
L2TP VPN, 2 ethernet ports, Mac Mini Server

I have a Mac Mini server running 10.6.8 offering VPN services.


This box is an Open Directory replica.


It is also the primary DNS server on the LAN.


This Mini has onboard Ethernet connected to the LAN, using 192.x.x.x


It also has USB Ethernet connected to a switch in our DMZ. The USB Ethernet has a real-world IP address of 72.x.x.x


VPN offered is L2TP over IPSEC, with Directory Service authentication using MS-Chap v2



VPN works GREAT using L2TP IF the USB Ethernet is set as the primary network interface.


That means USB Ethernet must be listed at the top in the 'Service Order' in System Preferences > Network. If it is not listed as the primary network interface the following errors show repeatedly in the VPN log on the server:



2012-07-23 14:57:35 EDT Incoming call... Address given to client = 192.168.0.253

Mon Jul 23 14:57:35 2012 : Directory Services Authentication plugin initialized

Mon Jul 23 14:57:35 2012 : Directory Services Authorization plugin initialized

Mon Jul 23 14:57:35 2012 : L2TP incoming call in progress from '166.147.112.201'...

Mon Jul 23 14:57:35 2012 : L2TP received SCCRQ

Mon Jul 23 14:57:35 2012 : L2TP sent SCCRP

2012-07-23 14:57:36 EDT --> Client with address = 192.168.0.248 has hungup


But having USB Ethernet listed at the top is inconvenient for other reasons, since running


sudo changeip -checkhostname


returns the external IP Address of the server listed.


This munges communication with the OD Master on the LAN and screws with some 3rd party servers that refer to the OD Master and Replica on the LAN.


My questions...


Is it expected that the L2TP VPN must be on the primary interface (can't find any info from Apple on this but see some rumors on the web)?


Can I switch it to the secondary by any means?


If not, how do I make this setup work well, keep the OD replica in sync and keep other services which refer to the OD replica happy?


Thanks,


b.

Mac OS X (10.6.8)

Posted on Jul 23, 2012 1:11 PM


Jul 24, 2012 2:27 PM in response to buckster

I ran a 10.6 Server with two Ethernet connections in a similar manner to what you are trying. However, I avoided the problem you're experiencing by handling the DNS aspect differently.


It is not clear from your post but are you using the same domain name internally and externally? That is a 'real' domain name? There is nothing wrong with doing this (I did myself) and this approach is referred to as a 'split-horizon' DNS configuration. However you need to have two different DNS servers involved, one handling the internal side of things, and one handling the external side of things.


I did this by having my internal DNS server on a different (internal) server which happened to be my Open Directory Master. I then had my external DNS server handled by my ISP, however you could do this yourself on a second computer which could be your Open Directory Replica as now.


What you need to do however is to tell both of your Ethernet interfaces on your VPN/OD Replica to use your internal DNS server. You would then define a hostname in the internal DNS zone which uses the internal IP address. The external DNS server would point to the external public IP address instead. As you are only using the internal DNS server to actually do lookups yourself it will correctly resolve for Open Directory purposes.


If you're going to act as the full-blown DNS server for your domain for the rest of the Internet to use, then it would be the NS Server that you would advertise publicly. This will not interfere with internal use as you should tell all your internal devices to use the separate internal DNS server.

Jul 24, 2012 3:41 PM in response to John Lockwood

Hi John Lockwood,


Thanks for your answer.

It is not clear from your post but are you using the same domain name internally and externally? That is a 'real' domain name?

Yes, I am doing split-horizon DNS.


Our internal DNS server (running on this same box) has the A name defined internally, resolving to 192.x.x.x


Our ISP handles the 'real-world' A name for the server externally, resolving to the external address to 72.x.x.x


What you need to do however is to tell both of your Ethernet interfaces on your VPN/OD Replica to use your internal DNS server. You would then define a hostname in the internal DNS zone which uses the internal IP address.


Both interfaces do refer to the internal DNS. And I have defined the internal hostname on the internal DNS as an A name, resolving to 192.x.x.x.


The problem is that the external interface MUST be listed first for VPN to work, i.e., IP address is 72.x.x.x


So, when ethernet port 72.x.x.x looks itself up on the internal server it does not get resolved internally - it is forwarded for lookup at ISP level.


And, since it is listed first, it becomes the server's primary IP address for OD purposes.


Server admin does allow for multiple IP addresses to be set for a single A name. This would seem to be a good option. But, in trying this, the DNS server sometimes passes out the 72.x.x.x to internal clients, and sometimes 192.x.x.x. There does not seem to be a way to control this.


Thanks for the advice so far. I hope I am missing something 🙂


b.

Jul 24, 2012 6:05 PM in response to buckster

I have done this setup at two different sites with no issues. I have the external interface as the top one like you.


I have the same host name for the VPN server used internally and officially by the public IP address for the Internet, e.g. server1.example.com is the host name both internally and externally.


Internally it will resolve to a 192.168.x.x style address, externally it will resolve to a public IP address. Externally the reverse DNS lookup of the external IP address resolves to the server1.example.com address, internally the 192.168.x.x address resolves to it. On the server itself changeip -checkhostname shows the external IP address and the DNS and hostnames both matching as in this example server1.example.com


Having checked the DNS settings I am actually surprised at one issue. While I can see that on the VPN server, which is set as discussed to only use the internal DNS server, when I do a lookup of server1.example.com I get as expected the internal IP address. When I do a reverse lookup of the internal IP address I do get server1.example.com as expected, but as I have not defined a reverse PTR for the external IP address I am surprised it is correctly resolving it to the server1.example.com (i.e. correct) hostname. This reverse PTR will be defined on my ISP, but my server is only supposed to be using my internal DNS server and as mentioned I have not (yet) defined that entry.


I think the important thing is to use the same host name for this server both externally and internally.
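As an added example (not posted by anyone in this thread), the following script models the two DNS views John describes and checks the properties the replies rely on: the same hostname in both views, private addresses only in the internal view, public addresses only in the external view, and PTR records that agree with the A records; it also flags the pitfall buckster hit, where one A name carrying both a 192.x and a 72.x address lets the internal server hand the public address to internal clients. The zone data, the hostname server1.example.com and the addresses 192.168.0.10 and 72.0.2.10 are constructed stand-ins for the redacted values in the thread.

```python
"""Split-horizon DNS consistency check (added example, constructed data)."""
import ipaddress

# Constructed sample views; the thread's real 192.x.x.x / 72.x.x.x are redacted.
INTERNAL_VIEW = {
    "A": {"server1.example.com": ["192.168.0.10"]},
    "PTR": {"192.168.0.10": "server1.example.com"},
}
EXTERNAL_VIEW = {
    "A": {"server1.example.com": ["72.0.2.10"]},   # stands in for the public IP
    "PTR": {"72.0.2.10": "server1.example.com"},
}
# The problematic variant from the thread: both addresses behind one A name
# on the internal server, so round-robin answers leak the public address.
MIXED_INTERNAL_VIEW = {
    "A": {"server1.example.com": ["192.168.0.10", "72.0.2.10"]},
    "PTR": {"192.168.0.10": "server1.example.com"},
}


def check_view(view, hostname, expect_private):
    """Return a list of findings for one DNS view; empty means consistent."""
    findings = []
    addrs = view["A"].get(hostname, [])
    if not addrs:
        return [f"{hostname}: no A record in this view"]
    # A single RR set mixing private and public addresses is the leak case.
    kinds = {ipaddress.ip_address(a).is_private for a in addrs}
    if len(kinds) > 1:
        findings.append(f"{hostname}: A record mixes private and public addresses {addrs}")
    for a in addrs:
        private = ipaddress.ip_address(a).is_private
        if private != expect_private:
            findings.append(f"{hostname}: {a} is {'private' if private else 'public'}, "
                            f"expected {'private' if expect_private else 'public'}")
        # Forward and reverse must agree so changeip-style hostname checks pass.
        ptr = view["PTR"].get(a)
        if ptr != hostname:
            findings.append(f"{a}: PTR is {ptr!r}, expected {hostname!r}")
    return findings


def check_split_horizon(internal, external, hostname):
    """Check both views: internal must be private-only, external public-only."""
    return (check_view(internal, hostname, expect_private=True)
            + check_view(external, hostname, expect_private=False))


if __name__ == "__main__":
    print(check_split_horizon(INTERNAL_VIEW, EXTERNAL_VIEW, "server1.example.com"))
    print(check_view(MIXED_INTERNAL_VIEW, "server1.example.com", expect_private=True))
```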
