3 Replies Latest reply: Oct 31, 2013 2:16 PM by Cool Games
nick.welsh Level 1 (0 points)

I am running the OS X Mountain Lion server. I also have Verizon FiOS as my ISP. I can see the wiki, install my profiles to my devices, and most of everything that I have enabled seems to work, except VPN. I turn it on, configure my FiOS router to forward the ports: 500, 1701, 1723, and 4500, which I found on this page. If I try to connect my iPad Mini (WiFi only, iOS 7) to my VPN server, it will try to connect for a few seconds and then give me an error (see below). If I connect to my local network and change the server to the IP address of my server, it will connect just fine. If I try with my server's domain outside of my network, I just get that error. My server's VPN log does not show any connections when done outside of my local network. When done locally with the local IP, it works just fine and I see the log has more info about devices connecting. I'm wondering if it is just me making a simple mistake or if FiOS is blocking the ports needed.


Here is the error that I am getting:

[image: VPN Error.PNG]


OS X Mountain Lion (10.8.5)
  • MrHoffman Level 6 (12,980 points)

    Depending on the exact set-up of your network, L2TP via IPSec requires UDP ports 500, 1701 and 4500 and the IP-ESP protocol, which is IP protocol 50; ESP; that's the full-on L2TP / IPSec when behind NAT. Other than ESP (which is protocol 50 and not port 50), these are all UDP ports, and not TCP ports. (Specifically, IPSec expects UDP port 500 and ESP (protocol 50) for site to site non-NAT. L2TP expects UDP port 500, UDP port 1701 and UDP port 4500 when behind NAT.)

    Some gateway devices have a VPN passthrough setting, which can help. (Not all have a way to enable pass through for protocols.)

    TCP 1723 is used for PPTP. Not for L2TP / IPSec.

    As compared with L2TP / IPSec, PPTP is less secure, but usually easier to get going and particularly around NAT.

    If you have Back To My Mac enabled on your gateway device, then you can't use a VPN. With AirPort Extreme and Time Capsule, you have to turn off Back To My Mac.

    As for whether FiOS firewall blocks might be involved, probe each of the ports with the following Terminal.app netcat (nc) command:

        nc -zu 10.20.30.40 target-udp-port

    where your public static IP address is substituted for 10.20.30.40 in that command.

    FWIW, I've been in a few of these discussions, and this forum search should get you some additional reading material.

  • Cool Games Level 1 (0 points)

    My config is iPhone 5s LTE to Verizon FIOS with OS X 10.8.5 Server 2.2.2 on MacBook Pro

    (awaiting success reported with V3.0 on 10.9)

    nc -zu seems confusing

    Stated on 10.9 Developer man nc(1):

    CAVEATS UDP port scans will always succeed (i.e. report the port as open), rendering the -uz combination of flags relatively useless.

    Also my forwarding rules are SOURCE 500

    Found on Verizon FIOS Actiontec MI424Wr Rev C Firmware 4.0.16.1.56.0.10.14.4

    at Advanced under Port Forwarding Rules

    IPSec
    UDP500 -> 500
    ESP
    AH

    when using Actiontec MI424-WR rules from factory for IPSec against recommended definition at

    Defining Forwarding Rules PDF

    10. The "Source Ports:" default setting of "ANY" should not be changed

    (The source port setting of ANY is absolutely required for all port forwarding)

    What will this do?

    DMZ works so I assume it must be somewhere in Forwarding Rules?
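A small rule checker, added here as an example and not code from Apple, Verizon, the router vendor or either poster, that compares a gateway's port-forwarding rules with the port and protocol sets MrHoffman listed and flags the restricted source port in the Actiontec factory IPSec rule quoted above; the requirement table and both rule lists it ships with are constructed for illustration.

```python
"""Compare gateway forwarding rules with what each VPN type needs.

Added example for this thread; not Apple, Verizon or router-vendor code.
Requirement sets follow MrHoffman's reply; all rule lists are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# (transport or IP protocol, port); port-less entries are IP protocols, not ports.
REQUIREMENTS: Dict[str, List[Tuple[str, Optional[int]]]] = {
    "l2tp-ipsec-nat": [("udp", 500), ("udp", 1701), ("udp", 4500), ("esp", None)],
    "ipsec-site-to-site": [("udp", 500), ("esp", None)],
    "pptp": [("tcp", 1723), ("gre", None)],  # GRE (protocol 47) is not in the thread
}

@dataclass(frozen=True)
class ForwardRule:
    proto: str                      # "udp", "tcp", "esp", "ah", "gre"
    ext_port: Optional[int] = None  # None for port-less IP protocols
    source_port: str = "ANY"        # the Actiontec "Source Ports" field

def _label(proto: str, port: Optional[int]) -> str:
    return f"{proto}/{port}" if port is not None else proto

def check_rules(vpn_type: str, rules: List[ForwardRule]) -> Dict[str, List[str]]:
    """Return the entries missing for vpn_type plus per-rule warnings."""
    required = REQUIREMENTS[vpn_type]
    present = {(r.proto.lower(), r.ext_port) for r in rules}
    missing = [_label(p, port) for p, port in required if (p, port) not in present]
    udp_needed = {port for p, port in required if p == "udp"}
    warnings: List[str] = []
    for r in rules:
        proto, key = r.proto.lower(), _label(r.proto.lower(), r.ext_port)
        if r.source_port.upper() != "ANY":
            # Vendor guidance quoted above: source port must stay ANY for forwarding
            warnings.append(f"{key}: source port restricted to {r.source_port}; use ANY")
        if proto == "tcp" and r.ext_port in udp_needed and ("udp", r.ext_port) not in present:
            warnings.append(f"{key}: forwarded as TCP only; must be UDP")
        if (proto, r.ext_port) == ("tcp", 1723) and vpn_type != "pptp":
            warnings.append(f"{key}: TCP 1723 is PPTP only; not used by L2TP/IPsec")
    return {"missing": missing, "warnings": warnings}

# Constructed: the Actiontec factory "IPSec" rule set quoted in the thread.
ACTIONTEC_IPSEC_RULES = [ForwardRule("udp", 500, source_port="500"), ForwardRule("esp"), ForwardRule("ah")]
# Constructed: the four ports from the original post, forwarded as both TCP and UDP.
OP_RULES = [ForwardRule(t, p) for p in (500, 1701, 1723, 4500) for t in ("tcp", "udp")]

if __name__ == "__main__":
    for name, rules in (("Actiontec IPSec", ACTIONTEC_IPSEC_RULES), ("OP", OP_RULES)):
        print(name, check_rules("l2tp-ipsec-nat", rules))
```

Note that this only checks the rule set for consistency; whether the traffic actually arrives still has to be read off the server's VPN log, since the nc -zu probe reports success for any UDP port.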

  • Cool Games Level 1 (0 points)

    Another possibility?

    More data at Server V3.0

    Provide VPN service through an Internet router

    I sent feedback to have it explained more clearly!

    I am lost without a picture of the systems.

    The words get in the way.

    Ask users to change their intranet addresses

    You can ask VPN users to change the IP addresses on their home networks so the first three numbers of their IP address are different from the ones on your intranet.

    For example, if your intranet IP addresses begin with 192.168.1, ask VPN users to use IP addresses beginning with 192.168.2 on their home networks.

    How do I "Ask VPN Users" when I am the only VPN user who just travels with a laptop to another location?