Feb 16, 2012 7:21 PM (in response to SudKish)
Below is how mine is set up. This applies to my own internal network where I use a network of 192.168.0.0/24 and OSX server's internal address is 192.168.0.11. I also use Open Directory for authentication of all of my users.
This is on OSX 10.5 but 10.6 is similar.
- Enable the VPN service in Server Admin.
- Go to VPN then click Settings.
- Click L2TP.
- Enter a starting IP address and Ending IP address. I used 192.168.0.101 and 192.168.0.110 -- make sure that you select something that will work on your network. If you have a DHCP server (you probably do) then adjust it appropriately so VPN service doesn't try to hand out addresses that your DHCP server is also using. For example, I use the OSX DHCP service and have it set up to provide only 192.168.0.20 through 192.168.0.100. Then the VPN service uses .101 through .110.
- In PPP Authentication, choose Directory Service then change Authentication to MS-CHAPv2.
- In IPSec Authentication, choose Shared Secret (or choose a Certificate, but you'll need to make sure the cert is on all of your devices that will need VPN access). Provide an appropriate secret in the field. It's a password that all of your devices will use.
- Click the Client Information tab.
- Enter the IP address of your DNS server. I'm using the IP of my OSX server as it provides DNS inside my network.
- Enter the name of your domain in Search Domains.
- Leave Network Routing Definition empty.
- That addresses the VPN service itself, but don't start it yet.
- Next, go to your firewall (Airport Extreme?) and go to Manual Setup > Advanced > Port Mapping.
- Create a new rule and for Public and Private TCP and UDP put in port 1723 (that's 1723 in four boxes) and the Private IP Address of whatever your OSX server's internal IP is. Mine is 192.168.0.11. Click Continue. Give it an appropriate name, say, "TCP 1723" or maybe "L2TP TCP" then click Done.
- Add another rule, this time, it'll be UDP only. Put in 500,1701,4500 (with commas) in Public UDP and Private UDP. TCP entries should be blank. Use the same Private IP address as before. Click Continue and give it another appropriate name. I use "L2TP UDP". Click Done.
- Click Update to write the changes to your Airport. Your firewall will now pass VPN ports from public internet side to your OSX server.
- Now you'll need to set up access lists because you probably don't want just anyone to be able to use VPN. Load Workgroup Manager and log in.
- Click the Groups button then create a new group. Name it "VPN Users". Save the group then click the Members tab.
- Add your domain users or groups that you want to have VPN access. Don't forget to save your changes.
- Now, go back to Server Admin then click Settings > Access.
- Choose the VPN service on the left.
- Click Allow only users and groups below.
- Add the VPN Users group that you just created.
- Click Save.
- Go back to the VPN service and start it.
- To set up your VPN connection on your clients, you'll need to know your public IP address, the Shared Secret that you set while configuring your VPN service, and the username and password of a member of your VPN Users group.
That should be about it. Let us know how it goes.
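A small sanity check for the address plan and port mappings in the steps above, added here as an example (not part of the original post or of Apple's own tools). The LAN, server address, DHCP range, VPN pool and forwarded ports are constructed constants copied from the post; the check flags DHCP/VPN pool overlap, addresses outside the LAN, and mappings that differ from the L2TP/IPsec set (UDP 500, 1701, 4500). TCP 1723 is the PPTP port, so it is reported as an extra exposed port when only L2TP is in use.

```python
import ipaddress

# Constructed values taken from the post: LAN, server address, DHCP range, VPN pool.
LAN = ipaddress.ip_network("192.168.0.0/24")
SERVER_IP = ipaddress.ip_address("192.168.0.11")
DHCP_RANGE = ("192.168.0.20", "192.168.0.100")
VPN_RANGE = ("192.168.0.101", "192.168.0.110")

# Port mappings the post creates on the Airport. TCP 1723 is PPTP;
# L2TP/IPsec itself needs only UDP 500 (IKE), 1701 (L2TP) and 4500 (NAT-T).
PORT_MAPPINGS = [("tcp", 1723), ("udp", 500), ("udp", 1701), ("udp", 4500)]
L2TP_IPSEC_PORTS = {("udp", 500), ("udp", 1701), ("udp", 4500)}


def addr_set(rng):
    """Expand an inclusive (first, last) address pair into a set of addresses."""
    first, last = (ipaddress.ip_address(a) for a in rng)
    if last < first:
        raise ValueError(f"range end {last} precedes start {first}")
    return {ipaddress.ip_address(int(first) + i) for i in range(int(last) - int(first) + 1)}


def check_pools(lan, server, dhcp, vpn):
    """Return a list of problems with the address plan (empty list means it is consistent)."""
    problems = []
    dhcp_set, vpn_set = addr_set(dhcp), addr_set(vpn)
    for name, pool in (("DHCP", dhcp_set), ("VPN", vpn_set)):
        outside = sorted(a for a in pool if a not in lan)
        if outside:
            problems.append(f"{name} pool has addresses outside {lan}, e.g. {outside[0]}")
    overlap = dhcp_set & vpn_set
    if overlap:
        problems.append(f"DHCP and VPN pools overlap on {len(overlap)} address(es), e.g. {min(overlap)}")
    if server in dhcp_set or server in vpn_set:
        problems.append(f"server address {server} lies inside a dynamic pool")
    return problems


def check_port_mappings(mappings):
    """Return (missing, extra): L2TP/IPsec ports not forwarded, and forwarded ports beyond that set."""
    present = set(mappings)
    return sorted(L2TP_IPSEC_PORTS - present), sorted(present - L2TP_IPSEC_PORTS)


if __name__ == "__main__":
    print(check_pools(LAN, SERVER_IP, DHCP_RANGE, VPN_RANGE))      # []
    print(check_port_mappings(PORT_MAPPINGS))                      # ([], [('tcp', 1723)])
```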