
10.4: Configure a secure L2TP VPN Network
This is something I've wanted to set up for some time. Having Googled and read through an old thread on the macosxhints forums, I decided it was time for a proper how-to on configuring a secure L2TP VPN server under Mac OS X 10.4 Client.

If you're interested in this, read on for the details...

First of all, you need to create the file /Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist with this content (the original download link no longer works; the full plist is reposted in the author's comment below). Notes:
  • This is an old-style plist for ease of reading; both old- and new-style plists will work just fine.
  • The IPv4:DestAddressRanges property specifies the beginning and end of a free range of addresses on your local network which will be handed out to clients.
  • Authentication is against the VPN server's NetInfo database; only members of the NetInfo group specified by the DNSACL:Group property will be granted access.
You'll also want to touch the logfile:
$ sudo touch /var/log/ppp/vpnd.log
Now you need to create an entry for the IPSec shared secret in the system keychain:
$ sudo security add-generic-password -a com.apple.ppp.l2tp \
 -s com.apple.net.racoon -p "mysecret" /Library/Keychains/System.keychain
Change mysecret to something secure, but don't forget it -- you won't be able to read it back from the system keychain (no, really). Finally, start vpnd (no need for sudo, as it's setuid root):
$ vpnd
If you want vpnd to start at boot, you should add the following to /etc/hostconfig (note that I've not tried rebooting yet to confirm this works):
VPNSERVERS=-YES-
Open up Console.app and monitor system.log. You should see something like the following at the bottom (I've trimmed the date/time for a narrower display):
... banshee vpnd[22134]: Server 'com.apple.ppp.l2tp' starting...\n
... banshee vpnd[22134]: Loading plugin /System/Library/Extensions/L2TP.ppp\n
... banshee vpnd[22135]: Server 'com.apple.ppp.l2tp' moved to background\n
... banshee vpnd[22135]: Listening for connections...\n
Now, on to the VPN client. Open up Internet Connect.app, and create a new L2TP VPN. Edit its configuration as follows:
  • 'Server Address' to be the IP address of your VPN server.
  • 'Account Name' to be the user account on the server you're using to authenticate (must be a member of the admin group with the configuration given).
  • 'User Authentication' to 'Password' with your account's password.
  • 'Machine Authentication' to 'Shared Secret' with the shared secret you added to the server's system keychain earlier (mysecret in the example).
Hit OK, and then Connect. At this point, back on the VPN server, you should be prompted to allow pppd access to the keychain entry you created earlier; click "Allow Always". All things being well, your client is now connected. Console.app should show something like the following:
... banshee vpnd[22135]: Incoming call... Address given to client = 10.66.20.120\n
... banshee pppd[22144]: pppd 2.4.2 (Apple version 233-0-2) started by isometry, uid 0
... banshee pppd[22144]: L2TP incoming call in progress
... banshee pppd[22144]: L2TP connection established.
... banshee pppd[22144]: Connect: ppp0 <--> socket[34:18]
... banshee pppd[22144]: local  IP address 10.66.20.64
... banshee pppd[22144]: remote IP address 10.66.20.120
Good luck!

[robg adds: I haven't tested this one.]
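As an added example (not part of the hint, and not Apple's or isometry's code), here is a small POSIX sh pre-flight script for the two places this procedure most often goes wrong according to the thread below: a DestAddressRanges pair that is reversed or not inside the LAN (vpnd then logs "Error while processing ip address range"), and reading the Console output to tell a successful connection apart from a CHAP failure or an L2TP plugin failure. The LAN CIDR argument, the function names and the sample log lines are my own constructions, modelled on the log excerpts quoted on this page.

```shell
#!/bin/sh
# Pre-flight checks for the vpnd/L2TP setup described in the hint.
# Added example; the LAN CIDR, function names and sample log are constructed.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
# Prints nothing and returns 1 if the address is malformed.
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# check_dest_range START END LAN_CIDR
# Validates the DestAddressRanges pair the way vpnd will need it: both ends
# well-formed, START <= END, and both inside the LAN the server sits on.
check_dest_range() {
    start=$(ip2int "$1") || { echo "bad start address: $1"; return 1; }
    end=$(ip2int "$2")   || { echo "bad end address: $2"; return 1; }
    case $3 in */*) ;; *) echo "LAN must be given in CIDR form, e.g. 10.66.20.0/24"; return 1 ;; esac
    net=$(ip2int "${3%/*}") || { echo "bad network: $3"; return 1; }
    bits=${3#*/}
    case $bits in ''|*[!0-9]*) echo "bad prefix length: $3"; return 1 ;; esac
    [ "$bits" -le 32 ] || { echo "bad prefix length: $3"; return 1; }
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ "$start" -le "$end" ] || { echo "range start is after range end"; return 1; }
    if [ $(( start & mask )) -ne $(( net & mask )) ] || [ $(( end & mask )) -ne $(( net & mask )) ]; then
        echo "range is not inside $3"; return 1
    fi
    echo "ok: $(( end - start + 1 )) client addresses"
}

# triage_log < logfile
# Reads vpnd/pppd lines from stdin and prints one verdict:
# CONNECTED, AUTH_FAILED, PLUGIN_FAILED, PREFS_ERROR, LISTENING or UNKNOWN.
# Error verdicts win over progress messages that appear earlier in the log.
triage_log() {
    verdict=UNKNOWN
    while IFS= read -r line; do
        case $line in
            *"failed CHAP authentication"*|*"CHAP peer authentication failed"*)
                verdict=AUTH_FAILED ;;
            *"cannot configure secure transport"*|*"Unable to initialize vpn plugin"*)
                verdict=PLUGIN_FAILED ;;
            *"Error while reading PPP preferences"*|*"Error processing prefs file"*)
                verdict=PREFS_ERROR ;;
            *"remote IP address"*)
                if [ "$verdict" = UNKNOWN ] || [ "$verdict" = LISTENING ]; then verdict=CONNECTED; fi ;;
            *"Listening for connections"*)
                if [ "$verdict" = UNKNOWN ]; then verdict=LISTENING; fi ;;
        esac
    done
    echo "$verdict"
}

# Constructed sample, modelled on the Console excerpt in the hint.
good_log='... banshee vpnd[22135]: Listening for connections...\n
... banshee pppd[22144]: L2TP connection established.
... banshee pppd[22144]: local  IP address 10.66.20.64
... banshee pppd[22144]: remote IP address 10.66.20.120'

check_dest_range 10.66.20.120 10.66.20.129 10.66.20.0/24
printf '%s\n' "$good_log" | triage_log
```

Run it with `sh preflight.sh`; to check your own machine, pass your own range and LAN and pipe `grep -h 'vpnd\|pppd' /var/log/system.log` into triage_log.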

10.4: Configure a secure L2TP VPN | 52 comments | Create New Account
10.4: Configure a secure L2TP VPN
Authored by: veloso on Jun 20, '06 08:13:05AM

This should work fine, since the L2TP server is basically the same on Mac OS X Server and client.

Note that you should open UDP port 4500 (for NAT-T, if your client or server is behind NAT), port 500 (IKE), and possibly allow IP protocol 50 (ESP).



[ Reply to This | # ]
10.4: Configure a secure L2TP VPN
Authored by: digistil on Jun 20, '06 08:34:36AM

The link to "com.apple.RemoteAccessServers.plist" gives me a 404...can anyone help me out?



[ Reply to This | # ]
10.4: Configure a secure L2TP VPN - link to plist doesn't work
Authored by: jhb on Jun 20, '06 08:56:53AM

ditto. other files posted at macosxhints.com/dlfiles also don't work.



[ Reply to This | # ]
10.4: Configure a secure L2TP VPN
Authored by: isometry on Jun 20, '06 09:14:18AM

I've reported the dud link to robg. In the meantime, here's my current configuration:


/* Refer to http://images.apple.com/server/pdfs/Command_Line_v10.4.pdf */
{
    ActiveServers = ("com.apple.ppp.l2tp"); 
    Servers = {
        "com.apple.ppp.l2tp" = {
            Server = {
                VerboseLogging = 1;
                MaximumSessions = 128;
                Logfile = "/var/log/ppp/vpnd.log"; 
            };
            IPSec = {
                SharedSecretEncryption = "Keychain";
                SharedSecret = "com.apple.ppp.l2tp";
                LocalIdentifier = "";
                LocalCertificate = "";
                AuthenticatedMethod = "SharedSecret";
                IdentifierVerification = "None";
                RemoteIdentifier = "";
            };
            L2TP = {Transport = IPSec; }; 
            IPv4 = {
                DestAddressRanges = ("10.66.20.120", "10.66.20.129"); 
                OfferedRouteMasks = (); 
                OfferedRouteAddresses = (); 
                OfferedRouteTypes = (); 
                ConfigMethod = Manual; 
            }; 
            DNS = {
                OfferedSearchDomains = ("internal");
                OfferedServerAddresses = ("10.66.20.2");
            }; 
            Interface = {
                SubType = L2TP;
                Type = PPP;
            }; 
            PPP = {
                LCPEchoFailure = 5; 
                ACSPEnabled = 1;
                VerboseLogging = 1; 
                AuthenticatorACLPlugins = (DSACL);
                AuthenticatorEAPPlugins = (EAP-KRB);
                AuthenticatorPlugins = (DSAuth);
                LCPEchoInterval = 60; 
                LCPEchoEnabled = 1; 
                IPCPCompressionVJ = 0; 
                AuthenticatorProtocol = (MSCHAP2);
                Logfile = "/var/log/ppp/vpnd.log";
            };
            DSACL = {Group = vpn; };
        }; 
    }; 
}


[ Reply to This | # ]
10.4: Configure a secure L2TP VPN
Authored by: DamienMcKenna on Jun 20, '06 08:35:20AM

FAQ time: will this let me connect to a Windows 2003-driven VPN? If not, any suggestions on how to do so? I know I can spend $80 on software for it but I don't work from home very often so I can't justify the expense. Thanks.



[ Reply to This | # ]
10.4: Configure a secure L2TP VPN
Authored by: isometry on Jun 20, '06 09:16:24AM

This tip is for setting up your 10.4 Client machine as a VPN server.
To connect to a Windows 2003 VPN, you just need to set up an appropriate VPN profile in Internet Connect.



[ Reply to This | # ]
10.4: Configure a secure L2TP VPN
Authored by: outZider on Jun 20, '06 02:05:13PM

No need to spend money, the Internet Connect application will allow you to connect to a Windows based L2TP or PPTP connection. Just get the information from your network administrator, and fill in the same details in Internet Connect. :)



[ Reply to This | # ]
10.4: Configure a secure L2TP VPN
Authored by: isometry on Jun 20, '06 09:10:46AM

A couple of follow-up tips...

First, my statement "only members of the netinfo group specified by the DNSACL:Group property will be granted access" seems to be wrong, or at least it's not acting as advertised for me using a group created with dseditgroup. All suitably configured users will be able to authenticate.

Secondly, adding VPNSERVER=-YES- to /etc/hostconfig seems to have no effect under 10.4 Client. You'll need to start the server manually, or create a launchd service.



[ Reply to This | # ]
10.4: Configure a secure L2TP VPN - authentication failed
Authored by: jhb on Jun 20, '06 11:02:32AM

Everything seems to work as described, until I try to connect from a client. Then I fail MS-CHAP authentication according to the client's log, and CHAP authentication according to the server's log. I have a /etc/ppp/chap-secrets on the server. Any ideas? Thanks.



[ Reply to This | # ]
10.4: Configure a secure L2TP VPN - authentication failed
Authored by: isometry on Jun 23, '06 11:41:40AM

With the configuration I posted /etc/ppp/chap-secrets isn't used - users are authenticated against the netinfo database. However, I think I probably know the fix:

  1. Open a Terminal

  2. Type the following (where username is your username):

    $ dscl . read /users/username AuthenticationAuthority
  3. If your AuthenticationAuthority is currently set to just ;ShadowHash;, then you need to extend it. Change it with the following command:

    $ sudo dscl . change /users/username AuthenticationAuthority ;ShadowHash; ;ShadowHash;HASHLIST:<SALTED-SHA1,SMB-NT,SMB-LAN-MANAGER>
  4. If you changed the authentication authority value, then reset your password (possibly to what it already is):

    $ passwd

After you've done the above, it should work :)

Post a follow-up either way to let me know whether this helped.



[ Reply to This | # ]
10.4: Configure a secure L2TP VPN - authentication failed
Authored by: isometry on Jun 23, '06 06:56:56PM

Sorry, I forgot the shell escapes. The command above should be:


$ sudo dscl . change /users/username AuthenticationAuthority \
  ';ShadowHash;' \
  ';ShadowHash;HASHLIST:<SALTED-SHA1,SMB-NT,SMB-LAN-MANAGER>'


[ Reply to This | # ]
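An added helper (mine, not isometry's) that makes the dscl step above safer to repeat: it extends AuthenticationAuthority only when the account is still plain ;ShadowHash;, adds SMB-NT to an existing hash list that lacks it (MS-CHAPv2 authenticates against the NT hash, so without that entry CHAP keeps failing even after the password reset), and prints the command with the single quotes the corrected version needs so the semicolons survive the shell. The user name is a placeholder; the hash list string is the one from the comment above.

```shell
#!/bin/sh
# Added example: compute the AuthenticationAuthority value an account needs
# for MS-CHAPv2 and print the properly quoted dscl command. Not Apple's code.

# Value from isometry's corrected command above.
HASHLIST=';ShadowHash;HASHLIST:<SALTED-SHA1,SMB-NT,SMB-LAN-MANAGER>'

# extend_authauth CURRENT
# Prints the value AuthenticationAuthority should have. Returns 1 and prints
# nothing when CURRENT is neither plain ;ShadowHash; nor a ShadowHash hash list
# (e.g. a Kerberos-only authority), so the caller never blindly overwrites it.
extend_authauth() {
    current=$1
    case $current in
        ';ShadowHash;')
            echo "$HASHLIST" ;;
        ';ShadowHash;HASHLIST:<'*'>')
            # Already has a hash list: only add SMB-NT (the NT hash) if missing.
            case $current in
                *SMB-NT*) echo "$current" ;;
                *)        echo "${current%>},SMB-NT>" ;;
            esac ;;
        *)
            return 1 ;;
    esac
}

# dscl_change_cmd USER CURRENT
# Prints the quoted "dscl . change" command, or nothing when no change is
# needed; returns 1 if CURRENT is something this helper does not understand.
dscl_change_cmd() {
    user=$1; current=$2
    new=$(extend_authauth "$current") || {
        echo "unexpected AuthenticationAuthority for $user: $current" >&2
        return 1
    }
    [ "$new" != "$current" ] || return 0
    printf "sudo dscl . change /users/%s AuthenticationAuthority '%s' '%s'\n" \
        "$user" "$current" "$new"
}

# Demo with a placeholder user that is still on plain ;ShadowHash;.
dscl_change_cmd username ';ShadowHash;'
```

On the server itself you would feed it the real value, e.g. `dscl_change_cmd "$USER" "$(dscl . read /users/"$USER" AuthenticationAuthority | sed 's/^AuthenticationAuthority: //')"`, review the printed command, then run it and reset the password as step 4 says. Keep in mind that SMB-NT is an unsalted hash of the password; that is the price of MS-CHAPv2 support, and it is why the shadow hash files deserve the same protection as the keychain. The PAP workaround suggested further down the thread avoids the NT hash but sends the password itself over the PPP link, relying entirely on the IPsec tunnel for confidentiality.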
10.4: Configure a secure L2TP VPN
Authored by: signal15 on Jun 20, '06 11:07:17AM

Has anyone figured out how to force the built-in VPN client to use different IPSec proposals? Is there a .plist file I can create or modify to make my own custom VPN settings?

I'd like to get this thing connecting to a Juniper NetScreen device with L2TP over IPSec. It theoretically should do it, but I cannot get it working.



[ Reply to This | # ]
10.4: Configure a secure L2TP VPN
Authored by: Smokin Jake on Jun 20, '06 11:47:50AM

Apple creates the config file in
/private/etc/racoon/remote/xxx.xxx.xxx.xxx.conf

where xxx.xxx.xxx.xxx is the IP of the remote location. The file only exists while Internet Connect is running.



[ Reply to This | # ]
10.4: Configure a secure L2TP VPN
Authored by: erikv on Jun 21, '06 01:34:56PM

Any way to tell it to listen on a specific hardware interface? (i.e. have built-in ethernet and Airport and want VPN server to listen to built-in ethernet only)

---
erikv



[ Reply to This | # ]
10.4: Configure a secure L2TP VPN
Authored by: isometry on Jun 22, '06 01:22:55AM

Try adding the following to your .plist, within the "com.apple.ppp.l2tp" section:

Addresses = ("192.168.10.1");

Where 192.168.10.1 is the address you want the server to listen on.

This isn't documented in the Apple Server documentation, but is referred to in the thread I referenced in the tip. I've not tested it.



[ Reply to This | # ]
10.4: Configure a secure L2TP VPN
Authored by: erikv on Jun 22, '06 09:29:16AM

Tried the above setting (added "Addresses") and the IP address of built-in ethernet (public IP address). As soon as I enable AirPort (with a private IP address inside my wireless router), VPN clients are unable to connect.

Any ideas?

---
erikv



[ Reply to This | # ]
10.4: Configure a secure L2TP VPN
Authored by: erikv on Jun 23, '06 08:56:19AM

I added both the internal and external IPs to "Addresses" and it now works.

---
erikv



[ Reply to This | # ]
10.4: Configure a secure L2TP VPN - Not on MacIntel?
Authored by: torqt on Jun 21, '06 04:50:02PM

I've been testing this on a 1.66GHz Core Duo Mac mini this afternoon with little success. The hint worked perfectly on my G5 PowerMac.

In following all of the steps on the Mac mini I get to the point where com.apple.ppp.l2tp is starting and then it eventually logs an error:

Jun 21 17:21:17 MacMini kernel[0]: (default pager): [KERNEL]: no space in available paging segments
Jun 21 17:22:17 MacMini vpnd[396]: Error while processing ip address range 10.66.20.120\n
Jun 21 17:22:17 MacMini vpnd[396]: Error while reading PPP preferences\n
Jun 21 17:22:17 MacMini vpnd[396]: Error processing prefs file\n

Does anyone have any idea what might be the issue here?



[ Reply to This | # ]
10.4: Configure a secure L2TP VPN - Not on MacIntel?
Authored by: torqt on Jun 21, '06 05:40:09PM

Followup:

- Copied over the vpnd executable from /usr/bin/vpnd on my PowerMac to the Mac mini.
- ran vpnd from Terminal
- system.log in Console indicated that vpn was now listening for connections but then quit with the following error:

Jun 21 18:20:42 MacMini vpnd[407]: L2TP plugin: cannot configure secure transport (cannot add policy out).\n
Jun 21 18:20:42 MacMini vpnd[407]: Unable to initialize vpn plugin\n
Jun 21 18:20:42 MacMini vpnd[407]: Server 'com.apple.ppp.l2tp' stopped\n

I'm wondering whether copying over the plist file from the PowerMac and editing it a bit would allow vpnd to run?



[ Reply to This | # ]
10.4: Configure a secure L2TP VPN - Not on MacIntel?
Authored by: isometry on Jun 22, '06 01:26:45AM

You need to change the following section:

DestAddressRanges = ("10.66.20.120", "10.66.20.129");

Change the two addresses to the end-points of a range of addresses on your LAN that should be handed out to VPN clients upon connection. The range above is valid for my LAN, but you'll likely need to change it to something like:

DestAddressRanges = ("192.168.0.100", "192.168.0.120");

[ Reply to This | # ]
10.4: Configure a secure L2TP VPN - Not on MacIntel?
Authored by: torqt on Jun 22, '06 09:40:12AM

Right. I did that. While troubleshooting this problem I guess at some point I left the original numbers in there and tried to run it.

However, I did change the IP range to fit my network and I still had the same error.



[ Reply to This | # ]
10.4: Configure a secure L2TP VPN - Not on MacIntel?
Authored by: isometry on Jun 23, '06 11:44:37AM

Please post the full error when it's running with your "correct" configuration :)



[ Reply to This | # ]
10.4: Configure a secure L2TP VPN
Authored by: davelentz on Jun 22, '06 01:43:31PM
Hokay -- it seemed straightforward enuff -- but maybe not. My setup is that the VPN server is behind an Airport Extreme router (using the ethernet connection to the router), and the client is connecting via either wireless (from either outside the LAN or within it through the router) or wired (from outside the LAN through the router).

I setup entries in the port mapping table in the Airport to route traffic to ports 500, 4500 (I don't see a way of telling the Airport which are UDP vs TCP ports) on the NAT address of the server.

I also opened up access to UDP port 4500 and TCP port 500 in the Firewall section of the Sharing pref panel on both client and server.

I had a spot of confusion over whether the OfferedServerAddresses or Addresses parameters in the plist should reflect the router address or the internal NAT address of the server. I reasoned that with the port mapping in place, the client should try and connect to the router address (since that's all that exists outside the LAN), and the vpn server plist should use only internal NAT addresses (i.e., 192.168.1.x).

This failed miserably -- until I figured that maybe sitting in front of the server and trying to connect wirelessly via the "outside door" was the issue, and tried to connect with the client connecting to the local NAT address of the server. That got me to the point where I could at least make a connection (but failed to authenticate). I suppose that when I am connecting from outside my LAN, I'll need to setup a separate Internet Connect VPN profile using the router address (which the port mapping will connect to my server's local NAT address). Odd, since ssh will allow me to wirelessly locally connect the iBook to the server using either the (portmapped) router ip address or direct using the NAT address of the server.

Anyhow, now I can connect, but don't get past the authentication -- here's what shows in the log ...

... Bifrost pppd[2936]: L2TP incoming call in progress
... Bifrost pppd[2936]: L2TP connection established.
... Bifrost pppd[2936]: Connect: ppp0 <--> socket[34:18]
... Bifrost pppd[2936]: Peer myuserid failed CHAP authentication
... Bifrost pppd[2936]: Connection terminated.

I wonder ... I have sshd configured so as to eliminate password exchanges in favor of Public Key Authentication (as described in http://www.macdevcenter.com/lpt/a/5022) -- is it possible that is interfering with vpnd's password authentication?

[ Reply to This | # ]
10.4: Configure a secure L2TP VPN -- authentication problems
Authored by: davelentz on Jun 22, '06 03:16:35PM

OK, maybe this is it -- I seem to have nothing relating to DNSACL in Netinfo.

When you say "only members of the netinfo group specified by the DNSACL:Group property will be granted access", should this group be an existing group in Netinfo?

And looking at the plist example, the last entry is:
DSACL = {Group = vpn; };

Should that be DSNACL? or should I be looking for a DSACL entry in Netinfo (which doesn't exist either)?



[ Reply to This | # ]
10.4: Configure a secure L2TP VPN -- authentication workaround
Authored by: davelentz on Jun 22, '06 07:18:10PM

OK -- based on an old hint (there are certainly a lot of different interpretations of the plist file floating about) for vpn under 10.3 client, I took out the line:
AuthenticatorProtocol = (MSCHAP2);
-- this is supposed to remove ANY user authentication and rely only on the shared secret, so that a good VPN connection by a valid user is all that is required.

Not the way I intend to operate, but just to see how things go --

-- and also changed
DSACL = {Group = vpn; };
to
DSACL = {Group = admin; };

(just to get around my not having setup a vpn group -- things are slowly becoming a bit clearer)

And lo and behold, I connect and can see the webserver on the vpn server and no other webservers from a browser on the vpn client! It appears that it works.

I then tried enabling ACL support on the boot volume via the command:
sudo /usr/sbin/fsaclctl -p / -e

And put the MSCHAP2 authentication back in the plist, to see if I could force the user password validation, but no dice.
Same authorization failure as before.



[ Reply to This | # ]
10.4: Configure a secure L2TP VPN -- authentication workaround
Authored by: andrew.paier on Jul 31, '10 09:46:18AM
I could not figure out on my 10.6 install how to get MSCHAP working. When it was in place I got the "CHAP authentication Failed" error. I could not get around this. If I removed MSCHAP you could log in, but you could be any user you wanted as long as you knew the shared secret. I changed the line

                AuthenticatorProtocol = (MSCHAP2);
to

                AuthenticatorProtocol = (PAP);
And now you need the shared secret and your password correct.

[ Reply to This | # ]
10.4: Configure a secure L2TP VPN -- authentication workaround
Authored by: jimma on Dec 15, '11 07:01:29AM

For anyone trying (as I was) to get this working in 10.7, this is the fix that worked for me. No need to use dscl to change the local user account's password encryption.



[ Reply to This | # ]
10.4: Configure a secure L2TP VPN
Authored by: isometry on Jun 23, '06 11:49:05AM

Please see my follow-up to jhb's comment above regarding getting CHAP authentication working.

There's no need to enable ACLs on your boot drive, DSACL is meant to authorize based upon membership of a Directory Services group, but as I noted in an earlier comment doesn't appear to work.



[ Reply to This | # ]
10.4: Configure a secure L2TP VPN
Authored by: Dirk Becker on Jul 07, '06 02:05:07PM

In your original message and some other places you refer to DNSACL (added N) - could that be the problem? Both plist files that you posted use DSACL though which is mentioned in the CommandLine pdf.



[ Reply to This | # ]
10.4: Configure a secure L2TP VPN
Authored by: Smokin Jake on Jun 23, '06 03:02:54PM

The command line did not work for me; it complained about something near a ";".
But once the replacement line was entered in Netinfo via the Gui ";ShadowHash;HASHLIST:<..etc ..>" it worked.

Thanks very much; before, I could only get it working with chap-secrets, or no MSCHAP2.

The DSACL group doesn't appear to restrict the allowed users.



[ Reply to This | # ]
10.4: Configure a secure L2TP VPN
Authored by: davelentz on Jun 23, '06 04:22:28PM

I experienced a similar situation, with the same resolution.

I did copy the nightly netinfo db backup off to another disk in a fit of paranoia before plunging forth. Dunno what was up with the command line entry.

But it works GREAT!



[ Reply to This | # ]
10.4: Configure a secure L2TP VPN
Authored by: isometry on Jun 23, '06 07:23:13PM
See my follow-up for the fixed command.

[ Reply to This | # ]
10.4: Configure a secure L2TP VPN
Authored by: david-bo on Jun 24, '06 03:30:17AM

Would a VPN like this allow Bonjour packets to be broadcast between two LANs?

---
http://www.google.com/search?as_q=%22Authored+by%3A+david-bo%22&num=10&hl=en&ie=ISO-8859-1&btnG=



[ Reply to This | # ]
10.4: Configure a secure L2TP VPN
Authored by: Dirk Becker on Jul 07, '06 02:17:49PM
I haven't tried yet, but http://www.dns-sd.org looks promising.

[ Reply to This | # ]
10.4: Configure a secure L2TP VPN – no connection
Authored by: FastBlast on Jun 27, '06 04:16:41AM

The installed vpn-server does not respond. I've set up a Mac mini, with 10.4.6, as vpn-server, as described above. System.log and vpnd.log suggest a properly working vpnd. But I can't connect from a client, also 10.4.6. The client doesn't find the server. I've tried it with a direct connection (one ethernet cable between client and Mac mini and self-assigned IPs), and also with a WRT54G that is my network router, and also with a switch to which only server and client have been connected. But all these tries didn't have any effect; vpnd runs as if isolated. All these hardware configurations were tested in combination with both firewalls on and off. Can I have advice on where my error in configuration and setup might be? Thanks, Chris



[ Reply to This | # ]
10.4: Configure a secure L2TP VPN – no connection
Authored by: davelentz on Jun 27, '06 04:38:08AM

Have you opened up appropriate ports in your OS X firewall (Sharing Prefs) on both machines? UDP 4500 and TCP 500 are what is indicated in an earlier posting.



[ Reply to This | # ]
10.4: Configure a secure L2TP VPN – no connection
Authored by: FastBlast on Jun 27, '06 10:53:07AM

Yes, I've done so. However, even if I disable firewalls completely (for testing only), I can't establish a connection! I am at a loss.



[ Reply to This | # ]
10.4: Configure a secure L2TP VPN – no connection
Authored by: stewarsh on Aug 23, '06 08:08:40PM

I am in the same boat. vpnd doesn't actually open any ports for listening, though it does spawn racoon, which does. The problem is that racoon doesn't seem to want to respond to any connections.

As with the previous post, I have no firewalls running as this is a test network.



[ Reply to This | # ]
10.4: Configure a secure L2TP VPN – no connection
Authored by: stewarsh on Aug 23, '06 08:35:38PM

As an update, racoon does answer the connection but there is some problem with the auth... I haven't been through the debug thoroughly yet.



[ Reply to This | # ]
10.4: Configure a secure L2TP VPN – no connection
Authored by: stewarsh on Aug 23, '06 09:30:11PM

Okay... found the problem. It turns out that racoon couldn't retrieve the key from the keychain until it was authorized. I didn't see a way to do this from the command line, so I logged into the console, opened the connection, which popped up the dialog to allow access. After that it was smooth sailing.



[ Reply to This | # ]
10.4: Configure a secure L2TP VPN – no connection
Authored by: deelux on Nov 21, '06 01:28:02AM

Hi,

I have the same problem as you: the vpnd server is running (ps -aux matches) but it doesn't respond... I didn't understand the way you used to have it working... "log into the console"... can you explain it to me?

Thanks !


Tom



[ Reply to This | # ]
Here's the fix
Authored by: kkL on Nov 15, '07 12:36:12PM
before you run vpnd (kill it with sudo killall vpnd if it's running) you have to run sudo racoon -vF, and it will ask you for keychain access.

[ Reply to This | # ]
Command line manual has been updated
Authored by: keithy on Apr 14, '08 04:32:16AM
The link given above is no longer current

http://manuals.info.apple.com/en/Command_Line_v10.4_2nd_Ed.pdf

[ Reply to This | # ]
It doesn't work for me
Authored by: archangelnix on Jun 30, '06 10:06:12AM

Maybe I am missing something but I have tried it on a G5 and G4 PowerMac and it doesn't work for me.

I sudo created the plist and pasted the code from the txt file linked to the article. In the code I changed the IP range to something smaller. (Does it have to be the same IP subnet that my router dishes out? My router issues 192.168.2 and I set it for 10.0.2 in the plist).

I "touched" the log file (which it created since it didn't exist before).

In the command used to create a key I excluded the "\" character as I found it reported an error when I left it in.

I then ran vpnd. I didn't get an error, but when I look in Console I don't see anything; I even checked the vpnd log and it was empty. I ran ps -ax | grep vpn and it didn't find anything either.

I am running 10.4.7 on both machines. Any pointers?



[ Reply to This | # ]
It doesn't work for me
Authored by: innessco on Jul 03, '06 05:13:40AM

I have just discovered that since upgrading my PowerBook G4 to 10.4.7 I can't use L2TP against one of my servers that has been working well for ages. I can however use PPTP, which I am waiting to turn off, but due to Apple not letting NAT-T work on PCs (or the other way around) I can't. Oddly I can still use L2TP against another server (both servers Xserves on 10.4.6). These Xserves also use the site-to-site stuff reasonably (since it is a little unfinished). Whilst I am checking this, I thought I might just mention it, in case others have had the same experience with 10.4.7 - note this is just speculation at this stage.



[ Reply to This | # ]
10.4: Configure a secure L2TP VPN
Authored by: erikv on Dec 12, '06 10:00:13PM

Latest security update blocks vpnd?

It seems that perhaps the latest security update has broken my vpn config. When a VPN client attempts to access the VPN serving machine, the keychain access dialog pops up with:

"UNKNOWN wants permission to use the "com.apple.net.racoon" item from your keychain."

Only clicking "Allow Once" allows the client to connect to the vpn server, but only for that session. Disconnecting and reconnecting causes the keychain dialog to reappear. Clicking "Allow Always" does not work.

Any ideas on how to fix this?


---
erikv



[ Reply to This | # ]
10.4: Configure a secure L2TP VPN
Authored by: mr_zorg on Jul 18, '08 08:27:32PM
I know this hint is old, but I found this utility that makes everything oh so much easier:

http://sourceforge.net/projects/ivpnd

[ Reply to This | # ]
10.4: Configure a secure L2TP VPN
Authored by: lenoil on Aug 10, '08 04:31:41PM
I know this hint is old, but I found this utility that makes everything oh so much easier: http://sourceforge.net/projects/ivpnd
Starting with version 2.5, iVPN is no longer open source. It is shareware and is available at http://www.macserve.org.uk/projects/ivpn/

[ Reply to This | # ]
10.4: Configure a secure L2TP VPN
Authored by: bsdfork on Aug 21, '08 11:25:42AM
iVPN v. 2.4b was available under a modified BSD license, and the project was forked. No changes or updates have been made to the code, but it is still available.

Forked project: http://sourceforge.net/projects/ivpn24bfork/

Also, the 2.4b files from the original project are available on SourceForge's mirrors, but it's unknown for how long.

binary: http://downloads.sourceforge.net/ivpnd/iVPN-2.4b.zip?big_mirror=0

source: http://downloads.sourceforge.net/ivpnd/iVPN-2.4b-src.zip?big_mirror=0

[ Reply to This | # ]
10.4: Configure a secure L2TP VPN
Authored by: staafk on Mar 16, '11 09:23:43AM

Hi, I have some problems with this I can't fix.
When trying to connect to my VPN I get the following error:


Wed Mar 16 17:10:17 2011 : sent [CHAP Challenge id=0x7f <0c7e4b3f1e3f563158324f6a7f5e2500>, name = "karl.local"]
Wed Mar 16 17:10:17 2011 : rcvd [LCP EchoReq id=0x0 magic=0xde731f4]
Wed Mar 16 17:10:17 2011 : sent [LCP EchoRep id=0x0 magic=0x6059f86b]
Wed Mar 16 17:10:17 2011 : rcvd [LCP EchoRep id=0x0 magic=0xde731f4]
Wed Mar 16 17:10:17 2011 : rcvd [CHAP Response id=0x7f <3b5f0f475fdbb2ec7ae1dd70d9405f4a0000000000000000fa689a82c54b82e3eab0106859d3c7ef24620766b8840a0c00>, name = "karl"]
Wed Mar 16 17:10:17 2011 : sent [CHAP Failure id=0x7f "E=691 R=1 C=0c7e4b3f1e3f563158324f6a7f5e2500 V=0 M=Access denied"]
Wed Mar 16 17:10:17 2011 : CHAP peer authentication failed for karl

I have made changes to my account according to what I have read here about the hash-method but this does not fix my issue.

Following command:
dscl . read /users/karl AuthenticationAuthority

prints


AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA1,SMB-NT,SMB-LAN-MANAGER>


along with a lot of codes.

Does anyone have any idea of what might be wrong here?

Regards

Karl



[ Reply to This | # ]
10.4: Configure a secure L2TP VPN
Authored by: edcroteau on Jul 31, '11 02:19:01PM

Anyone have any luck with this on 10.7 Lion ?

I copied the .plist file from my 10.6 install (which was working as a VPN server) to the Lion System Library, but the ownership switched from "system" to "me". Then the launchctl command won't load the .plist file due to "dubious ownership."

Any ideas ?



[ Reply to This | # ]