
VPN not working outside of local network

I am running the OS X Mountain Lion server. I also have Verizon FiOS as my ISP. I can see the wiki, install my profiles to my devices, and most of everything that I have enabled seems to work, except VPN. I turn it on, configure my FiOS router to forward the ports: 500, 1701, 1723, and 4500, which I found on this page. If I try to connect my iPad Mini (WiFi only, iOS 7) to my VPN server, it will try to connect for a few seconds and then give me an error (see below). If I connect to my local network and change the server to the IP address of my server, it will connect just fine. If I try with my server's domain outside of my network, I just get that error. My server's VPN log does not show any connections when done outside of my local network. When done locally with the local IP, it works just fine and I see the log has more info about devices connecting. I'm wondering if it is just me making a simple mistake or if FiOS is blocking the ports needed.


Here is the error that I am getting:

[screenshot of the error, uploaded as an image]

OS X Mountain Lion (10.8.5)

Posted on Oct 14, 2013 12:25 PM


Oct 14, 2013 1:29 PM in response to nick.welsh

Depending on the exact set-up of your network, L2TP via IPSec requires UDP ports 500, 1701 and 4500 and the IP-ESP protocol, which is IP protocol 50; ESP; that's the full-on L2TP / IPSec when behind NAT. Other than ESP (which is protocol 50 and not port 50), these are all UDP ports, and not TCP ports. (Specifically, IPSec expects UDP port 500 and ESP (protocol 50) for site to site non-NAT. L2TP expects UDP port 500, UDP port 1701 and UDP port 4500 when behind NAT.)


Some gateway devices have a VPN passthrough setting, which can help. (Not all have a way to enable pass through for protocols.)


TCP 1723 is used for PPTP. Not for L2TP / IPSec.


As compared with L2TP / IPSec, PPTP is less secure, but usually easier to get going and particularly around NAT.


If you have Back To My Mac enabled on your gateway device, then you can't use a VPN. With AirPort Extreme and Time Capsule, you have to turn off Back To My Mac.


As for whether FiOS firewall blocks might be involved, probe each of the ports with the following Terminal.app netcat (nc) command:


nc -zu 10.20.30.40 target-udp-port


where your public static IP address is substituted for 10.20.30.40 in that command.


FWIW, I've been in a few of these discussions, and this forum search should get you some additional reading material.

Oct 31, 2013 1:46 PM in response to nick.welsh

My config is iPhone 5s LTE to Verizon FIOS with OS X 10.8.5 Server 2.2.2 on MacBook Pro

(awaiting success reported with V3.0 on 10.9)


nc -zu seems confusing

Stated on 10.9 Developer man nc(1)


CAVEATS UDP port scans will always succeed (i.e. report the port as open), rendering the -uz combination of flags relatively useless.


Also my forwarding rules are SOURCE 500

Found on Verizon FIOS Actiontec MI424Wr Rev C Firmware 4.0.16.1.56.0.10.14.4

at Advanced under Port Forwarding Rules


IPSec
UDP500 -> 500
ESP
AH



when using Actiontec MI424-WR rules from factory for IPSec against recommended definition at


Defining Forwarding Rules PDF


10. The "Source Ports:" default setting of "ANY" should not be changed

(The source port setting of ANY is absolutely required for all port forwarding)




What will this do?


DMZ works so I assume it must be somewhere in Forwarding Rules?
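The first reply suggests probing the forwarded ports with nc -zu, and the second reply quotes the nc(1) caveat that UDP "scans" always report open. The script below is an added example (not code from either poster or from Apple) that shows why: it sends one UDP datagram and classifies the outcome the way a port scanner does. A real reply means "open"; an ICMP port-unreachable (surfacing as ConnectionRefusedError on a connected UDP socket) means "closed"; silence is "open|filtered", which is indistinguishable from a firewall drop. The three local listeners it starts are constructed for the demo; an L2TP/IPSec server on UDP 500 only answers a well-formed IKE message, so a generic probe from outside will land in the "open|filtered" bucket whether or not FiOS is forwarding the port.

```python
import socket
import threading

# Classification labels, following the usual port-scanner vocabulary
OPEN = "open"                        # the service answered our datagram
CLOSED = "closed"                    # the host sent ICMP port unreachable
OPEN_OR_FILTERED = "open|filtered"   # silence: an ignoring listener or a firewall drop


def probe_udp(host, port, payload=b"probe", timeout=1.0):
    """Send one UDP datagram and classify what comes back.

    UDP has no handshake, so the only positive evidence of a listener is an
    application-level reply. A timeout proves nothing: the listener may simply
    not speak our (arbitrary) payload, or a firewall may have dropped it.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        # connect() on a UDP socket only fixes the peer address; it is what lets
        # an ICMP port-unreachable surface as ConnectionRefusedError.
        s.connect((host, port))
        try:
            s.send(payload)
            s.recv(2048)
            return OPEN
        except ConnectionRefusedError:
            return CLOSED
        except socket.timeout:
            return OPEN_OR_FILTERED


def start_udp_listener(reply):
    """Bind a UDP socket on loopback (constructed test fixture).

    If reply is a bytes object, every datagram is answered with it; if reply is
    None the listener stays silent, like a VPN daemon ignoring a non-IKE packet.
    Returns (port, stop_event).
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))
    sock.settimeout(0.2)
    port = sock.getsockname()[1]
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                _data, peer = sock.recvfrom(2048)
            except socket.timeout:
                continue
            if reply is not None:
                sock.sendto(reply, peer)
        sock.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop


def demo():
    """Probe three constructed situations and return the classification of each."""
    results = {}

    talk_port, stop_talk = start_udp_listener(b"hello")
    results["talkative listener"] = probe_udp("127.0.0.1", talk_port)
    stop_talk.set()

    quiet_port, stop_quiet = start_udp_listener(None)
    results["silent listener"] = probe_udp("127.0.0.1", quiet_port)
    stop_quiet.set()

    # Find a port with nothing bound: bind, record, close.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tmp.bind(("127.0.0.1", 0))
    free_port = tmp.getsockname()[1]
    tmp.close()
    results["nothing listening"] = probe_udp("127.0.0.1", free_port)

    return results


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:20s} -> {verdict}")
```

The practical takeaway for the original question: a timeout from nc -zu or from this script against the public IP is consistent with both "forwarded correctly" and "blocked", so the only trustworthy test is the real client (the iPad's VPN profile) plus the server's VPN log, which is exactly what the original poster was already comparing. The "nothing listening" case depends on the host returning ICMP port-unreachable on loopback; on a system that suppresses it, that probe also reports "open|filtered".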

Oct 31, 2013 2:16 PM in response to Cool Games

Another possibility?


More data at Server V3.0

Provide VPN service through an Internet router


I sent feedback to have it explained more clearly!

I am lost without a picture of the systems.

The words get in the way.


Ask users to change their intranet addresses


You can ask VPN users to change the IP addresses on their home networks so the first three numbers of their IP address are different from the ones on your intranet.


For example, if your intranet IP addresses begin with 192.168.1, ask VPN users to use IP addresses beginning with 192.168.2 on their home networks.



How do I "Ask VPN Users" when I am the only VPN user who just travels with a laptop to another location?
