Member_4228183
How do I configure my router/firewall to allow connections into my Snow Leopard Server's VPN?

I have a Snow Leopard Server behind a Cisco RVS4000 router/firewall. I have everything on the server working well except for the VPN. For whatever reason, I can connect to my VPN while in the LAN, but outside of the LAN I cannot connect to my VPN. I have tried turning off the firewall and opening up all the ports on the RVS4000 but still cannot connect to the VPN. What am I missing, and how do I get the RVS4000 to allow me to connect to the VPN running on my server from outside my LAN?
arnold

You need to set up a port forward/map a port from your Cisco to the IP of your server,
i.e. IPsec port UDP 500 to ip_of_server UDP port 500,
PPTP port TCP 1723 to ip_of_server TCP port 1723,
TCP 1701 for L2TP.
You may need to do the same for port 4500 (NAT translation) for IPsec and 10000 for L2TP.

The router has built-in VPN. Which VPN do you have set up on the server?
You cannot have both, i.e. IPsec on the Cisco and on the server, unless one creates an initial tunnel and the other connects through it: tunnel within tunnel.
The first gets you to the server, the second gets you further along depending on the configuration.
Member_4228183

ASKER

The Cisco VPN is off (and I never set it up), as for port forwarding, I have all the ports forward to the server but it still won't work and I can't figure out why.
One of the possibilities might be that inbound traffic is being blocked by your ISP.
I have not tested if the ISP is blocking VPN in but they do not block any other traffic in.
You didn't tell us which kind of VPN you are trying to use yet.
  • PPTP needs GRE to be forwarded (that's protocol 47), in addition to port 1723/tcp.
  • Some routers have a special setting called "VPN passthru" or "PPTP passthru" which switches off any internal processing and forwards any VPN traffic to a single server.
  • Port 10000/tcp is TCP NAT-T and very uncommon; AFAIK it is only used by Cisco VPN. Never heard of it in conjunction with L2TP.
  • NAT-T (4500/udp) need not be forwarded. That is why it is used - the local IP addresses of VPN client and/or server are wrapped into an additional framing, so the packets can be forwarded based on that info.
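The two replies above amount to a checklist of what the router must forward for each VPN type, and the point about GRE is the one that "forwarding all the ports" silently misses: GRE is an IP protocol with no port number, so a port-range rule never covers it. The following Python script is an added example, not code from the thread or from Cisco or Apple. It models a router's forwarding table with a Rule type of its own and reports which required entries are absent. The required lists follow the replies (PPTP: 1723/tcp plus GRE; L2TP/IPsec: 500/udp, 4500/udp and 1701), except that 1701 is modelled as UDP because L2TP runs over UDP even though the replies write it as TCP. The server address 192.168.1.103 and the sample tables are constructed for the example.

```python
"""Check a router's port-forward table against what a VPN server behind it needs.

Added example, not from the original thread. REQUIRED lists the entries the
replies name; Rule and the function names are this example's own.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# What each VPN type needs forwarded to the server, as (protocol, port).
# A port of None means the whole IP protocol (nothing to match a port on).
REQUIRED = {
    "pptp": [("tcp", 1723), ("gre", None)],
    "l2tp/ipsec": [("udp", 500), ("udp", 4500), ("udp", 1701)],
}

# IP protocol numbers for the port-less protocols used above.
PROTO_NUMBERS = {"gre": 47}


@dataclass(frozen=True)
class Rule:
    """One row of a router's forwarding table (model constructed for this example)."""
    proto: str                         # "tcp", "udp" or "gre"
    ports: Optional[Tuple[int, int]]   # inclusive port range; None for port-less protocols
    target: str                        # LAN address the router forwards to


def covers(rule: Rule, proto: str, port: Optional[int], target: str) -> bool:
    """True if this rule forwards the given protocol/port to the given host."""
    if rule.proto != proto or rule.target != target:
        return False
    if rule.ports is None or port is None:
        # A port-less protocol is covered only by a port-less rule for that protocol;
        # a TCP/UDP port range can never cover GRE, however wide it is.
        return rule.ports is None and port is None
    low, high = rule.ports
    return low <= port <= high


def describe(proto: str, port: Optional[int]) -> str:
    """Human-readable name for a required entry, e.g. '1723/tcp' or 'gre (IP protocol 47)'."""
    if port is not None:
        return f"{port}/{proto}"
    return f"{proto} (IP protocol {PROTO_NUMBERS[proto]})"


def missing_forwards(vpn: str, rules: List[Rule], server_ip: str) -> List[str]:
    """Return the required entries that no rule in the table forwards to server_ip."""
    if vpn not in REQUIRED:
        raise ValueError(f"unknown VPN type {vpn!r}")
    return [
        describe(proto, port)
        for proto, port in REQUIRED[vpn]
        if not any(covers(rule, proto, port, server_ip) for rule in rules)
    ]


# Constructed sample data. SERVER is a placeholder LAN address for the VPN server.
SERVER = "192.168.1.103"

# "All the ports forwarded": every TCP and UDP port, but nothing for GRE.
ALL_PORTS = [Rule("tcp", (1, 65535), SERVER), Rule("udp", (1, 65535), SERVER)]

# A TCP-only table with just the two ports the first reply names.
TCP_ONLY = [Rule("tcp", (1723, 1723), SERVER), Rule("tcp", (1701, 1701), SERVER)]

if __name__ == "__main__":
    for name, table in (("all ports", ALL_PORTS), ("tcp only", TCP_ONLY)):
        for vpn in REQUIRED:
            gaps = missing_forwards(vpn, table, SERVER)
            print(f"{name:9} {vpn:11} missing: {', '.join(gaps) or 'nothing'}")
```

Run stand-alone it shows that the "all ports" table is complete for L2TP/IPsec but still lacks GRE for PPTP, and that the TCP-only table lacks every UDP entry L2TP/IPsec needs. A single protocol-level rule for GRE (Rule("gre", None, SERVER)) is what closes the PPTP gap; whether a given router's "VPN passthru" or DMZ setting creates that rule is exactly the thing to verify on the device.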

Sorry about that, as of now we can connect to the LAN using PPTP but we can't connect back out to get to the Internet. I am trying to set up L2TP though and that is what will not connect at all.
I do have VPN passthrough enabled if that changes anything.
I suppose it is L2TP/IPsec then (1701/tcp, 500/udp, 4500/udp). However, I do not understand "we can't connect back out to get to the Internet".
 
I have DMZ set on the router/firewall to point to the server, so I don't think it's a port issue.

As for "we can't connect back out to the Internet": connecting to the VPN using PPTP does work (where L2TP, what we want to use, does not), but once connected we cannot access anything that is not on the LAN.
ASKER CERTIFIED SOLUTION
Qlemo
Qlemo: Thanks, you made me aware of something I did not notice to start with but I still want to have all traffic to go through the VPN. Now how I set any of that up or set up the Network Routing Definitions for the VPN, I have no idea about. I have attached a photo of what the Network Routing Definitions settings looks like on the server.

I still have the original problem though, as well as the Routing Definitions one that you brought up, of why my router won't let anyone connect to the VPN under L2TP.
Screen-shot-2009-10-22-at-8.54.0.png
Well, I think we got it. We used the following Network Routing Definition settings:

Network Address   ||  Network Mask     ||  Network Type
-------------------------------------------------------
192.168.1.0       ||  255.255.255.0    ||  Public
192.168.1.103     ||  255.255.255.0    ||  Public
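The Network Routing Definitions table above decides, per destination, whether a VPN client sends traffic through the tunnel or over its own Internet connection. The following Python script is an added example, not code from the thread or from Apple; it resolves that decision for a destination address under a table in the same three-column form. The semantics it assumes are those the Snow Leopard Server VPN admin guide describes: "Private" entries are reached through the tunnel, "Public" entries over the client's normal connection, the most specific matching entry wins, and a destination matching no entry (or an empty table) goes through the tunnel. The sample table and addresses are constructed for the example.

```python
"""Resolve which path a destination takes under VPN Network Routing Definitions.

Added example, not from the thread. Assumed semantics: Private -> tunnel,
Public -> direct, longest matching prefix wins, no match -> tunnel.
"""
import ipaddress
from typing import List, Tuple

Definition = Tuple[ipaddress.IPv4Network, str]


def parse_definitions(rows: List[Tuple[str, str, str]]) -> List[Definition]:
    """Turn (address, dotted mask, type) rows into (network, type) pairs.

    strict=False makes a host address with a wider mask read as the network
    that mask selects, which is how a row such as 192.168.1.103/255.255.255.0
    is interpreted here.
    """
    defs = []
    for address, mask, kind in rows:
        kind = kind.strip().lower()
        if kind not in ("private", "public"):
            raise ValueError(f"network type must be Private or Public, got {kind!r}")
        defs.append((ipaddress.ip_network(f"{address}/{mask}", strict=False), kind))
    return defs


def route_for(destination: str, defs: List[Definition]) -> str:
    """Return "tunnel" or "direct" for one destination address."""
    dest = ipaddress.ip_address(destination)
    best = None
    for net, kind in defs:
        # Longest prefix wins; an IPv6 destination never matches an IPv4 entry.
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, kind)
    if best is None:
        return "tunnel"  # no entry matched (or the table is empty): default route is the VPN
    return "tunnel" if best[1] == "private" else "direct"


# Constructed table: the office LAN through the tunnel, except one host that
# the client should reach directly. The /32 row is more specific and wins.
SAMPLE = parse_definitions([
    ("192.168.1.0", "255.255.255.0", "Private"),
    ("192.168.1.200", "255.255.255.255", "Public"),
])

if __name__ == "__main__":
    for dest in ("192.168.1.10", "192.168.1.200", "8.8.8.8"):
        print(f"{dest:14} -> {route_for(dest, SAMPLE)}")
```

Fed the two rows from the table above, parse_definitions yields the same 192.168.1.0/24 network twice, because a 255.255.255.0 mask on 192.168.1.103 selects the whole /24; a row meant for a single host takes the mask 255.255.255.255. Under those two rows every 192.168.1.x destination resolves to "direct" and everything else to "tunnel", which is a quick way to check that a definitions table says what was intended before testing it from a remote client.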