10.4: Configure a secure L2TP VPN -- authentication workaround
Authored by: davelentz on Jun 22, '06 07:18:10PM

OK -- based on an old hint (there are certainly a lot of different interpretations of the plist file floating about) for vpn under 10.3 client, I took out the line:
AuthenticatorProtocol = (MSCHAP2);
-- this is supposed to remove ANY user authentication and rely only on the shared secret, so that a good VPN connection by a valid user is all that is required.

Not the way I intend to operate, but just to see how things go --

-- and also changed
DSACL = {Group = vpn; };
to
DSACL = {Group = admin; };

(just to get around my not having set up a vpn group -- things are slowly becoming a bit clearer)

And lo and behold, I connect and can see the webserver on the vpn server and no other webservers from a browser on the vpn client! It appears that it works.

I then tried enabling ACL support on the boot volume via the command:
sudo /usr/sbin/fsaclctl -p / -e

And put the MSCHAP2 authentication back in the plist, to see if I could force the user password validation, but no dice.
Same authorization failure as before.

10.4: Configure a secure L2TP VPN -- authentication workaround
Authored by: andrew.paier on Jul 31, '10 09:46:18AM
I could not figure out on my 10.6 install how to get MSCHAP working. When it was in place I got the "CHAP authentication Failed" error. I could not get around this. If I removed MSCHAP you could log in, but you could be any user you wanted as long as you knew the shared secret. I changed the line

                AuthenticatorProtocol = (MSCHAP2);
to

                AuthenticatorProtocol = (PAP);
And now you need the shared secret and your password correct.

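Added example, not part of any comment above and not Apple's code: a small Python check that classifies the three states the commenters describe (no AuthenticatorProtocol line, PAP, MSCHAP2) and reports the DSACL group. The PPP wrapper, the sample text and the function names are constructed for illustration, and it assumes DSACL's Group names the accounts allowed to connect.

```python
import re

# Constructed samples in the ASCII plist form quoted in the comments above.
# Only AuthenticatorProtocol, DSACL and Group appear on the page; the PPP
# wrapper and the exact nesting are assumptions made for this illustration.
SAMPLE_SECRET_ONLY = "PPP = {\n    DSACL = {Group = admin; };\n};\n"
SAMPLE_PAP = "PPP = {\n    AuthenticatorProtocol = (PAP);\n    DSACL = {Group = vpn; };\n};\n"
SAMPLE_MSCHAP2 = "PPP = {\n    AuthenticatorProtocol = (MSCHAP2);\n    DSACL = {Group = vpn; };\n};\n"

AUTH_RE = re.compile(r"AuthenticatorProtocol\s*=\s*\(([^)]*)\)\s*;")
GROUP_RE = re.compile(r'DSACL\s*=\s*\{\s*Group\s*=\s*"?([^;"\s]+)"?\s*;')

MESSAGES = {
    "no-user-auth": "no AuthenticatorProtocol: per the comments, only the shared secret gates access",
    "pap": "PAP: the account password crosses PPP in clear and is protected only by the IPsec layer",
    "no-dsacl": "no DSACL group found: cannot tell which accounts are allowed to connect",
    "admin-group": "DSACL group is admin: VPN access is tied to administrator accounts, not a dedicated group",
}

def audit_ppp_settings(text):
    """Return (protocols, group, finding_codes) for one block of server settings."""
    codes = []
    match = AUTH_RE.search(text)
    # An absent key and an empty list "()" both mean no per-user protocol is configured.
    protocols = [p.strip().strip('"') for p in match.group(1).split(",")] if match else []
    protocols = [p for p in protocols if p]
    if not protocols:
        codes.append("no-user-auth")
    if "PAP" in protocols:
        codes.append("pap")
    group_match = GROUP_RE.search(text)
    group = group_match.group(1) if group_match else None
    if group is None:
        codes.append("no-dsacl")
    elif group == "admin":
        codes.append("admin-group")
    return protocols, group, codes

def report(name, text):
    """Format the findings for one named settings block as readable text."""
    protocols, group, codes = audit_ppp_settings(text)
    lines = [f"{name}: protocols={protocols or 'none'} group={group}"]
    lines += [f"  [{c}] {MESSAGES[c]}" for c in codes]
    return "\n".join(lines)

if __name__ == "__main__":
    for name, text in [("secret-only", SAMPLE_SECRET_ONLY), ("pap", SAMPLE_PAP), ("mschap2", SAMPLE_MSCHAP2)]:
        print(report(name, text))
```
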
10.4: Configure a secure L2TP VPN -- authentication workaround
Authored by: jimma on Dec 15, '11 07:01:29AM

For anyone trying (as I was) to get this working in 10.7, this is the fix that worked for me. No need to use dscl to change the local user account's password encryption.
