1applePhreak

Q: Issues with l2tp VPN

TL;DR: Verizon FiOS router --> Apple AirPort Extreme --> Lion Server. Ports 22 & 1701 forwarded correctly; SSH works but VPN does not. VPN works locally.

Trying to set up a VPN from my Mac server. In the past I had everything set up properly and it worked fine; however, after we moved I have had some trouble with the setup. We changed to Verizon FiOS and had to use their router in conjunction with our own AirPort Extreme. I have forwarded port 22 through the FiOS router to the AirPort Extreme and then to the server, and SSH works fine. After setting up the VPN and testing it locally I forwarded ports 500, 1701 and 4500 on both, but the VPN will not work externally.

Here is a summary:

Lion Server

Ports 22,500,1701,4500 all forwarded through routers

SSH works

VPN does not

syslog:

configd[54]: SCNC: start, triggered by System Preferen, type L2TP, status 0

pppd[49277]: pppd 2.4.2 (Apple version 596.13) started by [Redacted], uid 501

pppd[49277]: L2TP connecting to server '[Redacted]' ([Redacted])...

pppd[49277]: IPSec connection started

racoon[414]: Connecting.

racoon[414]: IPSec Phase1 started (Initiated by me).

racoon[414]: IKE Packet: transmit success. (Initiator, Main-Mode message 1)

racoon[414]: IKE Packet: transmit success. (Phase1 Retransmit).

--- last message repeated 2 times ---

pppd[49277]: IPSec connection failed

racoon[414]: IPSec disconnecting from server [Redacted]

What can I do to get this working properly again?

iMac, OS X Server

Posted on Jul 21, 2013 2:25 PM
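The syslog excerpt in the question is the most useful evidence in the thread: racoon sends Main-Mode message 1, retransmits it, and never logs receiving anything before pppd gives up. The following script is an added example (not code from the original post or from Apple) that parses that excerpt and turns the pattern into a triage verdict. The sample log is the poster's own lines with the [Redacted] placeholders left in place; the message substrings it keys on ("IKE Packet: receive", "Phase1 established") and the verdict rules are my assumptions about racoon's wording, not facts stated in the thread.

```python
"""Triage an L2TP/IPsec client log like the one in the question.

Added example, not part of the original thread. The sample log is the poster's
syslog excerpt, [Redacted] placeholders included; the substrings the parser
keys on and the verdict rules are assumptions about Apple racoon's wording.
"""
import re

# Constructed input: the syslog excerpt from the question, one entry per line.
SAMPLE_LOG = """\
configd[54]: SCNC: start, triggered by System Preferen, type L2TP, status 0
pppd[49277]: pppd 2.4.2 (Apple version 596.13) started by [Redacted], uid 501
pppd[49277]: L2TP connecting to server '[Redacted]' ([Redacted])...
pppd[49277]: IPSec connection started
racoon[414]: Connecting.
racoon[414]: IPSec Phase1 started (Initiated by me).
racoon[414]: IKE Packet: transmit success. (Initiator, Main-Mode message 1)
racoon[414]: IKE Packet: transmit success. (Phase1 Retransmit).
--- last message repeated 2 times ---
pppd[49277]: IPSec connection failed
racoon[414]: IPSec disconnecting from server [Redacted]
"""

REPEAT_RE = re.compile(r"--- last message repeated (\d+) times ---")


def expand_repeats(lines):
    """Expand syslog's '--- last message repeated N times ---' into N extra
    copies of the preceding line so that retransmits can be counted."""
    out = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = REPEAT_RE.match(line)
        if m and out:
            out.extend([out[-1]] * int(m.group(1)))
        else:
            out.append(line)
    return out


def summarize_ike(log_text):
    """Count handshake milestones. Substrings are assumed racoon wording."""
    lines = expand_repeats(log_text.splitlines())
    return {
        "phase1_started": any("Phase1 started" in l for l in lines),
        "phase1_retransmits": sum("Phase1 Retransmit" in l for l in lines),
        "packets_received": sum("IKE Packet: receive" in l for l in lines),
        "phase1_established": any("Phase1 established" in l for l in lines),
        "ipsec_failed": any("IPSec connection failed" in l for l in lines),
    }


def diagnose(log_text):
    """Return (verdict, explanation) for one connection attempt."""
    s = summarize_ike(log_text)
    if s["phase1_started"] and s["packets_received"] == 0 and s["phase1_retransmits"]:
        return ("no-ike-reply",
                f"Main-mode message 1 was sent and retransmitted "
                f"{s['phase1_retransmits']} times with nothing received. The server "
                "never answered on UDP/500, so check that every NAT layer forwards "
                "UDP 500 (and 4500) to the server and that the reply path works. "
                "A wrong pre-shared key fails later, after replies arrive.")
    if s["phase1_established"] and not s["ipsec_failed"]:
        return ("ike-ok",
                "Phase 1 completed; if the VPN still fails, look at L2TP/PPP "
                "rather than IPsec reachability.")
    if s["packets_received"] and s["ipsec_failed"]:
        return ("ike-negotiation-failed",
                "The peer replied, so UDP/500 is reachable; compare the pre-shared "
                "key and proposals on both ends.")
    return ("unknown", "Log does not show a recognised failure pattern.")


if __name__ == "__main__":
    verdict, why = diagnose(SAMPLE_LOG)
    print(verdict)
    print(why)
```

Run against the poster's excerpt this reports `no-ike-reply`: three transmissions of message 1 and zero packets received. That is the signature of IKE traffic not reaching the server (or its answer not coming back), which is why the replies below concentrate on the NAT layers rather than on the VPN configuration itself.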


  • by John Lockwood, Level 6 (9,309 points), Servers Enterprise
    Jul 22, 2013 2:06 AM in response to 1applePhreak

    It sounds like you have a double NAT configuration now, whereas previously you may have had a single NAT configuration. Any NAT is likely to make running a VPN server more complicated, double NAT doubly so.

    What type of VPN device are you using? If it is Windows, then as standard the Windows VPN client is particularly less happy with VPN via NAT. See http://support.apple.com/kb/HT5078

    I would first look at your network setup and see if you can get rid of one layer of NAT, either by making the Verizon router act only as a bridge, or by leaving the Verizon router as the router and making the AirPort Extreme act only as a bridge.

  • by 1applePhreak, Level 1 (0 points)
    Jul 22, 2013 8:39 AM in response to John Lockwood

    It is a double NAT, but as I stated I was able to forward the correct ports on both, so I can get the connection working for SSH. Also, I should have stated earlier that I am using a MacBook Pro and I have set up the VPN client side by deploying a mobileconfig file.

  • by John Lockwood, Level 6 (9,309 points), Servers Enterprise
    Jul 22, 2013 9:04 AM in response to 1applePhreak

    Something I keep forgetting is that if you're using 'Back to My Mac' then this will use the same ports as the VPN server and might prevent the VPN server from working properly.

    Note: The AirPort Extreme itself can also run 'Back to My Mac', so check its settings as well.

    See http://support.apple.com/kb/ht3944

    It would be worth testing with manually configured settings on a (remote) Mac. Don't try everything at once; if you use manual settings to start with, you avoid the possibility of the MobileConfig being incorrect.

    Ideally, think about removing the double NAT setup. I agree it sounds like you have set port forwarding up correctly, but double NAT is generally unnecessary and more trouble than it's worth.
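Both replies come back to the same point: with two NAT layers, every required port has to be forwarded by the outer router to the inner router's WAN address, and again by the inner router to the server, with the right protocol at each hop. The check below is an added example (not code from the thread, from Apple or from Verizon) that models that chain and reports where it breaks. The router names, addresses and forwarding tables are constructed to mirror the poster's topology (FiOS router -> AirPort Extreme -> server) and are assumptions; the deliberate mistake in the AirPort table (L2TP forwarded as TCP instead of UDP) is there to show what an incomplete chain looks like, not a claim about the poster's setup.

```python
"""Verify a double-NAT port-forwarding chain for an L2TP/IPsec server.

Added example, not part of the original thread. Router names, addresses and
rule tables below are constructed assumptions modelled on the topology in the
question; the AirPort table contains an intentional mistake for illustration.
"""
from dataclasses import dataclass

# What an L2TP/IPsec server needs reachable, plus SSH (already working in the thread).
REQUIRED = {
    ("udp", 500): "IKE (ISAKMP)",
    ("udp", 4500): "IKE / ESP NAT-Traversal",
    ("udp", 1701): "L2TP",
    ("tcp", 22): "SSH",
}


@dataclass(frozen=True)
class Rule:
    proto: str      # "tcp" or "udp"
    ext_port: int   # port on this router's WAN side
    dest_ip: str    # address the router forwards to
    dest_port: int  # port on the destination (usually unchanged)


def check_chain(hops):
    """hops: list of (router_name, inner_target_ip, rules), outermost router first.
    inner_target_ip is where this hop must forward to: the next router's WAN
    address, or the server itself for the last hop.
    Returns {(proto, port): [problems]}; an empty list means the path is complete."""
    report = {}
    for (proto, port), purpose in REQUIRED.items():
        problems = []
        current_port = port                # port as seen on the current hop's WAN side
        for name, target_ip, rules in hops:
            match = [r for r in rules if r.proto == proto and r.ext_port == current_port]
            if not match:
                problems.append(f"{name}: no {proto}/{current_port} forward ({purpose})")
                break
            rule = match[0]
            if rule.dest_ip != target_ip:
                problems.append(f"{name}: {proto}/{current_port} forwarded to "
                                f"{rule.dest_ip}, expected {target_ip}")
                break
            current_port = rule.dest_port  # follow any port translation inward
        else:
            # Every hop forwarded; the server must listen on the port it finally receives.
            if current_port != port:
                problems.append(f"{hops[-1][1]}: arrives on {proto}/{current_port} "
                                f"but {purpose} listens on {proto}/{port}")
        report[(proto, port)] = problems
    return report


# Constructed topology: FiOS router (WAN) -> AirPort Extreme at 192.168.1.2 -> server at 10.0.1.10
FIOS_RULES = [
    Rule("tcp", 22, "192.168.1.2", 22),
    Rule("udp", 500, "192.168.1.2", 500),
    Rule("udp", 1701, "192.168.1.2", 1701),
    Rule("udp", 4500, "192.168.1.2", 4500),
]
AIRPORT_RULES = [
    Rule("tcp", 22, "10.0.1.10", 22),
    Rule("udp", 500, "10.0.1.10", 500),
    Rule("tcp", 1701, "10.0.1.10", 1701),   # intentional mistake: L2TP is UDP, not TCP
    Rule("udp", 4500, "10.0.1.10", 4500),
]
HOPS = [
    ("FiOS router", "192.168.1.2", FIOS_RULES),
    ("AirPort Extreme", "10.0.1.10", AIRPORT_RULES),
]


def example_report():
    """Run the check over the constructed topology."""
    return check_chain(HOPS)


if __name__ == "__main__":
    for key, problems in example_report().items():
        status = "ok" if not problems else "; ".join(problems)
        print(f"{key[0]}/{key[1]}: {status}")
```

On the constructed tables, SSH and UDP 500/4500 pass while UDP 1701 stops at the AirPort, which matches the thread's symptom of SSH working but the VPN not. A complete chain is necessary but not sufficient: the log in the question shows IKE never being answered at all, and a clean forwarding table does nothing about a second service such as Back to My Mac holding UDP 500/4500 on the AirPort, which is the other cause the reply above raises.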