# Do I have to enable Port Forwarding for VPN?



## MDLarson (Apr 11, 2005)

So I got my shiny new Xserve, and have hit a wall.  I think it's just a small fence and not a full-blown _wall_, but I'm stuck anyway.

*Mac OS X Server configuration:*
Xserve (static internal IP) > switch > Cisco 675 DSL modem (static external IP)

I've created a user, added that user to a group and, in my VPN service in OS X Server, restricted access to that group in the _L2TP over IPsec_ section.  I started the service, and it is now running.

Soo... my question is:  do I have to configure my router (Cisco 675) to forward a "VPN port" to the Xserve?

I am asking all of this because the Internet Connect app asks for a "Server address", and the only accessible point on the internet at large is the Cisco router.  I've done this for VNC stuff (using ports 5900, 5901, etc...), I'm just not sure if there even exists a VPN port.  What is the way it is *normally* done?


----------



## MDLarson (Apr 12, 2005)

Gah!  Where are the experts when I need them?!?!

After much fruitless searching on the internet, I finally called our ISP and got some good info.  *VPN has nothing to do with port forwarding*.  The Xserve needs to have its own public IP address, not hide behind the DHCP server with a static IP address.

Basically I need to enable the DHCP server and NAT on the Xserve and disable those items on the Cisco 675 modem.  The Xserve has two ethernet ports, so the DSL modem will be plugged into one, and the other will go to my main switch.


----------



## BGprinting (Feb 25, 2006)

Careful, you can't run both your Xserve ethernet ports on the same subnet unless multihoming. I would keep the NAT and DHCP running on your router (it's faster). Just check with Cisco to see if your router supports VPN. L2TP and PPTP almost always bypass the NAT performed in the router. I always disable DHCP, static IP is more reliable. I'm not sure technically, but VPN requests are not actually forwarding through the router; they use the IP address that you told it to use to access your network. If you want other internet requests such as HTTP port 80 or FTP 21, then you will need to tell the router the address of the computer that those should be forwarded to. Either way, VPN clients will need to put in the public IP address that your ISP gave you to get into your network. Sorry I can't explain further but I gotta go!


----------



## MDLarson (Feb 25, 2006)

Hey, thanks for the reply actually.  Several months have gone by without anyone helping out, so it's appreciated.

We have upgraded our equipment to get rid of the Cisco DSL modem, added T1 service and some Netgear routers, and I have a better handle on things now, learning by trial and error, and several Google searches.


----------



## escargot (Nov 20, 2009)

MDLarson, I read your posts above with interest as I am in the same predicament.

Our config is:

Xserve (OSX 10.5) (static IP) - Netgear switch - Netgear ADSL wireless router (static external IP)

I know the VPN 'works' as I can connect internally. When I'm outside the LAN however, I get a connection failure.

I've opened the VPN ports on the router and set them to forward all requests to the Xserve's IP but to no avail.

hmmm.

Any help appreciated


----------



## ElDiabloConCaca (Nov 20, 2009)

What kind of VPN are you using?  L2TP/IPSec?  PPTP?

Not everything that you need to forward for certain VPNs is a "port" -- some VPNs require that you forward IP Protocol GRE as well.  This is not a "port" -- it is a "protocol," and some routers can do this while others cannot.

Verify with the manufacturer of your router that it can, indeed, forward protocol GRE for VPN compatibility.


----------



## escargot (Nov 20, 2009)

Thanks for the reply

It's the inbuilt L2TP/IPsec VPN that comes with OSX Server 10.5

Would the GRE protocol be relevant in this instance?


----------



## ElDiabloConCaca (Nov 20, 2009)

I don't think so... which ports have you forwarded, and of what type (UDP or TCP)?


----------



## escargot (Nov 20, 2009)

UDP 1701 is forwarded to hit 192.168.3.1 (internal IP of the Xserve)


----------



## ElDiabloConCaca (Nov 20, 2009)

Don't forget UDP 4500 (for NAT translation) and UDP 500 (for IKE).

Protocol 50 also needs to be "forwarded" (or allow IPSec pass-through) if using ESP (Encapsulated Security Payload or something).

Try forwarding UDP 4500 and 500 first and see if that works.


----------



## escargot (Nov 20, 2009)

Sorry, I should have mentioned, I've done that too.

Protocol 50 I assume is different to TCP port 50?


----------



## ElDiabloConCaca (Nov 20, 2009)

Yes, "Protocol 50" is neither TCP nor UDP.  It's not a "port."  It's simply "Protocol 50," which is different from "port 50."  Some consumer-level routers do not have support for doing this (or it's labeled under a different option such as "Allow IPSec pass-through").


----------



## escargot (Nov 20, 2009)

Ahh yes, it is different. Hmm. Not sure how to do that on the Netgear though (DG834Gv5 model).


----------



## ElDiabloConCaca (Nov 20, 2009)

This datasheet seems to indicate that that particular router has hardware-level support for VPNs, and should support IPSec pass-through:

http://kbserver.netgear.com/datasheets/dg834gv5_ds_29apr08.pdf

It also mentions a "VPN wizard" or some sort of router-based assistance in setting up a VPN.  Have you explored that portion of the router configuration?


----------



## escargot (Nov 20, 2009)

I've had a play with it but it would appear to be setting up a 'netgear vpn' as opposed to allowing a passthrough. For which, I would need to purchase the Netgear client application.

Very strange.


----------



## MDLarson (Nov 20, 2009)

Well, I did end up figuring out the whole VPN thing, but not Mac OS X Server's implementation of it.  We have two Netgear FVX538's bonded via site-to-site VPN and I can also provide VPN capability to Windows and Mac clients.  I was so excited to figure it all out that I made this tutorial:
http://www.hazmatt.net/tutorials/vpn/index.php

Assuming your VPN truly does work, my guess is that perhaps your home network (or whatever external network you are connecting from) is on a conflicting subnet.  They've got to be different subnets (like 10.0.0.XXX is different than 10.0.1.XXX).

I don't think I'd be much more help than what my little tutorial can offer, as you have a different setup than I do. In my case the actual VPN server IS the gateway, so no need to forward ports for me.

ElDiabloConCaca sounds like he's got a better handle on it anyway.


----------



## MDLarson (Nov 20, 2009)

escargot said:


> it would appear to be setting up a 'netgear vpn' as opposed to allowing a passthrough. To which, I would need to purchase the netgear client application.



You'd only need to purchase the Netgear VPN client if you are using Windows.  Especially since Netgear doesn't offer a Mac VPN client (see my tutorial for Mac alternatives).

If you do purchase the Netgear VPN client, make sure that you are provided with the latest version.  When I bought our 5 pack, the version on the disk was so horribly out-of-date that nothing worked (including any sort of online version checking).  It was lucky I called Netgear and got it straightened out 'cause if I had waited too long they wouldn't provide me with an up-to-date version.


----------



## escargot (Nov 21, 2009)

Thanks for the advice there

Perhaps I'm going about it the wrong way in that case. If the Netgear router allows me to set up a VPN gateway, perhaps I ought to utilise that instead of the Xserve.

Argghh, it's all so mind-boggling.


----------



## MDLarson (Nov 21, 2009)

Welcome to where I was a few years ago.  Such are the pitfalls of self-taught expertise, I guess.  You might also try the official Netgear forums.  You'll have to register your products to get into the 'blue box' section, but if my tutorial doesn't help you, ask them.


----------



## escargot (Nov 21, 2009)

Self teaching is frustrating but perhaps more rewarding. 

Netgear forums - good idea. I need teaching how to use my brain sometimes too.


----------



## seigereyes (Apr 16, 2010)

Hi escargot,

I was just reading this article and teaching myself at the same time.
I have now got this working using both OSX and WinXP clients.

Firstly I followed this article to set up the OSX VPN server and the WinXP clients; the OSX part is a little old but you will get the idea.

http://www.maclive.net/sid/132

Then I did some research on the net for the various ports required. The 2 port forwards that got me working were UDP 500 and TCP 1723.

On a Billion BiPAC 7300GA they look like this:

```
TCP    1723    1723    192.168.xx.xx    1723
UDP    500     500     192.168.xx.xx    500
```

Next I simply fired up the WinXP client from a different network using PPTP and "Microsoft CHAP Version 2" only.

I connected right away after that.

As the others have stated you need to check if your router supports IPSEC Passthru.

I hope this helps out.

Regards,
Seigs


----------
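The thread's two answers on what a VPN server behind NAT needs (ElDiabloConCaca's UDP 500/4500/1701 plus ESP for L2TP/IPsec, and Seigs's TCP 1723 for PPTP, with GRE as the protocol ElDiabloConCaca mentions) can be turned into a quick check of a router's forwarding table. This is an added example, not code from any poster or from Apple or Netgear; the rule format, the `passthrough` flag modelling an "IPsec pass-through" option, and the 192.168.3.2 host are assumptions.

```python
from typing import Iterable, Optional, Set, Tuple

# A forwarding rule as (protocol, port, internal_ip). Port-less entries are
# IP protocols (ESP = 50, GRE = 47), which is the thread's point that
# "Protocol 50" is not "port 50".
Rule = Tuple[str, Optional[int], str]
Need = Tuple[str, Optional[int]]

PROTO_NUMBERS = {"esp": 50, "gre": 47}

# Requirements per VPN type, taken from the answers above (assumed complete).
REQUIRED = {
    "l2tp/ipsec": {("udp", 500), ("udp", 4500), ("udp", 1701), ("esp", None)},
    "pptp": {("tcp", 1723), ("gre", None)},
}


def missing_forwards(vpn_type: str, rules: Iterable[Rule], server_ip: str,
                     passthrough: bool = False) -> Set[Need]:
    """Return what the router still lacks to reach server_ip for vpn_type.

    passthrough=True models a router option such as "Allow IPsec pass-through",
    which handles the port-less protocols without an explicit rule.
    """
    present = {(proto.lower(), port) for proto, port, ip in rules if ip == server_ip}
    needed = set(REQUIRED[vpn_type])
    if passthrough:
        needed = {n for n in needed if n[1] is not None}
    return needed - present


def describe(need: Need) -> str:
    """Human-readable form that distinguishes a port from an IP protocol."""
    proto, port = need
    if port is None:
        return f"IP protocol {PROTO_NUMBERS[proto]} ({proto.upper()}), not a port"
    return f"{proto.upper()} port {port}"


if __name__ == "__main__":
    # Constructed rule set in the shape of escargot's: UDP 1701, 500 and 4500,
    # with one rule mistakenly pointing at a different internal host.
    xserve = "192.168.3.1"
    rules = [("UDP", 1701, xserve), ("UDP", 500, xserve), ("UDP", 4500, "192.168.3.2")]
    for need in sorted(missing_forwards("l2tp/ipsec", rules, xserve), key=str):
        print("missing:", describe(need))
```

A rule that exists but targets the wrong internal host is reported as missing, which is the case a port-by-port review of the router's page tends to overlook.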



## escargot (Apr 16, 2010)

Hi Seigs,

Thanks very much for the response.

As it happens, I eventually got it working using the Netgear router as a VPN endpoint, then using VPN Tracker to connect to it.

I would still "rather" connect to the Xserve VPN via the OSX VPN client but it just got too time consuming in the end. I'll probably look at it in the next couple of months again. For now though, it does what I need it to do.


----------



## MDLarson (Jun 30, 2011)

Sometimes I should take care when I decide to lay waste to my website.  My little tutorial has been down for probably over a year, sorry!

Here's a new link to the same tutorial:
http://www.hazmatt.net/tutorials/vpn_ipsecuritas_to_fvx538/index.html


----------

