VPN Server behind Time Capsule

Question

Level 1

0 points

VPN Server behind Time Capsule

I have a mixed environment at home, with several Macs, two Ubuntu servers and 3 Vista laptops the family uses. Recently I had the need to setup a VPN server on one of the Windows machines with standard PPTP/L2TP, nothing out of the ordinary. All my internal clients can connect to the VPN server just fine, however, I find no specific VPN passthrough option nor a port forwarding option for GRE in Time Capsule, thus, any external connection attempts have been in vain. Yes, I have tried this by dropping all firewalls, etc for a short period of time, but to no avail.
The time capsule is hooked up directly with my ADSL2+ modem, where RFC bridging is setup on the modem to allow Time Capsule to be my sole NAT devices.

Any insight into this, or has anyone else had success with this?

Macbook, Mac OS X (10.5.5)

Posted on Sep 24, 2008 10:13 PM

Reply

Answer 1

Ahmed.S Author

Level 1

0 points

Sep 24, 2008 11:18 PM in response to Ahmed.S

Forgot to mention, default host works for web, ftp, ssh and other standard ports, but not for VPN, still running in circles, any help would be appreciated.

Reply

Answer 2

PaullieG

Level 1

5 points

Sep 29, 2008 12:24 PM in response to Ahmed.S

I have the same problem. Did you find a solution?

My VPN endpoint is OS X Server 10.5.5 behind Time Capsule using PPPoA to PPPoE bridging like yourself.

I did the usual troubleshooting, like using DMZ, stopping firewalls but to no avail.

Reply

Answer 3

Ahmed.S Author

Level 1

0 points

Sep 29, 2008 12:51 PM in response to PaullieG

No, this is still pending and I do not think there is a solution, at least not a solution based solely on any of the Apple Networking products. I could piggy back on a Dlink router I have at home and that handles it just fine, but it defeats the purpose of having a single router and is unnecessary. The problem is that the "default host" option does not work as expected, it does work for many ports such as the standard tcp/udp but the Generic Routing Encapsulation doesn't work, which I would assume is part of the "VPN Passthrough" feature in TimeCapsule, but again, I don't see it working.
At this point in time, there is no solution, at least none that I have found yet. I hope someone else can respond and confirm this because I'm truly at a loss with TC.

Reply

Answer 4

PaullieG

Level 1

5 points

Sep 30, 2008 11:26 AM in response to Ahmed.S

I did extensive testing with this last night but still managed to get nowhere (did fix another NAT-PMP on IPv6 issue I had though by enabling Tunneling on the Time Capsule -- another story but my time wasn't completely wasted 😉 ).

I'm just trying to get L2TP working personally... I think this uses ESP rather than GRE but the same principle applies. I disabled all 'Back to my Mac' services too, I felt these may be interfering with IKE/NAT traversal ports (I know it's a requirement to kill these for CISCO VPN client to work).

Which ISP are you with btw? I'm on BT.. You don't think they are the root cause in my case do you? Clutching at straws now i know. 😟

Wonder id my AEBS functions any differently....

Reply

Answer 5

Oct 16, 2008 10:35 PM in response to PaullieG

Just now got this working myself after much head scratching. I turned off Back To My Mac (BTMM) because I noticed, on this helpful page of port numbers: http://support.apple.com/kb/TS1629?viewlocale=en_US that port 4500 is shared amongst VPN and BTMM services. Finally I can get back to VPN access. Back To All My Macs. ; )

For the record, I have the following ports open on my Airport Extreme to allow L2TP:
500 - IKE
4500 - NAT Transversal (This is the one that was conflicting with BTMM)
1701 - L2TP Traffic (PPTP would require a separate port)

None of these ports are spelled out in the Port Mapping pop-up menu, you need to enter them manually and point the services to your VPN server.

Good luck to you all...

Message was edited by: danpoarch

Reply

Answer 6

Jan 11, 2009 6:21 AM in response to danpoarch

Wonderful now it also works for me!
Thanks

Reply

Answer 7

Mar 13, 2009 6:51 AM in response to Ahmed.S

I'm glad to see I'm not the only one struggling with this one. I just purchased Time Capsule yesterday with firmware 7.4 I have a VPN box behind the TC firewall. When establishing a VPN connection on my local network to the VPN box the connection works fine. However whenever I attempt to connect via the WAN IP using I'm seeing errors in my VPN log about GRE (protocol 47). I have the following port-mapping's:

UDP: 500, 1701, 4500
TCP: 443, 1723

Any thoughts or comments would be greatly appreciated.

Cheers!

port number reference: http://support.apple.com/kb/TS1629?viewlocale=en_US

Reply