[macosx-unix] VPN/Firewall 10.4.7(server)
Isaac Levy
ike at lesmuug.org
Sat Sep 9 13:56:07 EDT 2006
Hi All,
I just solved a problem for a client this week with a VPN and a
firewall/router; the problem had two parts. I'm no expert in VPNs,
but my experience here could help.
--
The first part was pretty tricky, one end of the VPN subnet sits
behind a NAT.
IPSEC traffic runs at layer 3 (where routing and switches usually run
the show), it's lower level than TCP or UDP in the network stack.
Therefore, we had to set up their router/firewall behind the NAT
(behind a Cisco PIX), so that it would forward ESP (or AH) packets
to our subnet router.
I don't know that this part will be relevant to your setup; I guess
it only would if your Mac itself is set up with some funky NAT. The
ESP and AH packets are below the firewall's reach.
http://doc.m0n0.ch/handbook/ipsec-behindfirewall.html
--
Then, we had to open up port 500 for UDP packets for ISAKMP and
IKE, an important part of how VPN tunnels are formed. Opening up
port 500 using ipfw is the easy part on your Mac, or you could even
use the Firewall panel in System Preferences to open it up.
http://www.networksorcery.com/enp/protocol/isakmp.htm
http://www.networksorcery.com/enp/protocol/ike.htm
Hope this helps-
Best,
.ike
On Sep 8, 2006, at 10:21 AM, Brian Redman wrote:
> Search for VPN in <http://docs.info.apple.com/article.html?artnum=106439>
> and try opening the indicated ports.
>
> ber
>
> On Sep 8, 2006, at 7:44 AM, Stephen Meli wrote:
>
>> This is what ipfw is showing me:
>>
>> 12317 allow log logamount 1000 tcp from any to any dst-port 1723
>>
>>
>> On 9/8/06 12:14 AM, "Brian Redman" <ber at easthouston.org> wrote:
>>
>>> Hello, Stephen. I don't know squat about VPN but...
>>>
>>> When you enable your firewall, what does "ipfw list" show? If
>>> there's nothing obvious you can start deleting rules until you can
>>> make the connection, then add them back to find which of them
>>> prevented it.
>>>
>>> ber
>>>
>>> On Sep 7, 2006, at 10:17 PM, Stephen Meli wrote:
>>>
>>>> Hi,
>>>>
>>>> Was just wondering if anyone can help me resolve a VPN/Firewall
>>>> issue. I am trying to make an outgoing VPN connection, and with
>>>> the OS X firewall enabled I am not able to do so. If I disable
>>>> the firewall I can make the connection with no issues.
>>>>
>>>> As far as my firewall settings go, I have the VPN PPTP set to
>>>> allow TCP on port 1723, which is the port I need to use. I went
>>>> into the advanced tab and tried setting up an allow action for
>>>> port 1723 as well, but that didn't work either. Any help would
>>>> be appreciated.
>>>>
>>>> Thanks,
>>>> Stephen
>>>>
>>>>
>>>> _______________________________________________
>>>> macosx-unix mailing list
>>>> macosx-unix at lesmuug.org
>>>> http://lesmuug.org/mailman/listinfo/macosx-unix
>>>>
>>>
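Added example for this thread, not code from any of the posters. It covers both the PPTP case in Stephen's question and the IPsec case in Isaac's answer: it prints the ipfw rules a 10.4 client needs for an outbound VPN to survive "Firewall: On", and it reads "ipfw list" output and reports which of those rules is missing. The point it makes is the one the thread circles around: PPTP is TCP 1723 plus GRE (IP protocol 47), and IPsec is IKE on UDP 500 (and UDP 4500 when NAT-T is involved) plus ESP (50) and AH (51). GRE, ESP and AH have no port, so a "port 1723" or "port 500" rule by itself passes only the control channel, and ipfw can match them by protocol name ("gre", "esp", "ah"). The rule numbers 12300-12313 are placeholders I chose, the sample "ipfw list" output is constructed from the rule Stephen quoted, and the helper names are my own.

```sh
#!/bin/sh
# Added example for this thread (not code from any of the posters).
# Generates the ipfw rules a Mac OS X 10.4 client needs for an outbound
# PPTP or IPsec VPN, and checks "ipfw list" output for the rule people
# forget: PPTP = TCP 1723 *plus* GRE (IP proto 47); IPsec = IKE on
# UDP 500 (UDP 4500 with NAT-T) *plus* ESP (50) / AH (51). GRE, ESP and
# AH carry no port, so a port rule alone only opens the control channel.
#
# Assumptions: rule numbers 12300-12313 are placeholders and must sort
# before whatever deny rules the System Preferences panel generated on
# your box (read "ipfw list" first). SAMPLE_LIST is constructed from the
# rule quoted in the thread.

# Print "add ..." lines (ipfw batch-file syntax) for one VPN type.
# Pure output: nothing is applied to the running firewall.
vpn_ipfw_rules() {
    case "$1" in
        pptp)
            printf '%s\n' \
                'add 12300 allow tcp from any to any dst-port 1723 keep-state' \
                'add 12301 allow gre from any to any'
            ;;
        ipsec)
            printf '%s\n' \
                'add 12310 allow udp from any to any dst-port 500 keep-state' \
                'add 12311 allow udp from any to any dst-port 4500 keep-state' \
                'add 12312 allow esp from any to any' \
                'add 12313 allow ah from any to any'
            ;;
        *)
            echo "usage: vpn_ipfw_rules pptp|ipsec" >&2
            return 2
            ;;
    esac
}

# Read "ipfw list" output on stdin and print, space separated, the allow
# rules missing for VPN type $1. Exit 0 if nothing is missing, 1 otherwise.
vpn_ipfw_missing() {
    list=$(cat)
    missing=""
    need() {  # need LABEL REGEX: record LABEL unless an allow rule matches REGEX
        printf '%s\n' "$list" | grep -Eq "^[0-9]+ +allow .*$2" \
            || missing="${missing:+$missing }$1"
    }
    case "$1" in
        pptp)
            need tcp/1723 'tcp from .* dst-port 1723( |$)'
            need gre      'gre from '
            ;;
        ipsec)
            need udp/500  'udp from .* dst-port 500( |$)'
            need udp/4500 'udp from .* dst-port 4500( |$)'
            need esp      'esp from '
            need ah       'ah from '
            ;;
        *)
            echo "usage: vpn_ipfw_missing pptp|ipsec < ipfw-list-output" >&2
            return 2
            ;;
    esac
    [ -n "$missing" ] || return 0
    printf '%s\n' "$missing"
    return 1
}

# Load the rules for $1 into the live firewall (needs root) using ipfw's
# batch-file mode, so they go in as one pass rather than rule by rule.
vpn_ipfw_apply() {
    tmp=$(mktemp /tmp/vpn-ipfw.XXXXXX) || return 1
    vpn_ipfw_rules "$1" > "$tmp" || { rm -f "$tmp"; return 2; }
    ipfw -q "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample "ipfw list" output: the rule quoted in the thread.
# The PPTP control channel is allowed, GRE is not.
SAMPLE_LIST='12317 allow log logamount 1000 tcp from any to any dst-port 1723'

case "${1:-}" in
    show)  vpn_ipfw_rules "$2" ;;
    check) ipfw list | vpn_ipfw_missing "$2" ;;
    apply) vpn_ipfw_apply "$2" ;;
    demo)  printf '%s\n' "$SAMPLE_LIST" | vpn_ipfw_missing pptp ;;
esac
```

Run it as "sh vpn-ipfw.sh check pptp" on the Mac that will not connect; for the rule set in the thread it prints "gre", which is exactly what the System Preferences "TCP 1723" entry cannot express. "show ipsec" prints the rules for Isaac's case, and "apply TYPE" loads them (as root). Before applying, confirm with "ipfw list" that the placeholder numbers land ahead of the panel's deny rules, since ipfw takes the first match.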