Do I have to enable Port Forwarding for VPN?

MDLarson

So I got my shiny new Xserve, and have hit a wall. I think it's just a small fence and not a full-blown wall, but I'm stuck anyway.

Mac OS X Server configuration:
Xserve (static internal IP) > switch > Cisco 675 DSL modem (static external IP)

I've created a user, added that user to a group and, in my VPN service in OS X Server, restricted access to that group in the L2TP over IPsec section. I started the service, and it is now running.

Soo... my question is: do I have to configure my router (Cisco 675) to forward a "VPN port" to the Xserve?

I am asking all of this because the Internet Connect app asks for a "Server address", and the only accessible point on the internet at large is the Cisco router. I've done this for VNC stuff (using ports 5900, 5901, etc...), I'm just not sure if there even exists a VPN port. What is the way it is *normally* done?
 
Gah! Where are the experts when I need them?!?! :confused:

After much fruitless searching on the internet, I finally called our ISP and got some good info. VPN has nothing to do with port forwarding. The Xserve needs to have its own public IP address, not hide behind the DHCP server with a static IP address.

Basically I need to enable the DHCP server and NAT on the Xserve and disable those items on the Cisco 675 modem. The Xserve has two Ethernet ports, so the DSL modem will be plugged into one, and the other will go to my main switch.
 
Careful, you can't run both your Xserve Ethernet ports on the same subnet unless multihoming. I would keep the NAT and DHCP running on your router (it's faster). Just check with Cisco to see if your router supports VPN. L2TP and PPTP almost always bypass the NAT performed in the router. I always disable DHCP; a static IP is more reliable.

I'm not sure technically, but VPN requests are not actually forwarded through the router; they use the IP address that you told it to use to access your network. If you want other internet requests, such as HTTP (port 80) or FTP (port 21), then you will need to tell the router the address of the computer that those should be forwarded to. Either way, VPN clients will need to put in the public IP address that your ISP gave you to get into your network. Sorry I can't explain further, but I gotta go!
 
Hey, thanks for the reply actually. Several months have gone by without anyone helping out, so it's appreciated.

We have upgraded our equipment to get rid of the Cisco DSL modem, added T1 service and some Netgear routers, and I have a better handle on things now, learning by trial and error, and several Google searches.
 
MDLarson, I read your posts above with interest as I am in the same predicament.

Our config is:

Xserve (OSX 10.5) (static IP) - Netgear switch - Netgear ADSL wireless router (static external IP)

I know the VPN 'works' as I can connect internally. When I'm outside the LAN however, I get a connection failure.

I've opened the VPN ports on the router and set them to forward all requests to the Xserve's IP, but to no avail.

hmmm.

Any help appreciated :)
 
What kind of VPN are you using? L2TP/IPSec? PPTP?

Not everything that you need to forward for certain VPNs is a "port" -- some VPNs require that you forward IP Protocol GRE as well. This is not a "port" -- it is a "protocol," and some routers can do this while others cannot.

Verify with the manufacturer of your router that it can, indeed, forward protocol GRE for VPN compatibility.
 
Thanks for the reply :)

It's the inbuilt L2TP/IPsec VPN that comes with OS X Server 10.5.

Would the GRE protocol be relevant in this instance?
 
Don't forget UDP 4500 (for NAT translation) and UDP 500 (for IKE).

Protocol 50 also needs to be "forwarded" (or allow IPSec pass-through) if using ESP (Encapsulated Security Payload or something).

Try forwarding UDP 4500 and 500 first and see if that works.
 
Yes, "Protocol 50" is neither TCP nor UDP. It's not a "port." It's simply "Protocol 50," which is different from "port 50." Some consumer-level routers do not have support for doing this (or it's labeled under a different option such as "Allow IPSec pass-through").
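The distinction the two replies above draw (GRE and ESP are IP protocol numbers, not ports; IKE and NAT-T are UDP ports) is easy to see by looking at the packets themselves. The following is an added example written for this page, not code from any poster, from Apple, or from Netgear. It builds a few constructed IPv4 packets for the L2TP/IPsec and PPTP cases, reads the protocol byte and, where one exists, the destination port, and lists what a router would have to forward or pass through for each. The packet builder is deliberately minimal (no checksums, no IP options) and the rule strings are my own wording.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# IANA IP protocol numbers and well-known ports that show up in VPN traffic
PROTO_TCP, PROTO_UDP, PROTO_GRE, PROTO_ESP = 6, 17, 47, 50
UDP_IKE, UDP_L2TP, UDP_NAT_T, TCP_PPTP = 500, 1701, 4500, 1723


@dataclass(frozen=True)
class Flow:
    proto: int                 # IPv4 protocol number (byte 9 of the header)
    dst_port: Optional[int]    # None when the protocol has no port field at all
    label: str                 # what the packet is
    rule: str                  # what the router must do to deliver it to the server


def build_ipv4(proto: int, payload: bytes, src="203.0.113.10", dst="192.0.2.1") -> bytes:
    """Constructed 20-byte IPv4 header (no options, checksum left 0) plus payload."""
    total = 20 + len(payload)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))),
                       bytes(map(int, dst.split(".")))) + payload


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed UDP header (checksum left 0) plus payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def classify(packet: bytes) -> Flow:
    """Identify a VPN-related packet by protocol number and, if present, UDP/TCP port."""
    if packet[0] >> 4 != 4:
        raise ValueError("only IPv4 is handled here")
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    proto = packet[9]
    l4 = packet[ihl:]

    if proto == PROTO_ESP:                # raw IPsec ESP: there is no port to forward
        return Flow(proto, None, "IPsec ESP (raw)",
                    "pass-through/forward IP protocol 50 (no port exists)")
    if proto == PROTO_GRE:                # PPTP data channel: likewise no port
        return Flow(proto, None, "GRE (PPTP data)",
                    "pass-through/forward IP protocol 47 (no port exists)")
    if proto in (PROTO_UDP, PROTO_TCP):   # both carry the destination port at bytes 2-3
        dport = struct.unpack("!H", l4[2:4])[0]
        if proto == PROTO_UDP and dport == UDP_IKE:
            return Flow(proto, dport, "IKE/ISAKMP", "forward UDP 500")
        if proto == PROTO_UDP and dport == UDP_NAT_T:
            # RFC 3948: IKE on 4500 starts with a 4-byte zero "non-ESP marker";
            # a non-zero first word is an ESP SPI, i.e. ESP encapsulated in UDP.
            udp_payload = l4[8:]
            inner = ("IKE over NAT-T" if udp_payload[:4] == b"\x00\x00\x00\x00"
                     else "ESP in UDP (NAT-T)")
            return Flow(proto, dport, inner, "forward UDP 4500")
        if proto == PROTO_UDP and dport == UDP_L2TP:
            # In L2TP/IPsec the L2TP packets ride inside ESP, so 1701 is only
            # visible to the router when L2TP is run without IPsec.
            return Flow(proto, dport, "L2TP (unencrypted)",
                        "forward UDP 1701 only if L2TP is not inside IPsec")
        if proto == PROTO_TCP and dport == TCP_PPTP:
            return Flow(proto, dport, "PPTP control", "forward TCP 1723")
        name = "UDP" if proto == PROTO_UDP else "TCP"
        return Flow(proto, dport, f"other {name}", f"forward {name} {dport} if needed")
    return Flow(proto, None, f"IP protocol {proto}", f"pass-through/forward protocol {proto}")


def required_rules(packets) -> List[str]:
    """Distinct router rules needed so every packet in the capture reaches the server."""
    return sorted({classify(p).rule for p in packets})


# Constructed sample "capture" (not real traffic): what a client behind NAT sends
# to the server's public address for L2TP/IPsec, the no-NAT case, and PPTP.
SAMPLE_L2TP_IPSEC = [
    build_ipv4(PROTO_UDP, build_udp(500, UDP_IKE, b"\x11" * 28)),                      # IKE phase 1
    build_ipv4(PROTO_UDP, build_udp(4500, UDP_NAT_T, b"\x00" * 4 + b"\x22" * 28)),     # IKE moved to 4500
    build_ipv4(PROTO_UDP, build_udp(4500, UDP_NAT_T, b"\x00\x00\x00\x01" + b"\x33" * 20)),  # ESP in UDP, SPI 1
]
SAMPLE_NO_NAT = [build_ipv4(PROTO_ESP, b"\x00\x00\x00\x01" + b"\x44" * 24)]            # raw ESP, SPI 1
SAMPLE_PPTP = [
    build_ipv4(PROTO_TCP, struct.pack("!HHIIHHHH", 40000, TCP_PPTP, 0, 0, 0x5002, 0, 0, 0)),  # SYN to 1723
    build_ipv4(PROTO_GRE, b"\x30\x01\x88\x0b" + b"\x55" * 8),                          # GRE v1, PPP inside
]

if __name__ == "__main__":
    for name, pkts in (("L2TP/IPsec behind NAT", SAMPLE_L2TP_IPSEC),
                       ("IPsec without NAT-T", SAMPLE_NO_NAT),
                       ("PPTP", SAMPLE_PPTP)):
        print(name)
        for p in pkts:
            f = classify(p)
            print(f"  proto={f.proto:<3} port={str(f.dst_port):<5} {f.label:<20} -> {f.rule}")
```

Running it shows why "open the VPN ports" is not enough on its own: the L2TP/IPsec-behind-NAT capture resolves to just UDP 500 and UDP 4500 (ESP is tucked inside 4500, L2TP inside ESP), while the no-NAT and PPTP captures each produce a protocol-number rule that a port-forwarding form cannot express. A router whose only option for those is "IPsec pass-through" or "PPTP pass-through" is doing exactly that protocol-level forwarding under a friendlier name.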
 
I've had a play with it but it would appear to be setting up a 'netgear vpn' as opposed to allowing a passthrough. To which, I would need to purchase the netgear client application.

Very strange.
 
Well, I did end up figuring out the whole VPN thing, but not Mac OS X Server's implementation of it. We have two Netgear FVX538s bonded via site-to-site VPN, and I can also provide VPN capability to Windows and Mac clients. I was so excited to figure it all out that I made this tutorial:
http://www.hazmatt.net/tutorials/vpn/index.php

Assuming your VPN truly does work, my guess is that perhaps your home network (or whatever external network you are connecting from) is on a conflicting subnet. They've got to be different subnets (e.g. 10.0.0.XXX is different from 10.0.1.XXX).

I don't think I'd be much more help than what my little tutorial can offer, as you have a different setup than I do—in my case the actual VPN server IS the gateway, so no need to forward ports for me.

ElDiabloConCaca sounds like he's got a better handle on it anyway. ;)
 
… it would appear to be setting up a 'netgear vpn' as opposed to allowing a passthrough. To which, I would need to purchase the netgear client application.

You'd only need to purchase the Netgear VPN client if you are using Windows. Especially since Netgear doesn't offer a Mac VPN client (see my tutorial for Mac alternatives).

If you do purchase the Netgear VPN client, make sure that you are provided with the latest version. When I bought our 5 pack, the version on the disk was so horribly out-of-date that nothing worked (including any sort of online version checking). It was lucky I called Netgear and got it straightened out 'cause if I had waited too long they wouldn't provide me with an up-to-date version.
 
Thanks for the advice there :)

Perhaps I'm going about it the wrong way in that case. If the netgear router allows me to set up a VPN gateway, perhaps I ought to utilise that instead of the Xserve.

Argghh, it's all so mind-boggling.
 
Welcome to where I was a few years ago. ;) Such are the pitfalls of self-taught expertise, I guess. You might also try the official Netgear forums. You'll have to register your products to get into the 'blue box' section, but if my tutorial doesn't help you, ask them.
 
Self teaching is frustrating but perhaps more rewarding. :)

Netgear forums - good idea. I need teaching how to use my brain sometimes too. ;)
 