X.4.2 Server – VPN – Netgear WGR614 / Missing Articles

  • #362742
    neilmcg
    Participant

    I had been reading the articles on mTunnel and VPN on the old version of the site, but now when I search on the site I cannot find them, unless I google.
    Anyway, I cannot now find a post I had read about a terminal mod using the Tiger VPN server behind an existing hardware router/firewall. Hints pls.

    The basic setup is as follows;
    G4 Sawtooth;
    Built-in Ethernet,
    additional Dlink DFE-530TX Ethernet card,
    Mac OS X 10.4.2 Server,
    Netgear WGR614v5,
    Alcatel Speed Touch DSL.

    The Netgear is connected to a SpeedTouch DSL modem; the router is running the DHCP, NAT, etc. It is serving both wireless and Cat5 to a small network of iMacs and PowerBooks.
    (If the Macs are connected to the DSL modem directly, restarts seem to make the modem go flaky/hang, however the Netgear runs happily away, and has been preventing any loss of service/reset of the modem).

    I’d like to set the Server up to offer VPN services, keeping it behind the Netgear (i.e. without placing it between the Netgear and the DSL modem.)
    Gateway Setup Assistant wants the Server to sit up front, but I’d really prefer not to set it up that way.

    Is this possible? Any replies gratefully appreciated.

    #362759
    neilmcg
    Participant

    I’m writing this as a follow-up to my own message. I did not really find many hints on the web, so –
    After a lot of experimenting (head scratching), I have successfully got it running for both dial-up and DSL based clients.
    It only validates that it is running as a test; the firewall is not yet enabled or any services added or ID Certificates implemented.
    Here is how I managed it.

    (I did not use the Gateway Assistant, it wants to make the Server the DHCP and NAT.)
    The Netgear router is acting as (a) DHCP & NAT, with address 192.168.1.1 (b) it is assigning addresses in the range of 192.168.1.10 -> 192.168.1.100

    Netgear firmware version is up to date at 1.0.7_1.0.6

    I opened the following ports on the Netgear for port forwarding to the server (I’m going to experiment later, switching them off one-by-one to see if the built-in VPN support claimed by Netgear actually works)

    TCP/UDP 500, 1701, 1723, 4500, 10000

    1. Firstly under System preferences>Network, I set the Built-in Ethernet to a Manual IP address something like 192.168.1.70
    2. I set the PCI Ethernet card to DHCP, it immediately picked up an IP from the Netgear.
    3. Using the application “Server Admin” > VPN, I have set the following settings;
    Tab >L2TP
    Enable L2TP over IPsec
    Starting IP Address 192.168.1.101
    Ending IP Address 192.168.1.150
    PPP Authentication MS-CHAPv2
    Enter a Shared Secret
    Tab >PPTP (I don’t really want PPTP, but L2TP did not seem to want to work until I enabled PPTP as well – strange)
    Enable PPTP
    Starting IP Address 192.168.1.101
    Ending IP Address 192.168.1.150

    Tab > Client Information
    DNS Servers 192.168.1.1 (i.e. the Netgear)

    4. Start the Service

    Now all you have to do is go into “Internet Connect” on your client machine and set up the L2TP connection
    (a) Server Address (is your external IP address, not LAN)
    (b) Account Name (the admin login for the server, until you add users on the server and appropriate ACLs)
    (c) Password (Admin login password)

    An options panel will open and you have to put in the “Shared secret” from step 3.

    Now, save the configuration.

    Connect.

    You should be logged in. If it does not work, try and configure a PPTP session, it will connect, then try the L2TP again, it should now work.

    I hope this is of some help. Good Luck
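
A check of the address plan and port forwards described in the post above, added here as an example and not part of the original thread. The function names are hypothetical, and the per-protocol port table is the standard requirement for L2TP/IPsec and PPTP rather than something stated in the post.

```python
import ipaddress

def ip_range(first, last):
    """Inclusive address range as a set of integers (fine for small LAN pools)."""
    a, b = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    return set(range(a, b + 1))

def check_address_plan(dhcp, pools, statics):
    """Flag statics inside the DHCP pool and pools that overlap DHCP or each other."""
    findings = []
    dhcp_set = ip_range(*dhcp)
    for name, addr in statics.items():
        if int(ipaddress.ip_address(addr)) in dhcp_set:
            findings.append(f"static {name} {addr} is inside the DHCP pool")
    names = sorted(pools)
    for i, n in enumerate(names):
        if ip_range(*pools[n]) & dhcp_set:
            findings.append(f"{n} pool overlaps the DHCP pool")
        for m in names[i + 1:]:
            if ip_range(*pools[n]) & ip_range(*pools[m]):
                findings.append(f"{n} and {m} pools overlap")
    return findings

# Ports each protocol needs forwarded at the NAT router.
REQUIRED = {
    "L2TP": {("udp", 500), ("udp", 1701), ("udp", 4500)},  # IKE, L2TP, NAT-T
    "PPTP": {("tcp", 1723)},  # plus GRE (IP protocol 47), which is not a port
}

def excess_forwards(forwarded, enabled):
    """Forwards that none of the enabled VPN protocols require."""
    needed = set().union(*(REQUIRED[p] for p in enabled))
    return sorted(forwarded - needed)

# Values taken from the post: router DHCP range, VPN pools, manual addresses,
# and "TCP/UDP 500, 1701, 1723, 4500, 10000" forwarded to the server.
DHCP = ("192.168.1.10", "192.168.1.100")
POOLS = {"L2TP": ("192.168.1.101", "192.168.1.150"),
         "PPTP": ("192.168.1.101", "192.168.1.150")}
STATICS = {"server": "192.168.1.70", "router": "192.168.1.1"}
FORWARDED = {(proto, port) for proto in ("tcp", "udp")
             for port in (500, 1701, 1723, 4500, 10000)}

if __name__ == "__main__":
    for finding in check_address_plan(DHCP, POOLS, STATICS):
        print("address plan:", finding)
    for proto, port in excess_forwards(FORWARDED, ["L2TP", "PPTP"]):
        print(f"unneeded forward: {proto}/{port}")
```

A manual address inside the router's DHCP range can be leased to another device, and two VPN services drawing from the same pool can hand the same address to two clients; every forward the enabled protocols do not need is extra exposure on the server.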

    #363845
    nerdtech
    Participant

    I will give this a shot – I was just wondering if you have any other updates to this, since posting these entries.

    I just picked up a Belkin router – and need to get this going, since my static IP is going away. I am planning on using the Belkin router to do the routing/NAT/DHCP, but I do want to be able to VPN in…

    Physically, are all of your LAN stations off of a switch, connected to the LAN port on your server?

    This is what I am thinking, as far as physical set-up goes:

    DSL –[x.x.x.x]–> Router –[192.168.0.x]–> OS X Server –[10.0.0.x]–> Switch –> LAN machines

    Does this make sense? Because the server certainly cannot deal with a dynamic IP straight off of the DSL line.

    Therefore, the router would provide a static IP to the server – and also use DDNS to make sure that the network as a whole is reachable…

    #375041
    neilmcg
    Participant

    To be honest – I have long given up on using the VPN server in OS X – the best solution was to buy a Netgear FVS338 and access it through IPSecuritas.
    I’ve found the speed and reliability flawless.

    You can also connect it to LDAP/Radius if you want to tie access into your user accounts.
