
which ports need to be public for vpn l2tp access through the firewall

I have setup VPN L2TP on my macbook pro, I can access the VPN on my iPad locally just fine. When I try to access it through the internet, externally, I receive the message ( on my iPad) "The L2TP-VPN server did not respond. Try reconnecting. If the problem continues, verify your settings and contact your administrator". I suspect this is due to my router ( apple time capsule ) and its built in firewall. I should be able to put in a rule to allow the ports through. which ports are necessary?

MacBook Air (13-inch Mid 2013), OS X Mavericks (10.9)

Posted on Oct 26, 2013 12:07 PM


Oct 26, 2013 12:27 PM in response to pmlst097

On Time Capsule and AirPort Extreme, shut off the Back To My Mac and enable VPN Passthrough. That'll have the proper ports enabled for you.

As for your question:

Depending on the exact set-up of the network, L2TP requires UDP ports 500, 1701 and 4500 and the IP-ESP protocol, which is IP protocol 50 (ESP).

Other than ESP (which is protocol 50 and not port 50), these are UDP ports, and not TCP.

It is common for L2TP passthrough to fail when more than one connection is active.

As compared with L2TP, PPTP is usually easier to get going when there's NAT around, though PPTP is less secure than L2TP.

Use of an external firewall-gateway with an embedded VPN server is recommended. (NAT passthrough is something best avoided.)

Also ensure your ISP is not blocking VPN connections. There are ISPs that block server-oriented ports on the residential service tier. (If you're on a business-class tier, ignore this.)

Oct 29, 2013 8:58 AM in response to pmlst097

I was able to get it to work a few days ago, externally through the internet, then it stopped working. When I look at the log in OS X Server I can see the iPad client communicating with the OS X Server. Interesting too is that OS X Server alters the settings in my Time Capsule to allow the necessary ports through. I suspect there is a trace or diagnostic that can be activated to show what is wrong.

Oct 29, 2013 9:14 AM in response to pmlst097

I recreated the error, and the log on the server side is below:

racoon[324]: Connecting.
racoon[324]: IPSec Phase 1 started (Initiated by peer).
racoon[324]: IKE Packet: receive success. (Responder, Main-Mode message 1).
racoon[324]: >>>>> phase change status = Phase 1 started by us
racoon[324]: IKE Packet: transmit success. (Responder, Main-Mode message 2).
racoon[324]: IKE Packet: receive success. (Responder, Main-Mode message 3).
racoon[324]: IKE Packet: transmit success. (Responder, Main-Mode message 4).
racoon[324]: Connecting.
racoon[324]: IKE Packet: transmit success. (Phase 1 Retransmit).
--- last message repeated 3 times ---
kernel[0]: Sandbox: xcscredd(138) deny file-read-metadata /Users
--- last message repeated 16 times ---
sandboxd[115] ([138]): xcscredd(138) deny file-read-metadata /Users
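A small triage script, added here and not part of the thread, that reads the racoon excerpt above and reports which of the ports listed earlier (UDP 500, UDP 4500, UDP 1701, ESP protocol 50) to check first. It assumes that when IKE main mode stalls after message 4 with only retransmits following, the peer's message 5 (which moves to UDP 4500 once NAT-T is negotiated) is being dropped, and the "IPSec Phase 1 established" wording it looks for is assumed, not taken from the post.

```python
import re

# Constructed copy of the racoon excerpt posted above (timestamps trimmed).
SAMPLE_LOG = """\
racoon[324]: Connecting.
racoon[324]: IPSec Phase 1 started (Initiated by peer).
racoon[324]: IKE Packet: receive success. (Responder, Main-Mode message 1).
racoon[324]: >>>>> phase change status = Phase 1 started by us
racoon[324]: IKE Packet: transmit success. (Responder, Main-Mode message 2).
racoon[324]: IKE Packet: receive success. (Responder, Main-Mode message 3).
racoon[324]: IKE Packet: transmit success. (Responder, Main-Mode message 4).
racoon[324]: Connecting.
racoon[324]: IKE Packet: transmit success. (Phase 1 Retransmit).
--- last message repeated 3 times ---
"""

MSG_RE = re.compile(r"IKE Packet: (receive|transmit) success\. "
                    r"\(Responder, Main-Mode message (\d)\)")
RETRANS_RE = re.compile(r"\(Phase 1 Retransmit\)")
REPEAT_RE = re.compile(r"--- last message repeated (\d+) times ---")

def summarize(log):
    """Return (last_msg_received, last_msg_sent, retransmits, phase1_done)."""
    last_rx = last_tx = retrans = 0
    last_was_retrans = phase1_done = False
    for line in log.splitlines():
        m = MSG_RE.search(line)
        if m:
            if m.group(1) == "receive":
                last_rx = max(last_rx, int(m.group(2)))
            else:
                last_tx = max(last_tx, int(m.group(2)))
            last_was_retrans = False
        elif RETRANS_RE.search(line):
            retrans += 1
            last_was_retrans = True
        elif REPEAT_RE.search(line) and last_was_retrans:
            # syslog folds repeated retransmits into one summary line
            retrans += int(REPEAT_RE.search(line).group(1))
        else:
            if "IPSec Phase 1 established" in line:  # assumed racoon wording
                phase1_done = True
            last_was_retrans = False
    return last_rx, last_tx, retrans, phase1_done

def diagnose(log):
    """Map the IKE state seen in the log to the port/protocol to verify next."""
    last_rx, last_tx, retrans, phase1_done = summarize(log)
    if phase1_done:
        return "phase 1 complete: check ESP (IP protocol 50) and UDP 1701 next"
    if last_rx == 0:
        return "no IKE message received: UDP 500 is not reaching the server"
    if last_tx >= 4 and last_rx < 5 and retrans:
        return "stalled after Main-Mode message 4: check UDP 4500 (NAT-T)"
    return "phase 1 incomplete: check UDP 500 in both directions"
```

On the posted excerpt the script reports a stall after message 4, so UDP 4500 is the first rule to verify on the Time Capsule.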
