These days Bikerpapa often needs to doctor computers for the clueless secretaries in a remote site about 300 miles away. It’s too far to drive and too expensive to fly for minute IT problems, so Bikerpapa wants to experiment with a VPN solution that allows him to sit at home and fix things right away for those secretaries when something goes wrong. If certain problems can be taken care that way, then Bikerpapa can save his company some travel expenses. And the secretaries get their problems solved much faster, too. Best of all, Bikerpapa can sit at home and diagnose problems with a good cup of latte in his hand. Slow cruisin’ indeed.
The thought of using VPN occurred to me when the remote site finally got a broadband satellite internet connection last week. After some casual usage, I thought it was still a bit slow compared to normal ADSL in the cities but the speed is probably adequate for VPN sessions consisting of low bandwidth tasks such as firing up ssh shells on remote servers that reside on the remote site’s LAN.
In this guide Bikerpapa sets up a remote client to gateway VPN using Mac OS X Tiger 10.4 and the Linksys RV042 VPN router. Since Bikerpapa has never setup a VPN before, he encountered many pitfalls along the way. Now that I’ve got something basic working, I hope this guide that might be of use to some clueless VPN soul somewhere using the same OS and hardware.
- Hookup the VPN router with a real IP address: the Linksys manual doesn’t mention jack about this, but it is extremely important that the VPN router get a real IP address (i.e. an IP address reachable directly from anywhere on the internet) from the ISP instead of the usual 10.0.1.* or 192.168.1.* address obtained by DHCP from a ADSL/Cable Modem with NAT enabled. If your ISP requires PPPoE to establish a session, make sure it is your VPN router doing the PPPoE connection. This case requires you to have installed your ADSL modem running “Bridge mode” (instead of “Router mode”) beforehand. Of course, you will also need to enter the necessary PPPoE info (username, password) into your VPN router. (Don’t worry about the VPN settings just yet. Read on.)
- Which VPN client on Mac OS X? To establish VPN tunnels between a client computer running Mac OS X, and RV042, you need a VPN client on Mac OS X that is capable of doing either IPsec (not the same thing as L2TP over IPsec) or PPTP, since those are the only two VPN protocols that RV042 supports.
- PPTP: The good news is that PPTP is supported by Apple in Mac OS X Tiger’s Internet Connect application. The bad news is that to use PPTP your Mac client computer must not be hidden behind a NAT gateway in order for it to work. Also PPTP is less reportedly less secure than IPsec but for the road warrior who is not likely to establish a VPN connection 24/7 it is probably OK.
-
IPsec: VPN Tracker ($90 USD) by equinux supports IPsec. (A 30-day trial version is available.) The good news is that your Mac client can be behind a NAT gateway and still work, thanks to IPSec. The bad news is that VPN Tracker is quite pricey for what it does
, but probably because there isn’t much competition out there. (Hint to Mac developers!). But I do want to give equinux credit for simplifying the VPN process; the setup is a snap because equinux provide easy-to-follow setup guides for many different VPN routers.
Update: IPsec: IP Securitas 3.0 also works, albeit one needs to play around with the setup to get the software working with RV042. Right now the program is in release candidate and the good news is that it is donation-ware. VPN Tracker is much easier to setup and the phase 1/2 negotiation process seems much faster than IP Securitas 3.0. But once IP Securitas connects, it works fine and that is what I recommend for now since it is free. (I do recommend a donation to keep the authors motivated.)
General:
Remote IPsec Device: remoteserver.ip
Local Side Endpoint Mode: Host
Local Side IP Address:
Remote Side Endpoint Mode: Network
Remote Side Network Address: (e.g.) 192.168.1.0
Remote Side CIDR: 24
Phase 1:
Lifetime: 8 hours
DH Group: 768(1)
Encryption: DES
Authentication: MD5
Exchange Mode: Aggressive
Proposal Check: Strict
Nonce Size: 16
Phase 2:
Lifetime: 8 hours
PFS Group: 768(1)
Encryption: check DES/3DES/AES 256/AES 192/AES 128
Authentication: check HMAC MD5
ID:
Local Identifier: FQDN ( (e.g.) enter "vpntracker" in the blank textbox)
Remote Identifier: Address
Authentication Method: Preshared Key
Preshared Key: (e.g.) secretkey
DNS:
Use default values
Options:
Check only the following: IPSec DOI / SIT_IDENTITY_ONLY / Initial Contact / Generate Policy / Support Proxy / Request Certificate / NAT-T: Disable
Notes:
- The RV042 features a built-in PPTP server but you need to install the latest firmware. (Firmware version 1.3.7.10 or later.)
Questions:
- Can RV042 reside behind a NAT router and VPN would still work?