
Lesson 4. Setting Up Gateway Services > Virtual Private Networking

Virtual Private Networking

A virtual private network (VPN) provides a solution for encrypting transactions. VPN is a way to use an unsecure network, such as the Internet, as the transit for private network traffic. This traffic remains private because the transactions are encrypted. The result is that you can remotely connect to a private network as if the remote computer were attached directly to that private network.

With a VPN, your organization can securely connect branch offices over the Internet, allow verified remote mobile users to access private resources from any connection on the Internet, and link multiple LANs together over great distances.

Once the VPN service is configured, users create the tunnel by opening a connection. In Mac OS X, this is usually done with Internet Connect with the VPN client configured to contact the VPN server. Once a connection is made to the server over an unsecure connection, the user is prompted to authenticate. After the user authenticates properly, the VPN server issues the client a new IP address within the range of the secure network. At that point, all further private network transactions are routed through the tunnel using the new IP address.

Basic VPN Configuration

Before configuring VPN, you need to decide on the authentication method you will use. MS-CHAPv2 authentication is a fairly simple user name/password model that authenticates using a hash of the user's password. However, this challenge/response means of authenticating may not provide the level of security your organization requires.

As an additional measure of security, you can use other authentication methods that provide a more robust level of security, such as two-factor authentication, where the password is a combination of something the user has (a token) and something the user knows (a personal identification number, or PIN), or Kerberos authentication if your Mac OS X server is acting as a Kerberos Key Distribution Center (KDC).

If you choose to use an authentication method other than the default MS-CHAPv2 method, you will need to follow the configuration instructions from the author of that method. Typically this involves copying configuration or preference files from the server running the method, then manually changing the VPN settings (the AuthenticatorEAPPlugins and AuthenticatorProtocols keys) so that the VPN service uses those files to read information from that server. If you plan to use the default authentication method, you can skip this process and proceed to enable the transport protocols.


See http://rsasecurity.agora.com/rsasecured/guides/imp_pdfs/MacOSX_ACE_51.pdf for an example of the type of configuration necessary to enable alternate authentication methods for VPN.

To enable and configure VPN service, choose VPN from the Computers & Services list in Server Admin and click Settings. You'll see two tabs representing your two choices for a transport protocol: Layer Two Tunneling Protocol (L2TP) and Point-to-Point Tunneling Protocol (PPTP). Your choice of transport protocols depends on the client operating systems you want to support. Although PPTP is more compatible, L2TP has more robust security. The configuration for VPN is stored in /Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist.

Each of these tabs permits the entry of an IP address range. L2TP has the stronger authentication scheme, the ability to define a shared secret (eight or more alphanumeric characters with punctuation), and the ability to allocate a range of IP addresses that will be given to VPN clients.

Under PPTP, you select the encryption key and allocate a range of IP addresses.


If the IP address range that you define is not already served by a DHCP server, you will need to go to the Client Information pane and define the network mask and DNS server that will be given out with the IP address by the VPN service. Furthermore, if both L2TP and PPTP are used, make sure that both protocols use separate, nonoverlapping IP address ranges.

VPN Client Information Configuration

In the Client Information pane, you need to create network routing definitions if you want the users connecting to you to have access to various networks. In the image below, the first two definitions specify that connections to the range and the range will be routed to the private network, and the private DNS server will handle DNS requests. The third definition specifies that connections to the range will be public and the VPN server, which in this case is also the public DNS server, will handle DNS requests.

Troubleshooting VPN

Once you have configured the VPN service in Server Admin, you use netstat to verify that the routing tables were built accurately. On the command line, type netstat -rn to view the routing tables and verify custom network routing definitions. You can also type netstat -an to view the state of all sockets and verify that UDP port 500 is listening for requests.
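The two netstat checks above can be scripted so they run the same way after every configuration change. This is an added example, not part of the lesson; the netstat output embedded here is constructed to look like a Mac OS X Server running L2TP (UDP 500 is the IKE listener the lesson asks you to confirm), and the route destinations are sample values.

```sh
#!/bin/sh
# Added example: verify the VPN listener and custom routes from netstat output.

# Constructed sample of `netstat -an` (UDP 500 and 1701 bound on all addresses).
SAMPLE_SOCKETS='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.22                   *.*                    LISTEN
udp4       0      0  *.500                  *.*
udp4       0      0  *.1701                 *.*'

# Constructed sample of `netstat -rn` (Internet routing table only).
SAMPLE_ROUTES='Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.0.2.1          UGSc       10        0    en0
10.1/16            10.1.0.1           UGSc        0        0    en1
127                127.0.0.1          UCS         0        0    lo0'

# Return 0 when a UDP socket bound to the given port on any address appears on stdin.
udp_listening() {
    awk -v port="$1" '$1 ~ /^udp/ && $4 == ("*." port) { found = 1 } END { exit !found }'
}

# Return 0 when a route whose Destination column matches the argument appears on stdin.
# Pass the destination exactly as netstat prints it (e.g. 10.1/16).
route_present() {
    awk -v dest="$1" '$1 == dest { found = 1 } END { exit !found }'
}

# Wrappers that feed the embedded samples; on a live server use
#   netstat -an | udp_listening 500      and      netstat -rn | route_present 10.1/16
check_sample_ike()   { printf '%s\n' "$SAMPLE_SOCKETS" | udp_listening 500; }
check_sample_route() { printf '%s\n' "$SAMPLE_ROUTES" | route_present "$1"; }

check_sample_ike && echo "UDP 500 is listening"
check_sample_route 10.1/16 && echo "route to 10.1/16 is present"
```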

In Mac OS X running the VPN client, you can review the state of the pppd process to verify that you are receiving the correct parameters from the server. For example, typing ps -auxww | grep pppd will show you the specific configuration used by the VPN session. You can also use tcpdump to view the packets before and after they are encrypted.

The VPN logs provide a good starting point for troubleshooting; you can view them in Server Admin. You can set the detail level for the logs in the Logging pane as either nonverbose (indicate only conditions that require immediate attention) or verbose (indicate all activity). You can also customize the schedule to archive the logs.
