9 Replies Latest reply: Dec 30, 2010 4:39 AM by Leif Carlsson
ploughguy Level 1 (0 points)
Hi,

Question 1: Can you confirm if the VNC server in Snow Leopard works out of the box, once Screen Sharing and the VNC password are set up in Preferences? I am trying to connect from RealVNC from Windows XP.

Question 2: Does anyone have any idea how to reliably get an L2TP VPN working from Snow Leopard over a 3G connection? If I can get a working answer to Q2, then I don't care about Q1.

The Back-Story...
I am trying to get access to my iMac desktop through a VPN running over 3G. I would rather use dial-up because it is easier and quicker (in that by the time I get this mess running I could have finished my life's work and retired) but something inside keeps saying that it should all Just Work.

For those who are amused by the misfortune of others, the VPN connects from my Snow Leopard laptop, but it will not pass traffic. No pings, no nothing. I tried to add a route sending all 192.168 traffic down the hose, but my reward was the grey curtain of death and an OS X reboot.

Anyway, I have given up on the whole 3G thing from Snow Leopard - it is so unpredictable that it gets embarrassing when other (Windows) people are looking on.

    However, my MacBook has a copy of Windows XP running in Fusion. It makes me feel queasy to even think this, but I get nostalgic for the networking in Windows (it was a pain at the time, but now it looks positively shiny).

I get it to take over the 3G usb thingo, and it creates a VPN first time, and I can access the web server on the iMac through it. I could probably even get it to share files if I spent half a day on it (Oh, right... I forgot - It Just Works... barely.) However, what I need to be able to do is see the iMac screen from the laptop. If the **** routing would work, I could use Apple's Screen Sharing, but it doesn't so I have to use VNC from the Windows VM.

Now I am trying to get VNC to connect from Windows to the iMac. This Just Works too... I have downloaded the latest version of realVNC (the free version) and installed it into Windows on the laptop. I have activated Screen Sharing in Preferences on the iMac, and set a VNC password.

When I try to connect using RealVNC, I enter the host name, I get another window asking for the password, then when I hit Enter, I get a bright flash of dark as VNC seems to open a screen window then ka-foopa - it is gone. In Task Manager, the client has disappeared.

I have seen a lot of messages doing a lot of discussion about this, and it does not look good. If I wanted to muck about with stuff just for the fun of it, I could have saved a lot of dough and switched to Linux.

It is nearly 2011, and this stuff should all be working by now - VPN and VNC have been around for a decade and it still needs witchcraft to get it to work. Why is that?

Imac/MacBook, Mac OS X (10.6.3)
  • Antonio Rocco Level 6 (10,390 points)
    Hi

    +"When I try to connect using RealVNC . . . then when I hit Enter, I get a bright flash of dark as VNC seems to open a screen window then ka-foopa - it is gone"+

    RealVNC Viewer by default has a low setting for its Graphics Option. You need to change this (click the options button) to the highest possible resolution. I always assign a different password for the 'VNC Viewers may control this computer with password' option. Works every time for me.

    Q1 - I can confirm in my experience that it does indeed work. I don't bother with Screen Sharing itself as I prefer the additional Control features (assuming ARD) you get with Remote Management.

    Q2 - I've re-read your post a number of times and it's not clear to me if what you're trying to do involves OSX Server or OSX Server's VPN Service?

    Along with many others I have no problems at all with VPN or VNC regardless of platform. On the other hand (and assuming you do actually mean OSX Server's VPN Service) I stopped using OSX Server's VPN/Firewall/NAT Services since 10.5 as I found them unreliable and liable to break for no obvious reason. Having said that the Services can struggle if there's a 3rd-Party Firewall/Router involved. You have to configure the Firewall correctly. Additionally the features you want may not be there? Depends on what you're using? If it was me I would let the Firewall/Router handle it. Provided it's capable of doing so?

    Another alternative is to wait until some of the guys who persevere with this post. Camelot and Leif are two names that come to mind. Perhaps you should search/browse the Forum and see what comes up. As you're probably aware yours is not the first post that discusses this.

    My 2p.

    Tony
  • ploughguy Level 1 (0 points)
    Tony,
    Thank you for your very snappy reply. And so full of good news, too.

    You have solved my Question 1 problem - I foolishly tried to conserve bandwidth by selecting 16k colours instead of the full palette. Probably because I thought it would be quicker. Indeed not. It made it deader, instead. So that works, and I thank you hugely for your suggestion.

    As for question 2, there is no OS X Server involved at all. My VPN goes from my laptop, via a 3G USB dongle to my ADSL router, which is a Billion Bipac something. So the client end is at the laptop, and the server end of the VPN is in the router. Once the VPN is up, I can access my entire office network. The ultimate target system is an iMac running Snow Leopard desktop edition.

    The problem I am having (and I know that I am not the only one) is convincing OS X to route stuff through the VPN connection. It connects, but nothing flows. The configuration at the router is good enough that Windows can connect instantly and reliably and with no messing around with config or routes - it just worked.

    Furthermore, OS X can connect to the VPN from the laptop through a wired ethernet connection. It just seems to hate the 3G for some reason. In the past, on the other hand, I have managed to get it to connect to other VPNs. I have tried using route add -net to force the use of the VPN, but it does not help, which leads me to believe there is some other problem.

    The work-around solution might be to forget running the 3G from OS X and buy an external 3G router, and cable the laptop into it. It is a bit of a kludge though. And another $200 bit of hardware that I have to cart around. And find a power point for - not ideal.
  • Antonio Rocco Level 6 (10,390 points)
    Hi

    Is this the product?

    http://www.billion.com/product/adsl/bipac5200s-firewall-adsl2-router.html

    The one above only seems to support VPN Passthrough? The other Billion products I've googled that do appear to support VPN endpoint are seemingly discontinued? My search was a quick one and there may be something more definitive? If the Router/Firewall supports VPN Passthrough would it be reasonable to assume there's something else on the private side of the Firewall that actually terminates the VPN tunnel?

    Tony
  • MrHoffman Level 6 (13,190 points)
    Mac OS X client and Mac OS X Server do operate via VPN.

    Confirm that you're not operating both the source and destination networks in the same subnet; that plays havoc with VPN routing. Specifically, 192.168.0.0/24 and 192.168.1.0/24 are ubiquitous subnets, and are thus poor choices for your target network when VPN services are expected.

    And also test with IP routing configured to send all traffic over the VPN.

    FWIW, you're in the Mac OS X Server forums. [Here is the client networking forum|http://discussions.apple.com/forum.jspa?forumID=1343].
  • ploughguy Level 1 (0 points)
    Antonio Rocco wrote:
    Hi

    Is this the product?

    http://www.billion.com/product/adsl/bipac5200s-firewall-adsl2-router.html

    The one above only seems to support VPN Passthrough? The other Billion products I've googled that do appear to support VPN endpoint are seemingly discontinued? My search was a quick one and there may be something more definitive? If the Router/Firewall supports VPN Passthrough would it be reasonable to assume there's something else on the private side of the Firewall that actually terminates the VPN tunnel?

    Tony,
    My unit is a 7404VNOX which is a:

    *BiPAC 7404VNOX 3G/VoIP/802.11n ADSL2+ VPN Firewall Router with PSTN Fixed-line support*

    And remember, my Windows VM connects to it without hassle. In fact, the VPN and the VNC connection stayed up all night. This would imply that the host end of the VPN is just fine.
    Russ
  • ploughguy Level 1 (0 points)
    MrHoffman wrote:
    Mac OS X client and Mac OS X Server do operate via VPN.

    Confirm that you're not operating both the source and destination networks in the same subnet; that plays havoc with VPN routing. Specifically, 192.168.0.0/24 and 192.168.1.0/24 are ubiquitous subnets, and are thus poor choices for your target network when VPN services are expected.

    And also test with IP routing configured to send all traffic over the VPN.

    FWIW, you're in the Mac OS X Server forums. [Here is the client networking forum|http://discussions.apple.com/forum.jspa?forumID=1343].

    My humblest apologies for posting into the wrong forum. However, it does seem to be where the smart folks hang out. And they know how to wield an apostrophe when it is appropriate...

    But that's enough self-abasement and fawning.

    The target subnet is indeed a 192.168.1.x network. The laptop, however, is running in isolation - just the 3G router, which gives it a network address of 128.184.178.x with a subnet mask of 255.255.255.0.
  • MrHoffman Level 6 (13,190 points)
    That crash certainly looks like a kernel fault, and that's not auspicious. What sort of client software are you using with this USB dongle? The integrated IP and VPN software, or something from the vendor? And does the USB dongle vendor claim Mac OS X support? (If so, they're probably good for a support call.)

    To confirm, the client has no other active connections to a subnet in the 192.168.0.0/16 block, and no static routes set for subnets in that block?

    L2TP classically has interesting problems with NAT (well, most stuff has problems with NAT to some degree or another), which is one of the reasons why having the VPN at the firewall can be the easiest approach. IPSec expects UDP port 500 and ESP (protocol 50) for site to site non-NAT. L2TP expects UDP port 500, UDP port 1701 and UDP port 4500 when behind NAT.

    There's clearly something different in the 3G path; a port or protocol that the Mac VPN client needs is getting blocked.

    FWIW, the local [VPN documentation|http://www.deakin.edu.au/services/assets/resources/computing/wireless/userguide-vpn-mac.pdf] is pointing to the use of PPTP, and not to L2TP. Checked with the campus 3G networking folks, to see if they have particular suggestions? And there's a [connection-testing write-up posted|http://discussions.apple.com/message.jspa?messageID=11178175] that might be interesting to try, too.

    And if PPTP won't meet your needs and you want access into all the gazillions of knobs underneath a VPN, there's the IPsecuritas client.
  • ploughguy Level 1 (0 points)
    Mr Hoffman, you are right about the kernel fault it gives me the willies.

    _Client software and the dongle_
    The dongle is a Sierra Wireless USB 308 branded as Bigpond Elite 21 (because I am an elite kinda guy) and it has been working well under many circumstances for some time. There is a connection app that is part of the OS X support kit for the USB 308 device.

    For the VPN, I am using OS X's network prefs. The dongle turns up in NetPrefs' connection list as USB 308. To make the connection, I start the connection app and it dials and logs into the network.

    Also, I can use it to successfully connect to other VPNs, just not this one so it mostly works.

    I have called the carrier's support desk and they don't provide free support for network apps. However, they do have a paid support product (Telstra Plus) which charges $59 if they solve your problem. I called them and they were very sympathetic until they heard "Mac" but bravely soldiered on until they completely lost interest when I mentioned "VPN".

    _Active Connections_
    According to Network Prefs, the only active connection is the USB 308, and the IP address it is assigned is 124.183.blah. The DNS server addresses automatically set by the connection are 61.something. There is no indication of a 192.168.1 network other than at the target.

    Output from netstat -rn on the client machine indicates that the only active networks are en2 (the USB 308) and lo0. There are no 192.168 routes listed in the routing table.

    L2TP
    We know the L2TP is working (and that the carrier network supports it) because the windows VM on the MacBook can successfully connect using the identical hardware. The only differences are the client software for the USB 308 and the OS.

    PPTP
    We don't use PPTP because (a) Microsoft cooked it up, and (b) L2TP over IPSEC is said to be solidly secure. However I have just taken it for a spin and it is working. So it is a fallback. It can be argued that PPTP must be OK because so many people use it, but you can say that about Windows too, and I won't believe you.

    I have installed IPsecuritas (which I like a lot), I have carefully matched the settings in the router with the settings with IPSecuritas, and it still doesn't work. I suspect that IPSec/L2TP is not meant to be used, but rather just created to be admired from a distance.

    Of course it could be the router. Any company that calls itself Billion is suspect from the outset, no?

    I will shake their tree and see if they will confess to anything.
    Russ.
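MrHoffman's two routing checks (no other connection or static route into 192.168.0.0/16 on the client, and confirm what the routing table actually does with office-bound traffic once the tunnel is up) and Russ's `netstat -rn` reading above are the kind of thing that is easy to misjudge by eye, because BSD `netstat` abbreviates destinations ("127", "124.183/16", "default"). The script below is an added example, not code from the thread, Apple or Billion: it parses the IPv4 section of `netstat -rn`, does a longest-prefix match for a target host, and reports whether the packet would leave on the tunnel interface or fall through to the default route on the 3G interface, plus any non-tunnel route that overlaps the office block. The `netstat` text, addresses and interface names (en2 for the dongle, ppp0 for the L2TP tunnel) are constructed for the example; the classful expansion of abbreviated destinations is an assumption about how BSD `netstat` prints them.

```python
import ipaddress

# Constructed sample of the IPv4 section of `netstat -rn` on the laptop:
# the 3G dongle (en2) and loopback are up, the VPN interface (ppp0) has a
# point-to-point host route, but no route for the office subnet exists.
# All addresses are made up for the example.
NETSTAT_VPN_UP_NO_ROUTE = """\
Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            124.183.0.1        UGSc           12        0     en2
124.183/16         link#6             UCS             2        0     en2
124.183.0.1        0:0:0:0:0:0        UHLWI           1        0     en2
127                127.0.0.1          UCS             0        0     lo0
127.0.0.1          127.0.0.1          UH              3        0     lo0
10.0.0.1           10.0.0.1           UH              0        0     ppp0

Internet6:
Destination        Gateway            Flags         Netif Expire
::1                ::1                UHL           lo0
"""

# Same table after a route for the office subnet via the tunnel is added.
NETSTAT_VPN_ROUTED = NETSTAT_VPN_UP_NO_ROUTE.replace(
    "\nInternet6:",
    "192.168.1/24       10.0.0.1           UGSc            0        0     ppp0\n\nInternet6:",
)

# Same again, but a local LAN (en1) also uses 192.168.1.0/24: the overlap
# MrHoffman warned about. The local route wins the tie and the tunnel is bypassed.
NETSTAT_CONFLICT = NETSTAT_VPN_ROUTED.replace(
    "\n192.168.1/24",
    "\n192.168.1/24       link#5             UCS             0        0     en1\n192.168.1/24",
)


def to_network(dest):
    """Expand netstat's abbreviated destinations ('default', '127',
    '124.183/16', '10.0.0.1') into an IPv4Network. Assumption: a destination
    printed without a prefix is classful, 8 bits per printed octet."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, prefix = dest.partition("/")
    octets = addr.split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() for o in octets):
        raise ValueError("not an IPv4 destination: " + dest)
    if not prefix:
        prefix = "32" if len(octets) == 4 else str(8 * len(octets))
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + prefix, strict=False)


def parse_netstat_rn(text):
    """Return (network, gateway, interface) tuples from the IPv4 section only."""
    routes, in_table = [], False
    for line in text.splitlines():
        if line.startswith("Destination"):
            in_table = True
            continue
        if not in_table:
            continue
        if not line.strip():
            break                      # blank line ends the IPv4 section
        fields = line.split()
        if len(fields) < 6:
            continue
        try:
            routes.append((to_network(fields[0]), fields[1], fields[5]))
        except ValueError:
            continue                   # link-level or otherwise unparsable row
    return routes


def route_for(ip, routes):
    """Longest-prefix match: (network, gateway, interface) that carries ip."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, gw, ifname in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, ifname)
    return best


def conflicting_routes(routes, target_block, vpn_prefix="ppp"):
    """Non-default routes into target_block that do not go over the tunnel."""
    block = ipaddress.ip_network(target_block)
    return [r for r in routes
            if r[0].prefixlen > 0 and r[0].overlaps(block)
            and not r[2].startswith(vpn_prefix) and not r[2].startswith("lo")]


def diagnose(netstat_text, target_ip, target_block="192.168.1.0/24", vpn_prefix="ppp"):
    routes = parse_netstat_rn(netstat_text)
    hit = route_for(target_ip, routes)
    egress = hit[2] if hit else None
    return {
        "egress": egress,
        "via_vpn": bool(egress) and egress.startswith(vpn_prefix),
        "conflicts": [str(r[0]) + " on " + r[2]
                      for r in conflicting_routes(routes, target_block, vpn_prefix)],
    }


if __name__ == "__main__":
    for name, table in [("no route", NETSTAT_VPN_UP_NO_ROUTE),
                        ("routed", NETSTAT_VPN_ROUTED), ("conflict", NETSTAT_CONFLICT)]:
        print(name, diagnose(table, "192.168.1.10"))
```

On a real machine the input is `netstat -rn` output pasted in or read from a pipe; the first sample reproduces the "connects but nothing flows" symptom, where office-bound packets leave on en2 because the only matching route is the default. The fix on the Mac side is a route for the office block over the tunnel interface (`route add -net 192.168.1.0/24 -interface ppp0`, or letting the VPN profile send all traffic through the tunnel as MrHoffman suggested); given the kernel panic Russ reported when adding a route, run the check first and add the route only when the table really lacks it.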
  • Leif Carlsson Level 5 (4,950 points)
    The built-in XP L2TP client in Windows doesn't expect the L2TP server to be behind a NAT router, so it will use the ESP protocol and UDP port 500 by default, regardless of whether the server, the client or both use a private IP (this behaviour can be changed in the registry, for example when connecting to an Apple L2TP VPN server behind NAT).

    The Apple built-in L2TP client will use only UDP ports (with ESP encapsulated in UDP packets) if either or both of server AND client use a NATed private IP.

    Only if server AND client both have a public IP will it use the same (or a similar) method as the Windows client does in its default config.

    Your L2TP VPN server must match the settings that the Apple VPN client uses for it to have a chance to work, but if the Apple L2TP VPN client connects from behind NAT it will probably not work.

    The Apple L2TP client demands MS-CHAP v2 - does your router support it?

    I can't say what authentication and encryption methods the Apple L2TP client uses, but from your router manual: "Both sides should use the same value"

    In OS X, connection attempts are reported to ppp.log.

    As I understand it, IPSecuritas doesn't use L2TP (?) but rather "plain" IPSec (ESP protocol and port 500 UDP), so you might try configuring the VPN server with a site-to-site config with the remote client IP expected as 0.0.0.0 / variable and using IPSecuritas as the VPN client; it will probably increase your chances of getting it working from OS X.

    Also, the "heavier" the encryption, the harder the router has to work (the router CPU must cope or it will have trouble establishing/keeping a connection).

    HTH
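Leif's point is that the two clients put the same L2TP/IPsec session on the wire differently: the Windows XP client (default registry settings) negotiates IKE on UDP/500 and then sends raw ESP (IP protocol 50), while the Apple client, once NAT is detected, floats IKE to UDP/4500 and carries ESP inside UDP/4500 (NAT-T, RFC 3947/3948), so a 3G path that passes protocol 50 but not UDP/4500 lets Windows through and stalls the Mac. The script below is an added example, not code from the thread or from any vendor: it classifies packets of such an exchange and reports which ports and protocols the path must allow. It uses the RFC 3948 demultiplexing rule on UDP/4500 (a single 0xFF byte is a NAT keepalive, a 4-byte zero non-ESP marker precedes IKE, anything else starts with a non-zero ESP SPI). The packet records are constructed tuples of (IP protocol, source port, destination port, payload), not captures, and the byte contents are made up beyond the fields the classifier inspects.

```python
import struct


def ike_header():
    """Minimal 28-byte ISAKMP header: initiator SPI, responder SPI, next
    payload, version 1.0, exchange type 2 (identity protection), flags,
    message id, length. Contents are made up for the example."""
    return struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, 1, 0x10, 2, 0, 0, 28)


def esp_packet(spi=0x1234ABCD, seq=1):
    """ESP header (SPI, sequence number) followed by opaque encrypted bytes."""
    return struct.pack("!II", spi, seq) + b"\xaa" * 16


def classify(ip_proto, sport, dport, payload):
    """Label one packet of an L2TP/IPsec exchange. ip_proto 17 = UDP, 50 = ESP."""
    if ip_proto == 50:
        return "esp"                  # raw ESP; cannot be port-translated by NAT
    if ip_proto != 17:
        return "other"
    if 500 in (sport, dport):
        return "ike"                  # IKE/ISAKMP before (or without) NAT-T
    if 4500 in (sport, dport):
        if payload == b"\xff":
            return "nat-keepalive"    # RFC 3948 section 2.3
        if payload[:4] == b"\x00\x00\x00\x00":
            return "ike-natt"         # non-ESP marker, IKE floated to 4500
        if len(payload) >= 8:
            return "esp-udp"          # ESP SPI is never zero: UDP-encapsulated ESP
        return "malformed-4500"
    if 1701 in (sport, dport):
        return "l2tp-clear"           # L2TP visible outside ESP: not protected by IPsec
    return "other"


# What the network path must permit for each kind of packet.
PATH_NEEDS = {
    "esp": "ip-proto-50",
    "ike": "udp/500",
    "ike-natt": "udp/4500",
    "esp-udp": "udp/4500",
    "nat-keepalive": "udp/4500",
    "l2tp-clear": "udp/1701",
}


def summarize(packets):
    labels = [classify(*p) for p in packets]
    needs = {PATH_NEEDS[label] for label in labels if label in PATH_NEEDS}
    if "esp" in labels:
        mode = "raw ESP (no NAT-T)"
    elif "esp-udp" in labels:
        mode = "UDP-encapsulated ESP (NAT-T)"
    elif "ike" in labels or "ike-natt" in labels:
        mode = "IKE only, no protected data traffic seen"
    else:
        mode = "no IPsec seen"
    return {"labels": labels, "path_must_allow": sorted(needs), "mode": mode,
            "l2tp_unprotected": "l2tp-clear" in labels}


# Constructed: Windows XP default behaviour as Leif describes it.
WINDOWS_DEFAULT = [
    (17, 500, 500, ike_header()),
    (17, 500, 500, ike_header()),
    (50, 0, 0, esp_packet()),
]

# Constructed: Apple client behind NAT. IKE starts on 500, floats to 4500 with
# the non-ESP marker, then ESP-in-UDP data and a keepalive.
APPLE_BEHIND_NAT = [
    (17, 500, 500, ike_header()),
    (17, 4500, 4500, b"\x00\x00\x00\x00" + ike_header()),
    (17, 4500, 4500, esp_packet()),
    (17, 4500, 4500, b"\xff"),
]


if __name__ == "__main__":
    print("Windows:", summarize(WINDOWS_DEFAULT))
    print("Apple:  ", summarize(APPLE_BEHIND_NAT))
```

Fed real packets from a capture at the router's WAN side, the "path_must_allow" set is the firewall rule list to verify for each client, and the `l2tp_unprotected` flag catches the case where UDP/1701 shows up outside ESP, meaning the IPsec phase never completed and the L2TP endpoint is talking in the clear. Whether the Billion router actually accepts UDP/4500 NAT-T from the Mac is a question for its manual, not for this script.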