| 1 |
On Monday 15 May 2017 20:57:50 Kai Krakow wrote: |
| 2 |
> > Of course the server will have to be accessible over port 500 for the |
| 3 |
> > clients to be able to get to it, but this is a port forwarding/DMZ |
| 4 |
> > network configuration exercise at the server end. |
| 5 |
> |
| 6 |
> Oh wait... So I need to forward port 500 and 4500 so NAT-T does work |
| 7 |
> properly? Even when both sides are NATed? I never got that to work |
| 8 |
> reliably for one side NATed, and it never worked for both sides NATed. |
| 9 |
> And my research in support forums always said: That does not work... |
| 10 |
|
| 11 |
Well, I haven't presented a complete topology of a proposed network |
| 12 |
architecture because I don't know what the OP's set up is. I assumed in the |
| 13 |
above statement that the VPN gateway is running on the same (probably NAT'ed) |
| 14 |
server as the ftp service. Therefore port 500 won't be accessible from the |
| 15 |
Internet unless forwarded. If the VPN gateway is public facing then no port |
| 16 |
forwarding is necessary. Site to site IPSec VPN needs only port 500 to set up |
| 17 |
the tunnel. |
| 18 |
|
| 19 |
I have used mobile clients to VPN gateway connections, using IPsec tunnels |
| 20 |
with the client side NAT'ed and the link was very reliable. Even when the |
| 21 |
mobile clients were connected using unreliable WiFi the tunnel would be re- |
| 22 |
established when the WiFi link connectivity was restored. Key to keeping the |
| 23 |
connection up is to enable Dead-Peer-Detection, or set up some regular ping |
| 24 |
between the peers if either side does not support DPD. IKEv2 is better than |
| 25 |
IKEv1 and it also allows client roaming (MOBIKE). |
| 26 |
|
| 27 |
Anyway, this is probably getting off topic. Lee, please start a new thread |
| 28 |
with VPN specific questions if you need help to get it going. There are quite |
| 29 |
a few examples on the interwebs for configuring OpenVPN and various |
| 30 |
implementations of IKE/IPSec VPNs. For the latter I recommend StrongSwan |
| 31 |
which has extensive documentation and example configurations. |
| 32 |
|
| 33 |
Saying all this, I would still stick with ftps/filezilla and get the users |
| 34 |
trained. When things don't work troubleshooting ought to be simpler. ;-) |
| 35 |
|
| 36 |
-- |
| 37 |
Regards, |
| 38 |
Mick |
Archives