10.8 Server (VPN Secure Internet Gateway) setup question

I am running Mountain Lion 10.8.4 with Server 2.2.1
I am attempting to setup the server to allow connection to my internal/Private LAN
I have the source (External Internet access)  setup as #1 in the service order (en0)
and the Private network as the secondary (en4)
I followed the steps on http://macminicolo.net/mountainlionvpn and input my own IP's when needed
I am able to connect and authenticate to the vpn and able to get internet access through the vpn
unfortunately I am unable to reach anything on my private LAN
this is my settings in my customNATRules:
nat on en4 from 10.0.0.0/24 to any -> (en4)
pass from {lo0, 10.0.0.0/24} to any keep state
I have the sysctl.conf setup with
net.inet.ip.forwarding=1
I also changed the com.apple in pf.anchors to reflect the instructions above
Network Settings
(en0) My external ip is 192.168.168.4 to my firewall (not giving you my full outside)
and the DNS Server is pointing to itself via 127.0.0.1
(en4) My Private LAN is set with the DNS to my private DNS servers
VLAN is setup with the same settings as the instructions state in the link above and I have the DNS set as 127.0.0.1
DNS Server Settings
I have my DNS server configured with my local hostname with the Vlan, internal ip, and external ip pointing back to the hostname.
I have the forwarding DNS servers configured to my private DNS servers for the private lan and as the 3rd I have 8.8.8.8 for general internet
VPN Server settings
I have the host name and shared secret set
I have 10 IP's for client addresses with the same IP segment as the VLAN
DNS settings I have routed back to the gateway of the vlan
I have one route configured I am using in my private lan to be routed private
is there anything I am missing or setting up incorrectly?   I am struggling at this point and need some help.
if you need any more info please let me know

The instructions on that web page aren't applicable to your case. Don't follow them.

Similar Messages

  • HELP: SPA-3102 Gateway Setup Question

    Hello,
    I would like to set up the SPA-3102 to do the following:
    1.  The adaptor is registered to one SIP account
    2.  The adaptor can make outgoing calls through two or more SIP accounts which are not registered.
    3.  Calls to local numbers and emergency numbers are routed to PSTN
    4.  Calls to SIP phones are routed to the registered SIP account
    5.  Calls to long distance and international numbers are routed to the registered SIP account. 
    6.  If we dial with a prefix, calls to long distance and international numbers are routed to the 2nd SIP account which is not registered.
    Currently, we have 1, 3, 4, and 5 working. But 6 is not working. Is 6 possible?  If so, could someone help me with an instruction of how to set it up?
    Thanks,
    AVS

    You setup the second sip account in one of the gateway fields. Let us assume you are using gateway 1, the sip provider is voipbuster, and your userid is avs. Gateway 1:
    [email protected]
    GW1 Auth ID: avs
    GW1 Password: your_password
    GW1 NAT Mapping Enable: (same as you have on Line tab)
    In the example above the provider's sip proxy is sip.voipbuster.com. In the example above avs and your_password are the userid and password for a specific account at the provider.
    You put a prefix element in the dial plan, let us assume you put #8 for the prefix and wish a 2d dial tone after you dial #8:
    |<#8,xx.<:@gw1>|
    You dial #8 and you get a new dial tone, you dial the number and the number is sent to the gateway provider for call termination. The sip provider that you use must allow you to make calls without registration. Some providers don't allow making calls without registration.
    Message Edited by hw on 06-12-2008 11:45 AM

  • Solaris 10 VPN server/gateway setup

    Hi all,
    I have a V20z running Solaris 10 at home, and I would like to set it up as a VPN server. The Solaris 10 is behind a router with a reserved private IP assigned by DHCP and port forwarding set up for only SSH at the moment. The router has a static external IP.
    I'm not exactly sure what the terms are for what I'm trying to do, but this is basically it:
    When I am out of town or overseas, I want to be able to connect from my laptop running OS X or Linux to my Solaris 10 server at home, and have the S10 server act as a proxy(?) (gateway?) for all the traffic from my laptop; for example, if I was in a place where nytimes.com was blocked and wanted to be able to browse from my laptop by having the Solaris 10 server proxy (transparently) my requests and forward the responses back to me. I hope I'm explaining this ok...
    I have searched a lot online for how to do this, and I have found a lot of info, but nothing that really ties it all together. I'm pretty comfortable working in the shell and doing config stuff, but it would be a huge help if anyone could explain all the pieces I need to snap together to get this working.
    These are my questions:
    1. What is what I have described called? Just "VPN" or "VPN router," or "VPN gateway"?
    2. What software do I need on my Solaris 10 server to do this?
    A lot of what I read pointed me to OpenVPN, but I am not clear if OpenVPN alone would enable me to use the public web via the VPN.
    If not, then what would I need to have on the server to enable incoming requests over the VPN connection to be rerouted to the public internet?
    3. I'm sure I can figure this out if I can just get the server VPN working, but if anyone happens to know, I'd appreciate it:
    Built into OS X Networking Prefs I have the ability to add a VPN interface of either of these 2 types:
         "PPTP"
         "L2TP over IPsec"
    From what I have read so far, it seems like IPsec is likely the only reasonable choice, but the option of "L2TP over IPsec" confuses me since I haven't read that they are required to be used together.
    Will this option work for connecting to my Solaris VPN server or will I need a 3rd-party app?
    Any guidance would be a tremendous help.
    Thanks guys!
    Jamie

    Mobile IP???
    Assuming that you had the right security in place you could have the "Home" box export its display back to the "Roving" box and then just run a web browser over X. Something like SSH with X forwarding.
    alan

  • VPN Server won't route VPN client to gateway

    We have a Windows 7 VPN client that successfully connects with the 2012 VPN server and can access servers and resources on the remote 96.0 LAN; however, the VPN client can not access the 96.1 default gateway and thus no subnets outside of 96.0.
    Use default gateway on remote network is NOT checked, but does not work with it checked either. 
    RRAS on the VPN server does allow for routing IPv4 and is setup to assign addresses via DHCP.

      You probably don't need a static route to get the traffic to the other subnets. Is the VPN router also the router for subnets? If it is, the packets should be delivered directly to any client in an attached subnet. You do have the remotes using their own subnet? If not, Bing or Google off subnet addressing. You need that to be able to route the VPN traffic at the central site.
      What you do need is a static route at the router which is the gateway router for the LAN segment to send the traffic to the VPN server, not to your Internet gateway (which would be the default behaviour. Whether the Internet gateway is the VPN server or another router depends on your network config).
      Exactly how you set it up depends on how your local network is configured. I haven't done that sort of thing lately, but you probably have to use the IP address of the VPN demand-dial interface as the target address of the route command rather than the RRAS internal interface.
    Bill

  • Do I need a security license to setup VPN on router?

    Hi All.
    I'm trying to set up VPN connections on 2 different routers and I'm not sure: do I need a security license to set up a VPN connection on a router?
    First one is 1941-K9 site-to-site.
    Second one is 887G-K9, EasyVPN connection.
    Both of them don't work properly. What do I need to check on both routers to see if they're enabled for VPN connection, maybe some commands as well.
    Thanks in advance.
    Regards,

    yes, for VPN you need a security-license.
    The 1941 should show the following line:
    rtr-01#sh ver | b Technology
    Technology Package License Information for Module:'c1900'
    Technology    Technology-package          Technology-package
                  Current       Type          Next reboot 
    ipbase        ipbasek9      Permanent     ipbasek9
    security      securityk9    Permanent     securityk9
    data          None          None          None
    The 887 comes by default with the "Advanced Security" feature-set. That's all you need for that device.
    Don't stop after you've improved your network! Improve the world by lending money to the working poor:
    http://www.kiva.org/invitedby/karsteni

  • Securing Internet Connection on Internet Gateway Router

    Hi,
    I am looking for some suggestion as to how many different security features that should be implemented on IOS based Internet Gateway Router.
    What are the different ways hackers attack, DoS attack, Worm Attack can be prevented on IOS routers?
    I know it is a broad question, but a list of essential measures on IOS would be helpful.
    Fawad

    Hello,
    I would recommend:
    -Stateful inspection
    -uRPF checks
    -ACL's
    -Connection limits
    With that you will cover the essentials but of course as you know you need way more than a device to protect a network.
    Regards,
    Julio

  • Mountain Lion server vpn setup

    I have OSX Mountain Lion with server.  I use dynamic dns with dyndns.org.  I have a Virgin Media Router in modem only mode connected to a Time Capsule that provides DHCP and NAT.  I have all the correct ports open on the Time Capsule (500, 1701, 1723 and 4500).
    I have set up the Server VPN but every time I try to connect either from within my LAN or externally I get the message:
    The L2TP-VPN server did not respond. Try reconnecting. If the problem continues, verify your settings and contact your Administrator.
    I have tried everything I can think of (including trying VPN Configurator) but cannot get the VPN to work.  Any advice welcome.

    I had the same issue: 
    The L2TP-VPN server did not respond. Try reconnecting. If the problem continues, verify your settings and contact your Administrator.
    PPTP was connecting from a PC without problem but trying to use L2TP (IPSec) from an iMac gave the above message.  I resolved this by:
    I went into Server > VPN and turned the service off for 30 seconds and turned it back on, all working.
    The wonder of OSX Server.  Lots of buggy problems.
    Steve H

  • Can you help me solve my Leopard Server VPN madness?

    Hello all,
    I've been having a devil of a time getting Leopard Server's VPN service to work "properly". None of this is mission critical, as it's simply on a home system I'm using as a nat/dns/dhcp/firewall/mail/web server for my Comcast line (with a static IP). But, it is frustrating, because I currently have a 10.4.11 Server fulfilling the same role. So it seems like Leopard should be able to be made to work. I'm gonna go step by step here with my install process in the hopes that if I'm doing something wrong someone will be kind enough to catch it. Thanks for bearing with me.
    I've installed Leopard Server 10.5 (Mirror door G4, FYI) with the built-in ethernet connected to my Comcast router (with a static external IP). Immediately after 10.5 installs I restart and update everything to 10.5.2, then I install a Sonnet Gigabit NIC, its drivers, and assign it 192.168.3.1, where it will live as my internal router, server, etc. I turn on DNS and setup an internal ".lan" zone that resolves to 192.168.3.1. Pop into Terminal and confirm that rDNS is in fact working, it is. And check that "changeip -checkhostname" resolves itself correctly (to the external IP).
    Next, turn on the NAT service and run the gateway setup assistant. After a reboot I quickly check that my internal clients with static IPs (192.168.3.10, .20, etc) are working and pulling DNS OK, they are. Jump into the Firewall, and for the moment just open it wide up by accepting all connections. At various times during testing I've configured the firewall to exactly match my 10.4 Server firewall, but for the time being I can just leave it open. I create a Firewall group to cover my 192.168.3.x internal network, and another to handle 192.168.3.60/29 to handle the VPN service I'll setup in a sec. Jump over to the DHCP service where by default gateway setup creates a 192.168.1.x DHCP zone. I delete that and create a new 192.168.3.x zone covering .50-.59. Turn DHCP on and confirm it's working, good, it is.
    Now, here is where the VPN fun begins. The last service I turn on is the VPN service (I've alternatively tried letting Gateway Setup activate it, and just doing it myself, with this same result). I configure it to accept L2TP at 192.168.3.60 - .63. Like I said this is a home server, so I don't need a lot of VPN connections. Finally, when I test the VPN from a 10.5.2 Client (MacBook coming in off a neighbor's open wireless network with a 10.0.0.x string) I am able to connect, and I can see/ping/mount/share screen on the server. I can also ping the attached VPN client at 192.168.3.60 from the server. However, I cannot ping or see (In ARD) any other machines on the internal network from the attached VPN client. Likewise from one of the internal systems, say my Mac mini at 192.168.3.10 I cannot ping the attached VPN client at 192.168.3.60. Out of curiosity I've tried doing a rDNS lookup while attached to the VPN and the client isn't able to resolve any of the internal DNS entries.
    So, what gives? As I've mentioned I have exactly this same setup working just fine with Tiger Server. Same NAT, same Firewall, same DNS, and same L2TP VPN setup. For the life of me though, I cannot get attached VPN clients to see the internal network when I put Leopard Server in place. Clearly the internal DNS isn't working for attached VPN clients, although I'm not certain if that is a cause or a symptom. I've setup a network routing definition for the internal private network, which didn't help. I also tried setting up PPTP instead of L2TP, and had the same problem.
    Is anyone having similar problems with Leopard Server's VPN service? If not, could someone hit me with the clue stick and set me right? As I said, in the grand scheme of things this isn't a big deal for me. But, it's just frustrating that I can get so close to updating my home server and just fall short.
    Thanks!

    Your post actually contains the Key to solve the problem and there is not really a big need for going all the way to use the Property List Editor to fork around /etc/ipfilter/ipaddressgroups.plist.
    There has been much written on this problem but basically you see that most is trial and error and this does include myself and my findings in this post, too, but I think I can further narrow down on what CAUSES this problem and how to fix it.
    First off, we are talking about a combination of using NAT (Network Address Translation - bridging an Internet connection on an external network card over to an internal network card), Firewall (which is needed in OS X to have NAT working because the Firewall "helps" NAT by doing its job), DHCP (for providing dynamic IP addresses to clients on the internal network, don't confuse, DHCP is not providing this service to the VPN clients, that is done by the VPN server), and - last but not least - VPN to provide access not only to the server but to any machine on the internal network over the outside network card (aka, giving remote clients a chance to connect to the local network over the public Internet in a safe and nice way).
    OK. The short story: you can do it ALL in Mac OS X 10.5's Server Admin tool. If it fails it is nearly always the Firewall!
    You can check if this is the case for your setup by temporarily opening the Firewall up to not block any traffic: in Server Admin, click on Firewall -> Settings -> Services -> Edit Service for: any and click "Allow all traffic from "any"", save it (and to be 100% sure, stop and restart the firewall). If your clients can NOW connect at least to the server, it was the firewall. Now don't forget to switch off allowing all traffic from any, or you will be left with an open doors server ready for anybody to explore.
    Now what goes wrong in the first place? It appears that the GSA (Gateway Setup Assistant) that is "hidden away" in the NAT settings does something awfully wrong. It will set up all the address groups in the firewall: the any group will remain as it is usually, another one defining the internal network, and a one called VPN-net for VPN.
    What it DOES do wrong here (I am no firewall expert, this is purely trial and error, so please anybody do explain!) is to give the VPN-net exactly the same address range as the internal network. And here seems to be the overall problem.
    When Twintails wrote to add 192.168.3.60/27 as address range for VPN, I realized what he/she did. Writing 192.168.3.60/27 effectively narrows down the address range starting at 192.168.3.33 up to 192.168.3.62. There are millions of subnetmask calculators out on the net, give it a try e.g. here: http://www.subnet-calculator.com/
    So, I looked for what range of address will actually be given out by the VPN server to VPN clients upon connections. Of course you need to make sure that this address range is NOT given out by your DHCP server.
    In my setup, the server is 192.168.1.1, the DHCP server provides addresses from 192.168.1.10 up to 192.168.1.127 (I start with 10 because I have some static addresses for special purposes from 192.168.1.2 to 192.168.1.9). So, this means, anything above 192.168.1.127 is potentially "free" for my VPN connections.
    Next I used the subnetmask calculator to find a narrow address group that matched my purposes. I found 192.168.1.192/26 which effectively gives me a range from 192.168.1.192 to 192.168.1.255 (which is in fact more than I have clients connecting from externally!).
    I went to the Server Admin Tool, and clicked Firewall -> Settings -> Address Group and edited the VPN-net one. First I deleted what was in "Addresses in group" and entered from scratch 192.168.1.192/26. Next - just to make certain because basically this is what Twintails had in his/her post by saying to add a name String with exactly the same information - I overwrote VPN-net by 192.168.1.192/26 and saved. (I THINK that this last step might not really be needed, but I haven't tried).
    Next click Save (basically it should already work, but I always want to be extra sure, so I stopped and immediately thereafter started the firewall again to be 100% certain all new rules are now active).
    And now: it works! Clients can access the server AND the entire local network from remote using VPN.
    One last comment: I have the feeling that (although less safe and less advanced technologically) PPTP works much better for us than L2TP. So I have switched off L2TP support altogether because it simply NEVER really worked. We are using Mac OS X 10.4 and 10.5 to connect to the 10.5 server using this setup.
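
The address planning described in the answer above, as an added example that is not part of the original post: a Python check that the VPN client pool is not handed out by DHCP, that the firewall's VPN-net group is not simply the whole internal network, and what a CIDR entered with host bits (such as 192.168.3.60/27) really spans. The function names, the finding codes and the 192.168.1.200-210 VPN pool are assumptions made for the illustration; the other addresses are the ones quoted in the thread.

```python
import ipaddress as ip


def cidr_span(cidr):
    """Expand a CIDR as a firewall would, even if it was typed with host bits set.

    Returns (network, first_address, last_address); the span includes the
    network and broadcast addresses.
    """
    net = ip.ip_network(cidr, strict=False)
    return net, net[0], net[-1]


def as_pool(first, last):
    """Turn a 'first - last' address range into a comparable pair."""
    a, b = ip.ip_address(first), ip.ip_address(last)
    if a > b:
        raise ValueError(f"pool start {a} is above pool end {b}")
    return a, b


def overlap(p, q):
    """Return the shared (first, last) of two pools, or None if disjoint."""
    lo, hi = max(p[0], q[0]), min(p[1], q[1])
    return (lo, hi) if lo <= hi else None


def audit(lan_cidr, dhcp, vpn, vpn_group_cidr):
    """Check one VPN/DHCP/firewall-group plan; returns a list of (code, detail)."""
    findings = []
    lan = ip.ip_network(lan_cidr, strict=False)
    dhcp_pool, vpn_pool = as_pool(*dhcp), as_pool(*vpn)
    group, g_first, g_last = cidr_span(vpn_group_cidr)

    # The VPN server hands out its own addresses; DHCP must not offer the same ones.
    clash = overlap(dhcp_pool, vpn_pool)
    if clash:
        findings.append(("DHCP_VPN_OVERLAP", f"{clash[0]}-{clash[1]}"))

    # The situation the answer blames: VPN-net defined identically to the LAN group.
    if group == lan:
        findings.append(("GROUP_EQUALS_LAN", str(group)))

    # A narrowed group is only useful if every VPN client address falls inside it.
    if not (g_first <= vpn_pool[0] and vpn_pool[1] <= g_last):
        findings.append(("GROUP_MISSES_POOL", f"{g_first}-{g_last}"))

    # "192.168.3.60/27" is not a network address; show what it really covers.
    if ip.ip_interface(vpn_group_cidr).ip != group.network_address:
        findings.append(("GROUP_HOST_BITS", f"{vpn_group_cidr} means {group}"))

    return findings


if __name__ == "__main__":
    plans = {
        "VPN-net equal to the internal network": (
            "192.168.1.0/24", ("192.168.1.10", "192.168.1.127"),
            ("192.168.1.200", "192.168.1.210"),   # constructed VPN pool
            "192.168.1.0/24"),
        "VPN-net narrowed to 192.168.1.192/26": (
            "192.168.1.0/24", ("192.168.1.10", "192.168.1.127"),
            ("192.168.1.200", "192.168.1.210"),   # constructed VPN pool
            "192.168.1.192/26"),
        "192.168.3.60/27 from the thread": (
            "192.168.3.0/24", ("192.168.3.50", "192.168.3.59"),
            ("192.168.3.60", "192.168.3.63"),
            "192.168.3.60/27"),
    }
    for name, plan in plans.items():
        print(name, "->", audit(*plan) or "no findings")
```
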

  • 10.5 Server : Standard Installation : Newbie Tutorial /  Setup Walk-Through

    Hello all,
    I recently setup OS X Server 10.5 for a client after doing it many times at my home. I could not have possibly done it without the help of this discussion board so thanks to everyone asking and answering questions!
    To help other server newbies easily setup Server 10.5 (as apple claims), I'm hoping to make a basic installation procedure that will always work for newbies. Right now it's not exactly "detailed" - just the basic steps to ensure success.
    Below is my setup procedure that has worked well for me (especially at my house). It's for a Standard installation; and we'll be setting up the server to include Mail (local only), iChat, VPN, File Sharing, iCal, Web Server/Wiki, Apple Remote Desktop access, and Time Machine (may not work well).
    Please let me know if I'm missing something that will help ensure this setup works as perfectly as possible on any system.
    +to help make sure this works, try using all the names i've used below (besides perhaps user names & passwords); like "server.house"+
    *1) Setup Router*
    • ensure router is properly connected to modem/internet
    • router lan address = 10.0.2.1
    • subnet mask = 255.255.255.0
    • dhcp on
    • dhcp server starts at = 10.0.2.9
    • dhcp server ends at = 10.0.2.99
    • dns server (opendns servers) = 208.67.222.222, 208.67.220.220 (not a completely necessary step, but may help ensure it works)
    • port forward to 10.0.2.2 = vpn (udp: 500, 4500; udp/tcp: 50)
    • port forward to 10.0.2.2 = ard (tcp: 5900, 5988; udp/tcp: 3283)
    *2) Install/Setup Server*
    • startup server computer with installation cd and start installation process
    • choose "Standard Installation"
    • setup administrator account with the following settings:
    user name: Administrator
    short name: admin
    password: admin
    • setup network settings (choose manual configuration):
    manual ip address = 10.0.2.2
    subnet mask = 255.255.255.0
    router = 10.0.2.1
    dns server = 10.0.2.2
    search domain = house
    • primary dns server = server.house
    • server name = server
    +choose all the services and let installation complete; wait until desktop loads+
    Verify things are initially okay:
    • Open safari, and type "server.house" in the address bar (ensure wiki appears)
    Good, now:
    • Download latest 10.5 server combo update, install, restart.
    • Run software update until all updates are installed (may require several restarts)
    • Setup a dyndns account for your server, install dyndns software (make sure it's updating via web and the ip address doesn't start with 10.x)
    *3) Setup Server Preferences*
    • open server preferences
    • go to file sharing: turn on file sharing
    • go to vpn: turn on vpn
    shared secret = somethingsecretive
    ip address range = 10.0.2.101 - 10.0.2.199
    • go to users
    • make new user(s) with all options enabled
    +you should now have all services in server preferences enabled (if not, enable them) and user names setup; for good measure, restart the computer again+
    *4) Setup Client Computers*
    +make sure client computers have all software updates installed before proceeding+
    • Open system preferences: network
    • Make a new location called "Server"
    • Set TCP/IP to DHCP
    • DNS Server = 10.0.2.2
    • Search domain = house
    • Click apply
    It's probably a good time to double check that the internet works - open Safari and google something. Good, it works.
    There are two ways to setup the client computers to connect to the server with basically no manual configuration needed:
    First way:
    Go to system preferences: accounts: select user name to associate with server: select "server account" (if available): enter appropriate info for user on server: wait a bit: restart computer
    or (if "server account" isn't available):
    Second way:
    Open finder: applications: utilities: directory utility. once opened, it should automatically find your server. if it doesn't, click the lock, click "plus sign", type = "open directory", server name = server.house, click ok
    • enter appropriate info to connect to server and ensure it's set to automatically setup all services, once finished - restart.
    *5) If the automatic setup didn't work, here's how to manually setup the client workstations:*
    Safari
    • Open Safari and type "server.house" in the address bar, enter user/pass, make sure it connects to wiki.
    iChat
    • add new jabber account
    • jabber id = [email protected]
    • server = server.house
    • port = 5222
    • kerberos = on (you can leave off if you want)
    You can test by connecting to your Jabber account
    VPN
    • open Network in system preferences
    • click lock
    • click "plus sign"
    • interface = VPN
    • vpn type = L2TP over IPSec
    • service name = server
    • server address = your dyndns address
    • click advanced
    • dns server = 10.0.2.2
    • search domain = house
    • click ok
    • click authentication
    • enter user's server password
    • enter "somethingsecretive" in "shared secret"
    • click ok - click apply
    You can test by clicking "connect" - after verified, disconnect.
    _File sharing_
    • Open finder: click "Server" under "Shared"
    • If it connects as guest, click "connect as"
    • enter your server username/password
    Drag a file to and from a folder to make sure file sharing works
    Mail
    • Add new mail account (imap)
    • Incoming mail server = server.house
    • Outgoing mail server = server.house
    • Outgoing authentication = kerberos 5 (or password)
    • user name = [email protected]
    • enter password
    Check to make sure you get the server welcome e-mail and that you can send email to other users on the server.
    *Time Machine* (very problematic at this time)
    • Open Time Machine in System Preferences
    • Click "options"
    • Eliminate as many folders as possible to keep backup times shorter; click done
    • Click "change disk"
    • Select "Server" disk; click "use for backup"
    ** I highly recommend using local SuperDuper! backups and/or Retrospect for networked backups to the server. Other options include the dot mac Backup application or online backups (google it).
    *If you have PCs on your network that you want to be able to connect to the server for file sharing*
    • Open Windows Explorer (my computer)
    • Click tools: map network drive
    • Enter "\\server\public" (or if you setup a user account on the server for the pc user(s) i think you can use "\\server\pcusername" - and follow the next two steps)
    -Click "connect using different user name"
    -Enter pc user account username/password
    • save settings
    Check to make sure the drive shows up and you can move files to/from server
    Helpful info for newbies setting up server 10.5:
    • Apple's Server Resources page with all manuals
    • Probably the most helpful newbie setup discussion
    • Probably the most helpful newbie setup discussion #2
    • Discussion about DNS
    • "Time Machine is a dog... discussion"
    • Manage Central Address Book discussion
    • Leopard to Windows Files Sharing Issues discussion
    • Lynda's 10.5 Server Training Videos (this does cost money and I haven't personally used it, but it looks very helpful)
    I hope that's a good start for people, but I'm sure some setting(s) can be tweaked or I missed something that could make this process go even more smoothly. Lets make this the definitive newbie standard installation setup tutorial.
    -Brian
    corewerkz

    Hi gikku,
    Good idea! I forgot about the web server port forwarding, that will allow the wiki to be seen over the internet.
    One question: what does adding the dyndns address to "Server Admin > web > settings > sites" actually do? I'm not too knowledgeable about Server Admin.
    Thanks,
    Brian
    corewerkz

  • Can not use the Gateway setup assistant

    Hello,
    I want to use the Gateway setup assistant from NAT service.
    My Os X server is in french.
    I have a bug, when setting for VPN from the assistant, I can't continue the setup.
    I click on the "continue" button but nothing happens !
    Is this a bug ? Someone got the same result ?
    Thx to help

    No answer ?
    Perhaps it is a bug in french translation.

  • VPN and Internet Connection Sharing? (bridging remote networks)

    I'd like to try an experiment and some advice from this list will be useful.
    +Summary: Can a Mac with two interfaces activate VPN and Internet sharing simultaneously to bridge two remote networks?+
    I've created a PPTP VPN server on our XServe at work and opened the appropriate ports on our firewall. This and a second location are linked with standard (but fast) ADSL broadband. I can log in from both Mac and Windows VPN clients at an external location and indeed the experience is just like being at work- printers, file servers and other resources (eg networked Filemaker databases) are all visible. Yay.
    Question: Is it possible to extend this concept further by logging onto our VPN with one interface (eg Airport) +and then+ enabling Internet Sharing through the second interface (eg Ethernet)? Will this allow a small network connected through the second interface to all behave as though they are on the work network, with transparent access to fileservers, printers and so on, without each bothering individually with VPNs and so on? I suspect there are physical boxes that will do this, but it would be wonderful to know if I can get a Mac with two NICs to do the same job, acting as a router between the two networks. Are there any limitations to this? I am happy to tweak under the hood if need be. I just need to know if this is possible, even in theory, and what the limitations might be.
    Thanks.

    Hey Nathan...
    My VPN is down at the moment, but I think you're going to have to manually configure all of the "clients" who are sharing the VPN to an IP range that your office uses. When you connect to your VPN, check your network prefs, and you'll see the IP addresses assigned to your VPN are similar to your network at the office. So, in a way, your sharing computer has 2 IP addresses... one from your modem or router at home, and one from the VPN server at the office. It's this 2nd IP address that allows you to appear to be on the network at the office.
    So, if you can find a way to set up your shared clients the same way.... it might work. It will also be VERY helpful if your IP range at home is different from the IP range at the office....192.168... for one...and 10.0.0 for the other. (Whether traffic will pass thru your "sharing server" is a different matter altogether.)
    Now, and I'm really guessing here.. if this works at all... you may be only able to access stuff from the office on your "shared clients" (ie no internet).... the way around that is to set up your VPN to allow VPN clients to pull stuff from the internet from the office thru the VPN... and for the life of me don't remember how that is done. But it will most likely be a bit slow.
    I'd start with the basics... setup one client with a manual IP address/router/dns servers, and try to ping a computer at the office. If this works... at least part of your problem is solved.
    With all that said... it may not work at all. Good Luck!

  • OSX Lion Server VPN and Remote Desktop

    I can connect with vpn to my OSX Lion Server from the internet to my home network.
    With remote Desktop I can reach only the server itself not my other clients in the network.
    With my previous environment based on Snow Leopard server that was no problem.
    What could be the problem?

    I have an answer, but it has taken a long time to figure it out.
    I have a Mac Pro, running behind an Airport Extreme 811N router.  I ran OSX Server 10.6x and after I did the upgrade to 7.5.x firmware on my airport the L2TP service died going thru my router.  I simply switched to the PPTP VPN because it appeared to work fine.  Then I upgraded (or downgraded) to 10.7x Server.  When I did that they got rid of PPTP as an option, and my L2TP connections still did not work.  I went looking online for answers, and found a lot of references to the 7.5.x firmware.  I ran a test to see if I could connect to the VPN internal to the LAN - thereby bypassing the router as an issue.  It worked flawlessly.  It definitely had something to do with the way 7.5.x handles a packet.
    After several trial/error sessions, I figured out that it was the DHCP service on the Airport Extreme that was causing the problem.  For whatever reason if you have DHCP assign the IP address to your VPN server, it will never work.  I took the server out of the DHCP pool, and gave it a static IP.  Once I did that and correctly configured the interface on my server (be sure to setup the DNS correctly if you use static IP) I was able to get the VPN to work flawlessly.  Was even able to turn the Back to my Mac feature back on.
    Don't know if this helps, but I have personally logged 3 days on this problem over the last 2 months.  I am pleased it is resolved.

  • Snow Leopard Server VPN and other Servers

    I am thinking of deploying Snow Leopard Server at work using the Mac MiniServer option. We have a few Macs that we would like to manage their settings with. We also have Active Directory. I plan to use Open Directory with the Mac then use Kerberos for logins.
    My question is if I use the Snow Leopard Server VPN with the Macs, will the users be able to access other resources on the LAN like Active Directory Shares, Exchange, and internal Intranets? Or only the Snow Leopard Server?
    Thanks,
    WillGonz

    It sounds like you will have 2 different Kerberos realms, one in OD and one in AD.
    If you want them to use the same realm (the AD one) you need to look at a "golden triangle" setup.
    If you want to authenticate the VPN connection using Kerberos I suspect you need to be able to reach the KDC server from the Internet before the VPN is up. That would mean it needs to have a public IP and same name as on the LAN(?).
    As an alternative a RADIUS connection for the VPN authentication from the Mac to an AD/RADIUS server might be possible.

  • OS X Server VPN not working

    Hi
    I have had a problem when trying to set up the VPN service on OS X Server.  I use OS X Mountain Lion Server.  The problem is that when I set up the VPN service in the Server app, it won't let me connect to the VPN using my public IP address or outside my network.  It will work if I type in the IPv4 address of the server inside the network.  It just won't work outside the network.  I looked up the port number for OS X Server VPN and did the port-forwarding in the router.  Unless I have the port wrong (which I doubt), why would this not be working?  I am using L2TP to connect to the server but I have also tried PPTP and that did not work either.  I think that the problem must be something with getting the VPN on the internet since it works perfectly fine inside the network.
    Thanks for any help. 
    Michael

    If you have a port-mirroring switch (I use a Netgear GS105E), it is very handy.
    This is the typical configuration for a VPN. Let us assume L2TP.
    VPN Client (L2TP) -> WAN Router/Firewall (Outside) -> LAN Port Forwarding (inside) -> VPN Server (LNS = OS X server).
    You may not be able to decrypt packets, but you can see outer headers. If the WAN Router/Gateway has port mirroring functions, you can watch incoming packets at the WAN Interface. The Router/Gateway should just forward packets to the designated Port/IP.
    If the packets make it past the Router/Gateway,  the Server configuration should be checked. Temporarily, you can turn off the firewall and see if you can get to the OS X server. It will help in pinpointing where the issue might be. Shared secrets should also be checked.
    If you are able to VPN from inside, it is a very strange configuration. Usually coming from inside to inside is not permitted.
    If the clients and servers use the same intranet addresses, for example the client uses 192.168.x.x and the server is also on 192.168.x.x, you will run into issues. You may need to reserve address space for VPN clients.
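
The address-overlap problem raised in this reply (and in the earlier advice to keep the home and office IP ranges different) can be checked before deploying. The following is an added example, not part of the original posts; the function names, finding codes and all addresses are constructed for illustration, and the check that the VPN client pool stays out of the DHCP pool is an assumed reading of "reserve address space for VPN clients".

```python
import ipaddress

def pool_blocks(first, last):
    """Expand an inclusive first-last address pool into CIDR blocks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))

def overlaps(blocks_a, blocks_b):
    """True if any block in one list shares addresses with any in the other."""
    return any(a.overlaps(b) for a in blocks_a for b in blocks_b)

def check_vpn_addressing(client_lan, server_lan, vpn_pool, dhcp_pool):
    """Return (code, message) findings for a planned VPN address layout.

    client_lan / server_lan are CIDR strings; vpn_pool / dhcp_pool are
    (first, last) tuples on the server side. All names are hypothetical.
    """
    client = [ipaddress.ip_network(client_lan, strict=False)]
    server = [ipaddress.ip_network(server_lan, strict=False)]
    vpn = pool_blocks(*vpn_pool)
    dhcp = pool_blocks(*dhcp_pool)
    findings = []
    if overlaps(client, server):
        # The client's own LAN route covers the office addresses, so traffic
        # for office hosts never enters the tunnel.
        findings.append(("LAN_OVERLAP",
                         f"{client_lan} and {server_lan} share addresses"))
    if overlaps(vpn, dhcp):
        # A VPN client can be handed an address DHCP also leases out.
        findings.append(("POOL_NOT_RESERVED",
                         "VPN client pool collides with the DHCP pool"))
    if overlaps(vpn, client):
        # The tunnel address would look local to the remote network.
        findings.append(("POOL_IN_CLIENT_LAN",
                         "VPN client pool falls inside the client's LAN"))
    return findings

if __name__ == "__main__":
    # Constructed sample plans: same /24 on both sides, then a separated layout.
    bad = check_vpn_addressing("192.168.1.0/24", "192.168.1.0/24",
                               ("192.168.1.200", "192.168.1.209"),
                               ("192.168.1.100", "192.168.1.220"))
    good = check_vpn_addressing("192.168.1.0/24", "10.0.0.0/24",
                                ("10.0.0.240", "10.0.0.249"),
                                ("10.0.0.100", "10.0.0.199"))
    for code, msg in bad:
        print(code, "-", msg)
    print("separated layout findings:", good)
```
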

  • There is a problem with the server's security certificate. The security certificate is not from a trusted certifying authority. SAP Business One is unable to connect to the server

    Hello,
    I have an issue with connecting client SB1H on Windows, the scenario is as follows:
    1.- Server:
         Suse Linux Enterprise Server 11.3 kernel version: 3.0.76-0.11 IBM
         NDB and Server are review 69 SP06
    2.- Client:
         Windows 8 Pro Virtual Machine on Microsoft Hyper-V
         SB1H PL 11 version 32bits    
         SAP HANA Studio version 1.0.60
    When I run SB1H the following message appears:
    There is a problem with the server's security certificate. The security certificate is not from a trusted certifying authority. SAP Business One is unable to connect to the server.
    Any idea what could be the solution?

    Hi,
    Please check SAP notes:
    1993392 - Server components setup wizard: New default values for certificates and single sign-on option
    1929288 - Do not configure SSL for XApp during installation or upgrade if XApp is installed on a different machine than the SAP HANA server
    Thanks & Regards,
    Nagarajan
