
VPN problem - can someone help me with "default gateway" issues?

I've got a Mac OS X Server Tiger at work, with VPN service running. I'm tunneling in from a Mac Panther laptop. The problem is that when on the VPN, I can get to targets on the office's intranet (such as our Exchange server via IMAP), and I can get to some websites (yahoo.com for example by http), but I can't get to some services such as "telnet pop.gmail.com 995" (google mail). My IT guys have not been able to configure their intranet and firewall such that both internal and all external targets are reachable. After playing with this on a Windows VPN server, they furthermore tell me that the problem is on my client end, and that I should be able to select "default gateway" on my VPN client setup on my laptop. I however don't see any options like this on the Network Connect application. Can someone tell me anything about this - is there a setting like this somewhere on the VPN client? Or, does anyone know the right settings on the server to allow both internal and all external targets to be seen? The IT guy said the Apple VPN server was handing out weird addresses they couldn't anticipate to let through the firewall (outbound). Any help would be greatly appreciated...

Thanks,

Mike

G4

Posted on Dec 16, 2005 12:42 PM

Question marked as Best reply

Posted on Dec 17, 2005 2:22 AM

Hi Michael

Can you give more details about
"The IT guy said the Apple VPN server was handing out weird addresses they couldn't anticipate to let through the firewall (outbound)"

Do you mean IP addresses?

The default gateway and IP address are given to the client by the server. When you have connected via VPN, if you look in System Preferences > Network, you should see an interface called VPN, and there it will display the IP address assigned by the VPN server and the Router (default gateway) address.

Regards

David

Too many! Mac OS X (10.4.3)

Dec 17, 2005 6:27 PM in response to Michael Levin

Quickest answer is that more than likely the IT 'Guys' are blocking non-standard ports outbound. To test this, 'go' to work, hop on any machine (that is not VPN'ed in) and attempt your telnet://pop.gmail.com:995/ and I am 99.9% sure it will not work, therefore proving that the VPN attempt will not work either.

-----Begin Quote
The problem is that when on the VPN, I can get to targets on the office's intranet (such as our Exchange server via IMAP), and I can get to some websites (yahoo.com for example by http), but I can't get to some services such as "telnet pop.gmail.com 995" (google mail).
-----End Quote

To clarify that, are you on your laptop attempting this or remotely controlling a machine on the corporate network? I think you are on your laptop attempting to do some non-corporate access things ;D so the second thing you should do is to set a private address range on the Mac OS X Server such that you will only use the VPN tunnel when you need resources in that range, otherwise you will use your Internet connection (which will more than likely not be blocking anything outbound).

To do this, open Server Manager on the OS X Server (or use yours and connect it to that server), highlight VPN, then click the Settings tab (at the bottom), next click the Settings tab (at the top now) and make a PRIVATE network routing definition which will be your corporate address(es) such as 192.168.x.y and mask of 255.255.255.0 (or whatever the internal address setup of the corporate network is).

I always stop and restart after saving any changes, and you should now be able to access all of the Internet, as you will only talk to the corporate LAN via the tunnel when you truly need it.

Peter

PowerMac G5 DP 2.5Ghz Mac OS X (10.4.3)

Dec 18, 2005 12:12 PM in response to Peter Scordamaglia

-----Begin Quote
Quickest answer is that more than likely the IT 'Guys' are blocking non-standard ports outbound. To test this, 'go' to work, hop on any machine (that is not VPN'ed in) and attempt your telnet://pop.gmail.com:995/ and I am 99.9% sure it will not work, therefore proving that the VPN attempt will not work either.
-----End Quote


That syntax didn't work, but when I did
% telnet pop.gmail.com 995

I got:

Trying 66.249.83.109...
Connected to gmail-pop.l.google.com.
Escape character is '^]'.

so it did work! I think they've got it opened up for my machine certainly, and possibly for general outbound. But it doesn't work through the VPN.

-----Begin Quote
To clarify that, are you on your laptop attempting this or remotely controlling a machine on the corporate network? I think you are on your laptop attempting to do some non-corporate access things ;D
-----End Quote


right - I'm on my laptop, VPN'd into work. I've got an Entourage client which is trying to download email from my office mail server (IMAP, which is only reachable through the VPN) and from gmail. I want to be able to access USENET newsgroups through my Entourage access to Comcast's newsgroup servers, and my email, all without having to turn the VPN on and off.

-----Begin Quote
so the second thing you should do is to set a private address range on the Mac OS X Server such that you will only use the VPN tunnel when you need resources in that range, otherwise you will use your Internet connection (which will more than likely not be blocking anything outbound)

To do this, open Server Manager on the OS X Server (or use yours and connect it to that server), highlight VPN, then click the Settings tab (at the bottom), next click the Settings tab (at the top now) and make a PRIVATE network routing definition which will be your corporate address(es) such as 192.168.x.y and mask of 255.255.255.0 (or whatever the internal address setup of the corporate network is)

and you should now be able to access all of the Internet, as you will only talk to the corporate LAN via the tunnel when you truly need it.
-----End Quote


that sounds like a great fix. I'll try it tomorrow and see if it works.

Thanks!!

Mike

Dec 19, 2005 5:28 AM in response to Peter Scordamaglia

-----Begin Quote
To do this, open Server Manager on the OS X Server (or use yours and connect it to that server), highlight VPN, then click the Settings tab (at the bottom), next click the Settings tab (at the top now) and make a PRIVATE network routing definition which will be your corporate address(es) such as 192.168.x.y and mask of 255.255.255.0 (or whatever the internal address setup of the corporate network is)
-----End Quote


I checked, and it turns out they've already tried that! They said that when they did that, there was no external access to anything, only to internal stuff. I also remember that they tried something else which did the opposite - I could get to the outside, but was no longer able to see internal targets...

Mike

Dec 20, 2005 12:10 AM in response to Michael Levin

If the VPN server is to forward IP beyond its local LAN IP range, IP forwarding needs to be running on it.

IP forwarding is not normally running on a server that only has a private IP (no firewall and NAT running on it).

You either have to edit the /etc/hostconfig file to say:
ipforwarding=-YES- (Panther)

or add a file called /etc/sysctl.conf saying:
net.inet.ip.forwarding=1

If you just want to try it:
sudo sysctl -w net.inet.ip.forwarding=1
turns it on immediately,

sudo sysctl -w net.inet.ip.forwarding=0
turns it off again.

The default route has to go through the VPN for this to be meaningful.
(I guess that means you don't need to setup a routing definition in the VPN server).

If you want to use a split tunnel setup (only traffic meant for the remote LAN goes into the tunnel and the rest directly out to Internet via your "home" LAN) you must have two routing definitions: one private for the remote LAN IP range (or just the part of it you want VPN users to get to) and one public 0.0.0.0/0.0.0.0.

In the Tiger VPN client there is also a setting that tries to override what the VPN server "dictates". I've used it to get split tunnel functionality from a PPTP VPN server that had no routing definition setting possibilities.
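The two routing setups described in this reply (default route through the tunnel, which needs IP forwarding on the server, versus a private route for the remote LAN plus a public 0.0.0.0/0.0.0.0 route for a split tunnel) can be told apart on the client from its route table. The following is an added example, not code from the thread: it parses constructed route tables in the layout `netstat -rn` prints on Mac OS X (interface names ppp0/en0 and all addresses are assumptions) and reports which interface carries a given destination and whether the tunnel is full or split.

```python
import ipaddress

# Constructed samples in the layout of `netstat -rn` (IPv4 section) on
# Mac OS X. ppp0 is the VPN tunnel interface, en0 the home LAN; the
# addresses are made up. Only the Destination and Netif columns are used.
SPLIT_TUNNEL = """\
Destination        Gateway            Flags    Refs  Use  Netif
default            10.0.1.1           UGSc       12    0  en0
10.0.1/24          link#4             UCS         2    0  en0
192.168.5/24       192.168.5.1        UGSc        0    0  ppp0
192.168.5.1        192.168.5.200      UH          1    0  ppp0
"""
FULL_TUNNEL = """\
Destination        Gateway            Flags    Refs  Use  Netif
default            192.168.5.1        UGSc       12    0  ppp0
10.0.1/24          link#4             UCS         2    0  en0
192.168.5.1        192.168.5.200      UH          1    0  ppp0
"""

def to_network(dest):
    """Expand netstat's short forms ('default', '10.0.1/24') to a network."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    addr = ".".join(octets + ["0"] * (4 - len(octets)))  # 10.0.1 -> 10.0.1.0
    return ipaddress.ip_network(f"{addr}/{plen or 32}")

def parse_routes(text):
    """Return [(network, netif), ...] from the table, skipping the header."""
    routes = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        routes.append((to_network(fields[0]), fields[-1]))
    return routes

def route_for(routes, dest_ip):
    """Interface that carries traffic to dest_ip: longest prefix wins."""
    ip = ipaddress.ip_address(dest_ip)
    _net, netif = max((r for r in routes if ip in r[0]),
                      key=lambda r: r[0].prefixlen)
    return netif

def tunnel_mode(routes):
    """'full' if the default route points into the tunnel, else 'split'."""
    default_if = next(netif for net, netif in routes if net.prefixlen == 0)
    return "full" if default_if.startswith("ppp") else "split"
```

With the split table, 66.249.83.109 (the pop.gmail.com address from the telnet test above) leaves via en0 while 192.168.5.x goes into ppp0; with the full table everything goes into ppp0 and reaches the outside only if the server forwards it.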

Dec 21, 2005 6:09 AM in response to Michael Levin

Yeah, for me just about every update and sometimes a stiff wind will make my VPN server 'forget' its settings.

If you go to Server Admin, you will see that VPN is 'green' (running), but if you go to each tab in settings (and I do mean every one) it has 'forgotten' every one of them, so just set up the tabs again and stop and restart the service and it will come back to life.

Peter

PowerMac G5 Dual 2.5Ghz Mac OS X (10.4.3) Mac OS X Server
