L2TP Comcast SMC Gateway

Hello,


I cannot get my L2TP VPN working through my Comcast Business Gateway (Firewall). I have UDP ports 500, 1701, 4500 and ESP protocol forwarded (see attached). VPN does work with Firewall off (DMZ to server). I have also tried opening TCP Port 1723 and GRE but I understand these are for PPTP. Any suggestions?


Thank you.


Posted on Dec 27, 2011 10:34 AM

3 replies

Dec 27, 2011 3:01 PM in response to kginger_consulting

What's in your server's log for the VPN server? Any errors?


Make sure the Mac OS X Server firewall isn't blocking the ports, if you're using that.


See if PPTP works; that's far more forgiving around NAT traversal than is L2TP.


It's also easier to get a gateway-based VPN going; is that an option here? (You're not dealing with getting a VPN to traverse NAT this way, and particularly given that VPNs and NAT are really trying to do the opposite sorts of things. One's trying to ensure an IP connection is unique, and one's trying to map multiple connections to one IP.)


And get your network out of 192.168.1.1/24 (and 192.168.0.1/24), as having the same subnet on both ends of the connection will cause the VPN to encounter IP routing errors. More than a few sites will use 192.168.0.1/24 and 192.168.1.1/24, after all. Move to a subnet somewhere in 172.16.0.0/16 or 10.0.0.0/8 private blocks.
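As an added illustration of the subnet advice above (example code written for this page, not from the thread), a short Python check that flags a client LAN overlapping the office LAN and proposes a /24 from RFC 1918 space that avoids the usual router defaults; the sample addresses are constructed.

```python
import ipaddress

# RFC 1918 private blocks (a known fact, not taken from the thread).
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Subnets so common on home and small-office routers that a roaming
# client is likely to be sitting on one of them; keep the office off them.
COMMON_DEFAULTS = [
    ipaddress.ip_network("192.168.0.0/24"),
    ipaddress.ip_network("192.168.1.0/24"),
]


def overlapping(local, remote):
    """True when the client's LAN and the VPN-side LAN share addresses.

    Either argument may be a host with prefix, e.g. "192.168.1.37/24";
    strict=False normalises it to the network 192.168.1.0/24.
    """
    a = ipaddress.ip_network(local, strict=False)
    b = ipaddress.ip_network(remote, strict=False)
    return a.overlaps(b)


def pick_office_subnet(in_use, prefixlen=24):
    """Suggest the first /24 in 10.0.0.0/8 or 172.16.0.0/12 that collides
    neither with subnets already used at known sites nor with the common
    router defaults. Returns None if nothing fits."""
    taken = [ipaddress.ip_network(s, strict=False) for s in in_use]
    taken += COMMON_DEFAULTS
    for block in RFC1918[:2]:  # 192.168.0.0/16 is skipped on purpose
        for candidate in block.subnets(new_prefix=prefixlen):
            if not any(candidate.overlaps(t) for t in taken):
                return str(candidate)
    return None


if __name__ == "__main__":
    # Constructed sample: a client on a coffee-shop 192.168.1.0/24 LAN
    # dialling into an office that also uses 192.168.1.0/24.
    print(overlapping("192.168.1.37/24", "192.168.1.0/24"))   # True
    print(pick_office_subnet(["10.0.0.0/24", "10.0.1.0/24"]))  # 10.0.2.0/24
```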

Dec 27, 2011 4:31 PM in response to MrHoffman

My client machine never gets through to the server so there is no log. Like I said, when turning the Comcast Gateway firewall off there is no problem, the VPN connection works - and will work even if I'm on the same subnet. Note that I would use PPTP, but on new Lion server installs we only have L2TP and I want the additional security layer.


I have five servers that use these SMC Comcast Gateways, I may have to put it into bridge and use my own firewall appliance - maybe use a VPN Router with RADIUS for authentication (anyone recommend one that plays nice with Apple's RADIUS?)

Dec 28, 2011 7:56 AM in response to kginger_consulting

Are you connecting from a business-tier network connection to a residential service tier? That can run into port blocks at the ISP.


Before you go as far as bridged-mode operations for a gateway, open up a port that you can secure at the host (e.g. ssh, if you have good passwords, or set up an Apache site on, say, 8080) and see if things are working.


Run some tests to see if you're being port-blocked, in other words.


Lion Server does have PPTP. You will have to work a little to enable it, as management has unfortunately been removed from the GUI. (I've long ago moved off the hosts to the gateways for VPNs, so I don't tend to tangle with the host-based VPN servers.)


I've successfully run D-Link and Fortigate gateways with embedded VPN servers, as well as gateway products from various other producers. (For smaller sites, I usually don't use RADIUS; that does work, it's somewhat more complex to set up, but it obviously and particularly depends on the RADIUS server always being operational. And when I'm looking to connect a VPN, it can be because the server is down.)
