This scenario includes a VPN server that is running Microsoft Windows Server 2003.īecause of the way that network address translators translate network traffic, you may experience unexpected results when you put a server behind a network address translator and then use IPsec NAT-T. Therefore, if your virtual private network (VPN) server is behind a network address translator, by default, a Windows-based VPN client cannot make a L2TP/IPsec connection to the VPN server.
I used these steps successfully to configure a client's computer for VPN connectivity to a Mac server.īy default, Windows no longer supports IPsec NAT-T security associations to servers that are located behind a network address translator. I extracted this info from a Microsoft Knowledge Base article.
I haven't worked with Windows 8, but shown below are the steps to configure a Windows 7 client for connecting via VPN to OS X Server.
I've never seen a universal recipe for this, and - given the differences in networking gear - don't expect to see such a recipe anytime soon. TL DR: Learn a little (more) about IP and VPNs, and figure out how your VPN client, your VPN server, and your gateway-router-firewall and other intervening firewalls all play together. The IP routing gets confused, and the VPN won't work or won't work reliably. (If you're on a business-class service tier with your ISP, you can ignore this.)ĭiscussions of ports and protocols used for VPNs are common here in the discussion forums see here, here and here, among other discussions.Īnd FWIW, I don't know, nor particularly use, nor have any recommendations for Windows VPN clients.įWIW: Do not use 192.168.0.0/24 nor 192.168.1.0/24 on your private network, as VPNs use IP routing, and IP routing does not appreciate finding the same IP subnet on both ends of the VPN connection.
There are ISPs that block server-oriented ports on the residential service tier. This requires a mid-grade gateway-router-firewall device, or higher, though those are getting cheaper all the time.Īlso ensure your ISP is not blocking VPN connections. NAT passthrough is something best avoided, and for various reasons. Use of an external gateway-firewall-router with an embedded VPN server is also something I've often recommended. (NAT and VPNs inherently work at cross purposes, and multiple L2TP connections tend to get tangled at the NAT device.)Īs compared with L2TP, PPTP is usually much easier to get going around NAT, though it's also less secure. It is common for L2TP passthrough to fail when more than one connection is active. Note that protocols and ports are different, and some gateway-firewall-router devices can manage and process protocols and VPN pass-through configurations correctly, and some (many?) can't. L2TP expects UDP port 500, UDP port 1701 and UDP port 4500 when behind NAT.IPSec expects UDP port 500 and ESP (protocol 50) for site to site non-NAT.PPTP expects GRE (protocol 47) and TCP port 1723.With OS X Server, you can create profiles to load into OS X systems and iOS systems, but I'm not aware of an analog for creating and loading profiles into Windows that capability exists, but not AFAIK generally from OS X or OS X Server systems.ĭepending on the exact set-up of the network and the particular VPN technology,įor VPN pass-through, I usually end up opening and forwarding the VPN ports from Apple's TS1629 well-known IP ports list manually: In summary, this is trial-and-error, and you'll need to look at each of the parts and determine the proper configuration, This depends on your ISP (some block VPN protocols), on your gateway or firewall (some implement VPN pass-through, some implement VPN servers and usually make this easy, and some just get in the way and block specific ports or protocols), and on the set up of the OS X Server, and on which VPN client you're using.