This is something I've wanted to set up for some time. Having Googled and read through an old thread on the macosxhints forums, I decided it was time for a proper how-to on configuring a secure L2TP VPN server under the client edition of Mac OS X 10.4.
If you're interested in this, read on for the details...
First of all, you need to create the file /Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist with this content. Notes:
- This is an old-style plist for ease of reading; both old- and new-styles will work just fine.
- The IPv4:DestAddressRanges property specifies the beginning and end of a free range of addresses on your local network which will be handed out to VPN clients.
- Authentication is against the VPN server's NetInfo database; only members of the NetInfo group specified by the DNSACL:Group property will be granted access.
Next, create the log file that vpnd writes to:
$ sudo touch /var/log/ppp/vpnd.log
Now you need to create an entry for the IPSec shared secret in the system keychain:
$ sudo security add-generic-password -a com.apple.ppp.l2tp \
-s com.apple.net.racoon -p "mysecret" /Library/Keychains/System.keychain
Change mysecret to something secure, but don't forget it -- you won't be able to read it back from the system keychain (no, really). Finally, start vpnd (no need for sudo, as it's setuid root):
$ vpnd
If you want vpnd to start at boot, you should add the following to /etc/hostconfig (note that I've not tried rebooting yet to confirm this works):
VPNSERVERS=-YES-
Open up Console.app and monitor system.log. You should see something like the following at the bottom (I've trimmed the date/time for a narrower display):
... banshee vpnd[22134]: Server 'com.apple.ppp.l2tp' starting...
... banshee vpnd[22134]: Loading plugin /System/Library/Extensions/L2TP.ppp
... banshee vpnd[22135]: Server 'com.apple.ppp.l2tp' moved to background
... banshee vpnd[22135]: Listening for connections...
Now, on to the VPN client. Open up Internet Connect.app, and create a new L2TP VPN. Edit its configuration as follows:
- 'Server Address' to be the IP address of your VPN server.
- 'Account Name' to be the user account on the server you're using to authenticate (must be a member of the admin group with the configuration given).
- 'User Authentication' to 'Password' with your account's password.
- 'Machine Authentication' to 'Shared Secret' with the shared secret you added to the server's system keychain earlier (mysecret in the example).
Connect, and system.log on the server should show the incoming call and pppd bringing up the link:
... banshee vpnd[22135]: Incoming call... Address given to client = 10.66.20.120
... banshee pppd[22144]: pppd 2.4.2 (Apple version 233-0-2) started by isometry, uid 0
... banshee pppd[22144]: L2TP incoming call in progress
... banshee pppd[22144]: L2TP connection established.
... banshee pppd[22144]: Connect: ppp0 <--> socket[34:18]
... banshee pppd[22144]: local IP address 10.66.20.64
... banshee pppd[22144]: remote IP address 10.66.20.120
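As an added example (not part of the original hint), here is a small Python script that parses the vpnd/pppd lines shown above, records which user was given which address, and flags any address that falls outside the configured IPv4:DestAddressRanges pool or that pppd reports without vpnd having handed it out. The pool bounds are assumed values; adjust them to match your plist.

```python
import re
from ipaddress import IPv4Address

# Constructed sample: the vpnd/pppd lines from the write-up, date/time trimmed.
SAMPLE_LOG = """\
... banshee vpnd[22135]: Incoming call... Address given to client = 10.66.20.120
... banshee pppd[22144]: pppd 2.4.2 (Apple version 233-0-2) started by isometry, uid 0
... banshee pppd[22144]: L2TP incoming call in progress
... banshee pppd[22144]: L2TP connection established.
... banshee pppd[22144]: local IP address 10.66.20.64
... banshee pppd[22144]: remote IP address 10.66.20.120
"""

# Assumed pool; should match IPv4:DestAddressRanges in the plist.
POOL = (IPv4Address("10.66.20.100"), IPv4Address("10.66.20.150"))

CLIENT_ADDR = re.compile(r"vpnd\[\d+\]: Incoming call.*Address given to client = (\S+)")
PPPD_START = re.compile(r"pppd\[(\d+)\]: pppd .*started by (\S+), uid (\d+)")
REMOTE_ADDR = re.compile(r"pppd\[(\d+)\]: remote IP address (\S+)")


def audit_sessions(log_text, pool=POOL):
    """Return one record per pppd session found in log_text.

    Each record carries the authenticating user, the address pppd assigned,
    whether that address lies inside the configured pool, and whether vpnd
    announced that address first (a mismatch is worth investigating).
    """
    offered = set()   # addresses vpnd announced in "Incoming call" lines
    sessions = {}     # pppd pid -> record
    for line in log_text.splitlines():
        if m := CLIENT_ADDR.search(line):
            offered.add(m.group(1))
        elif m := PPPD_START.search(line):
            sessions[m.group(1)] = {"user": m.group(2), "address": None,
                                    "in_pool": False, "offered_by_vpnd": False}
        elif (m := REMOTE_ADDR.search(line)) and m.group(1) in sessions:
            addr = IPv4Address(m.group(2))
            sessions[m.group(1)].update(
                address=str(addr),
                in_pool=pool[0] <= addr <= pool[1],
                offered_by_vpnd=m.group(2) in offered)
    return list(sessions.values())


if __name__ == "__main__":
    for rec in audit_sessions(SAMPLE_LOG):
        print(rec)
```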
Good luck!
[robg adds: I haven't tested this one.]