Paul on March 22, 2007 at 10:16 AM
Smanke,
Thank you, it does appear that is the case, so I will try turning
the router's DHCP server off. I am new to the server world and felt that the server needed
an IP address from the router then the clients would get theirs from the server.
This may also answer why the wireless clients cannot log into their home folders
remotely, only manually via Apple K
Thanks for the prompt
|
|
By sfpete on April 12, 2007 at 7:41 PM
Hi all-
Just thought I'd check in and update everyone on my further
adventures with OS X Server vpn.
I actually got my Win XP clients connecting
to the OS X Server VPN via L2TP IPSec using the built-in windows VPN client!
L2TP is *significantly* more secure than PPTP - I highly recommend it.
It
was a long road to figure it out, so I thought I'd share.
1) Set up the L2TP
vpn service as normal (described above). I would check that your Mac clients can connect
to confirm the service is running properly.
2) On the Win XP client if
running service pack 2 - this is the kicker - you must edit the registry to tell it
whether your client is behind NAT, your server is behind NAT (mapped service), or both.
In my case, and most others it will be both.
"AssumeUDPEncapsulationContextOnSendRule" entry with option #2: A value of 2 configures
Windows XP SP2 so that it can initiate IPsec-secured communications when both the
initiators and the responders are behind network address translators.
details
on this here:
http://support.microsoft.com/kb/885407
3) The proper Windows XP client config is:
Create new network place > connect to a computer at my office
General tab:
host name: (your server or router public ip or domain)
Options tab: (default)
Security tab:
Click Advanced radio button > click settings button
Data encryption: Require encryption (disconnect if server declines)
Allow these protocols: uncheck everything except Microsoft CHAP Version 2 (MS-CHAP v2)
(click OK)
IPSEC Settings: enter the PSK
Networking tab:
Type of VPN: L2TP IPSec VPN
Good luck!
|
|
By smanke on April 12, 2007 at 10:14 PM
sfpete,
Thanks for the scoop! The config info is great. I should be
shocked that you have to crack open the registry, but it's Windows so nothing really
surprises me any more. Changing the registry by hand seems like the long way around, but
it gets the job done. Maybe someone will find the time to make an application that can
make the necessary changes for the average Windows user.
|
|
By mmburns on April 16, 2007 at 1:21 PM
Hi all,
When I set up my VPN, I get a connection OK but then can't, for
example, access a server through it. The server log has a msg "Cannot determine ethernet
address for proxy ARP" immediately after the signon messages, which presumably explains
why I have the problem.
I'm only running AFP and VPN services on this newly
set up server. If I ssh into it I can ping and everything, so presumably the basic network
connections are OK, including ARP lookup.
Any suggestions on what to do, or
why the "proxy ARP" doesn't seem to be set up properly? Or where I can find out about how
the server configures pppd? I haven't had any luck googling or searching the Apple support
site.
Thanks.
|
|
By smanke on April 16, 2007 at 1:26 PM
mmburns,
You said that when you SSH to the server you can ping everything. Can
you ping anything direct from the computer attaching to the VPN? If not, there must be a
problem in the Client Information tab of the server config, or a firewall issue. You
might want to play around with the NAT service on the server. Some have found that
enabling one of its 2 modes has solved this sort of issue even though they aren't using
the DHCP service.
|
|
By mmburns on April 18, 2007 at 10:38 AM
smanke,
Thanks for the suggestions. I tried turning on the NAT service
with no change, and the firewall was always off. I could not ping from the client.
For the record, with the help of our network guru I did get it to work. We changed
two things and I don't know which change was the critical one (we suspect the second):
1. The server machine has both a private address (10.1.*.*) and a public address,
with the VPN set to serve addresses in the private space. In Server Admin the server's
public address was listed as the primary (first) and the private address as secondary
(second). We changed that in System Preferences/Network with some judicious deletions and
re-entry.
2. The server's System Preferences/Network had the Router address
for the private space set to our public router address. We changed that to the equivalent
private router address (but same machine).
No changes were made to the VPN
setup in Server Admin, so the original settings were evidently correct.
And
now it works.
This posting and the comments are a great resource - I learned
a lot. One point I stumbled on for a while that I didn't notice mentioned was that if you
host both L2TP and PPTP services, you need to make sure that the IP addresses served for
each are disjoint - they shouldn't have any overlap. I had initially set them to the same
range of addresses, which isn't good.
Thanks again.
|
|
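mmburns's last point (the L2TP and PPTP address ranges must not overlap) and drcomp's posted settings (DHCP scope plus both VPN pools inside one /24) are easy to get wrong by hand. This added script, mine and not from the thread, checks a set of pools against the subnet: each pool must sit inside it, avoid the network, broadcast and router addresses, and no two pools may overlap. The sample values are the ones drcomp listed.

```python
"""Sanity-check the address pools an OS X Server VPN hands out.

Added example (not from the original post). The values below are the ones
drcomp listed: one /24, the DHCP scope, the L2TP pool and the PPTP pool.
"""
import ipaddress

# Constructed from drcomp's posted settings.
DRCOMP_SUBNET = "192.168.4.0/24"
DRCOMP_ROUTER = "192.168.4.1"
DRCOMP_POOLS = {
    "dhcp": ("192.168.4.2", "192.168.4.127"),
    "l2tp": ("192.168.4.128", "192.168.4.200"),
    "pptp": ("192.168.4.201", "192.168.4.254"),
}


def _bounds(pool):
    """Return the (first, last) pool as a pair of integers, inclusive."""
    first, last = (ipaddress.IPv4Address(ip) for ip in pool)
    if first > last:
        raise ValueError(f"pool {pool} runs backwards")
    return int(first), int(last)


def check_pools(subnet, router, pools):
    """Return a list of problems; an empty list means the pools are consistent.

    Checks: every pool lies inside the subnet, no pool includes the network,
    broadcast or router address, and no two pools overlap (the mistake
    mmburns describes: L2TP and PPTP handing out the same range).
    """
    net = ipaddress.IPv4Network(subnet)
    reserved = {
        "network address": int(net.network_address),
        "broadcast address": int(net.broadcast_address),
        "router": int(ipaddress.IPv4Address(router)),
    }
    problems = []
    bounds = {}
    for name, pool in pools.items():
        lo, hi = _bounds(pool)
        bounds[name] = (lo, hi)
        for ip in pool:
            if ipaddress.IPv4Address(ip) not in net:
                problems.append(f"{name}: {ip} is outside {net}")
        for what, addr in reserved.items():
            if lo <= addr <= hi:
                problems.append(
                    f"{name}: pool includes the {what} {ipaddress.IPv4Address(addr)}"
                )
    # Pairwise overlap test on the integer ranges.
    names = sorted(bounds)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = bounds[a], bounds[b]
            if alo <= bhi and blo <= ahi:
                problems.append(f"{a} and {b} overlap")
    return problems


if __name__ == "__main__":
    for line in check_pools(DRCOMP_SUBNET, DRCOMP_ROUTER, DRCOMP_POOLS) or ["OK"]:
        print(line)
```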
By sfpete on April 18, 2007 at 11:33 AM
Don't be afraid of the Windows XP registry modifications needed for L2TP
connectivity. When I started to read the instructions... I too was like... uh...oh. But
they are quite detailed, walk you thru step by step...and it actually only takes about 2
mins. Easy.
I know... I know... windows. weee.
|
|
By trazanka on May 4, 2007 at 10:30 PM
This is slightly off topic so I apologize, I have paid two different Apple Certified
consultants almost $800 to get my Mac Mini with 10.4 Server installed and operational.
The critical function for me is the email. The problem I am having is that when I am on
the local network I can send and receive no problem, when I leave the office no matter
where I go I cannot send, I get SMTP errors.
If there is anyone that thinks they can
fix it I would love to talk to you, I really need someone that understands server. I am
willing to pay to get it done, I just can't seem to find anyone that really knows what
they are doing and I don't want to keep throwing good money after bad.
Please
contact me by my email if you would like to discuss with me.
Thanks in advance. Gary
|
|
By trazanka on May 4, 2007 at 10:31 PM
Sorry I thought my email would post, it is info@splinedesigns.com
|
|
By STACEY on May 12, 2007 at 1:40 AM
I FORGOT MY PASSWORD TO MY TABTOP I CAN CANT GET IN IT
|
|
By STACEY on May 12, 2007 at 1:43 AM
WHAT SHOULD I DO FORGOT PASSWORD TO LAB TOP
|
|
By STACEY on May 12, 2007 at 1:45 AM
I CAN NOT GET ON MY LABTOP
|
|
By STACEY on May 12, 2007 at 1:50 AM
I HAVE A APPLE MAC IBOOKG4 AND I FORGOT MY PSSWORD WHAT CAN I DO BECAUSE I CANT SIGN
ON
|
|
By Lost on May 18, 2007 at 9:17 PM
OK... does anyone have the config for a CISCO 506e PIX Firewall... I can not seem to
make a complete connection! Would love to see a working config file!
|
|
By ryansalazar on May 29, 2007 at 8:31 PM
This tutorial looks great and I plan on using it, however I'm having problems enabling
the VPN service in OSX. The "start service" button is grayed out, but it appears to be
installed.
Any ideas?
Thanks
|
|
By ryansalazar on May 29, 2007 at 9:28 PM
Okay - I was able to get the VPN service running on OSX server.
Now, I
have another question. Here's what I'm doing.
I have a server on a public IP
address. I also have my network behind a firewall. Will I be able to see inside the
network remotely if I install a 2nd ethernet card which is behind the firewall?
Last question - Does the IP address on the 2nd ethernet card need to be configured
any special way for this to work properly?
Thanks,
Ryan
|
|
By smanke on May 30, 2007 at 3:00 PM
ryansalazar,
I need to be clear on an important detail. Your network is
behind the firewall. Is your server with the public IP also behind that firewall, or is
it on the outside?
If it's inside the FW, you should be fine with 1 NIC. You
would just need to add another IP address to the same card. That IP would be a virtual IP
like the rest of your FW network. Having both IPs on the same NIC would let your server
speak with both parts of the network.
|
|
By ryansalazar on May 30, 2007 at 3:05 PM
My server is on an outside IP and outside of the network, so I figured - Get another
NIC and put it inside. Can I do that and it'll work fine?
|
|
By smanke on May 30, 2007 at 3:29 PM
Interesting. I'm actually not sure. It seems logical.
In this situation,
most people put the server on the inside of the FW and then map through the ports
necessary for the VPN connection. That's the way I've set up a couple of servers.
Let us know how this configuration goes for you. I can imagine others might want to
try something similar. I've just never had a network config that would let me try
something like this.
Sorry I can't be of more help.
If you
really get stuck, I have a great network consultant that I can put you in touch with.
The guy is a real wizard with network security.
|
|
By Lost on May 31, 2007 at 9:31 AM
OK - Let me rephrase the question!
I have a Pix firewall... can someone
give me line by line config to enable passthrough onto the OSX server which is running the
VPN?
The following is already entered into my PIX firewall (506e 6.3.4)
access-list 101 permit tcp any host 209.100.100.88 eq pptp
access-list 101 permit tcp any host 209.100.100.88 eq 1701
access-list 101 permit udp any host 209.100.100.88 eq 1701
access-list 101 permit udp any host 209.100.100.88 eq isakmp
access-list 101 permit esp any host 209.100.100.88
access-list 101 permit gre any host 209.100.100.88
Thanks
|
|
By smanke on June 4, 2007 at 8:58 AM
Lost,
Here's the info from my config:
permit udp any host 12.152.25.44 eq isakmp
permit udp any host 12.152.25.44 eq non500-isakmp
permit esp any host 12.152.25.44
permit gre any host 12.152.25.44
permit tcp any host 12.152.25.44 eq 1723
I've fudged the IP addresses here, but the
config is real.
|
|
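Lost's access list and smanke's reply differ in one entry (smanke's has non500-isakmp, UDP 4500, which Lost's lacks), and that difference is exactly what later commenters found they needed. This added checker, mine and not from the thread, parses PIX-style "permit" lines and reports which entries each VPN type still lacks. The required sets are my summary of what the thread converges on: TCP 1723 plus GRE for PPTP; UDP 500, UDP 4500 and ESP for L2TP/IPsec (L2TP itself travels inside IPsec, so UDP 1701 is not needed on the outer firewall, which matches the later ASA comment that only 500 and 4500 were required).

```python
"""Check a PIX/ASA-style access list for the entries an OS X Server VPN needs.

Added example, not from the original post. LOST_ACL and SMANKE_ACL are the
two lists posted in the thread; the REQUIRED sets are my summary of the
thread (an assumption), not Apple documentation.
"""
import re

# Service keywords PIX accepts after "eq" (the subset used in the thread).
PORT_NAMES = {"pptp": 1723, "isakmp": 500, "non500-isakmp": 4500, "l2tp": 1701}

# What the outer firewall must pass for each VPN type.
REQUIRED = {
    "pptp": {("tcp", 1723), ("gre", None)},
    # L2TP rides inside IPsec, so only IKE (UDP 500), NAT-T (UDP 4500) and
    # ESP need to pass; UDP 1701 is commonly listed but not required here.
    "l2tp-ipsec": {("udp", 500), ("udp", 4500), ("esp", None)},
}

LINE_RE = re.compile(
    r"^(?:access-list\s+\S+\s+)?permit\s+(?P<proto>tcp|udp|esp|gre)\s+any\s+host\s+"
    r"(?P<host>\d+\.\d+\.\d+\.\d+)(?:\s+eq\s+(?P<port>\S+))?\s*$"
)

# As posted by Lost (PIX 506e 6.3.4).
LOST_ACL = """\
access-list 101 permit tcp any host 209.100.100.88 eq pptp
access-list 101 permit tcp any host 209.100.100.88 eq 1701
access-list 101 permit udp any host 209.100.100.88 eq 1701
access-list 101 permit udp any host 209.100.100.88 eq isakmp
access-list 101 permit esp any host 209.100.100.88
access-list 101 permit gre any host 209.100.100.88
"""

# As posted by smanke (addresses fudged by the poster).
SMANKE_ACL = """\
permit udp any host 12.152.25.44 eq isakmp
permit udp any host 12.152.25.44 eq non500-isakmp
permit esp any host 12.152.25.44
permit gre any host 12.152.25.44
permit tcp any host 12.152.25.44 eq 1723
"""


def parse_acl(text):
    """Return a set of (proto, port) tuples; port is None for esp and gre."""
    allowed = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised ACL line: " + line)
        proto, port = m.group("proto"), m.group("port")
        if proto in ("esp", "gre"):
            allowed.add((proto, None))  # IP protocols, no port
            continue
        if port is None:
            raise ValueError("tcp/udp entry without a port: " + line)
        allowed.add((proto, PORT_NAMES[port] if port in PORT_NAMES else int(port)))
    return allowed


def missing_entries(text, vpn_types=("pptp", "l2tp-ipsec")):
    """Map each VPN type to the (proto, port) entries the ACL still lacks."""
    allowed = parse_acl(text)
    return {vpn: REQUIRED[vpn] - allowed for vpn in vpn_types}


if __name__ == "__main__":
    for label, acl in (("Lost", LOST_ACL), ("smanke", SMANKE_ACL)):
        print(label, missing_entries(acl))
```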
By ryansalazar on June 4, 2007 at 2:34 PM
Smanke,
I just wanted to let you know that my idea of setting up 2
ethernet cards - 1 to the outside world on a public IP (outside of the firewall) and 1
within the network and behind the firewall, worked! Obviously, I'm using firewalling on
the OSX box itself. It worked like a charm and I had the system running within a few
minutes.
Ryan Salazar
|
|
By ryansalazar on June 4, 2007 at 2:35 PM
Smanke,
One last thing - Love the instructional guide and really
appreciate you having this forum online. It has been a lifesaver!!!
Ryan
Salazar
|
|
By smanke on June 4, 2007 at 3:46 PM
Ryan,
Glad to hear that the double NIC idea worked so well. It's something
for everyone to consider if they are in that situation. Thanks for posting back about it.
Feedback like that adds to the value of the guide.
|
|
By ryansalazar on June 5, 2007 at 7:47 AM
Smanke,
Just curious - Do you have any other forums like this for other
Mac server functions? I'm currently looking to setup an LDAP server (preferably on Mac).
Thanks,
Ryan Salazar
|
|
By smanke on June 5, 2007 at 8:16 AM
Nothing on LDAP. I've never played with that. I basically write things as I
experience them first hand. That's why we have info on VPN, iTunes, File Sharing, and I
am about to post a thread on Mac & Windows software firewalls. I've been asked a lot of
questions about the firewalls lately, so I need to get that finished.
My main
problem is the shortage of spare time. It takes a great deal of time to write detailed
workups with images and the like.
I have plans to post about the mail server
and possibly the web and DNS servers.
I'm always looking for contributors, if
you're interested in detailing what you learn when you dig into server software. Apple
does a poor job of documenting the software.
|
|
By cnhhpc on June 6, 2007 at 9:19 PM
it's good
|
|
By Anonymous on June 20, 2007 at 3:19 PM
Hi,
I had installed MAC OS X 10.4.8 on my Intel PC. I wish to be connected on
the internet on MAC through the Router. I have D-link router DSL-2540T. I don't know how
to be connected. Can anyone tell me the procedure of connecting through this router on MAC
OS X 10.4.8
Reply me on:
aqeelahmed409@hotmail.com
|
|
By Anonymous on July 1, 2007 at 3:15 PM
I would feel more confident in the reliability of this article if the writer hadn't
used the terms synchronous and asynchronous when he meant symmetric and asymmetric under
the Disadvantage heading.
|
|
By sfpete on July 2, 2007 at 1:48 PM
Anonymous... the instructions are indeed valid.
|
|
By Anonymous on July 5, 2007 at 3:14 AM
On a Cisco ASA 5505, I had to allow traffic on UDP ports 500 (isakmp) and 4500, nothing
else.
This allows clients running 10.3 and 10.4 to connect.
The
router logs show that the client first tries to connect to port 500, and if that isn't
blocked, to port 4500. If either of those are blocked, the client just gets a "Trying to
connect to..." displayed in Internet Connect until it times out.
We only run
L2TP over IPSec on a Mac OS X 10.4 Server, not PPTP.
|
|
By rkjohnson2 on July 17, 2007 at 1:55 AM
I currently have the VPN server configured, thanks to your guide. The problem I'm now
experiencing is not being able to resolve hosts by name.
I can ping both by
name and IP from within the internal network, but when I establish the VPN connection,
only pinging by IP works.
I noticed that when I connect via VPN, the subnet
issued to the client is 255.255.255.255, as opposed to 255.255.255.0 for the clients on
the internal network.
Any idea why this would be happening? I can't think of
any other reason other than the subnet problem...
|
|
By smanke on July 17, 2007 at 8:19 AM
rkjohnson2,
I'm betting that the DNS servers you use are not allowing
lookups from an off network host, which is what you are to your connection provider when
you VPN to another network.
To test the theory, set the client config on the
server and the network config on your client to use 4.2.2.2 as the single DNS server. I
believe that server is wide open and run by someone like AT&T.
After that,
try and reconnect. Hopefully that will resolve the issue.
Let us know!
|
|
By rkjohnson2 on July 17, 2007 at 10:10 AM
smanke,
thanks for the reply. I'm actually running my own DNS server on
the xserv as well. Would that make a difference?
Thanks
|
|
By smanke on July 17, 2007 at 10:35 AM
Good question. I think it will depend on the config of your DNS server. Try the AT&T
server and see if it gets you around the problem.
|
|
By Gurboy on July 18, 2007 at 9:10 PM
I created a VPN on MacOSX Server 10.3.9 with both L2TP and PPTP and opened ports 1723
and 1701 on my firewall. I can connect using PPTP and I can't connect using L2TP at all.
This is a short term thing while I'm on vacation from work, so PPTP by itself
is OK for now.
I connect to the network, The internal IP address shows up,
"Send all traffic through VPN" is checked in the connection options... but that's where
the fun ends. I can't ping anything on the internal network. I saw in one of the updates
that NAT should be enabled... still nothing.
In the OSX Server Admin
App/VPN/Client Information: DNS server is set to my internal DNS server
[192.168.175.1] that all other computers in my office use. Search domain is set to local.
Network routing definitions are: Address:192.168.175.0 Subnet: 255.255.255.0 Type:
Private.
Little help? It would sure be appreciated!
|
|
By Gurboy on July 18, 2007 at 10:28 PM
Solved my own problem.
Bad news: I couldn't get PPTP to work.
Good news: After reading through the comments, I opened UDP 500 and 4500 in addition to
1701 and BAM! Everything works like a charm. Funny how Apple doesn't tell you about the
other two ports.
Great site. Thanks a lot.
|
|
By smanke on July 19, 2007 at 1:48 AM
Excellent! I'm glad you went through all of the comments. I think some people don't
bother to take the time. A few people keep asking the same questions over and over.
|
|
By ryansalazar on July 24, 2007 at 7:12 PM
Smanke,
I'm having a strange issue. Everything connects and everyone can
see each other's servers/computers, etc. The problem I'm having is that while pc users are
connected to the VPN, they can't browse the web. The mac users can browse perfectly fine!
So, I immediately thought it was a dns issue. I configured the vpn client to utilize the
"internal" dns server...the same one that people behind our network would use, and same
result - no web browsing is possible.
Any ideas? Also - I'm curious if anyone
has set this up on a windows xp box and set the "share network connection with other
computers" option? If you did that, did it also share the vpn with the rest of the
network? That way only 1 system would need to connect?
Last question - Can
you somehow tell the windows vpn client to automatically connect when windows loads?
Thanks!!!
Ryan Salazar
|
|
By smanke on July 25, 2007 at 8:37 AM
Ryan,
There may be a logical reason for a configuration that works for Mac
users and not Windows users. But first, let's test the DNS theory. From the Windows box,
try to hit www.yahoo.com. When you can't, see if you can ping it from the command line.
From there you should be able to see if the lookup fails, or if the ping fails. I'm
thinking it's a DNS issue too.
Sometimes the Mac will default to a VPN config
that routes all the traffic over the VPN. If that's the case here, the remote computer
will be using the local DNS server for both local and internet DNS lookups.
Windows might be routing only the secure traffic over the VPN. That would explain why
lookups against the local servers work. They are hitting your local DNS server.
It's hard to say which way you're set, but I'm betting one OS sends all data over the
VPN and the other doesn't. I'm betting that the DNS server on your secure network has
been secured to only accept lookups from local IPs. That would explain why one machine
would work and the other doesn't. When all traffic is routed over the VPN, all lookups
appear to be local to the DNS server.
Another option might be to configure
both clients to use a known open DNS server rather than one provided by the VPN. It's a
good way to test. I know 4.2.2.2 is an AT&T server that's open. If you can hit everything
alright when that's your only DNS server, then you know it's the problem I've described.
The idea of sharing a single connection with others on the network is
interesting. I've never tried. If you can get everything working and have a chance to
test it, let us know. I don't have a network config that will let me test it easily.
I'm not sure how to make the VPN connect automatically either. If you set the
Windows client to route all traffic over the VPN and then connect automatically, you might
be set. For the life of me, I can't seem to find the option to route all traffic in
Windows right now. I know it's there somewhere. I'm short on time right now, or I would
look it up. I tried setting up a VPN on my XP box here to look for it, and my PC blue
screened when I hit apply. Go figure.
Good luck!
|
|
By Ryan Salazar on July 25, 2007 at 2:15 PM
Smanke,
Thanks for your input. I did try using a few public DNS servers
and still no luck - Very bizarre. I also don't have any of the ports mentioned in this
forum blocked. Everything is open and still probs. Also - I can't hit anything via name
lookups when connected to vpn, but I can ping computers at the place where the vpn server
is, just nothing by name.
Ryan
|
|
By daohongviet on August 17, 2007 at 12:41 PM
i want establish VPN for XP
|
|
By dppls on August 30, 2007 at 2:42 PM
I have a problem with my VPN connection.
I have my Mac OS X server with the VPN
server on and all the options filled in.
My client Mac is behind an Airport
Extreme, and the same for my Server.
The ports have been forwarded such as discussed
before.
All works if I click "enable default host" to the server, but I
can only get one client at a time.
If this option is not clicked, I can only
get a connection through PPTP, but it stops after negotiating with a LCP: Config-Request
time out error.
I was wondering, I forwarded BOTH tcp and UDP for all the
ports discussed before, could this be the problem?
I need a solution, because
I need more than one connection at a time on my server, so the "default host" work around
is not good for me.
Thanks for your time.
|
|
By dppls on August 30, 2007 at 2:54 PM
Just to give you more info on my previous post:
The Mac OS X server gets
its IP via DHCP from the Apple Extreme Router.
The same router has a fixed address,
and the internet works and all (internally). Syntax used for TCP and UDP ports are 47, 50,
51 ...
Should I configure each port in singular fashion?
The client, is
any client I have tried, even a pc, directly on the cable modem.
|
|
By Anonymous on September 1, 2007 at 7:08 PM
Hi Smake,
Great posts!
Do you know if the is a Gigabit version of
the RV082?
Sorry if this information is already posted.
|
|
By Anonymous on September 1, 2007 at 7:09 PM
Apologies...Smanke !
not Smake
|
|
By smanke on September 1, 2007 at 9:18 PM
np, I think this model might be what you're looking for:
http://www.linksys.com/servlet/Satellite?c=L_Produ...
|
|
By Anonymous on September 2, 2007 at 11:48 AM
Great thanks!
If I wanted to add more workstations to the network would you
suggest a Linksys sd2008 switch or a eg008w switch.
Thanks for your time....
Matt
|
|
By smanke on September 4, 2007 at 8:28 AM
I really don't have any experience with the switches from Linksys. I've been very
happy with the switches from Netgear. Especially if you can find the ones with the heavy
metal chassis rather than the more common plastic jobbies. At the same time I'm not big
on Netgear for switches. I guess I'm just fickle that way!
Keep in mind I'm
not saying anything bad about the Linksys switches. I just have no preferences in their
line because I have no experience with them. Good luck!
|
|
By dppls on September 5, 2007 at 12:30 PM
Hi Smanke,
I wrote a couple of comments earlier, about a problem I have
with my clients connecting to my VPN.
Is there any more information I can
give you that may help you understand my problem?
Apple Support told me they
can't help me, since I DO get a connection, when I DMZ my server... But it is not what I
am looking to do..
I'll just sum up quickly
Server behind Apple
Airport Extreme Base
Client behind another Apple Airport Extreme Base. Both client
and Server are on DHCP, but server has a given IP address (that is static).
Port on
Airport Extreme on server side has ports listed in this article open on UDP AND TCP.
I can't get multiple connections to my server. Getting the LCP: timeout sending
Config-Requests in my VPN server's logs. All I can do to have successful connections is
enable the default host option on my Apple router, redirecting traffic to my server... in
that case everything works great, but only 1 client.
Thanks for your time
!
|
|
By RyanSalazar on September 5, 2007 at 8:19 PM
Smanke,
I've posted a few times on here and love the forum. My VPN setup
is running perfectly.
Here's my current situation:
1. A company
I'm doing some work with has 3 locations.
Location A - Running OSX Server VPN
Location B - Los Angeles (Needs to connect to VPN)
Location C - Caracas (Needs to
connect to VPN)
My question is, has anyone here setup a "remote router" which
logs into the VPN on its own and when disconnected attempts reconnect etc.
I'd like to do this so remote offices always have database accessibility and I can
administer systems remotely without multiple users having to logon to the VPN. It'd be
great to just have each router from each location just automatically dial in and connect
to the main OSX VPN Server.
Any help is greatly appreciated...ESPECIALLY -
Recommendations on specific routers that this will be easy to configure with. I'm partial
to routers that also do wireless.
Thanks!
Ryan Salazar
|
|
By Vizo on September 17, 2007 at 4:04 PM
I have a problem with my vpn connection with my OSX server.
I use a
Linksys WRK54G router which I forward the ports to my server.
1723 TCP
1701 UDP
500 UDP
4500 UDP
I can connect but the call hangs up.
Read the error message below
2007-09-17 10:55:06 PDT Incoming call... Address given to client = 192.168.1.141
Mon Sep 17 10:55:06 2007 : Directory Services Authentication plugin initialized
Mon Sep 17 10:55:06 2007 : Directory Services Authorization plugin initialized
Mon Sep 17 10:55:06 2007 : PPTP incoming call in progress from '64.165.179.69'...
Mon Sep 17 10:55:06 2007 : PPTP connection established.
Mon Sep 17 10:55:06 2007 : using link 0
Mon Sep 17 10:55:06 2007 : Using interface ppp0
Mon Sep 17 10:55:06 2007 : Connect: ppp0 <--> socket[34:17]
Mon Sep 17 10:55:06 2007 : sent [LCP ConfReq id=0x1 ]
Mon Sep 17 10:55:09 2007 : sent [LCP ConfReq id=0x1 ]
Mon Sep 17 10:55:12 2007 : sent [LCP ConfReq id=0x1 ]
Mon Sep 17 10:55:15 2007 : sent [LCP ConfReq id=0x1 ]
Mon Sep 17 10:55:18 2007 : sent [LCP ConfReq id=0x1 ]
Mon Sep 17 10:55:21 2007 : sent [LCP ConfReq id=0x1 ]
Mon Sep 17 10:55:24 2007 : sent [LCP ConfReq id=0x1 ]
Mon Sep 17 10:55:27 2007 : sent [LCP ConfReq id=0x1 ]
Mon Sep 17 10:55:30 2007 : sent [LCP ConfReq id=0x1 ]
Mon Sep 17 10:55:33 2007 : sent [LCP ConfReq id=0x1 ]
Mon Sep 17 10:55:36 2007 : LCP: timeout sending Config-Requests
Mon Sep 17 10:55:36 2007 : Connection terminated.
Mon Sep 17 10:55:36 2007 : PPTP disconnecting...
Mon Sep 17 10:55:36 2007 : PPTP disconnected
2007-09-17 10:55:36 PDT --> Client with address = 192.168.1.141 has hungup
The router says vpn pass through is
active. I was wondering if the router could be the issue.
Also the router
dose have a firewall, but it is not accessible.
Should consider buying
another router and if so what model?
Thanks
By dppls on September 19, 2007 at 7:29 AM
I get the same thing as Vizo. So if anyone can help, I would love it... I've searched plenty of forums and haven't found the solution...
By Cerniuk on September 26, 2007 at 12:12 PM
It took a considerable amount of time to document this. Nice job and nicely put!
By Anonymous on September 27, 2007 at 4:19 AM
Thanks for a great site & tutorial!
I have two locations, A and B. At A and B I have routers that are connected via VPN (site to site, IPSEC). It works wonderfully.
But I can't use the old routers to create a VPN from laptops. Yes, I have opened the needed ports. I think NAT is the problem. The router (3Com Office Connect) does support L2TP/IPSEC, but not simultaneously with IPSEC site-to-site VPN.
I'm looking for a router that has both built-in L2TP/IPSEC support for laptops (and supports the Mac OS X built-in VPN client) and built-in IPSEC for site to site, simultaneously. Which router would enable me to do this?
I've been looking at the Cisco ASA5505, but I am not sure it works with the Mac OS X built-in VPN client.
By smanke on September 27, 2007 at 8:25 AM
Thank you to everyone who has left encouraging comments. For those with questions, or anyone seeking advice, I apologize. I have recently started a new business and it has been taking every waking minute of my time. My upkeep of this site, response to questions, and posting of new stories has suffered greatly.
I hope you will all have patience as I try to get with the swing of things. And please, feel free to help each other with comments and feedback.
By smanke on September 27, 2007 at 8:31 AM
Anonymous,
There's only one router that I have first-hand experience with that fits most of what you need. I currently use the Linksys RV082 at a client's location. That router has a 24/7 VPN connection to my home router but also supports VPN client access directly via PPTP. Unfortunately, no L2TP support.
But take a look at VPNTracker: http://www.equinux.com/us/products/vpntracker/inde...
It lets the Mac connect to a wide range of VPN routers, most of which don't support VPN clients directly.
I emailed equinux last year and asked them for an unlimited evaluation license so I could speak more intelligently about the product, but they blew me off. It's a shame... I think a lot of people would find their VPN client very useful. But for what they charge, few are willing to lay down the cash unless they know for sure.
By tflight on October 9, 2007 at 11:38 AM
Back to ThomasG's post about a year ago, I'm experiencing the same thing. So here is the question. I've read that it is not possible to direct traffic from one specific IP address and port over the VPN while directing other traffic to the same IP address but a different port number over the non-VPN network. Assuming that is true....
When my client (10.4.10) is connected to the server (10.3.9) via VPN, I see the remote IP address of the client computer in my Apache logs and in my FTP logs. During that same VPN session, if I check email, the mail logs will record the local IP address given by the VPN, not the remote IP address the client has before the VPN connection.
In a way, this might be a nice behavior... The server knows the VPN caller's remote IP address, so that might be more accurate to write into the Apache log files, etc. However, just like ThomasG, I'm trying to set up some Apache restrictions whereby visitors from the internal IP addresses specified by the VPN server are served a different set of content, and as such it doesn't seem to be possible.
I have my VPN server set up so that traffic to the local network gets routed through the private network but all other traffic goes through the public network. At first I thought maybe I didn't set up the VPN correctly and, despite being "connected", that my client traffic wasn't going through the VPN.... but then how could the mail logs properly identify my local (VPN issued) IP address while at the same time Apache is recording my remote IP address? Unless somehow it *is* possible to route traffic to one port one way and another port on the same IP through a different network.... but that just doesn't make sense to me.
By andrewmac on October 11, 2007 at 2:16 PM
Great article and comments. Very helpful. I have an issue with Tiger Server VPN that I've run into twice, but haven't been able to solve.
Using users in Open Directory, the first user to VPN works fine, and so does the second, except that when the second user connects via VPN (L2TP over IPSec), the first user's connection goes deaf. Internet Connect still reports the connection as connected, but the first user can't access any resources behind the VPN.
ifconfig -a on the server still reports a ppp0 and a ppp1. The problem is that the first user will invariably disconnect and reconnect, restoring his connection. But now user two's connection is deaf, and the cycle continues. Anyone seen this before?
By awestin on October 12, 2007 at 10:19 AM
Success! Thanks to Steve for a very helpful tutorial and all the comments that follow. I was able to set up my VPN with no headaches at all. The router is a simple SMC 2804WBR, whose Virtual Server settings were set to allow UDP ports 500 and 4500, and TCP ports 1701 and 1723. (I also opened 22 for SSH access.)
Then I configured the VPN for L2TP over IPsec and PPTP, each with a different range of IP addresses (and different again from the DHCP set). I did not add a route for the Client Info, and left the firewall off (for the moment).
Connected first time on each.
Many thanks.
By MMTech on October 20, 2007 at 12:53 PM
Three questions about problems I'm having setting this up...
1) When I attempt to enter the shared secret on the L2TP page, the application returns an error "Error while writing settings (1000001)" and will not acknowledge the passcode. Google searches aren't coming up with any answers that help.
2) I'm setting this VPN system up between a home office and a remote laptop using a PC connect card (cell card). The server in the office is running 10.4.10 and is under an Apple Airport Extreme.
My public address is 72.189.x.x.
My private address scheme is 10.0.1.x
When entering the starting IP address in L2TP I'm using 10.0.1.80-89 (DHCP is set to 10-49), and for PPTP I've set the address as 10.0.1.90-99.
Did I set this up correctly?
And finally -
I've set port forwarding on the AE for ports 500, 4500 and 1701 to forward to the server and then set my VPN client on the laptops to the public address (72.189.x.x). There's no information in this article on router settings, so I guessed on this setup. Did I get it right?
Thanks!
By iBug on October 28, 2007 at 4:36 PM
I'm currently trying to set up a VPN server in 10.5 Server, which is quite easy to do, and I can connect to it, although I can't browse the internet or do anything else. Here are my settings:
First my connection at home: I use Comcast cable with a cable modem only, no router at home since I have only one computer. The DNS servers for Comcast are 68.87.77.130, 68.87.72.130 and the search domain is hsd1.mi.comcast.net.
My IP address is 24.11.220.249, which will be the IP address of the server of course.
Now I go to Server Admin, select PPTP, IP address range, I pick 192.168.0.230 - 240. Then I go to Client Information and write down the DNS servers I use for Comcast, 68.87.77.130, 68.87.72.130. I don't make any routing definitions since I want all the traffic to go through the VPN.
Now when I connect to this server, I'm assigned an IP from the range I picked, so everything seems to work OK, but I just can't connect to the internet. What am I doing wrong here?
By smanke on October 29, 2007 at 8:24 AM
Try using 4.2.2.2 and 4.2.2.3 for your DNS servers on both ends. It sounds like you are trying to use Comcast DNS servers from outside of the Comcast network. That's bound to fail. They restrict that for security concerns.
The 4.2.2.x servers have been open for some time, so they are a great way to test this.
I haven't had the pleasure of playing with 10.5 Server yet. Dying to get my hands on it!
By rkjohnson2 on November 4, 2007 at 1:22 PM
So, interesting problem, at least from my point of view.
I've got the Xserve working as firewall/gateway/VPN server.
The Xserve is configured as an Open Directory master, pointing to the Active Directory running on a Windows 2003 box. The Xserve is also bound to the domain.
I can log in on the Xserve itself using an Active Directory account.
When I create an account local to the Xserve, I can connect to it via VPN from external sources.
When I try and connect to the VPN using the same Active Directory account which I can log in locally with, I get the following error messages in the vpnd.log:
2007-11-03 22:36:41 PDT Incoming call... Address given to client = 10.0.0.140
Sat Nov 3 22:36:41 2007 : Directory Services Authentication plugin initialized
Sat Nov 3 22:36:41 2007 : Directory Services Authorization plugin initialized
Sat Nov 3 22:36:41 2007 : L2TP incoming call in progress
Sat Nov 3 22:36:41 2007 : L2TP received SCCRQ
Sat Nov 3 22:36:41 2007 : L2TP sent SCCRP
Sat Nov 3 22:36:41 2007 : L2TP received SCCCN
Sat Nov 3 22:36:41 2007 : L2TP received ICRQ
Sat Nov 3 22:36:41 2007 : L2TP sent ICRP
Sat Nov 3 22:36:41 2007 : L2TP received ICCN
Sat Nov 3 22:36:41 2007 : L2TP connection established.
Sat Nov 3 22:36:41 2007 : using link 0
Sat Nov 3 22:36:41 2007 : Using interface ppp0
Sat Nov 3 22:36:41 2007 : Connect: ppp0 <--> socket[34:18]
Sat Nov 3 22:36:41 2007 : sent [LCP ConfReq id=0x1 ]
Sat Nov 3 22:36:41 2007 : rcvd [LCP ConfReq id=0x1 ]
Sat Nov 3 22:36:41 2007 : lcp_reqci: returning CONFACK.
Sat Nov 3 22:36:41 2007 : sent [LCP ConfAck id=0x1 ]
Sat Nov 3 22:36:41 2007 : rcvd [LCP ConfAck id=0x1 ]
Sat Nov 3 22:36:41 2007 : sent [LCP EchoReq id=0x0 magic=0xceae4c68]
Sat Nov 3 22:36:41 2007 : sent [CHAP Challenge id=0x15 <6f8ac2c552057521e78600e6467471c5>, name = "hostname removed"]
Sat Nov 3 22:36:41 2007 : rcvd [LCP EchoReq id=0x0 magic=0xfdb4e402]
Sat Nov 3 22:36:41 2007 : sent [LCP EchoRep id=0x0 magic=0xceae4c68]
Sat Nov 3 22:36:41 2007 : rcvd [LCP EchoRep id=0x0 magic=0xfdb4e402]
Sat Nov 3 22:36:41 2007 : rcvd [CHAP Response id=0x15 <531d74f7f7ad9d2c82552935d1c61ee0000000000000000031543cf44749ab8b89196aa424e6956802aa918586f5ad9000>, name = "testUser"]
Sat Nov 3 22:36:41 2007 : Peer testUser failed CHAP authentication
Sat Nov 3 22:36:41 2007 : sent [CHAP Failure id=0x15 ""]
Sat Nov 3 22:36:41 2007 : sent [LCP TermReq id=0x2 "Authentication failed"]
Sat Nov 3 22:36:41 2007 : rcvd [LCP TermReq id=0x2 "Failed to authenticate ourselves to peer"]
Sat Nov 3 22:36:41 2007 : sent [LCP TermAck id=0x2]
Sat Nov 3 22:36:41 2007 : rcvd [LCP TermAck id=0x2]
Sat Nov 3 22:36:41 2007 : Connection terminated.
Sat Nov 3 22:36:41 2007 : L2TP disconnecting...
Sat Nov 3 22:36:41 2007 : L2TP sent CDN
Sat Nov 3 22:36:41 2007 : L2TP sent StopCCN
Sat Nov 3 22:36:41 2007 : L2TP disconnected
2007-11-03 22:36:41 PDT --> Client with address = 10.0.0.140 has hungup
Does VPN only authenticate to local accounts? Can I force it to look elsewhere?
Thanks
By SteveW on November 28, 2007 at 9:31 AM
I've got all this set up, and from Mac clients I can connect to the server and transfer files, check email etc. From the Windows XP clients I can connect, get the proper IP address etc., but I cannot connect to the user's Home folder. How do I do this in XP?
Thanks!
By Ryan Salazar on December 5, 2007 at 4:00 PM
Anyone have the Vista settings? It's a bit different than XP Pro.
Thanks,
Ryan Salazar
By Anonymous on January 1, 2008 at 6:40 PM
Very good post, and thank you for the information!
I should point out that the network range 66.62.25.1 – 66.62.25.255 does not fit the original definition of a class C network.
It can be said that the 24-bit subnet mask (255.255.255.0) makes it a CIDR /24 network. Classless inter-domain routing (CIDR) would consider that network to be "sized" as 1C, because only the last octet's bits serve the 254 hosts (bits 0 through 255, minus the .0 and .255 addresses).
Further, this network doesn't fit the full definition of any classful network. A true class C network needs a 24-bit subnet mask and leading bits of 110 for the first octet. So the first octet can only have these values:
11000000 = 192 (decimal)
11011111 = 223 (decimal)
This means that acceptable IP address ranges for a true class C network are 192.0.0.0 through 223.255.255.255
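A small check, added here as an example and not code from the original post, that makes the comment's distinction concrete: the class letter is read from the leading bits of the first octet, and the CIDR /24 sizing is reported separately, so 66.62.25.0/24 comes out as a class A address with a "1C"-sized mask. The function names are my own.

```python
import ipaddress


def classful_letter(first_octet: int) -> str:
    """Classful letter from the leading bits of the first octet (the 110 rule gives class C)."""
    if first_octet >> 7 == 0b0:
        return "A"        # 0xxxxxxx : 0-127
    if first_octet >> 6 == 0b10:
        return "B"        # 10xxxxxx : 128-191
    if first_octet >> 5 == 0b110:
        return "C"        # 110xxxxx : 192-223
    if first_octet >> 4 == 0b1110:
        return "D"        # 1110xxxx : 224-239 (multicast)
    return "E"            # 1111xxxx : 240-255 (reserved)


def describe(cidr: str) -> dict:
    """Compare the classful reading of a network with its CIDR size."""
    net = ipaddress.ip_network(cidr, strict=False)   # accepts a host address such as 66.62.25.1/24
    first = int(net.network_address) >> 24
    letter = classful_letter(first)
    return {
        "network": str(net),
        "first_octet_bits": format(first, "08b"),
        "class": letter,
        "true_class_c": letter == "C" and net.prefixlen == 24,  # 110 prefix and a 24-bit mask
        "sized_as_1c": net.prefixlen == 24,                      # the CIDR "1C" wording
        "usable_hosts": max(net.num_addresses - 2, 0),           # drop the .0 and .255 addresses
    }
```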
By cbohm on January 4, 2008 at 7:02 AM
Great post, I have learned a great deal. But unfortunately I am still stuck on getting XP to connect. I have a Cisco 1841 router, managed by our service provider. I have a public IP that forwards to a private IP on a Leopard Xserve. All ports are opened on the 1841 for this IP. The firewall is set up on the Xserve. Everything on the Mac clients works great from outside. I have two salespeople that are running Windows (one XP and one Vista). I cannot get these to connect via VPN. I check the logs and they are connecting and being assigned an IP, but they are timing out during the authentication. FYI: I turned all firewalls off and still could not connect.
I have seen some posts about not getting this to work on a PC when using NAT. What are my options here?
By http://www.jamiegriffin.com/gdog/thenatural/index. on January 4, 2008 at 4:47 PM
Hi, is there any reason why a Mac user would use PPTP instead of L2TP? I'm working with a place where the users are having intermittent problems. Sometimes everything works, other times it doesn't. A reboot or restart can help, but I've found out that many Mac users are using PPTP.
Pat
By justjay on January 15, 2008 at 10:03 PM
Hey guys, I ran into a problem trying to connect to my VPN at my office from home and have been pulling my hair out trying to figure out what is wrong.
Basically I have AT&T at home using OS X 10.4.5 and set up the VPN using PPTP and it connects fine. However, my girlfriend has Time Warner Roadrunner and it won't connect; it just times out during the negotiating part. I used the same settings that I have for the AT&T but was wondering if maybe I need to set it up differently being that I am using Roadrunner? Any thoughts? I am really losing it here!
Thanks sooooo much
In A Jam Jay
By smanke on January 16, 2008 at 9:06 AM
That one could be tough. Make sure that VPN passthrough is enabled in her router? I don't know if that sort of thing is standard in all routers, but it's in every Linksys I have touched.
By justjay on January 16, 2008 at 10:02 AM
Thanks smanke
However, the router is a combo router/cable modem from Time Warner here in Los Angeles. I'm just perplexed because I cannot even access her IP using Timbuktu or anything else as well. I called Time Warner and they said the following:
They told me a couple of things:
1. They have no blocked ports or anything that should prevent us.
2. They have static IPs which change, I guess, similar to AT&T and the like.
Any thoughts?
By Pat on January 19, 2008 at 2:04 PM
I wonder if you could help me understand the Network Routing Definition section better. Is there any time you would have more than one? It seems if that's the network the VPN is on then that's it?
My client has 6-7 different entries.
Pat.
By smanke on January 19, 2008 at 3:43 PM
You're right, it would be very rare to have more than one entry there. I have a client with several because the secure network actually connects to several VPNs. So, in that case, there is a normal map for the network that is local to the VPN server, and then there are a couple of extra maps to the subnets on the other ends of the other VPNs.
Since those other VPNs are tunnels that connect directly to the router, it allows the users to connect to the Mac VPN server and then have access to the remote networks around the country that are also connected to the secure network through their own VPNs.
Confusing to explain. Setting up the routing wasn't easy either!
By smanke on January 19, 2008 at 3:45 PM
justjay,
Sorry... I'm in the dark on that one. I don't see why there would be an interruption. If the tunnel is up, you should be able to run anything through it. Unless one of the computers on either side has a software firewall enabled.
By Pat on January 19, 2008 at 8:05 PM
Smanke, Thanks for getting back. So if they are wrong to have other networks there,
which I think they are, have you any idea what effect if any the others could have? They
are having problems.
Pat.
By Pat on January 20, 2008 at 12:08 PM
Smanke,
After looking at this site http://manuals.info.apple.com/en/MacOSXSrvr10.3_Ne...
On page 75 it sounds like you might add more. Still not sure why?
Pat.
By smanke on January 21, 2008 at 11:27 AM
I could see that causing issues. If there are networks defined incorrectly in there, there could be access or routing issues.
By Anonymous on March 15, 2008 at 11:25 PM
I am on dial-up. Do you know how to set up L2TP over IPSEC?
By Smartguy on April 21, 2008 at 4:08 PM
Two questions.
1) You don't mention how to enter the shared secret in the Windows VPN setup. Is that because it uses PPTP, or is a shared secret still needed?
2) Is there a way to give the user a config file containing the shared secret but in a way not letting the user know the shared secret (i.e. binary encrypted)? I ask because in most corporate environments, the IT department doesn't give out the shared secret but instead gives out a config file that has the secret embedded in it.
By smanke on April 21, 2008 at 4:27 PM
1) PPTP should not need a shared secret.
2) I think you can export the config using the Mac's built-in VPN client. I can't say that I have tried since the release of 10.5, but I was able to do it on 10.4. And I don't know if the secret was encrypted, but it was hashed in some way to keep it from being clear text.
I don't know about the Windows side.
By Smartguy on April 21, 2008 at 4:34 PM
Thanks for the quick reply. It's a great article by the way!
By Ryan Salazar on April 25, 2008 at 9:47 PM
Any idea if Leopard Server VPN setup is any different than this? Just curious, about to
get it - Waiting...can't wait! :)
- Ryan Salazar
By Daze on April 26, 2008 at 9:09 PM
Ryan, the Leopard Server VPN setup is pretty much the same. This is a very good
article.
By smanke on April 28, 2008 at 8:22 AM
Sorry for the delay, Ryan. It's not much different. But I haven't loaded it on the machine I had planned to use for testing. It was a Mac Mini that has some sort of low level issue right now. I have not had time to look into its crashing.
By mhegge64 on June 5, 2008 at 10:59 AM
Using the instructions for XP, I am getting this in the VPN log:
Thu Jun 5 10:47:53 2008 : Directory Services Authentication plugin initialized
Thu Jun 5 10:47:53 2008 : Directory Services Authorization plugin initialized
Thu Jun 5 10:47:53 2008 : PPTP incoming call in progress from '64.127.65.51'...
Thu Jun 5 10:47:53 2008 : PPTP connection established.
Thu Jun 5 10:47:53 2008 : using link 0
Thu Jun 5 10:47:53 2008 : Using interface ppp0
Thu Jun 5 10:47:53 2008 : Connect: ppp0 <--> socket[34:17]
Thu Jun 5 10:47:53 2008 : sent [LCP ConfReq id=0x1 ]
Thu Jun 5 10:47:56 2008 : sent [LCP ConfReq id=0x1 ]
Thu Jun 5 10:47:59 2008 : sent [LCP ConfReq id=0x1 ]
Thu Jun 5 10:48:02 2008 : sent [LCP ConfReq id=0x1 ]
Thu Jun 5 10:48:05 2008 : sent [LCP ConfReq id=0x1 ]
Thu Jun 5 10:48:08 2008 : sent [LCP ConfReq id=0x1 ]
Thu Jun 5 10:48:11 2008 : sent [LCP ConfReq id=0x1 ]
Thu Jun 5 10:48:14 2008 : sent [LCP ConfReq id=0x1 ]
Thu Jun 5 10:48:17 2008 : sent [LCP ConfReq id=0x1 ]
Thu Jun 5 10:48:20 2008 : sent [LCP ConfReq id=0x1 ]
Thu Jun 5 10:48:23 2008 : LCP: timeout sending Config-Requests
Thu Jun 5 10:48:23 2008 : Connection terminated.
Thu Jun 5 10:48:23 2008 : PPTP disconnecting...
Thu Jun 5 10:48:23 2008 : PPTP disconnected
2008-06-05 10:48:23 CDT --> Client with address = 10.0.80.225 has hungup
By Anonymous on June 27, 2008 at 6:59 PM
The XP issue could be the need for the network protocols GRE, ESP, and maybe AH. These are not ports, but protocols. I haven't read this entire thread so maybe it's mentioned above. Some lower end DSL/cable modems don't have these protocols enabled nor can they forward them.
Additionally, has anyone ever gotten this to work with certs?
By New to VPN on June 30, 2008 at 9:55 AM
Hi! I am completely new to setting up a VPN but have been trying to establish tunnels between my office LAN and home with no success.
The office LAN is behind a D-Link 824VUP VPN router. The office LAN does not have a computer running a Mac server OS. The file serving computer is connected, like all the other computers, via a hub, to the D-Link. Within the LAN all the computers are Macs and can access shared files via the remote feature on FileMaker Pro 7. I have assigned static IPs to the computers on the LAN side.
At home I am behind a D-Link 624 with static IPs assigned to a Mac and a PC. With the PC running XP I can connect to the office VPN but cannot see any of the network. With the Mac I cannot establish a connection. I am wondering if this is because I am not running a server OS at the office. But I thought, perhaps mistakenly, that the VPN router at the office could act as a server to authenticate users and allow them access to the LAN.
I haven't opened up any ports yet, so am willing to try that, but if the solution is Mac OS X Server, then VPN is beyond our reach due to a small IT budget. I am trying to implement the most "cost-effective" solution but I am so far unable to really make this work.
Any suggestions are welcome and very appreciated!
By smanke on June 30, 2008 at 3:16 PM
New to VPN,
If you are able to establish the VPN tunnel, you should be set as far as the open ports.
A good test would be to ping one of the IP addresses in the office from your home. If you can ping an address that you know is online, you are set. If not, then there is a problem with the tunnel.
If you can ping, try to connect to the file share by specifying the file server IP address, rather than just browsing the network. For some reason those broadcasts don't work well over a VPN. You should be able to connect if you use the server IP address when you try to connect. That does the trick for me.
If you can't ping, it gets a lot tougher. There are a lot of things that could be going wrong.
By smanke on June 30, 2008 at 3:17 PM
Anonymous,
You're right. Some routers just don't have the ability to deal with GRE or ESP. Some can if you enable VPN passthrough.
I've never tried using certs. If you have a chance to try it, please post your feedback. I've been wondering how it worked, personally.
By Anonymous on July 6, 2008 at 12:49 PM
I managed to connect to our VPN using Leopard, but our server is definitely Microsoft. Am I still able to access my desktop at work? If so, where do I find the link to my desktop (even though my connection is valid I have no portal that enables me to see or select items on my computer at work)?
Thanks
By smanke on July 7, 2008 at 8:17 AM
Anonymous,
As long as the VPN tunnel is in place you should be able to connect to your desktop at work (if sharing is enabled).
If your work machine is a Mac, just select Connect to Server from the Go menu in the Finder. Then enter your work machine's IP address and click Connect.
If the work machine is a PC, do the same, but when you enter the machine's IP, prefix it with smb://. So, essentially smb://ipaddress.
That should do the trick assuming there is no firewall installed on the PC workstation.
By TheRabbit on July 18, 2008 at 1:35 PM
Hi,
I am getting the same thing as mhegge64 after following the Windows XP instructions. The connection gets to "verifying username and password", then times out and says that the server did not respond.
Any help would be nice.
Thanks.
By smanke on July 21, 2008 at 3:55 PM
TheRabbit,
I really think it all comes down to the router not correctly translating GRE & ESP traffic. I'm 99% sure that's why some routers work great and others don't work at all.
For example, my new Netgear ProSafe FVS124G won't do this at all, and it was an expensive router. Errr...
By TheRabbit on July 22, 2008 at 3:12 PM
Hi smanke,
Thanks for the response. Hmmm, I am using an Airport Extreme router. I'm looking into the VPN log now and I see "MPPE required but not available" when I try connecting via PPTP using Windows XP, and I get "LCP: timeout sending Config-Requests" when I try connecting via PPTP on an Apple.
Any thoughts?
Thanks.
By smanke on July 23, 2008 at 10:02 AM
TheRabbit,
Sorry... you stumped me. If all of the portmapping is set up correctly, I'm not sure what would be causing that.
I don't have an Airport Extreme that I can use for testing. Normally PPTP is the more forgiving of the 2 types.
Sorry I can't be of more help. If you come up with a solution, please post back. I'm sure it will help someone in the future if you get it figured out.
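As an added example, not from the original post or from Mac OS X Server, here is a small triage routine for the vpnd.log excerpts posted in this thread: it separates the "ConfReq sent with nothing received, then LCP timeout" pattern (Vizo, mhegge64) from a CHAP failure (rkjohnson2) and from the MPPE message TheRabbit quotes, and attaches the check each one points to. The sample logs are constructed from the shapes above with documentation-range peer addresses; the function names and hint wording are mine.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed excerpts in the shape of the vpnd.log lines posted in this thread;
# peer addresses are replaced with documentation-range values.
LCP_TIMEOUT_LOG = """\
2008-06-05 10:47:53 CDT Incoming call... Address given to client = 10.0.80.225
Thu Jun 5 10:47:53 2008 : PPTP incoming call in progress from '203.0.113.10'...
Thu Jun 5 10:47:53 2008 : PPTP connection established.
Thu Jun 5 10:47:53 2008 : sent [LCP ConfReq id=0x1 ]
Thu Jun 5 10:47:56 2008 : sent [LCP ConfReq id=0x1 ]
Thu Jun 5 10:48:23 2008 : LCP: timeout sending Config-Requests
Thu Jun 5 10:48:23 2008 : Connection terminated.
2008-06-05 10:48:23 CDT --> Client with address = 10.0.80.225 has hungup
"""

CHAP_FAILURE_LOG = """\
Sat Nov 3 22:36:41 2007 : L2TP incoming call in progress
Sat Nov 3 22:36:41 2007 : L2TP connection established.
Sat Nov 3 22:36:41 2007 : sent [LCP ConfReq id=0x1 ]
Sat Nov 3 22:36:41 2007 : rcvd [LCP ConfReq id=0x1 ]
Sat Nov 3 22:36:41 2007 : sent [LCP ConfAck id=0x1 ]
Sat Nov 3 22:36:41 2007 : rcvd [CHAP Response id=0x15 <...>, name = "testUser"]
Sat Nov 3 22:36:41 2007 : Peer testUser failed CHAP authentication
Sat Nov 3 22:36:41 2007 : Connection terminated.
"""

MPPE_LOG = """\
Tue Jul 22 09:00:00 2008 : PPTP incoming call in progress from '203.0.113.20'...
Tue Jul 22 09:00:00 2008 : sent [LCP ConfReq id=0x1 ]
Tue Jul 22 09:00:00 2008 : rcvd [LCP ConfReq id=0x1 ]
Tue Jul 22 09:00:00 2008 : rcvd [LCP ConfAck id=0x1 ]
Tue Jul 22 09:00:01 2008 : MPPE required but not available
Tue Jul 22 09:00:01 2008 : Connection terminated.
"""

# pppd-style lines look like "Thu Jun 5 10:47:53 2008 : message"; the vpnd wrapper
# lines ("2008-06-05 ... Incoming call...") carry no PPP state and are skipped.
PPPD_LINE = re.compile(r"^\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4} : (?P<msg>.*)$")


@dataclass
class Triage:
    tunnel: Optional[str] = None   # "PPTP" or "L2TP"
    remote: Optional[str] = None   # peer address from the incoming-call line, if logged
    lcp_sent: int = 0              # LCP ConfReq frames the server sent
    lcp_rcvd: int = 0              # LCP ConfReq frames that came back from the client
    user: Optional[str] = None     # account named in a CHAP failure
    verdict: str = "unknown"
    hint: str = ""


def pppd_messages(log_text: str):
    """Yield the message part of every pppd line in the excerpt."""
    for line in log_text.splitlines():
        m = PPPD_LINE.match(line.strip())
        if m:
            yield m.group("msg")


def triage(log_text: str) -> Triage:
    """Classify one connection attempt into the failure patterns seen in this thread."""
    t = Triage()
    timeout = chap_failed = mppe_missing = False
    for msg in pppd_messages(log_text):
        if m := re.match(r"(PPTP|L2TP) incoming call in progress(?: from '([^']+)')?", msg):
            t.tunnel, t.remote = m.group(1), m.group(2)
        elif msg.startswith("sent [LCP ConfReq"):
            t.lcp_sent += 1
        elif msg.startswith("rcvd [LCP ConfReq"):
            t.lcp_rcvd += 1
        elif "timeout sending Config-Requests" in msg:
            timeout = True
        elif m := re.match(r"Peer (\S+) failed CHAP authentication", msg):
            chap_failed, t.user = True, m.group(1)
        elif "MPPE required but not available" in msg:
            mppe_missing = True

    if timeout and t.lcp_rcvd == 0:
        t.verdict = "lcp_timeout"
        t.hint = ("Control channel came up but no PPP frames came back. For PPTP that points "
                  "at GRE (IP protocol 47, not a TCP/UDP port) not passing the NAT router; "
                  "for L2TP check UDP 1701 and the IPsec path on UDP 500/4500.")
    elif chap_failed:
        t.verdict = "chap_failure"
        t.hint = ("PPP negotiated; the credentials were rejected. Check that the account is "
                  "reachable through the server's directory search path with MS-CHAPv2.")
    elif mppe_missing:
        t.verdict = "mppe_unavailable"
        t.hint = ("PPP negotiated but MPPE encryption could not be agreed. Align the "
                  "encryption requirement on server and client (e.g. the 40-bit option).")
    elif t.lcp_rcvd > 0:
        t.verdict = "ppp_negotiated"
    return t
```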
By Tony on August 5, 2008 at 9:14 AM
I was having trouble accessing services on an Xserve with VPN. It's co-located with
only one IP address, which meant that I could connect via VPN, but not use the services on
the server (like AFP). The only way around (that I could see) was to add a 192.n.n.n type
address on the active Ethernet port with the VPN address range set to match. Bit risky
though if the ISP suddenly decides to use the same address range. Annoyingly it doesn't
work on an inactive Ethernet port. It would be good if you could specify the address for
"this machine" in the VPN set up.
By Joe Mac on August 22, 2008 at 10:04 PM
I am a Mac user with a MacBook Pro and Mac Pro, both Leopard 10.5.4. I am trying to VPN into a Windows file server to connect to file shares. I can VPN into the server to access mail through Microsoft Entourage with no problem. When I connect to the server file shares I get an error message saying connection failed. In the office, I can connect to all file shares with no problem. Is there a set up issue in my VPN somewhere?
Thanks for your help!
By Peet on August 26, 2008 at 5:04 AM
Impressive site but I am still stuck. Can you see anything below that I've done wrong? I am using a Win Vista machine on the outside trying to connect to our NATed LAN of all Macs. If my router doesn't have a GRE setting, can I just open port 47 to UDP and be OK?
Thanks Mucho!
Set up
Netgear router, OS Xserver software on iMac
ADSL Service
using server on private net, ie server name tsgserver.private
have both PPTP and L2TP set up with secret key for authentication, different IP address ranges for each VPN type.
Using Windows laptop to access private net from another ISP.
Using standard MS VPN client
PPP enable LCP extensions checked
security option typical/verify identity by/require secured password
type of VPN - Automatic
IPSEC - use pre-shared key for authentication
Ports Opened for VPN
47 UDP
500 UDP
1701 UDP
1723 TCP
Should there be others, and TCP or UDP?
Logs below appear to indicate that the VPN is getting through the firewall to the server. I think??
Cat 5e cable connection from server to router
L2TP Server VPN settings
enable L2TP over IPsec
starting 192.168.2.22 ending 192.168.2.27
PPP Authentication Directory service checked MS-CHAPv2
Radius not checked
IPSec shared secret xxxxxxxxxxx
PPTP Enabled starting 2.28 ending 2.33
unchecked allow 40 bit....
PPP Directory Service MS-CHAPv2
unchecked radius
Client info
DNS Servers 192.168.2.54 (address of the server)
Search domains blank
network routing def - all blank fields
Logging Verbose enabled
LOG FILE FROM NETGEAR ROUTER
Sun, 2008-08-24 17:25:51 - Send out NTP request to time-f.netgear.com
Sun, 2008-08-24 17:25:49 - Receive NTP Reply from time-f.netgear.com
Tue, 2008-08-26 03:01:21 - Initialize LCP.
Tue, 2008-08-26 03:01:22 - LCP is allowed to come up.
Tue, 2008-08-26 03:01:53 - PAP authentication success
Tue, 2008-08-26 08:49:59 - Administrator login successful - IP:192.168.2.57
Tue, 2008-08-26 09:11:49 - TCP Packet - Source:xxx.211.49.82,49382 Destination:
Tue, 2008-08-26 09:20:49 - TCP Packet - Source:xxx.211.49.82,49384 Destination:zzz.101.133.51,1723 - [VPN-PPTP rule match]
Tue, 2008-08-26 09:21:17 - TCP Packet - Source:xxx.211.49.82,49385 Destination:zzz.101.133.51,1723 - [VPN-PPTP rule match]
Tue, 2008-08-26 09:22:43 - TCP Packet - Source:xxx.211.49.82,49386 Destination:zzz.101.133.51,1723 - [VPN-PPTP rule match]
Tue, 2008-08-26 09:22:45 - UDP Packet - Source:xxx.211.49.82,500 Destination:zzz.101.133.51,500 - [VPN-IPSEC rule match]
Tue, 2008-08-26 09:30:35 - TCP Packet - Source:xxx.211.49.82,49390 Destination:zzz.101.133.51,1723 - [VPN-PPTP rule match]
Tue, 2008-08-26 09:30:39 - UDP Packet - Source:xxx.211.49.82,500 Destination:zzz.101.133.51,500 - [VPN-IPSEC rule match]
LOG FILE FROM Apple Server
#Start-Date: 2008-08-11 14:03:22 AST
#Fields: date time s-comment
2008-08-11 14:03:22 AST Loading plugin /System/Library/Extensions/L2TP.ppp
2008-08-11 14:03:24 AST Listening for connections...
2008-08-26 08:45:12 AST Error while processing ip address range 192.168.2.22
2008-08-26 08:45:12 AST Error while reading PPP preferences
2008-08-26 08:45:12 AST Update preferences - Error processing prefs file
2008-08-26 08:48:32 AST Update of preferences failed - settings left unchanged
By smanke on August 26, 2008 at 10:36 AM
Peet,
It looks like you're missing your network routing definitions. Your config listing shows that it's all blank. You need to put the subnet of your remote secure network in there and set it as private. That should allow routing of your traffic to the work network's machines.
So, if your remote network is 192.168.2.x, you will set up the routing as 192.168.2.0 255.255.255.0 private.
I'm not sure what subnet your connecting machine is on, but as long as it is something other than 192.168.2.x, you will be fine there.
The other issue could be GRE, but since your log indicates that you are connecting, it should not be an issue. GRE is a protocol different from UDP and TCP and doesn't have its own ports.
The log file from the Apple Server is interesting. It indicates that the server is having trouble reading its own preference file for the VPN settings. If that's the case, you might try deleting the pref file and letting it generate a new one for you. It could be corrupt.
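An added example, not code from the original post or from Mac OS X Server, that models the Network Routing Definitions smanke describes here and in his earlier reply to Pat: longest-prefix matching over Private/Public entries, plus the checks this exchange implies (a Private map must exist, the VPN address pool must sit inside it, and the client's own LAN must not collide with it). The 192.168.2.0 entry is smanke's; the other two subnets and the audit rules are constructed for the example.

```python
import ipaddress

# Network Routing Definitions as entered in Server Admin: address, mask, Private/Public.
# Constructed for this example: smanke's 192.168.2.0 255.255.255.0 private entry plus two
# hypothetical extra maps of the kind he describes for subnets behind other site-to-site VPNs.
ROUTING_DEFINITIONS = [
    ("192.168.2.0", "255.255.255.0", "Private"),   # the LAN the VPN server sits on
    ("10.20.0.0", "255.255.0.0", "Private"),       # a remote site reached through another VPN
    ("10.20.99.0", "255.255.255.0", "Public"),     # a carve-out that must stay off the tunnel
]


def compile_definitions(defs):
    """Turn (address, mask, type) rows into (IPv4Network, 'private'|'public') pairs."""
    return [(ipaddress.IPv4Network(f"{addr}/{mask}"), kind.lower()) for addr, mask, kind in defs]


def route_for(dest: str, defs) -> tuple:
    """Longest-prefix match. Unmatched destinations return ('default', None): what the
    client does with them depends on its own send-all-traffic setting, not decided here."""
    ip = ipaddress.IPv4Address(dest)
    best = None
    for net, kind in compile_definitions(defs):
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, kind)
    return ("default", None) if best is None else (best[1], str(best[0]))


def audit(defs, pool_start: str, pool_end: str, client_lan: str) -> list:
    """Checks drawn from this exchange: a Private map must exist, the VPN address pool
    must fall inside one, and the client's own LAN must not overlap it."""
    findings = []
    private = [net for net, kind in compile_definitions(defs) if kind == "private"]
    if not private:
        findings.append("no Private definition: the secure network is not mapped at all")
    for ip_str in (pool_start, pool_end):
        ip = ipaddress.IPv4Address(ip_str)
        if not any(ip in net for net in private):
            findings.append(f"VPN pool address {ip} is outside every Private definition")
    lan = ipaddress.IPv4Network(client_lan, strict=False)
    for net in private:
        if lan.overlaps(net):
            findings.append(f"client LAN {lan} overlaps Private definition {net}")
    return findings
```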
By smanke on August 26, 2008 at 10:37 AM
Tony,
Interesting situation. Did everything work ok when you configured it like that?
By smanke on August 26, 2008 at 10:40 AM
Joe Mac,
When you connect to the file server, do you have any luck using the IP to connect? Select Connect to Server from the Go menu in the Finder and enter the server address in the address field.
If it's a Mac server, try afp://ipaddress. If it's Windows or Linux, try smb://ipaddress. That might do the trick. Sometimes the network browsing gets all messed up over VPNs and direct connecting is needed.
Also make sure your remote secure network is defined correctly in the routing definitions on the Mac VPN server. I think they are fine, but it's worth double checking.
By smanke on August 26, 2008 at 10:44 AM
I have an idea that might help some of you who are just not able to connect to the VPN server through routers that don't let you map GRE or ESP in your router's portmaps.
It might be worth trying to put your VPN server in the router's DMZ. In theory, any port that is not portmapped would flow right to the DMZ IP address, in this case the VPN server.
With the server in the DMZ, it might be a good idea to start using the server firewall to protect the box. But be sure you don't activate the firewall and start playing with rules before you know if the VPN is working. Once the firewall rules enter the equation, things get far more complicated.
If that works or doesn't work for anyone, post back. It will help the rest of us.
Thanks!
|
|
By Peet on August 26, 2008 at 10:55 PM
Smanke, I had caught the remote net to private from another of your answers after I sent the post. That didn't change anything regarding the errors I was getting.
Which pref file do I delete? The one on the physical server? Is there one for just OS X Server?
Thanks
By smanke on August 27, 2008 at 7:00 AM
Peet,
Here's the log you posted:
LOG FILE FROM Apple Server
#Start-Date: 2008-08-11 14:03:22 AST
#Fields: date time s-comment
2008-08-11 14:03:22 AST Loading plugin /System/Library/Extensions/L2TP.ppp
2008-08-11 14:03:24 AST Listening for connections...
2008-08-26 08:45:12 AST Error while processing ip address range 192.168.2.22
2008-08-26 08:45:12 AST Error while reading PPP preferences
2008-08-26 08:45:12 AST Update preferences - Error processing prefs file
2008-08-26 08:48:32 AST Update of preferences failed - settings left unchanged
These lines make me think that your VPN settings might be corrupt:
Error while reading PPP preferences
Update preferences - Error processing prefs file
Update of preferences failed - settings left unchanged
That's why I'm thinking it might help to delete that pref and let the system build a new one. That being said, it would be smarter to back up that file before you delete it, just in case the system does not regenerate it.
And, off hand, I'm not sure which pref this is or where it can be found. But something unusual is going on there and it seems like the place to start.
By hikari on September 17, 2008 at 2:49 PM
Could someone help me out?
I am running Leopard Server from home and trying to set up a VPN connection for a Leopard laptop.
I am thinking it's my router, a Belkin N1 Vision.
Anyhow, here is my log from the server:
2008-09-17 12:22:09 PDT Incoming call... Address given to client = 192.168.62.1
Wed Sep 17 12:22:09 2008 : Directory Services Authentication plugin initialized
Wed Sep 17 12:22:09 2008 : Directory Services Authorization plugin initialized
Wed Sep 17 12:22:09 2008 : PPTP incoming call in progress from '208.11.32.118'...
Wed Sep 17 12:22:09 2008 : PPTP connection established.
Wed Sep 17 12:22:09 2008 : using link 0
Wed Sep 17 12:22:09 2008 : Using interface ppp0
Wed Sep 17 12:22:09 2008 : Connect: ppp0 <--> socket[34:17]
Wed Sep 17 12:22:09 2008 : sent [LCP ConfReq id=0x1 ]
Wed Sep 17 12:22:12 2008 : sent [LCP ConfReq id=0x1 ]
Wed Sep 17 12:22:15 2008 : sent [LCP ConfReq id=0x1 ]
Wed Sep 17 12:22:18 2008 : sent [LCP ConfReq id=0x1 ]
Wed Sep 17 12:22:21 2008 : sent [LCP ConfReq id=0x1 ]
Wed Sep 17 12:22:24 2008 : sent [LCP ConfReq id=0x1 ]
Wed Sep 17 12:22:27 2008 : sent [LCP ConfReq id=0x1 ]
Wed Sep 17 12:22:30 2008 : sent [LCP ConfReq id=0x1 ]
Wed Sep 17 12:22:33 2008 : sent [LCP ConfReq id=0x1 ]
Wed Sep 17 12:22:36 2008 : sent [LCP ConfReq id=0x1 ]
Wed Sep 17 12:22:39 2008 : LCP: timeout sending Config-Requests
Wed Sep 17 12:22:39 2008 : Connection terminated.
Wed Sep 17 12:22:39 2008 : PPTP disconnecting...
Wed Sep 17 12:22:39 2008 : PPTP disconnected
2008-09-17 12:22:39 PDT --> Client with address = 192.168.62.1 has hungup
2008-09-17 12:35:58 PDT Update of preferences succeeded - settings have been changed
2008-09-17 12:35:58 PDT Update of preferences succeeded - settings have been changed
2008-09-17 12:39:35 PDT terminating on signal 15
#End-Date: 2008-09-17 12:39:35 PDT
Please help; I've been trying to figure this out for over a month now.
I have tried both L2TP and PPTP; neither is getting through, though I have port-forwarded every port I have found and even put the server in the DMZ, with no luck.
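The two logs quoted above (Peet's, where vpnd cannot read its own preferences, and hikari's, where the PPTP control connection arrives but every LCP Config-Request goes unanswered) are the two failure patterns that keep recurring in this thread. The script below is an added example, not code from the article or from Apple: it reads a Mac OS X Server VPN log and names the failure class, using the exact message strings seen in the logs posted here. The class names, the rules, the shortened sample logs and the log path in the usage comment are my own assumptions; point it at whatever log file Server Admin shows you.

```sh
#!/bin/sh
# Added example (not from the original post or Apple): classify a Mac OS X
# Server VPN log into a failure class. The match strings are the vpnd/pppd
# lines quoted in this thread; the class names and rules are my own.

# vpn_log_triage LOGFILE -> prints one of:
#   prefs_corrupt  vpnd cannot parse its own preference file (Peet's log)
#   lcp_timeout    the control connection arrived but LCP over the data
#                  channel got no reply, so the router is most likely dropping
#                  GRE (PPTP) or ESP (L2TP/IPsec), which are protocols, not ports
#   no_call        the server only ever listened: the TCP/UDP ports are not
#                  being forwarded to it at all
#   connected      a call came in and none of the above was logged
vpn_log_triage() {
  log="$1"
  if grep -q -e 'Error processing prefs file' -e 'Error while reading PPP preferences' "$log"; then
    echo prefs_corrupt
  elif grep -q 'LCP: timeout sending Config-Requests' "$log"; then
    echo lcp_timeout
  elif ! grep -q 'Incoming call' "$log"; then
    echo no_call
  else
    echo connected
  fi
}

# lcp_retries LOGFILE -> how many LCP Config-Requests pppd sent unanswered.
# pppd gives up after 10 (its default lcp-max-configure), 3 seconds apart,
# which is exactly the 30-second pattern in hikari's log.
lcp_retries() {
  grep -c 'sent \[LCP ConfReq' "$1"
}

# Constructed sample: the preference errors from Peet's log.
sample_prefs_log() {
  cat <<'EOF'
2008-08-11 14:03:24 AST Listening for connections...
2008-08-26 08:45:12 AST Error while reading PPP preferences
2008-08-26 08:45:12 AST Update preferences - Error processing prefs file
EOF
}

# Constructed sample: a shortened version of hikari's PPTP log.
sample_lcp_timeout_log() {
  cat <<'EOF'
2008-09-17 12:22:09 PDT Incoming call... Address given to client = 192.168.62.1
Wed Sep 17 12:22:09 2008 : PPTP connection established.
Wed Sep 17 12:22:09 2008 : Connect: ppp0 <--> socket[34:17]
Wed Sep 17 12:22:09 2008 : sent [LCP ConfReq id=0x1 ]
Wed Sep 17 12:22:12 2008 : sent [LCP ConfReq id=0x1 ]
Wed Sep 17 12:22:15 2008 : sent [LCP ConfReq id=0x1 ]
Wed Sep 17 12:22:39 2008 : LCP: timeout sending Config-Requests
Wed Sep 17 12:22:39 2008 : Connection terminated.
EOF
}

# Constructed sample: a server that never saw a call.
sample_no_call_log() {
  cat <<'EOF'
2008-08-11 14:03:22 AST Loading plugin /System/Library/Extensions/L2TP.ppp
2008-08-11 14:03:24 AST Listening for connections...
EOF
}

# Usage (path is an assumption): sh vpn_triage.sh /Library/Logs/vpnd.log
if [ "$#" -eq 1 ]; then
  echo "$(vpn_log_triage "$1") (LCP Config-Requests sent: $(lcp_retries "$1"))"
fi
```

The ordering of the checks matters: a preference error means vpnd never had a usable configuration, so it is reported before anything about the connection; an LCP timeout after "PPTP connection established" tells you TCP 1723 reached the server and only the GRE data channel is missing, which is the case macfreq later resolved by binding GRE and ESP on the router rather than forwarding more ports.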
By Jarod on October 22, 2008 at 5:57 AM
GREAT NEWS. Looking further up about the conversations regarding not being able to access your Bonjour services when connected via VPN. Well guess what, Yazsoft has recently released a product SHARETOOL that does just that. It works over SSH and is fully compatible with those that have VPN servers. I tested it out, it's UNBELIEVABLE!!!!! Must try for everyone. FINALLY we can do this. FINALLY FINALLY FINALLY!! Can you tell how excited I am about this. With ShareTool, it really is like you never left your network!!!
www.yazsoft.com
By Anonymous on December 16, 2008 at 5:22 AM
We have configured the VPN and are now able to connect successfully from the internal network, but not able to connect from the external network. It seems that the firewall is blocking the VPN connection.
We have two problems with this.
1. Which port should be opened in the firewall for this to work from the external network?
2. After successfully connecting to the external VPN server, which tool should be used to connect to the Mac server from the client machine?
By Tomn on January 23, 2009 at 3:28 PM
I can't believe how easy this was!! I've been working on this (off and on) for months. I set up my home server (10.4 server) and can reach it from my office Mac and my office XP machine. Way too cool!!
The only little issue is that from the office, my Mac (10.5) can only connect via PPTP and not IPsec. I have an Airport Extreme at home and forwarded the 4 ports on the firewall to my home server. Also I can't see the 2 computers on my home network. I know the IPs and can use Go/Connect to Server, but otherwise they don't show up. Any thoughts?
Again....too cool!!
By macfreq on February 21, 2009 at 12:40 AM
To Hakari,
I was having this same issue and had my server set up in a DMZ, also without a firewall, but was still getting the LCP: timeout sending Config-Requests error.
The router in this case was the Xincom XC-DPG503 Dual VPN Gateway. After pulling my hair out for a couple of days I made sure the VPN settings were disabled on the gateway because I was using the VPN service on Leopard Server 10.5.5. I then poked around the many features of this router and finally found the Protocol & Port Binding List tucked inside the Advanced Features. Even though I had the server in a DMZ, I still had to allow the GRE and ESP protocols to be sent through the right WAN port. I added these protocols to the Protocol and Port Binding List and it finally worked! At least the PPTP VPN did, still working on getting the L2TP VPN to work.
Hope this helps anyone. It was definitely a router problem in my case.
By JR on February 23, 2009 at 9:49 AM
What are the pros and cons of using Apple server VPN as opposed to, say, VPN X?
Can mobile home folders be synced over a VPN?
Thanks
By smanke on February 23, 2009 at 11:06 AM
JR,
Interesting, I have not heard of VPN X. From what I can tell, Apple's solution should be about the same thing. In that case, either solution should be able to sync the mobile home folder... though it would be slow given the WAN connection speeds.
Since you are working with mobile home folders, let me pick your brain. I have been trying to set up an Open Directory server on 10.5. I get the server working as I think it should, but I can't get the client machines to authenticate via the OD server. It's driving me nuts.
I can get the client to connect to the OD via the Directory Utility, but when I go to the OS login screen, I can't get it to authenticate.
Until I sort that out, I don't get to play with home folder sync among other cool features.
Any suggestions?
By Anonymous on February 24, 2009 at 9:07 AM
nice and useful article, it's very useful for those who use proxy (http://vpnomania.com/proxy-surf.html) and vpn (http://world-secure-channel.com/why/)
By JR on February 24, 2009 at 10:40 AM
I have tried to use mobile home folders in the past, however I did not find the solution to be stable. Hopefully now Apple have fixed the issues.
I drove Apple support round the bend to get Advanced server working. I am sorry that I can't answer your question.
By Anonymous on August 20, 2009 at 7:39 PM
I am having trouble connecting an XP Windows client via VPN to my Mac X server (10.5.8). I see there were issues in the past with the IPsec protocol with Microsoft. Has there been any resolution to the L2TP / IPsec connection for a Windows client? Or do I need to set the Windows client up under PPTP? And is that more of a security risk?
By badm0j0 on December 14, 2009 at 7:43 PM
RDP over VPN OS 10.6? I have followed your directions and successfully established VPN between remote Macbooks/Powerbooks but cannot seem to tunnel RDP from the Mac laptop to a local (internal) XP box for RDP, which I can RDP to from the VPN (OS X 10.6 server). What am I missing?
By Anonymous on March 28, 2010 at 6:57 AM
Try this instruction: http://www.cometip.com/2010/03/mac-os-vpn-routing....
It works for me.
By Anonymous on June 10, 2010 at 12:44 PM
Cheapest and easiest solution that I've found recently is VPN+, works for me and cheaper than all the other products out there, just in case any of you hadn't found what you were looking for yet. This was the first place I found when looking for a solution so thought that people here might want to know.
It says not to use it on the server version but it does work, for me anyway, just don't try and use Apple's VPN server admin at the same time. I prefer VPN+, it seems to just work better than Apple's.
By TheAdvisor on January 2, 2011 at 11:00 AM
It's amazing, years on, and neither of the software giants has put much effort into VPN. Apple's efforts are a cobbled together mess.
MS just love making life complicated, yet the concepts for both, due to L2TP and PPTP etc., have not changed.
Instead of making VPN better Apple bailed from servers and MS focused more on whizbang projects like Hyperhoohaa, commonly known as RD on opiates.
Funny how we end up coming to places like this to find the shortcomings of such technologies.
I have been trying to find an easy solution for providing VPN security to open AP hotspot users.
Yes you can use other providers, yes you can even use 3rd party software.
But being the purist and damn fool I am, I prefer to keep it stock OS to the best of my ability.
I hate installing extra stuff; it virtually defeats the purpose.
And Linux users, gee, can be happy, go open vpn, $ per connection.
I can see why IT staff would really get peeved with this.
NAT-T starts playing a part and all sorts of stupid crap. I am sick to death of VPN and I've only been working on it solid for a month or two ARRRRrrgh.
The best I get things is all connections work on a Netgear wired hub; the moment I go to the intended wifi AP the dramas start. I think it's the shared IPs or the NAT or possibly the IP isolation.
Sometimes it gets stroppy, lets one through then no others, especially if the one is high bandwidth consumption; the others can't see the authentication server and so it goes on.
I shall return when I have something more concrete because this is just mind numbing; if I did it for a living I'd be fired :)
Happy New Year.
By Anonymous on January 4, 2011 at 10:02 PM
VPN is still a challenge. More and more users are using VPNs for day to day internet access (as opposed to just gaining access to a work server), so getting a good VPN service is imperative.
For those in the above position (how do I get general VPN access to the internet from my Mac), there's a great article in this somewhat obscure blog: http://macwize.com/HOWTO/files/witopia_vpn.html
I don't particularly support Witopia over anything else, but it seems pretty cheap ($3/mth) and the article goes over how to set it up on your Mac really well.
By novice on January 26, 2011 at 5:29 PM
Does somebody know a good VPN client for Windows XP?
Running Mac OS Server 10.5.8 and, with a Mac client, I can connect (both PPTP and L2TP) and it works perfectly. With the integrated client from XP I also get the connection, but nothing...
The router is a Netgear FVS338 and all the ports are open (I think).
Any help?
By whiter on February 20, 2011 at 8:32 AM
My Mac OS X server has only 1 network interface. It does not function as a router for anything else. Yet I want to connect to it through a VPN, so all my connections to it are secure. So, my firewall blocks everything except VPN. Works great. But now how do I connect to SSH on the Mac OS X server (VPN endpoint)? I would like that to be possible through the VPN, but the firewall still blocks everything...
By Steve Manke on February 21, 2011 at 9:33 AM
@whiter
I'm not sure I understand. You said the Mac server is not acting as a router. And you mention a VPN, but I'm not sure if the Mac is the VPN, or if the router is acting as the VPN endpoint.
I haven't had a chance to use a Mac as a VPN server in a while, but I will give it a shot troubleshooting this with you.
If the Mac is the VPN server, you should open the ports (described above) in the router/firewall. At that point, it's often best to disable the Mac server's firewall at least until you have the normal VPN communication working.
Also make sure that you have the proper Network Routing setup in the Network Routing Definition. You need to properly designate the local network so the VPN server knows what to route locally.
By Steve Manke on February 21, 2011 at 9:37 AM
Attn All:
I'm sorry I haven't been able to keep up with this thread as of late. I don't currently have a Mac VPN server setup at my office, and it's made it harder to follow up with cases and suggestions.
I have been exploring a new VPN solution. If any of you have read my prior posts about Hamachi, an official Mac client has finally been released. And Hamachi 2.0 offers some really amazing new features. I just need some more quality time with it to find out if the same feature set supported on the PC is functional on the Mac. If so, this could be an amazing new VPN alternative that is much easier to configure.
I'll post more on that as soon as I have had a chance to set up a test server and really give it a good look.
But take a look at http://hamachi.cc in the mean time!
By whiter on February 26, 2011 at 8:01 AM
Hi Steve. Well... the client and server are both Mac :-P
The setup is this:
- Xserve as server in datacenter, say IP 123.123.123.123
- Mac client(s) at home, say IP 234.234.234.234
The Xserve does not route anything. It is a plain server, serving webpages.
I would prefer to only be able to access anything that's not public on the Xserve via a VPN connection. So, the Xserve will expose www publicly on 123.123.123.123, but screen sharing and ssh are only available via VPN, which is to be set up.
Now, if I configure the VPN on the Xserve to use a private network range, like 192.168.2.*, and connect my Mac clients to it, the client will get IP 192.168.2.1.
But the Xserve does not have a private network address in that range. It only has the public 123.123.123.123.
So, the question is, how do I get the Xserve to also have a private IP address in the 192.168.2.* range when a VPN client connects, and then how do I make sure the firewall does not block anything (ssh, screen sharing) that connects via the VPN?
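Three posts in this thread circle the same host-firewall question: smanke's DMZ suggestion (GRE and ESP cannot be port-mapped because they are IP protocols, not ports), Steve Manke's advice to open the VPN ports in the router and only then turn the server firewall on, and whiter's design where www is public but ssh and screen sharing must only be reachable through the tunnel. The script below is an added example, not code from the article, from Apple, or from any router vendor: it generates an ipfw rule set (the firewall underneath Server Admin on 10.5/10.6) that expresses that design. The interface name en0, the client range 192.168.2.0/24 and the pppN tunnel interfaces are assumptions you would change to match the server; nothing is applied unless you pipe the output to a root shell yourself.

```sh
#!/bin/sh
# Added example (not from the original post, Apple, or any vendor): an ipfw
# rule set for a single-interface Mac OS X Server that runs Apple's VPN
# service, publishes www to everyone, and accepts ssh and screen sharing only
# from clients that arrive over the VPN tunnel.
# Assumptions (edit to match the server): en0 is the public interface,
# 192.168.2.0/24 is the range handed to VPN clients, pppN are tunnel interfaces.
PUB_IF="${PUB_IF:-en0}"
VPN_NET="${VPN_NET:-192.168.2.0/24}"

# vpn_only_rules -> prints the ipfw commands; nothing is applied here.
vpn_only_rules() {
  cat <<EOF
ipfw -f flush
ipfw add 100 allow ip from any to any via lo0
ipfw add 200 check-state
# The server may initiate and reply freely; inbound is where we restrict.
ipfw add 300 allow ip from me to any out keep-state
# Public web service.
ipfw add 400 allow tcp from any to me 80,443 in via $PUB_IF
# L2TP/IPsec: IKE, NAT-T and L2TP are UDP ports, but ESP is IP protocol 50,
# which is why a router that only forwards ports cannot pass it.
ipfw add 500 allow udp from any to me 500,4500,1701 in via $PUB_IF
ipfw add 510 allow esp from any to me in via $PUB_IF
# PPTP: the control channel is TCP 1723; the data channel is GRE, IP protocol 47.
ipfw add 600 allow tcp from any to me 1723 in via $PUB_IF
ipfw add 610 allow gre from any to me in via $PUB_IF
# ssh and screen sharing only from VPN clients, only through a tunnel interface,
# so the same ports stay closed on the public interface.
ipfw add 700 allow tcp from $VPN_NET to me 22,5900 in via ppp*
ipfw add 65000 deny log ip from any to any
EOF
}

# Print the rules when run directly. To apply them as root on the server:
#   sh vpn_only_rules.sh | sudo sh
vpn_only_rules
```

The distinction the rule set makes explicit is the one macfreq ran into on his gateway: a port forward for TCP 1723 or UDP 500/4500/1701 is necessary but never sufficient, because the data actually travels inside GRE or ESP, which have no port numbers and must be permitted as protocols (rules 510 and 610). Binding ssh and VNC to `via ppp*` answers whiter's second question without the server needing its own address in the client range: the tunnel interface is the condition, not the source subnet alone. Follow Steve's ordering when deploying it: get the VPN working with the host firewall off first, then load these rules, keeping an out-of-band console handy in case the deny at the end locks you out.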