On Monday 15 May 2017 20:57:50 Kai Krakow wrote:
> > Of course the server will have to be accessible over port 500 for the
> > clients to be able to get to it, but this is a port forwarding/DMZ
> > network configuration exercise at the server end.
>
> Oh wait... So I need to forward port 500 and 4500 so NAT-T does work
> properly? Even when both sides are NATed? I never got that to work
> reliably for one side NATed, and it never worked for both sides NATed.
> And my research in support forums always said: That does not work...
Well, I haven't presented a complete topology of a proposed network architecture because I don't know what the OP's set-up is. I assumed in the above statement that the VPN gateway is running on the same (probably NAT'ed) server as the ftp service. Therefore port 500 won't be accessible from the Internet unless forwarded. If the VPN gateway is public facing then no port forwarding is necessary. Site-to-site IPSec VPN needs only port 500 to set up the tunnel.

I have used mobile clients to VPN gateway connections, using IPsec tunnels with the client side NAT'ed, and the link was very reliable. Even when the mobile clients were connected using unreliable WiFi the tunnel would be re-established when the WiFi link connectivity was restored. Key to keeping the connection up is to enable Dead-Peer-Detection, or set up some regular ping between the peers if either side does not support DPD. IKEv2 is better than IKEv1 and it also allows client roaming (MOBIKE).

Anyway, this is probably getting off topic. Lee, please start a new thread with VPN specific questions if you need help to get it going. There are quite a few examples on the interwebs for configuring OpenVPN and various implementations of IKE/IPSec VPNs. For the latter I recommend StrongSwan which has extensive documentation and example configurations.

Saying all this, I would still stick with ftps/filezilla and get the users trained. When things don't work, troubleshooting ought to be simpler. ;-)

--
Regards,
Mick
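As an added illustration (not part of Mick's post, and not taken from the strongSwan project's own examples), this is a swanctl.conf for the mobile-client side of the IKEv2 set-up described above: DPD with automatic re-establishment, MOBIKE for roaming, and forced UDP encapsulation for the NAT'ed case. The gateway name vpn.example.org, the EAP identity alice and the site network 10.0.0.0/24 are assumed placeholders.

```conf
# /etc/swanctl/swanctl.conf on the NAT'ed mobile client (assumed names throughout)
connections {
    to-gw {
        version = 2                     # IKEv2: required for MOBIKE, preferred over IKEv1
        remote_addrs = vpn.example.org  # assumed public gateway name
        vips = 0.0.0.0                  # ask the gateway for a virtual IPv4 address
        mobike = yes                    # keep the IKE SA when the client's address changes
        encap = yes                     # always use UDP encapsulation (port 4500), so both
                                        # IKE (UDP 500) and ESP-in-UDP (4500) must reach the gateway
        dpd_delay = 30s                 # Dead Peer Detection: liveness check after 30s idle
        keyingtries = 0                 # retry indefinitely if the gateway is unreachable
        local {
            auth = eap-mschapv2
            eap_id = alice              # assumed client identity
        }
        remote {
            auth = pubkey
            id = vpn.example.org        # must match the gateway certificate's identity
        }
        children {
            tunnel {
                remote_ts = 10.0.0.0/24 # assumed network behind the gateway
                start_action = start    # bring the tunnel up on swanctl --load-all
                dpd_action = restart    # peer stops answering DPD: re-establish the tunnel
                close_action = start    # gateway closes the SA: reconnect instead of staying down
            }
        }
    }
}
```

Without dpd_delay and dpd_action the client only notices a dropped WiFi link when traffic fails, so the tunnel would stay dead until restarted by hand; on the gateway side the equivalent child section would normally use dpd_action = clear so stale client SAs are simply removed.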