10.4: Configure a secure L2TP VPN
Hokay -- it seemed straightforward enough -- but maybe not. My setup is that the VPN server is behind an Airport Extreme router (using the ethernet connection to the router), and the client is connecting via either wireless (from either outside the LAN or within it through the router) or wired (from outside the LAN through the router).
I set up entries in the port mapping table in the Airport to route traffic to ports 500, 4500 (I don't see a way of telling the Airport which are UDP vs TCP ports) on the NAT address of the server. I also opened up access to UDP port 4500 and TCP port 500 in the Firewall section of the Sharing pref panel on both client and server. I had a spot of confusion over whether the OfferedServerAddresses or Addresses parameters in the plist should reflect the router address or the internal NAT address of the server. I reasoned that with the port mapping in place, the client should try and connect to the router address (since that's all that exists outside the LAN), and the vpn server plist should use only internal NAT addresses (i.e., 192.168.1.x). This failed miserably -- until I figured that maybe sitting in front of the server and trying to connect wirelessly via the "outside door" was the issue, and tried to connect with the client connecting to the local NAT address of the server. That got me to the point where I could at least make a connection (but failed to authenticate). I suppose that when I am connecting from outside my LAN, I'll need to set up a separate Internet Connect VPN profile using the router address (which the port mapping will connect to my server's local NAT address). Odd, since ssh will allow me to wirelessly locally connect the iBook to the server using either the (portmapped) router ip address or direct using the NAT address of the server. Anyhow, now I can connect, but don't get past the authentication -- here's what shows in the log:

... Bifrost pppd[2936]: L2TP incoming call in progress
... Bifrost pppd[2936]: L2TP connection established.
... Bifrost pppd[2936]: Connect: ppp0 <--> socket[34:18]
... Bifrost pppd[2936]: Peer myuserid failed CHAP authentication
... Bifrost pppd[2936]: Connection terminated.

I wonder ...
I have sshd configured so as to eliminate password exchanges in favor of Public Key Authentication (as described in http://www.macdevcenter.com/lpt/a/5022) -- is it possible that is interfering with vpnd's password authentication?
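A small detector for the pppd lines quoted in the post above, added here as an example and not code from the thread: it groups the server log by pppd pid (one process per L2TP call) and counts, per peer name, the sessions that ended in "failed CHAP authentication", so a name that keeps failing stands out whether the cause is a broken plist or someone guessing credentials. The hostname and pid 2936 come from the post; the timestamps, the other pids and the extra lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample: host "Bifrost" and pid 2936 follow the post's quoted lines;
# timestamps, pids 2941/2957 and the repeat failure are made up for the example.
SAMPLE_LOG = """\
Jun 12 20:01:03 Bifrost pppd[2936]: L2TP incoming call in progress
Jun 12 20:01:03 Bifrost pppd[2936]: L2TP connection established.
Jun 12 20:01:03 Bifrost pppd[2936]: Connect: ppp0 <--> socket[34:18]
Jun 12 20:01:05 Bifrost pppd[2936]: Peer myuserid failed CHAP authentication
Jun 12 20:01:05 Bifrost pppd[2936]: Connection terminated.
Jun 12 20:02:40 Bifrost pppd[2941]: L2TP connection established.
Jun 12 20:02:43 Bifrost pppd[2941]: Peer myuserid failed CHAP authentication
Jun 12 20:02:43 Bifrost pppd[2941]: Connection terminated.
Jun 12 20:05:00 Bifrost pppd[2957]: L2TP connection established.
Jun 12 20:05:01 Bifrost pppd[2957]: Connect: ppp0 <--> socket[34:20]
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) (\S+) pppd\[(\d+)\]: (.*)$")
FAIL_RE = re.compile(r"^Peer (\S+) failed \S+ authentication")

def parse_sessions(log_text):
    """Group lines by pppd pid (one process per L2TP call) into a per-session state."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a pppd line; ignore
        pid, msg = m.group(3), m.group(4)
        s = sessions.setdefault(pid, {"established": False, "failed_peer": None, "terminated": False})
        if msg.startswith("L2TP connection established"):
            s["established"] = True
        elif msg.startswith("Connection terminated"):
            s["terminated"] = True
        else:
            f = FAIL_RE.match(msg)        # e.g. "Peer myuserid failed CHAP authentication"
            if f:
                s["failed_peer"] = f.group(1)
    return sessions

def failed_auth_counts(log_text):
    """Peer name -> number of sessions in which that name failed authentication."""
    counts = defaultdict(int)
    for s in parse_sessions(log_text).values():
        if s["failed_peer"]:
            counts[s["failed_peer"]] += 1
    return dict(counts)

def repeat_offenders(log_text, threshold=2):
    """Names failing in >= threshold sessions: a broken plist or credential guessing."""
    return sorted(p for p, n in failed_auth_counts(log_text).items() if n >= threshold)
```

Point it at /var/log/ppp.log (or wherever vpnd's pppd logs on your version) instead of SAMPLE_LOG; a session that is established but never sees a failure line or "Connection terminated" is still up.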
10.4: Configure a secure L2TP VPN -- authentication problems
OK, maybe this is it -- I seem to have nothing relating to DNSACL in Netinfo.
10.4: Configure a secure L2TP VPN -- authentication workaround
OK -- based on an old hint (there are certainly a lot of different interpretations of the plist file floating about) for vpn under 10.3 client, I took out the line:
10.4: Configure a secure L2TP VPN -- authentication workaround
I could not figure out on my 10.6 install how to get MSCHAP working. When it was in place I got the "CHAP authentication Failed" error. I could not get around this. If I removed MSCHAP you could log in, but you could be any user you wanted as long as you knew the shared secret. I changed the line
to
And now you need the shared secret and your password correct.
10.4: Configure a secure L2TP VPN -- authentication workaround
For anyone trying (as I was) to get this working in 10.7, this is the fix that worked for me. No need to use dscl to change the local user account's password encryption.