Isolate VPN listener to a single interface?
December 31, 2005 at 9:34 pm #364597
BestMacs (Participant)
Hi, folks… wondering if anyone has seen this and knows what to edit.
Until last night, I had been successfully running Tiger’s VPN service on an Xserve with clients connecting from all points around the country and accessing all of our internal network services.
Last night, I activated the second Ethernet card. Since that moment, VPN connections fail to connect. The server and the client negotiate, but the server quickly uses up its pool of allocated IP addresses on that one connection and eventually it times out. The connection never gets to an authentication stage.
I tried a large number of techniques to fix this, but found only one that makes a difference: If I disable en0, VPN comes back to life on en1. (We want VPN connections on the IP assigned to en1, but I’ve reversed this and it doesn’t matter.) Once I reenable en0, we’re dead in the water.
We had the same issue with DHCP, but I modified the bootps.plist so that bootpd only listens on en0. I think this is the right solution for this issue but cannot find where to specify a port (or IP address) to listen on.
Anyone know where Apple is hiding this thing? TIA.
January 1, 2006 at 11:05 pm #364601
BestMacs (Participant)
en0 is higher than en1. Following your hunch, I tried flipping them and it worked on the first try. Nice thinking. If you guys end up doing a MacWorld get together next week, I owe you a beer (or n/a bev of your choice.)
January 2, 2006 at 9:43 pm #364607
steve (Participant)
It does actually say this in the manual.
There is a picture, and it clearly shows that you MUST put network connections in en0 before en1; therefore by default the services should be on en0, or en1 but only if en0 is enabled & connected.
Personally, I think it is bloody stupid.
Same with AFP: you cannot set the ‘IF’ it listens on. Just make sure that if your OD & AFP are running, your firewall is also configured and running, and you have a default “deny any to any” as your last rule.
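Steve's closing point, that the firewall has to do the per-interface isolation the services themselves cannot, can be expressed as an ipfw ruleset. The script below is an added example, not code from this thread or from Apple. It assumes the addresses quoted later in the thread (en1 at 192.168.0.4 carrying VPN, en0 on the 192.168.0.0/24 LAN) and the ports Tiger's VPN service listens on (PPTP tcp/1723 plus GRE; L2TP/IPsec udp/500, 1701 and 4500 plus ESP); the function names `fw`, `vpn_firewall`, `count_vpn_rules` and `last_rule` are mine. By default it only prints the commands; run it as root with DRY_RUN=0 to apply them.

```shell
#!/bin/sh
# Added example (not from the thread): confine the VPN listener to one
# interface at the ipfw layer and finish with a default deny as the last rule.
# Interface and address values are assumed from the thread; adjust for your server.
VPN_IF="${VPN_IF:-en1}"
VPN_IP="${VPN_IP:-192.168.0.4}"
LAN_IF="${LAN_IF:-en0}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the ipfw commands, 0 = execute them (as root)

# Echo the command and, unless DRY_RUN=1, hand it to ipfw.
fw() {
    echo "ipfw $*"
    [ "$DRY_RUN" = 1 ] || ipfw "$@"
}

vpn_firewall() {
    fw -f flush
    # Loopback, and replies to TCP sessions the server already accepted
    fw add 100 allow ip from any to any via lo0
    fw add 200 allow tcp from any to any established
    # PPTP: control channel tcp/1723 and the GRE tunnel, only on the VPN interface
    fw add 1000 allow tcp from any to "$VPN_IP" 1723 in via "$VPN_IF"
    fw add 1010 allow gre from any to "$VPN_IP" in via "$VPN_IF"
    # L2TP/IPsec: IKE udp/500, L2TP udp/1701, NAT-T udp/4500, and ESP
    fw add 1100 allow udp from any to "$VPN_IP" 500,1701,4500 in via "$VPN_IF"
    fw add 1110 allow esp from any to "$VPN_IP" in via "$VPN_IF"
    # Traffic the server itself originates may leave on any interface
    fw add 1200 allow ip from any to any out
    # Decapsulated VPN client traffic arrives on the ppp interfaces vpnd creates
    fw add 1300 allow ip from any to any in via "ppp*"
    # Internal services (AFP, OD, DNS) are reachable only from the LAN, on the LAN interface
    fw add 2000 allow ip from "$LAN_NET" to any in via "$LAN_IF"
    # Last rule: deny (and log) everything not explicitly allowed above
    fw add 65000 deny log ip from any to any
}

# How many rules admit inbound traffic on the VPN interface (quick sanity check).
count_vpn_rules() {
    vpn_firewall | grep -c "in via $VPN_IF"
}

# The final rule of the set, which must be the default deny.
last_rule() {
    vpn_firewall | tail -n 1
}
```

Rule 65000 is steve's "deny any to any"; ipfw's built-in rule 65535 denies as well, but an explicit logged rule makes the dropped packets visible in the system log, which is what you want when a VPN client silently fails to connect. Tiger Server's Firewall service in Server Admin manages its own ipfw rules, so rules added by hand should either be entered through that pane or you should confirm they survive a restart of the service.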
January 4, 2006 at 12:15 am #364623
BestMacs (Participant)
Joel,
I think what you just said about routing explains a number of other issues that we’re seeing with the server and having its two interfaces on the same subnet. Today I started to see Open Directory freak out and I think it’s because of this same behavior. Perhaps DNS queries coming into 192.168.0.2 on en0, and then going back out on 192.168.0.4 on en1 (which is now primary)?
Sounds like the simplest thing will be to purge the second interface. It just doesn’t work the way I expected it to.