
VPN using Mac OS X and Linksys RV042

January 17, 2007

These days Bikerpapa often needs to doctor computers for the clueless secretaries in a remote site about 300 miles away. It’s too far to drive and too expensive to fly for minute IT problems, so Bikerpapa wants to experiment with a VPN solution that allows him to sit at home and fix things right away for those secretaries when something goes wrong. If certain problems can be taken care of that way, then Bikerpapa can save his company some travel expenses. And the secretaries get their problems solved much faster, too. Best of all, Bikerpapa can sit at home and diagnose problems with a good cup of latte in his hand. Slow cruisin’ indeed.

The thought of using VPN occurred to me when the remote site finally got a broadband satellite internet connection last week. After some casual usage, I thought it was still a bit slow compared to normal ADSL in the cities but the speed is probably adequate for VPN sessions consisting of low bandwidth tasks such as firing up ssh shells on remote servers that reside on the remote site’s LAN.

In this guide Bikerpapa sets up a remote client to gateway VPN using Mac OS X Tiger 10.4 and the Linksys RV042 VPN router. Since Bikerpapa has never set up a VPN before, he encountered many pitfalls along the way. Now that I’ve got something basic working, I hope this guide might be of use to some clueless VPN soul somewhere using the same OS and hardware.

  • Hook up the VPN router with a real IP address: the Linksys manual doesn’t mention jack about this, but it is extremely important that the VPN router get a real IP address (i.e. an IP address reachable directly from anywhere on the internet) from the ISP instead of the usual 10.0.1.* or 192.168.1.* address obtained by DHCP from an ADSL/Cable Modem with NAT enabled. If your ISP requires PPPoE to establish a session, make sure it is your VPN router doing the PPPoE connection. This case requires you to have installed your ADSL modem running “Bridge mode” (instead of “Router mode”) beforehand. Of course, you will also need to enter the necessary PPPoE info (username, password) into your VPN router. (Don’t worry about the VPN settings just yet. Read on.)
  • Which VPN client on Mac OS X? To establish VPN tunnels between a client computer running Mac OS X, and RV042, you need a VPN client on Mac OS X that is capable of doing either IPsec (not the same thing as L2TP over IPsec) or PPTP, since those are the only two VPN protocols that RV042 supports.
    • PPTP: The good news is that PPTP is supported by Apple in Mac OS X Tiger’s Internet Connect application. The bad news is that to use PPTP your Mac client computer must not be hidden behind a NAT gateway in order for it to work. Also, PPTP is reportedly less secure than IPsec, but for the road warrior who is not likely to establish a VPN connection 24/7 it is probably OK.
    • IPsec: VPN Tracker ($90 USD) by equinux supports IPsec. (A 30-day trial version is available.) The good news is that your Mac client can be behind a NAT gateway and still work, thanks to IPsec. The bad news is that VPN Tracker is quite pricey for what it does, but probably because there isn’t much competition out there. (Hint to Mac developers!) But I do want to give equinux credit for simplifying the VPN process; the setup is a snap because equinux provides easy-to-follow setup guides for many different VPN routers.
    • Update: IPsec: IP Securitas 3.0 also works, albeit one needs to play around with the setup to get the software working with RV042. Right now the program is in release candidate and the good news is that it is donation-ware. VPN Tracker is much easier to set up and the phase 1/2 negotiation process seems much faster than IP Securitas 3.0. But once IP Securitas connects, it works fine and that is what I recommend for now since it is free. (I do recommend a donation to keep the authors motivated.)

  • Set up VPN router and Mac for PPTP: In RV042’s VPN->PPTP Server tab, click on Enable PPTP Server. Then enter a username/password pair below. Afterwards, fire up your Mac client’s Internet Connect program, add a VPN (PPTP) setting and configure the exact same information you just entered in RV042. Remember, your Mac client mustn’t be behind a NAT router for this to work.
  • Set up VPN router and Mac for IPsec: Assuming that you are using VPN Tracker, please follow the helpful online guide released by equinux on this subject. If you are using IP Securitas 3.0, you can still follow the VPN Tracker guide to set the RV042, then make the following settings in the software:

    General:
    Remote IPsec Device: remoteserver.ip
    Local Side Endpoint Mode: Host
    Local Side IP Address:
    Remote Side Endpoint Mode: Network
    Remote Side Network Address: (e.g.) 192.168.1.0
    Remote Side CIDR: 24

    Phase 1:
    Lifetime: 8 hours
    DH Group: 768(1)
    Encryption: DES
    Authentication: MD5
    Exchange Mode: Aggressive
    Proposal Check: Strict
    Nonce Size: 16

    Phase 2:
    Lifetime: 8 hours
    PFS Group: 768(1)
    Encryption: check DES/3DES/AES 256/AES 192/AES 128
    Authentication: check HMAC MD5

    ID:
    Local Identifier: FQDN ( (e.g.) enter "vpntracker" in the blank textbox)
    Remote Identifier: Address
    Authentication Method: Preshared Key
    Preshared Key: (e.g.) secretkey

    DNS:
    Use default values

    Options:
    Check only the following: IPSec DOI / SIT_IDENTITY_ONLY / Initial Contact / Generate Policy / Support Proxy / Request Certificate / NAT-T: Disable
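
As an added example (not from the original post, Linksys or the IPSecuritas authors), the Python script below parses settings written in the `Key: value` layout above and flags the Phase 1/2 choices that are weak by current standards: single DES, MD5, a 768-bit DH group, and aggressive mode combined with a preshared key. The function names and the 2048-bit DH floor are assumptions of this example.

```python
import re
SECTIONS = {"General", "Phase 1", "Phase 2", "ID", "DNS", "Options"}
# Constructed sample: Phase 1/2 and ID values copied from the settings above.
SAMPLE = """
Phase 1:
DH Group: 768(1)
Encryption: DES
Authentication: MD5
Exchange Mode: Aggressive
Phase 2:
PFS Group: 768(1)
Encryption: check DES/3DES/AES 256/AES 192/AES 128
Authentication: check HMAC MD5
ID:
Authentication Method: Preshared Key
"""

def parse(text):
    """Return {section: {key: value}} from 'Section:' and 'Key: value' lines."""
    cfg, section = {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        key, _, value = line.partition(":")
        if key in SECTIONS and not value.strip():
            section = cfg.setdefault(key, {})
        elif section is not None:
            section[key.strip()] = value.strip()
    return cfg

def algos(value):  # 'check DES/3DES/HMAC MD5' -> ['DES', '3DES', 'MD5']
    names = re.sub(r"(?i)^check\s+", "", value).upper().split("/")
    return [n.replace("HMAC", "").strip() for n in names if n.strip()]

def audit(cfg, min_dh_bits=2048):  # 2048 is this example's assumed policy floor
    findings = []
    for phase in ("Phase 1", "Phase 2"):
        p = cfg.get(phase, {})
        if "DES" in algos(p.get("Encryption", "")):
            findings.append(f"{phase}: single DES offered (56-bit key)")
        if "MD5" in algos(p.get("Authentication", "")):
            findings.append(f"{phase}: MD5 used for integrity")
        bits = re.match(r"\d+", p.get("DH Group") or p.get("PFS Group") or "")
        if bits and int(bits.group()) < min_dh_bits:
            findings.append(f"{phase}: {bits.group()}-bit DH group")
    psk = cfg.get("ID", {}).get("Authentication Method", "").lower() == "preshared key"
    if psk and cfg.get("Phase 1", {}).get("Exchange Mode", "").lower() == "aggressive":
        findings.append("Phase 1: aggressive mode with PSK (hash open to offline guessing)")
    return findings

if __name__ == "__main__": print("\n".join(audit(parse(SAMPLE))))
```

Run against the values above it reports seven findings; the Phase 2 list is flagged because DES is still among the ciphers offered, even though AES is checked too.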

Notes:

  • The RV042 features a built-in PPTP server but you need to install the latest firmware. (Firmware version 1.3.7.10 or later.)

Questions:

  • Can the RV042 reside behind a NAT router with the VPN still working?

15 comments

  1. Thank you very much for this post.
    Linksys lacks documentation on how to set up the VPN and thanks to you I discovered a free VPN client for Mac OS X. You saved me precious time.


  2. It’s great that the rv042 has PPTP configuration with firmware upgrade, I just noticed this the other day. I did not have any problems using the PPTP connection from behind a NAT, you should try it again.

    I’ve also (after a long long time and v. 3.0) figured out how to get IPSecuritas working with the rv042. The last issue I had was dealing with a NAT, but even that too has been solved, after checking “NAT Traversal” under the “Advanced +” section of the tunnel configuration on the rv042.

    I’d almost given up entirely on the rv042 and was going to install Mac OS X server for VPN until I finally figured these things out.

    One thing to keep in mind with PPTP vs. IPSec. When you connect with PPTP, all your network traffic will be tunneled through the VPN, even if you’re surfing some place like Google, which doesn’t require the VPN. IPSec on the other hand, only routes the traffic which is destined for the network immediately on the other side of the VPN; normal traffic will be routed over your normal connection. This of course keeps unnecessary traffic off the network you’re VPN’d into.

    IPSec question: Has anyone had success getting Exchange Mode “Main” working? This is supposed to be much more secure than “Aggressive”.


  3. I was not able to get the rv042 going with IPSecuritas following the guidelines above. It does work with PPTP server. Is there anyone else who has IPsec running with IPSecuritas as the client running under Leopard? I would really like to get this going so any info would be very helpful.

    Thanks,

    DA


  4. Matthew is right about PPTP working fine for NAT’ed clients. I use
    mine that way all the time. I even use it with my iPhone (which is
    what got me to set it up).

    However, he’s wrong about routing all traffic through the PPTP
    connection. That’s actually an option. On leopard, open network
    preferences, select VPN on the left panel, click Advanced, select the
    “Options” tab, and the third option under “Session Options:” is “Send
    all traffic over VPN connection.” I believe tiger had a similar
    option.


  5. Have you had any luck configuring an iPhone to log in to this VPN server? I’m using Mocha VNC Lite on my iPhone which works great at running a local PC (TightVNC) while I’m on the WiFi network, but obviously won’t work away from the office. Has anyone tried this? Does it work with 3G service? Any special setup tips?


  6. Hey thanks! I got this going with our Linksys and IP Securitas with no troubles at all. Appreciate the write-up.


  7. Did you get the IP Securitas to work with an iPhone?
    Thanks,


  8. Just passing by. Btw, your website has great content!



  9. Hi !
    Please let me know if there is an IP securitas app for iphone ?
    I have a linksys running a vpn server (ipsec protocol) but I’m not able to connect with my iPhone 😦


  10. Hi, I just recently purchased an RV042 but am unable to connect via vpn. I can connect with pptp but would like to be able to use the more secure ipsec.

    Can anyone recommend a way to do it? I am looking for a step-by-step tutorial?
    Client would be mainly xp-based but a few Mac osx and linuxes as well.

    Many thanks, Csaba


  11. Has anyone successfully connected an iphone to the Linksys RV042 using ipsec on 3g?


  12. Thanks! Finally after weeks the right parms for router AND client.

    You rock.


  13. I’m truly enjoying the design and layout of your blog. It’s a very easy on
    the eyes which makes it much more pleasant for me to come here
    and visit more often. Did you hire out a developer to create your theme?
    Superb work!


  14. Fantastic items from you, man. I have be aware your
    stuff previous to and you’re simply extremely magnificent. I really like what you’ve obtained right here, really
    like what you are saying and the best way
    during which you assert it. You make it enjoyable and you still take care of to keep it wise.
    I cant wait to learn far more from you. This is really a terrific
    website.


  15. We are a group of volunteers and opening a new scheme in our community.
    Your web site offered us with valuable info to work on.
    You’ve done a formidable job and our whole community will be thankful to you.


