

10.4: Configure a secure L2TP VPN
Authored by: isometry on Jun 20, '06 09:10:46AM

A couple of follow-up tips...

First, my statement "only members of the netinfo group specified by the DNSACL:Group property will be granted access" seems to be wrong, or at least it's not acting as advertised for me using a group created with dseditgroup. All suitably configured users will be able to authenticate.

Secondly, adding VPNSERVER=-YES- to /etc/hostconfig seems to have no effect under 10.4 Client. You'll need to start the server manually, or create a launchd service.



[ Reply to This | # ]
10.4: Configure a secure L2TP VPN - authentication failed
Authored by: jhb on Jun 20, '06 11:02:32AM

Everything seems to work as described, until I try to connect from a client. Then I fail MS-CHAP authentication according to the client's log, and CHAP authentication according to the server's log. I have a /etc/ppp/chap-secrets on the server. Any ideas? Thanks.



[ Reply to This | # ]
10.4: Configure a secure L2TP VPN - authentication failed
Authored by: isometry on Jun 23, '06 11:41:40AM

With the configuration I posted, /etc/ppp/chap-secrets isn't used - users are authenticated against the netinfo database. However, I think I probably know the fix:

  1. Open a Terminal

  2. Type the following (where username is your username):

    $ dscl . read /users/username AuthenticationAuthority

  3. If your AuthenticationAuthority is currently set to just ;ShadowHash;, then you need to extend it. Change it with the following command:

    $ sudo dscl . change /users/username AuthenticationAuthority ;ShadowHash; ;ShadowHash;HASHLIST:<SALTED-SHA1,SMB-NT,SMB-LAN-MANAGER>

  4. If you changed the authentication authority value, then reset your password (possibly to what it already is):

    $ passwd

After you've done the above, it should work :)

Post a follow-up either way to let me know whether this helped.



[ Reply to This | # ]
10.4: Configure a secure L2TP VPN - authentication failed
Authored by: isometry on Jun 23, '06 06:56:56PM

Sorry, I forgot the shell escapes. The command above should be:

    $ sudo dscl . change /users/username AuthenticationAuthority \
      ';ShadowHash;' \
      ';ShadowHash;HASHLIST:<SALTED-SHA1,SMB-NT,SMB-LAN-MANAGER>'


[ Reply to This | # ]
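
The check from steps 2 and 3 of the reply above, written as an added example that is not part of any post in this thread: it parses an AuthenticationAuthority value and reports whether SMB-NT is among the stored hash types. The function names are hypothetical, the sample values are constructed, and it assumes dscl prints the attribute on a single line in the form shown in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): report which password hash types an
# AuthenticationAuthority value lists, and whether SMB-NT is among them.

# hash_types VALUE -> prints the HASHLIST entries, "default" for a bare
# ;ShadowHash; value, or "unknown" (exit 1) for anything else.
hash_types() {
    case "$1" in
        *';ShadowHash;HASHLIST:<'*'>'*)
            list=${1#*HASHLIST:<}
            printf '%s\n' "${list%%>*}" ;;
        *';ShadowHash;'*) printf 'default\n' ;;
        *) printf 'unknown\n'; return 1 ;;
    esac
}

# has_hash VALUE NAME -> exit 0 only if NAME is an exact HASHLIST entry.
has_hash() {
    types=$(hash_types "$1") || return 1
    case ",$types," in
        *,"$2",*) return 0 ;;
        *) return 1 ;;
    esac
}

# report USER VALUE -> one status line; exit 1 when SMB-NT is not listed.
report() {
    if has_hash "$2" SMB-NT; then
        echo "$1: SMB-NT listed ($(hash_types "$2"))"
    else
        echo "$1: SMB-NT not listed ($(hash_types "$2"))"
        return 1
    fi
}

# audit_user USER -> runs the dscl read from step 2 (Mac OS X only).
audit_user() {
    value=$(dscl . read "/users/$1" AuthenticationAuthority) || return 2
    report "$1" "$value"
}

if [ $# -gt 0 ]; then
    for u in "$@"; do audit_user "$u" || true; done
else
    # Constructed sample values, so the script also runs without dscl.
    report sample1 'AuthenticationAuthority: ;ShadowHash;' || true
    report sample2 'AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA1,SMB-NT,SMB-LAN-MANAGER>' || true
fi
```

Run it with one or more usernames as arguments to query the local directory; because the values are passed as quoted strings, the `;` and `<` characters never reach the shell unescaped.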