
10.4: Configure a secure L2TP VPN
Authored by: davelentz on Jun 22, '06 01:43:31PM
Hokay -- it seemed straightforward enuff -- but maybe not. My setup is that the VPN server is behind an Airport Extreme router (using the ethernet connection to the router), and the client is connecting via either wireless (from either outside the LAN or within it through the router) or wired (from outside the LAN through the router).

I set up entries in the port mapping table in the Airport to route traffic to ports 500, 4500 (I don't see a way of telling the Airport which are UDP vs TCP ports) on the NAT address of the server.

I also opened up access to UDP port 4500 and TCP port 500 in the Firewall section of the Sharing pref panel on both client and server.

I had a spot of confusion over whether the OfferedServerAddresses or Addresses parameters in the plist should reflect the router address or the internal NAT address of the server. I reasoned that with the port mapping in place, the client should try and connect to the router address (since that's all that exists outside the LAN), and the vpn server plist should use only internal NAT addresses (i.e., 192.168.1.x).

This failed miserably -- until I figured that maybe sitting in front of the server and trying to connect wirelessly via the "outside door" was the issue, and tried to connect with the client connecting to the local NAT address of the server. That got me to the point where I could at least make a connection (but failed to authenticate). I suppose that when I am connecting from outside my LAN, I'll need to set up a separate Internet Connect VPN profile using the router address (which the port mapping will connect to my server's local NAT address). Odd, since ssh will allow me to wirelessly locally connect the iBook to the server using either the (portmapped) router ip address or direct using the NAT address of the server.

Anyhow, now I can connect, but don't get past the authentication -- here's what shows in the log ...

... Bifrost pppd[2936]: L2TP incoming call in progress
... Bifrost pppd[2936]: L2TP connection established.
... Bifrost pppd[2936]: Connect: ppp0 <--> socket[34:18]
... Bifrost pppd[2936]: Peer myuserid failed CHAP authentication
... Bifrost pppd[2936]: Connection terminated.

I wonder ... I have sshd configured so as to eliminate password exchanges in favor of Public Key Authentication (as described in -- is it possible that is interfering with vpnd's password authentication?

10.4: Configure a secure L2TP VPN -- authentication problems
Authored by: davelentz on Jun 22, '06 03:16:35PM

OK, maybe this is it -- I seem to have nothing relating to DNSACL in Netinfo.

When you say "only members of the netinfo group specified by the DNSACL:Group property will be granted access", should this group be an existing group in Netinfo?

And looking at the plist example, the last entry is:
DSACL = {Group = vpn; };

Should that be DSNACL? or should I be looking for a DSACL entry in Netinfo (which doesn't exist either)?

10.4: Configure a secure L2TP VPN -- authentication workaround
Authored by: davelentz on Jun 22, '06 07:18:10PM

OK -- based on an old hint (there are certainly a lot of different interpretations of the plist file floating about) for vpn under 10.3 client, I took out the line:
AuthenticatorProtocol = (MSCHAP2);
-- this is supposed to remove ANY user authentication and rely only on the shared secret, so that a good VPN connection by a valid user is all that is required.

Not the way I intend to operate, but just to see how things go --

-- and also changed
DSACL = {Group = vpn; };
DSACL = {Group = admin; };

(just to get around my not having set up a vpn group -- things are slowly becoming a bit clearer)

And lo and behold, I connect and can see the webserver on the vpn server and no other webservers from a browser on the vpn client! It appears that it works.

I then tried enabling ACL support on the boot volume via the command:
sudo /usr/sbin/fsaclctl -p / -e

And put the MSCHAP2 authentication back in the plist, to see if I could force the user password validation, but no dice.
Same authorization failure as before.

10.4: Configure a secure L2TP VPN -- authentication workaround
Authored by: andrew.paier on Jul 31, '10 09:46:18AM
I could not figure out on my 10.6 install how to get MSCHAP working. When it was in place I got the "CHAP authentication Failed" error. I could not get around this. If I removed MSCHAP you could log in, but you could be any user you wanted as long as you knew the shared secret. I changed the line

AuthenticatorProtocol = (MSCHAP2);

AuthenticatorProtocol = (PAP);
And now you need the shared secret and your password correct.

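Added example, not code from the thread or from Apple: a small Python parser for the old-style plist fragments quoted in the two "authentication workaround" posts above, plus a check that reports what the server will demand beyond the L2TP/IPsec shared secret (nothing, a PAP password, or an MSCHAP2 challenge-response). The flat layout of the sample and its address are assumptions, not Apple's actual schema.

```python
import re

# Constructed sample in the old-style plist syntax the posts quote. The keys are
# the ones named in the thread; the flat layout and the address are assumptions.
SAMPLE = """{
    AuthenticatorProtocol = (MSCHAP2);
    OfferedServerAddresses = (192.168.1.2);
    DSACL = {Group = vpn; };
}"""

def parse_openstep(text):
    """Parse the {key = value;} / (a, b) / bare-word subset seen in the thread."""
    # tokens: symbols, quoted strings, bare words (quotes are stripped;
    # quoted strings that themselves contain plist symbols are not supported)
    toks = [t.strip('"') for t in re.findall(r'[{}();=,]|"[^"]*"|[^\s{}();=,"]+', text)]
    pos = 0
    def value():
        nonlocal pos
        tok = toks[pos]
        pos += 1
        if tok == '{':                        # dictionary: key = value; ...
            result = {}
            while toks[pos] != '}':
                key = toks[pos]
                pos += 2                      # skip key and '='
                result[key] = value()
                pos += 1                      # skip ';'
            pos += 1
            return result
        if tok == '(':                        # array: value, value, ...
            result = []
            while toks[pos] != ')':
                result.append(value())
                if toks[pos] == ',':
                    pos += 1
            pos += 1
            return result
        return tok                            # bare word or quoted string
    return value()

def audit_auth(cfg):
    """Say what the server demands beyond the shared secret (see the posts above)."""
    protos = cfg.get('AuthenticatorProtocol') or []
    group = cfg.get('DSACL', {}).get('Group')
    if not protos:
        return 'weak', 'no AuthenticatorProtocol: the shared secret alone lets any user in'
    if 'MSCHAP2' in protos:
        return 'ok', f'MSCHAP2 challenge-response; access limited to group {group!r}'
    if 'PAP' in protos:
        return 'fair', f'PAP sends the password as-is inside PPP; group {group!r}'
    return 'unknown', f'unrecognised protocols {protos}'
```

Run `audit_auth(parse_openstep(open(path).read()))` against a copy of your own server plist fragment; the "weak" result is the state the posts describe when the AuthenticatorProtocol line is removed.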
10.4: Configure a secure L2TP VPN -- authentication workaround
Authored by: jimma on Dec 15, '11 07:01:29AM

For anyone trying (as I was) to get this working in 10.7, this is the fix that worked for me. No need to use dscl to change the local user account's password encryption.
