
why can only one device connect via VPN to my offsite server computer when coming from the same external IP address?

I can log in via any of my devices to my server computer but when I try to use two devices from the same IP address, one always kicks the other off. This happens even if I log in to the VPN using two different user accounts. I can't find any setting in the server interface that allows me to change this limitation.


More than one device can log in if they are originating from different external locations.


I am using L2TP protocol.


Any advice?

OS X Mountain Lion (10.8.2)

Posted on Jan 5, 2013 8:57 PM

Question marked as Best reply

Posted on Jan 6, 2013 5:17 AM

This is as designed / a limitation of VPNs, nothing to do with any restriction / fault on the Apple / Apple server side.


I will make some assumptions here that your situation is the same as described below.


The root cause for this is the fact of NAT (Network Address Translation). With NAT every device in a local LAN (Site A / Site B below) has a private IP address which is not routable on the Internet. One of the reasons for having NAT is that the IP version 4 address range is very limited. To get around this, NAT devices were invented.


The NAT device, which typically is also the device facing the Internet and acting as a router, has two interfaces: one in the LAN and one in the WAN (Internet).


(because the forum software only has very narrow width my nice text diagram below gets messed up 😠 Copy and paste it to a fixed text notepad text editor to see it properly)



    Site A         NAT Device              Internet              NAT Device         Site B

192.168.1.10---+                                                               +---192.168.2.20
               |                                                               |
192.168.1.11---+----192.168.1.1 + 123.456.789<---->987.654.321 + 192.168.2.1---+----192.168.2.21
               |                                                               |
192.168.1.12---+                                                               +---192.168.2.22



VPN tunnels (over the Internet) are tunnels established between Internet legal IP addresses, not private address range IP addresses. Now the fact that VPNs can route traffic between two devices that have private addresses is because the NAT device may support VPN passthrough. So you may be device 192.168.1.10 in Site A above and you are going to address 192.168.2.20 on the right (actually you are going to address 987.654.321 on the right) and all is well and good. The VPN tunnel is working fine until device 192.168.1.11 at your site says it wants to VPN to any device in site B. The VPN says the device behind Internet IP 123.456.789 (that my VPN tunnel is built up with) has changed, what do I do? I boot off the original device.


It's the many IPs behind the one IP (NAT) that is the problem.


Of course there is a solution for this, and that is to have combination NAT + VPN devices where the VPN tunnel (over the Internet) is done point-to-point over the external (WAN) interfaces of the devices and the device takes the VPN packet, decrypts it, and sends it to the private IP address on the local LAN because it is also managing NAT for the local LAN.


If you have the need to establish VPN traffic between sites then you should look at this sort of product.


There are many, many products that can perform this function, from the not-very-good to top-of-the-line ($$$). They will have different types of WAN interfaces (xDSL, Ethernet etc.), perhaps with LAN WiFi. One good (I don't work for the company, I do use their products) dedicated device is the Juniper SSG (Secure Services Gateway) range. They have models from small to very large; their small office/teleworker model is this one:

http://www.juniper.net/us/en/products-services/security/ssg-series/ssg5/


Again, in summary, the problem you are facing is not something wrong with the VPN setup on the OS X Server; it is because you are connecting from a NATed address using VPN passthrough.
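As an added illustration (not part of the original answer, and not OS X Server's actual L2TP/IPsec code): a small Python model of the behaviour described above. When the server identifies a tunnel only by the peer's public address, a second client emerging from the same NAT replaces the first; if the server also keys on the NAT-assigned source port, both clients coexist. All addresses, port numbers and user names are constructed (RFC 5737 documentation range), not taken from the page.

```python
"""Model: two VPN clients behind one NAT, seen by a server that keys its
tunnel table either on peer IP alone or on (peer IP, peer port).
Illustrative only; addresses and names are constructed."""
from dataclasses import dataclass, field


@dataclass
class Nat:
    """Port-overloading NAT: many private hosts share one public address."""
    public_ip: str
    next_port: int = 40000
    table: dict = field(default_factory=dict)   # private IP -> (public IP, port)

    def translate(self, private_ip: str) -> tuple:
        # Each inside host gets its own outside port; the outside IP is shared.
        if private_ip not in self.table:
            self.table[private_ip] = (self.public_ip, self.next_port)
            self.next_port += 1
        return self.table[private_ip]


@dataclass
class VpnServer:
    """Tunnel table keyed by peer IP only, or by (peer IP, peer port)."""
    key_on_port: bool
    tunnels: dict = field(default_factory=dict)   # key -> user
    evicted: list = field(default_factory=list)

    def connect(self, peer: tuple, user: str) -> None:
        key = peer if self.key_on_port else peer[0]
        old = self.tunnels.get(key)
        if old is not None and old != user:
            # "The device behind this Internet IP has changed": drop the old one.
            self.evicted.append(old)
        self.tunnels[key] = user


def simulate(key_on_port: bool) -> tuple:
    """Two private hosts (constructed) connect through one NAT public IP."""
    nat = Nat("203.0.113.5")
    server = VpnServer(key_on_port)
    for private_ip, user in [("192.168.1.10", "alice"), ("192.168.1.11", "bob")]:
        server.connect(nat.translate(private_ip), user)
    return sorted(server.tunnels.values()), server.evicted


if __name__ == "__main__":
    print(simulate(key_on_port=False))  # (['bob'], ['alice'])
    print(simulate(key_on_port=True))   # (['alice', 'bob'], [])
```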
