site-to-site VPN, osx server connected to a router

Hi!

I'm having a bad time setting up a site-to-site VPN between our two offices:

Each office is connected to the Internet via a satellite-modem box (IpStar) that is also a router device, so on one side of the box we have our public IP address and on the other side it's private.

Mac OS X Server is running on a Mac Mini 2GHz.
(I've added one more Ethernet port by using a USB-to-Ethernet adapter, a D-Link DUB-E100.)
The Mac Mini is providing all the basic network services to the other client computers in the office; it's doing NAT and routing as well.

en0 is the internal interface for the client side (192.168.210.0 for office 1 / 192.168.220.0 for office 2)

en2 is the external interface and it's connected to the ethernet port of the satellite-modem box (10.143.243.0 for office 1 / 10.143.244.0 for office 2)

Everything is working fine (including the normal client/server L2TP VPN); only the site-to-site VPN is causing problems.

In the satellite box I've forwarded the right ports to the Mac Mini's en2 (external) interface IP address.

I've followed the Apple Network Services documentation to set up the firewall and the VPN using s2svpnadmin.
But the catch is, in the Apple doc the OS X server is connected directly to the Internet via one of its own interfaces.
My situation is different: between my OS X server and the Internet there's another router, the satellite modem box. I thought I would only have to set up port forwarding, but apparently that's not enough.

Here is my s2svpnadmin config for office1:

External gateway address of the local site: ABCD
External gateway address of the remote site: WXYZ
Using shared-secret encryption. Shared secret = password
====Details for policy #1====
Local subnet address: 192.168.210.0
Number of prefix bits representing the local subnet: 24
Remote subnet address: 192.168.220.0
Number of prefix bits representing the remote subnet: 24

And I'm a bit confused when I'm running s2svpnadmin, 'cause it's asking for the "external gateway address of the local site": is it the IP address of en2 or the one provided by the ISP?
Anyway, whatever I enter it doesn't work (ping...).

So now I hope somebody can help me, thanks in advance!

MacBook, Mac OS X (10.4.10)

Posted on Sep 28, 2007 10:57 PM


Sep 28, 2007 11:56 PM in response to lulu62

What impact a satellite link has on latency I don't know (a couple of seconds? how far out in space is the satellite?) but connecting two sites with VPN might be impossible(?) because of that.

Then depending on what traffic you want to send/receive it might be "unusable".

Also what upstream speed are those links? That would be the highest speed you can achieve between sites.

Then first I would lose the USB thing as you don't really need it and it probably will mess up the s2svpn. Dual NAT to the Internet isn't a good thing for LAN users.
At least lose the NAT and use only routing (ipforwarding on) if you need to use the firewall. Would require static routes in the satellite routers though.

The satellite router needs to be able to forward the ESP protocol to the server (VPN-passthrough might suffice if present in router) if there's going to be any chance of getting the s2svpn up and running. You also need UDP port 500 portforwarded to the server 10-net IP but that must already be configured as the L2TP (?) is working.

And it's the public IP you have to use for the two servers to be able to find each other over the Internet. Having static IPs for the public IPs is preferred.

As OS X Server now (not always in earlier Tiger versions) uses only UDP ports for L2TP when either client or server is behind NAT, I can't be sure ESP is used for s2svpn with your config, but I suspect it is, as "plain" IPSec is used for a s2s tunnel.

Important: ESP is protocol number 50 (and UDP is number 17, TCP is number 6) not to mix up with UDP and TCP PORT numbers.

Sep 29, 2007 12:57 AM in response to Leif Carlsson

It's true that the latency with the satellite connection is not good at all; we're experiencing that every day while browsing.

For now we're using Linux servers with OpenVPN and we're going to migrate to OS X Server.
The current VPN link is working fine. Of course the latency makes it not suitable for normal users, but we in IT can use it to fix problems remotely with remote desktop.

I was not expecting so much from the USB-to-Ethernet adapters, but I must say they're doing their job very well, and stay alive all the time!

As I said before, I have no problem using the normal L2TP VPN connection; I've been able to connect to the office network from outside and access resources.
So I guess the fact of having 2 routers is not a problem as long as the devices are correctly set up.

Everything about port forwarding and firewall seems to be correctly done.

When running tests and performing pings from office to office, I can see in the firewall logs that the remote office is receiving data on port 500, but nothing is sent back, and there are no Deny rules either...

Sep 29, 2007 3:05 AM in response to lulu62

"For now we're using linux servers with OpenVPN"

Important to mention that up front..

And that is used for site to site VPN or just client to site ("roadwarrior")?

If you only have one public IP (and no one-to-one NAT for a second one) it will be hard to test VPN. Especially if the Linux servers are up and running, and I would expect problems with UDP port 500 as it is most likely used for the OpenVPN communication (haven't looked into it recently - I'm used to playing around with the IPCOP Linux firewall/VPN, which I think also uses OpenVPN now).

If you have more than one public IP, why not use Linux for site-to-site VPN and firewall duties (IPCOP is nice) and OS X for L2TP (and/or PPTP?). If possible the satellite router should only be used as a modem and not forward traffic (not route); use "either" firewall instead. You'd get a "cleaner" setup.

But for Windows XP pro L2TP compatibility with OS X Server you need to have OS X as the VPN gw using a public IP on the Internet interface. PPTP works with server on a private/NAT LAN network (if you can get GRE protocol through) with both Mac and Windows built-in VPN clients.

And if you read my post again about the ESP protocol passthrough: it is also probably used for OpenVPN.

Sep 29, 2007 10:11 AM in response to Leif Carlsson

We are using OpenVPN in the site-to-site mode, and we have only one public IP address per site. OpenVPN is using port 1194 UDP and I have no problem accessing some other services like ssh, ftp or L2TP on the OS X server. I doubt OpenVPN uses the ESP protocol; I made a quick search on Google and it seems to be 2 different things... I feel we're going away from the main subject; I would prefer to talk about the site-to-site functionality of OS X Server behind a router.

Sep 30, 2007 12:12 AM in response to lulu62

OK, my bad. I remembered wrong (IPCOP doesn't use OpenVPN). Sorry for that, haven't used SSL VPN (yet).

Well I still think you need ESP and UDP port 500 passthrough/forwarded but it might also be impossible to get s2s vpn working if you have the server behind NAT.

The OS X firewall has settings for letting ESP through (in).

Some NAT routers have no "real" settings for any other protocols than TCP/UDP but can have a "VPN passthrough" setting that might work. But it would be best if you either had a "real" firewall/router with settings for ESP or could use the public IP directly on the OS X server.

You can check if any traffic from the other side gets through to the server by using tcpdump, but you probably want to filter out most other traffic and look specifically for s2s vpn.


Ahem...

http://images.apple.com/server/pdfs/NetworkServicesv10.4.pdf

They mention that L2TP is used by s2s, so it should be the "standard" OS X VPN ports that need to be forwarded. So if client VPN is already working, the correct ports are already open.


Also according to this:

http://developer.apple.com/documentation/Darwin/Reference/ManPages/man8/s2svpnadmin.8.html

"The s2svpnadmin tool identifies each site-to-site server with an identifying string. This string should not have any spaces in it."

Sep 30, 2007 7:58 PM in response to Leif Carlsson

Leif Carlsson wrote:
You can check if any traffic from the other side gets through to the server by using tcpdump, but you probably want to filter out most other traffic and look specifically for s2s vpn.


Second post of mine :

lulu62 wrote:
When running tests and performing pings from office to office, I can see in the firewall logs that the remote office is receiving data on port 500, but nothing is sent back, and there are no Deny rules either...

Oct 1, 2007 12:59 AM in response to lulu62

Bit of a shot in the dark - just wondering if listing the routing tables (during the attempt to form the s2s) on both Minis' interfaces might show up something?

When a remote single client forms a VPN at the Mini, the Mini will allocate it an IP on the internal network. Traffic returning to that internal IP is obviously getting routed back to the external client OK. However, the site-to-site VPN traffic has to get routed back to the originating site's local IPs and this does not seem to be happening. This may show up in routing tables, if you can get them generated at the right time.

As I said, just something to look into since it is a difference between client-to-site and site-to-site vpns (which I just became aware of, thanks Camelot).

-david

Oct 1, 2007 2:28 AM in response to David_x

David_x wrote:
Bit of a shot in the dark


Yeah, it's turning out like that, so I propose to go step by step:

First of all :

When i create the s2s using s2svpnadmin i'm asked for :

Please enter the external gateway address of the local site:


Should I enter the public IP address provided by my ISP or the private IP of the external interface (en2) of the Mac Mini server?
(I remind new visitors that my OS X server is behind a router, so it is not connected directly to the Internet.)

Please enter the external gateway address of the remote site:


I guess this one has to be the public IP address of the remote site.

Please enter network address of a local subnet (e.g. 192.168.0.0):


Local subnet, en0 (internal) interface, 192.168.210.0 or 192.168.220.0

Please enter number of prefix bits that represent the local subnet [0-32]:


24

Please enter network address of a remote subnet (e.g. 192.168.0.0):


Local subnet, en0 (internal) interface, 192.168.210.0 or 192.168.220.0

Please enter number of prefix bits that represent the remote subnet [0-32]:


24

Oct 1, 2007 11:09 AM in response to lulu62

Please enter the external gateway address of the local site:


Should I enter the public IP address provided by my ISP or the private IP of the external interface (en2) of the Mac Mini server?


The public IP. Same at other end.... remote gateway at one end = local gateway at other, therefore both ends have matching gateway pairs.

Similar with local subnets.... At location 1, the network address of remote subnet must match location 2's network address of local subnet and vice-versa.

-------

What I'm wondering about though is whether the remote site's vpn server has the correct routing table created to return the initial connecting traffic. If an internal vpn client can reach the remote LAN using L2TP, then the s2s should work... one would think (unless there are other differences between OS X's s2s solution and whatever you are using for client2site). I really don't know anything about the various nitty-gritty bits that Leif was mentioning so cannot add any comments there. Just think it might be worth generating routing tables or listening on both ports on the mini - see if returning traffic is going to other port? Another question to my mind is whether sending a s2s configuration with a specified local lan (192.168.210.0) to a port with another lan defined (10.143.243.0) is messing with either the routing table or the acceptance of the vpn negotiation. There must be a way to increase debug logging at least?

Personally I've always avoided using os x server as firewall/router purely because of this type of added complexity. Even if just as a test, it might be worth ditching the second interface and just port-forward from modem to single (internal) interface. This would remove the routing question as well as the double nat. I'm presuming that you have a good reason for running the os x server as firewall/router instead of just the modem/router as otherwise it's just adding complexity.

-david (disclaimer... I'm really not an expert on this type of thing - Leif & Camelot are the 'pros' here. I'm just chucking in a few thoughts (& probably confusing things further 🙂
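The mirroring rule David describes (the remote gateway at one end is the local gateway at the other, and likewise for the subnets) is easy to get wrong when the two s2svpnadmin sessions are typed by hand on two machines. As an added example that is not code from the thread or from Apple's s2svpnadmin, the Python below takes both sites' answers and lists every inconsistency: a gateway given as an RFC 1918 address (the en2 10.x address instead of the public one), an identifying string with a space (the man page quoted earlier forbids it), a subnet entered with host bits set, and any pair of fields that do not mirror each other. The subnets are the thread's; the public gateway addresses (203.0.113.10 and 198.51.100.10, documentation ranges) and the identifying strings are invented.

```python
"""Cross-check a pair of s2svpnadmin configurations so each side's answers
mirror the other's.  Added example, not from the thread or from Apple's tool;
the public gateways (documentation ranges) and the ids are invented."""
import ipaddress

# The thread's concern is "public IP vs. the private en2 address", so check
# RFC 1918 space explicitly (Python's is_private would also flag the
# documentation ranges used as stand-ins for the real public addresses).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(address):
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in RFC1918)


def network(subnet):
    """(address, prefix_bits) -> ip_network, or None if host bits are set."""
    addr, prefix = subnet
    try:
        return ipaddress.ip_network(f"{addr}/{prefix}", strict=True)
    except ValueError:
        return None


def check_pair(site_a, site_b):
    """Return a list of problems; an empty list means the two configs agree."""
    sites = (("site_a", site_a), ("site_b", site_b))
    problems = []
    # Subnets must be network addresses before anything else can be compared.
    for name, site in sites:
        for key in ("local_subnet", "remote_subnet"):
            if network(site[key]) is None:
                problems.append(f"{name}.{key} {site[key]} has host bits set; enter the network address")
    if problems:
        return problems
    for name, site in sites:
        if " " in site["id"]:
            problems.append(f"{name}.id {site['id']!r} contains a space")
        for key in ("local_gateway", "remote_gateway"):
            if is_rfc1918(site[key]):
                problems.append(f"{name}.{key} {site[key]} is private; the gateway must be the public IP")
        if network(site["local_subnet"]).overlaps(network(site["remote_subnet"])):
            problems.append(f"{name}: local and remote subnets overlap; they cannot be routed through one tunnel")
    # Cross checks: what is remote on one side is local on the other.
    if site_a["local_gateway"] != site_b["remote_gateway"]:
        problems.append("site_a.local_gateway does not match site_b.remote_gateway")
    if site_a["remote_gateway"] != site_b["local_gateway"]:
        problems.append("site_a.remote_gateway does not match site_b.local_gateway")
    if network(site_a["local_subnet"]) != network(site_b["remote_subnet"]):
        problems.append("site_a.local_subnet does not match site_b.remote_subnet")
    if network(site_a["remote_subnet"]) != network(site_b["local_subnet"]):
        problems.append("site_a.remote_subnet does not match site_b.local_subnet")
    return problems


# Constructed configs: the thread's subnets with invented public gateways.
OFFICE1 = {
    "id": "office1",
    "local_gateway": "203.0.113.10", "remote_gateway": "198.51.100.10",
    "local_subnet": ("192.168.210.0", 24), "remote_subnet": ("192.168.220.0", 24),
}
OFFICE2 = {
    "id": "office2",
    "local_gateway": "198.51.100.10", "remote_gateway": "203.0.113.10",
    "local_subnet": ("192.168.220.0", 24), "remote_subnet": ("192.168.210.0", 24),
}
# The tempting wrong answer to the first prompt: the private address of en2.
OFFICE1_WRONG = dict(OFFICE1, local_gateway="10.143.243.5")

if __name__ == "__main__":
    print(check_pair(OFFICE1, OFFICE2))          # []
    for problem in check_pair(OFFICE1_WRONG, OFFICE2):
        print("-", problem)
```

Run it once with the answers from both sessions side by side before trying the tunnel again; an empty list rules out the configuration mismatch and leaves the port-forwarding and routing questions raised above.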

Oct 1, 2007 8:23 PM in response to David_x

David_x wrote:
What I'm wondering about though is whether the remote site's vpn server has the correct routing table created to return the initial connecting traffic.


I think you have an important point here.

If an internal vpn client can reach the remote LAN using L2TP, then the s2s should work... one would think (unless there are other differences between OS X's s2s solution and whatever you are using for client2site).


I'm using the default client-to-site VPN solution from Apple, and I think it works differently from the s2s system.

Just think it might be worth generating routing tables or listening on both ports on the mini - see if returning traffic is going to other port?


As I said before, the remote server gets traffic on port 500 but that's it; nothing is sent back.

Another question to my mind is whether sending a s2s configuration with a specified local lan (192.168.210.0) to a port with another lan defined (10.143.243.0) is messing with either the routing table or the acceptance of the vpn negotiation.


Could be too; it would be nice to have people here who could confirm.

There must be a way to increase debug logging at least?


Something else i would like to know too.

Personally I've always avoided using os x server as firewall/router purely because of this type of added complexity. Even if just as a test, it might be worth ditching the second interface and just port-forward from modem to single (internal) interface. This would remove the routing question as well as the double nat.


I can give it a try and see if it works this way.
If so, then would the problem be the routing tables?

I'm presuming that you have a good reason for running the os x server as firewall/router instead of just the modem/router as otherwise it's just adding complexity.


I would not trust the satellite modem to be the only "firewall" in the network. It's just a NAT router, and nowhere is a firewall mentioned. So that's why...


I've been thinking: if I turn off the NAT functionality of the satellite modem and manage to get a public IP address on the external port of the Mac Mini server, would that be better?
