
How do I properly route VPN traffic past two firewalls?

  • Network setup: DSL Modem/Gateway/Router(FW1) >> Router(FW2) >> VPN Server
  • Ports open on both routers/firewalls:
    • L2TP (UDP 500, 1701, 4500)
    • PPTP (TCP 1723)

FW1: 192.168.1.x FW2: 192.168.2.x (VPN server is on this network)

Am I missing support for other protocols through the firewall (non-port related)? If I DMZ FW2 from FW1, then the user can connect. <-- Is this the only solution?

2 Answers


Using double NAT causes problems with VPN and is bad practice in general. I would remove FW2 or change it to bridge mode. Either way, you need to eliminate the double NAT situation.

MDMarra
  • Apologies for the belated response. Double NAT was indeed the issue. Fixed now. Of course, the server died as soon as I got this figured out. Off to new challenges. – Crusty Barnacle Sep 09 '12 at 17:37
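A quick way to check for the double-NAT condition this answer points at, as an added example (not code from the answer or from either poster): count the private-range gateways a traceroute from the VPN client passes before it reaches a public address, and check whether the inner router's own WAN address is private. The hop lists and addresses below are constructed for illustration; the only assumption is that a router whose WAN side sits in a private or carrier-shared range has another NAT device in front of it.

```python
"""Detect double NAT from a traceroute hop list and a router's WAN address.

Added example for this thread, not code from the answer. RFC 1918 private
ranges and the RFC 6598 carrier-shared range only appear behind a
translating device, so each distinct gateway in those ranges before the
first public hop is a NAT candidate. The traces below are constructed.
"""
import ipaddress

# Address ranges that are never routed on the public Internet
NAT_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("100.64.0.0/10"),   # RFC 6598 shared address space (carrier NAT)
]


def behind_nat(addr):
    """True if addr is in a range that must be translated to reach the Internet."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NAT_RANGES)


def nat_layers(hops):
    """Count distinct private-range gateways before the first public hop.

    Hops that timed out ("*") are skipped. Counting stops at the first
    public address, because everything after it is the ISP's path. This is
    a hint only: a plain router without NAT also shows up as a private hop,
    so confirm with upstream_nat() on the inner router's WAN address.
    """
    seen = []
    for hop in hops:
        if hop == "*":
            continue
        if not behind_nat(hop):
            break
        if hop not in seen:
            seen.append(hop)
    return len(seen)


def upstream_nat(router_wan_ip):
    """True if the router's WAN address is itself private: something in front of it is NATing."""
    return behind_nat(router_wan_ip)


def diagnose(hops):
    """Summarise the trace for a human reader."""
    n = nat_layers(hops)
    if n >= 2:
        return f"double NAT ({n} private gateways before the Internet)"
    if n == 1:
        return "single NAT"
    return "no NAT detected"


# Constructed traces: client on FW2's 192.168.2.x LAN, FW1 on 192.168.1.x,
# then documentation-range public addresses standing in for the ISP.
DOUBLE_NAT_TRACE = ["192.168.2.1", "192.168.1.1", "203.0.113.1", "198.51.100.7"]
SINGLE_NAT_TRACE = ["192.168.1.1", "*", "203.0.113.1"]

if __name__ == "__main__":
    print(diagnose(DOUBLE_NAT_TRACE))
    print(diagnose(SINGLE_NAT_TRACE))
    # FW2's WAN address in the question is on FW1's 192.168.1.x network
    print("FW2 has a NAT device upstream:", upstream_nat("192.168.1.50"))
```

The WAN-address check is the conclusive one: if the inner router gets a 192.168.1.x address from the outer one, both devices are translating, which is exactly the setup the question describes. Bridging FW2 or putting the modem into bridge mode, as the answer suggests, removes one of those two layers.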

Maybe you should start by checking /private/var/log/ppp/ on the client and /var/log/ppp/vpn.log on the server.

Also, the official documentation notes: "When configuring VPN, make sure the firewall allows VPN traffic on needed ports with the following settings: Enable GRE, ESP, VPN L2TP (port 1701), and VPN ISAKMP/IKE (port 500)." (http://manuals.info.apple.com/en_US/NetworkSvcs_v10.6.pdf)

It might be related to those two protocols, so: GRE and ESP.

Florian Bidabé
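The point of this answer is that GRE (IP protocol 47) and ESP (IP protocol 50) carry no port number, so a router that only offers "port forwarding" can pass UDP 500/1701/4500 and TCP 1723 and still block the tunnel payload. The following added example (not code from the answer or from Apple's documentation) models the allowances on FW1/FW2 as protocol/port pairs, reports what L2TP/IPsec and PPTP still need, and renders the gaps as iptables FORWARD rules for a Linux-based router. The VPN server address is a constructed placeholder.

```python
"""Check a VPN firewall rule set for the protocols that ports alone do not cover.

Added example for this thread, not code from either answer. Port-less
entries are IP protocols identified by number in the IP header; most
consumer routers have no "forward" for them, which is why the PPTP control
channel connects and then the tunnel silently fails.
"""
from dataclasses import dataclass
from typing import Optional

# What each VPN flavour needs through a filtering router
REQUIREMENTS = {
    "L2TP/IPsec": [
        ("udp", 500),    # ISAKMP / IKE
        ("udp", 4500),   # IKE NAT traversal (UDP-encapsulated ESP)
        ("udp", 1701),   # L2TP itself
        ("esp", None),   # IP protocol 50, no port
    ],
    "PPTP": [
        ("tcp", 1723),   # PPTP control connection
        ("gre", None),   # IP protocol 47 carries the PPP tunnel
    ],
}

IP_PROTO_NUMBERS = {"gre": 47, "esp": 50}


@dataclass(frozen=True)
class Rule:
    proto: str                  # "tcp", "udp", "gre", "esp"
    port: Optional[int] = None  # None for port-less protocols


def missing_rules(rules, vpn_type):
    """Return the (proto, port) pairs vpn_type needs that `rules` do not allow."""
    allowed = {(r.proto.lower(), r.port) for r in rules}
    return [need for need in REQUIREMENTS[vpn_type] if need not in allowed]


def iptables_forward_lines(missing, server_ip):
    """Render iptables FORWARD rules that close the gaps on a Linux router."""
    lines = []
    for proto, port in missing:
        if port is None:
            # -p gre / -p esp match on the IP protocol number; there is no --dport
            lines.append(f"iptables -A FORWARD -p {proto} -d {server_ip} -j ACCEPT")
        else:
            lines.append(
                f"iptables -A FORWARD -p {proto} --dport {port} -d {server_ip} -j ACCEPT"
            )
    return lines


# Constructed rule set mirroring the question: only the listed ports were opened
QUESTION_RULES = [Rule("udp", 500), Rule("udp", 1701), Rule("udp", 4500), Rule("tcp", 1723)]

if __name__ == "__main__":
    server = "192.168.2.10"  # placeholder address for the VPN server behind FW2
    for vpn in REQUIREMENTS:
        gaps = missing_rules(QUESTION_RULES, vpn)
        print(vpn, "missing:", gaps)
        for line in iptables_forward_lines(gaps, server):
            print("  ", line)
```

Run against the question's own port list, the checker reports ESP missing for L2TP/IPsec and GRE missing for PPTP; with those two protocol rules added on both routers it reports nothing, which is the same state the "DMZ FW2" workaround reaches by passing everything.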