1 Reply Latest reply: Sep 13, 2008 11:44 PM by Leif Carlsson
Mike Matthews Level 1 (10 points)
Hi:

The previous discussion thread (http://discussions.apple.com/thread.jspa?threadID=1451405&tstart=0) has been closed, but I think I may have finally solved the problem.

Recapping the goal:
To have one FQDN that users would use to connect to the VPN. Continue to use the second FQDN for the file server, a FQDN the users are already accustomed to. So in the office, to use the file server they connect to server.company.com, and after they connect via VPN, they still know to connect to server.company.com for the file server.

Or, put another way, the last problem was this:

"Whichever IP you connect to, use the other one to access local resources on the server. For consistency reasons it would make more sense to make the VPN connection to the alias IP and then connect to the familiar server IP to access local resources."

And this didn't solve it:

"Switching the order of the services in the Network pref pane to list the VPN first followed by Ethernet 1 didn't work."

But I ended up erasing this server's hard drive and starting over after an Apple Tech Support rep told me that installing as a standard server and promoting it to an advanced server would *definitely, no doubt about it*, lead to problems down the road.

Everything seems to work fine now.
The setup:

• This Xserve will run several services using Mac OS X Server v10.5.4., including AFP and VPN.
• I registered two FQDNs (the names below are changed to protect the innocent, but I think you'll get the idea) with full reverse lookup:

server.company.com--this one is used to connect to the Xserve's file server--xxx.xxx.xxx.130
vpn.company.com--this one is used in the VPN configuration document--xxx.xxx.xxx.140

• I set up the server to have Ethernet 1 use IP address xxx.xxx.xxx.130 (corresponding to server.company.com). I did not set up anything on Ethernet 2.
• In System Preferences > Network I duplicated the Service on Ethernet 1 (calling it VPN) and gave it the IP address of xxx.xxx.xxx.140 (corresponding to vpn.company.com). I did not change any other settings, including the subnet mask.
• Using the Action (gear) button in System Preferences > Network I set the service order to move the duplicated service--VPN--to the top of the list.

Et... voilà:

I can now connect over the VPN using either xxx.xxx.xxx.140 or vpn.company.com in the Server Address field of the VPN (L2TP) service of System Preferences > Network. And once connected, I can connect to the file server via the Finder's Go > Connect to Server command using either afp://server.company.com or afp://xxx.xxx.xxx.130.

Maybe it was starting off with the advanced server (and playing it straight by not putting one of these two IP addresses on each physical ethernet port) that did the trick. I really don't know. But I think I'm happy now.

But I wonder...would the server operate more efficiently if I did put xxx.xxx.xxx.140 on Ethernet 2? My guess is that with VPN traffic on the Ethernet 2 port, there would be less traffic to contend with on Ethernet 1. Or maybe the ports can be bound together.

Not sure I'll tempt the fates, but I probably will ask an Apple support rep.

Hope this helps someone.
mm

Mac OS X (10.5.4)
  • Leif Carlsson Level 5 (4,950 points)
    "But I wonder...would the server operate more efficiently if I did put xxx.xxx.xxx.140 on Ethernet 2? My guess is that with VPN traffic on the Ethernet 2 port, there would be less traffic to contend with on Ethernet 1. Or maybe the ports can be bound together."

    You can't have two different interfaces using IPs on the same subnet unless you use link aggregation (LACP/bonded interfaces). And the VPN tunnel endpoint must use the server's "real" public IP, not an alias one. You could use the second interface, but then you would need to use NAT and a private IP subnet for that, which can be a good thing if you don't have enough public IPs, or don't want to use them, for the VPN client IP pool. I guess you use the firewall to protect the VPN client IPs when connected? You can still reach the Internet through the VPN (if desired) if you make the VPN the default route (ipforwarding must be on; it is turned on automatically if NAT is on).
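As an added check (not code from either poster), the subnet rule in this reply applied to the two layouts Mike describes: both addresses as primary plus alias on Ethernet 1, versus the .140 address moved to Ethernet 2. The addresses 203.0.113.130/140, the /24 mask and the interface names en0/en1 are constructed stand-ins, since the thread masks the real values.

```python
"""Sanity-check an interface/alias plan for the same-subnet conflict above."""
import ipaddress
from collections import defaultdict

# Constructed stand-ins for the masked xxx.xxx.xxx.130 / .140 addresses in the
# thread (203.0.113.0/24 is a documentation range, not a real deployment);
# the /24 mask is an assumption, the thread never states it.
SERVER_CIDR = "203.0.113.130/24"   # server.company.com, primary address
VPN_CIDR = "203.0.113.140/24"      # vpn.company.com, alias for the VPN endpoint


def subnet_conflicts(plan, bonded=()):
    """Return [(subnet, [links])] for every subnet that is configured on
    more than one distinct physical link.

    plan:   list of (interface, "ip/prefix"); the first entry for an
            interface is its primary address, later entries are aliases.
    bonded: interface names that are members of one LACP bond; they are
            collapsed into a single logical link, so sharing a subnet is fine.
    """
    links_per_subnet = defaultdict(set)
    for iface, cidr in plan:
        net = ipaddress.ip_interface(cidr).network
        links_per_subnet[net].add("bond0" if iface in bonded else iface)
    return [(str(net), sorted(links))
            for net, links in links_per_subnet.items() if len(links) > 1]


def address_roles(plan):
    """Map each address to 'primary' or 'alias' on its interface, so it is
    visible whether the VPN endpoint sits on the real address or an alias."""
    roles, seen = {}, set()
    for iface, cidr in plan:
        ip = str(ipaddress.ip_interface(cidr).ip)
        roles[ip] = "alias" if iface in seen else "primary"
        seen.add(iface)
    return roles


# The layout Mike ended up with: both addresses on Ethernet 1 (en0).
ALIAS_PLAN = [("en0", SERVER_CIDR), ("en0", VPN_CIDR)]
# The layout he wondered about: the VPN address moved to Ethernet 2 (en1).
SPLIT_PLAN = [("en0", SERVER_CIDR), ("en1", VPN_CIDR)]

if __name__ == "__main__":
    print("alias plan conflicts:", subnet_conflicts(ALIAS_PLAN))   # []
    print("split plan conflicts:", subnet_conflicts(SPLIT_PLAN))   # one conflict
    print("split plan with LACP:", subnet_conflicts(SPLIT_PLAN, bonded=("en0", "en1")))
    print("address roles:", address_roles(ALIAS_PLAN))
```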