
Lion Server VPN, Can Connect Locally, Not Remotely

33016 Views 70 Replies Latest reply: Oct 31, 2012 6:43 AM by tehcid
  • Berudus

    I installed Lion as an upgrade from 10.6.8.  After installing Lion Server, VPN would not work from my iPhone 4 to my iMac server over 3G or Wifi.  I tried everything.  I decided to do a clean install of Lion.  After the install was done, my iPhone connected on the first try.

     

    I then decided to restore the same iMac to a Time Machine backup taken just after upgrading to Lion, and now I'm having the same problems I originally had.  Something is wrong with Lion.  This is obvious because doing a fresh install allowed VPN to work and reverting to a backup restored the same problem.

  • topping
    Aug 8, 2011 1:27 AM (in response to ScottM)

    I'm getting the same problem, can connect to the server over the local network, not from remote.  Have spent a few days trying to figure this out.  Have a lot of experience with Linux and FreeBSD admin back in the day, as well as OS-X desktop use and debugging.  This is a complete stumper!

     

    There are zero firewall issues, I've counted packets with tcpdump on both sides and everything is getting through.  The router on the Lion server side is set to forward everything, on the client side, it's set as the "DMZ host" (forwarding everything).

     

    Can anyone see anything in my configuration?

     

    bash-3.2# serveradmin fullstatus vpn

    vpn:servicePortsAreRestricted = "NO"

    vpn:readWriteSettingsVersion = 1

    vpn:servers:com.apple.ppp.pptp:AuthenticationProtocol = "MSCHAP2"

    vpn:servers:com.apple.ppp.pptp:CurrentConnections = 0

    vpn:servers:com.apple.ppp.pptp:enabled = no

    vpn:servers:com.apple.ppp.pptp:MPPEKeySize = "MPPEKeySize128"

    vpn:servers:com.apple.ppp.pptp:Type = "PPP"

    vpn:servers:com.apple.ppp.pptp:SubType = "PPTP"

    vpn:servers:com.apple.ppp.pptp:AuthenticatorPlugins = "DSAuth"

    vpn:servers:com.apple.ppp.l2tp:AuthenticationProtocol = "MSCHAP2"

    vpn:servers:com.apple.ppp.l2tp:CurrentConnections = 0

    vpn:servers:com.apple.ppp.l2tp:enabled = yes

    vpn:servers:com.apple.ppp.l2tp:startedTime = "2011-08-08 08:09:30 +0000"

    vpn:servers:com.apple.ppp.l2tp:Type = "PPP"

    vpn:servers:com.apple.ppp.l2tp:SubType = "L2TP"

    vpn:servers:com.apple.ppp.l2tp:AuthenticatorPlugins = "DSAuth"

    vpn:servers:com.apple.ppp.l2tp:pid = 4059

    vpn:servicePortsRestrictionInfo = _empty_array

    vpn:health = _empty_dictionary

    vpn:logPaths:com.apple.ppp.pptp_ServerLog = "/var/log/ppp/vpnd.log"

    vpn:logPaths:com.apple.ppp.pptp_PPPLog = "/var/log/ppp/vpnd.log"

    vpn:logPaths:vpnLog = "/var/log/ppp/vpnd.log"

    vpn:configured = yes

    vpn:state = "RUNNING"

    vpn:setStateVersion = 1

     

    Logs are here:

     

    2011-08-08 04:21:58 EDT          Incoming call... Address given to client = 204.152.97.199

    Mon Aug  8 04:21:58 2011 : Directory Services Authentication plugin initialized

    Mon Aug  8 04:21:58 2011 : Directory Services Authorization plugin initialized

    Mon Aug  8 04:21:58 2011 : L2TP incoming call in progress from '108.46.128.137'...

    Mon Aug  8 04:21:58 2011 : L2TP received SCCRQ

    Mon Aug  8 04:21:58 2011 : L2TP sent SCCRP

    2011-08-08 04:21:59 EDT          Incoming call... Address given to client = 204.152.97.200

    Mon Aug  8 04:21:59 2011 : Directory Services Authentication plugin initialized

    Mon Aug  8 04:21:59 2011 : Directory Services Authorization plugin initialized

    Mon Aug  8 04:21:59 2011 : L2TP incoming call in progress from '108.46.128.137'...

    Mon Aug  8 04:21:59 2011 : L2TP received SCCRQ

    Mon Aug  8 04:21:59 2011 : L2TP sent SCCRP

    2011-08-08 04:22:01 EDT          Incoming call... Address given to client = 204.152.97.201

    Mon Aug  8 04:22:01 2011 : Directory Services Authentication plugin initialized

    Mon Aug  8 04:22:01 2011 : Directory Services Authorization plugin initialized

    Mon Aug  8 04:22:01 2011 : L2TP incoming call in progress from '108.46.128.137'...

    Mon Aug  8 04:22:01 2011 : L2TP received SCCRQ

    Mon Aug  8 04:22:01 2011 : L2TP sent SCCRP

    2011-08-08 04:22:05 EDT          Incoming call... Address given to client = 204.152.97.202

    Mon Aug  8 04:22:05 2011 : Directory Services Authentication plugin initialized

    Mon Aug  8 04:22:05 2011 : Directory Services Authorization plugin initialized

    Mon Aug  8 04:22:05 2011 : L2TP incoming call in progress from '108.46.128.137'...

    Mon Aug  8 04:22:05 2011 : L2TP received SCCRQ

    Mon Aug  8 04:22:05 2011 : L2TP sent SCCRP

    2011-08-08 04:22:09 EDT          Incoming call... Address given to client = 204.152.97.203

    Mon Aug  8 04:22:09 2011 : Directory Services Authentication plugin initialized

    Mon Aug  8 04:22:09 2011 : Directory Services Authorization plugin initialized

    Mon Aug  8 04:22:09 2011 : L2TP incoming call in progress from '108.46.128.137'...

    Mon Aug  8 04:22:09 2011 : L2TP received SCCRQ

    Mon Aug  8 04:22:09 2011 : L2TP sent SCCRP

    2011-08-08 04:22:13 EDT          Incoming call... Address given to client = 204.152.97.204

    Mon Aug  8 04:22:13 2011 : Directory Services Authentication plugin initialized

    Mon Aug  8 04:22:13 2011 : Directory Services Authorization plugin initialized

    Mon Aug  8 04:22:13 2011 : L2TP incoming call in progress from '108.46.128.137'...

    Mon Aug  8 04:22:13 2011 : L2TP received SCCRQ

    Mon Aug  8 04:22:13 2011 : L2TP sent SCCRP

    2011-08-08 04:22:17 EDT          Incoming call... Address given to client = 204.152.97.205

    Mon Aug  8 04:22:17 2011 : Directory Services Authentication plugin initialized

    Mon Aug  8 04:22:17 2011 : Directory Services Authorization plugin initialized

    Mon Aug  8 04:22:17 2011 : L2TP incoming call in progress from '108.46.128.137'...

    Mon Aug  8 04:22:17 2011 : L2TP received SCCRQ

    Mon Aug  8 04:22:17 2011 : L2TP sent SCCRP

    2011-08-08 04:22:18 EDT             --> Client with address = 204.152.97.199 has hungup

    2011-08-08 04:22:19 EDT             --> Client with address = 204.152.97.200 has hungup

    2011-08-08 04:22:21 EDT             --> Client with address = 204.152.97.201 has hungup

    2011-08-08 04:22:25 EDT             --> Client with address = 204.152.97.202 has hungup

    2011-08-08 04:22:29 EDT             --> Client with address = 204.152.97.203 has hungup

    2011-08-08 04:22:33 EDT             --> Client with address = 204.152.97.204 has hungup

    2011-08-08 04:22:37 EDT             --> Client with address = 204.152.97.205 has hungup
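To read a vpnd.log like the one above systematically, here is an added example (not code from the thread or from Apple) that groups the lines into per-call attempts and reports how far each L2TP control connection got. Tunnel setup per RFC 2661 is SCCRQ from the client, SCCRP from the server, then SCCCN from the client; an attempt that is handed an address, sends SCCRP and then simply hangs up never saw the client's SCCCN. The sample log is constructed in the shape of the excerpt; the healthy third attempt and its "received SCCCN" wording are assumptions, as is the peer address 198.51.100.7.

```python
"""Classify L2TP tunnel attempts from a Lion Server vpnd.log (added example)."""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample, shaped like the excerpt posted in the thread. The last
# attempt is an assumed healthy one; the "received SCCCN" line is an assumption
# about vpnd's wording, not copied from the thread.
SAMPLE_LOG = """\
2011-08-08 04:21:58 EDT          Incoming call... Address given to client = 204.152.97.199
Mon Aug  8 04:21:58 2011 : Directory Services Authentication plugin initialized
Mon Aug  8 04:21:58 2011 : L2TP incoming call in progress from '108.46.128.137'...
Mon Aug  8 04:21:58 2011 : L2TP received SCCRQ
Mon Aug  8 04:21:58 2011 : L2TP sent SCCRP
2011-08-08 04:21:59 EDT          Incoming call... Address given to client = 204.152.97.200
Mon Aug  8 04:21:59 2011 : L2TP incoming call in progress from '108.46.128.137'...
Mon Aug  8 04:21:59 2011 : L2TP received SCCRQ
Mon Aug  8 04:21:59 2011 : L2TP sent SCCRP
2011-08-08 04:22:18 EDT             --> Client with address = 204.152.97.199 has hungup
2011-08-08 04:22:19 EDT             --> Client with address = 204.152.97.200 has hungup
2011-08-08 04:30:00 EDT          Incoming call... Address given to client = 204.152.97.201
Mon Aug  8 04:30:00 2011 : L2TP incoming call in progress from '198.51.100.7'...
Mon Aug  8 04:30:00 2011 : L2TP received SCCRQ
Mon Aug  8 04:30:00 2011 : L2TP sent SCCRP
Mon Aug  8 04:30:01 2011 : L2TP received SCCCN
"""

CALL_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+\s+Incoming call\.\.\. "
                     r"Address given to client = (\S+)$")
HANGUP_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+\s+--> Client with address = "
                       r"(\S+) has hungup$")
L2TP_RE = re.compile(r"^\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4} : L2TP (.*)$")
PEER_RE = re.compile(r"incoming call in progress from '([^']+)'")
CTRL_RE = re.compile(r"^(received|sent) (SCCRQ|SCCRP|SCCCN)$")
TS_FMT = "%Y-%m-%d %H:%M:%S"


@dataclass
class Attempt:
    address: str                 # pool address vpnd handed to the client
    opened: datetime
    peer: Optional[str] = None   # public address the L2TP packets came from
    control: List[str] = field(default_factory=list)  # e.g. "received SCCRQ"
    closed: Optional[datetime] = None

    def verdict(self) -> str:
        if "received SCCCN" in self.control:
            return "tunnel established"
        if "received SCCRQ" not in self.control:
            return "no L2TP control message arrived (UDP 1701 inside IPsec not reaching server)"
        if "sent SCCRP" in self.control:
            return "SCCRP unanswered: client never sent SCCCN (server reply not reaching client)"
        return "SCCRQ seen but server sent no SCCRP"


def parse_vpnd_log(text: str) -> List[Attempt]:
    """Group vpnd.log lines into attempts. vpnd logs calls in order, so L2TP
    lines belong to the most recently opened attempt; hangups are matched by
    the pool address vpnd printed when the call came in."""
    attempts: List[Attempt] = []
    by_address: Dict[str, Attempt] = {}
    current: Optional[Attempt] = None
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if m:
            current = Attempt(m.group(2), datetime.strptime(m.group(1), TS_FMT))
            attempts.append(current)
            by_address[current.address] = current
            continue
        m = HANGUP_RE.match(line)
        if m and m.group(2) in by_address:
            by_address[m.group(2)].closed = datetime.strptime(m.group(1), TS_FMT)
            continue
        m = L2TP_RE.match(line)
        if m and current is not None:
            detail = m.group(1)
            peer = PEER_RE.search(detail)
            ctrl = CTRL_RE.match(detail)
            if peer:
                current.peer = peer.group(1)
            elif ctrl:
                current.control.append(f"{ctrl.group(1)} {ctrl.group(2)}")
    return attempts


def summarize(attempts: List[Attempt]) -> Dict[str, Dict[str, int]]:
    """Per peer: attempts made (each one burns a pool address) and how many
    were established. Many attempts and zero established from one peer is the
    pattern the posters in this thread describe."""
    out: Dict[str, Dict[str, int]] = {}
    for a in attempts:
        s = out.setdefault(a.peer or "?", {"attempts": 0, "established": 0})
        s["attempts"] += 1
        s["established"] += int(a.verdict() == "tunnel established")
    return out


if __name__ == "__main__":
    for a in parse_vpnd_log(SAMPLE_LOG):
        held = (a.closed - a.opened).seconds if a.closed else None
        print(f"{a.address} from {a.peer}: {a.verdict()} (held {held}s)")
    print(summarize(parse_vpnd_log(SAMPLE_LOG)))
```

Run it against the real file with `python3 script.py < /var/log/ppp/vpnd.log` after swapping SAMPLE_LOG for `sys.stdin.read()`.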

  • topping Level 1 (0 points)
    Aug 8, 2011 1:44 AM (in response to topping)

    Also, here's some more config:

     

    bash-3.2# more /Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist

    <?xml version="1.0" encoding="UTF-8"?>

    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

    <plist version="1.0">

    <dict>

            <key>ActiveServers</key>

            <array>

                    <string>com.apple.ppp.l2tp</string>

            </array>

            <key>Servers</key>

            <dict>

                    <key>com.apple.ppp.l2tp</key>

                    <dict>

                            <key>DNS</key>

                            <dict>

                                    <key>OfferedSearchDomains</key>

                                    <array/>

                                    <key>OfferedServerAddresses</key>

                                    <array>

                                            <string>208.78.27.4</string>

                                            <string>208.78.2.238</string>

                                    </array>

                            </dict>

                            <key>IPSec</key>

                            <dict>

                                    <key>AuthenticationMethod</key>

                                    <string>SharedSecret</string>

                                    <key>IdentifierVerification</key>

                                    <string>None</string>

                                    <key>LocalCertificate</key>

                                    <data>

                                    </data>

                                    <key>LocalIdentifier</key>

                                    <string></string>

                                    <key>RemoteIdentifier</key>

                                    <string></string>

                                    <key>SharedSecret</key>

                                    <string>com.apple.ppp.l2tp</string>

                                    <key>SharedSecretEncryption</key>

                                    <string>Keychain</string>

                            </dict>

                            <key>IPv4</key>

                            <dict>

                                    <key>ConfigMethod</key>

                                    <string>Manual</string>

                                    <key>DestAddressRanges</key>

                                    <array>

                                            <string>204.152.97.192</string>

                                            <string>204.152.97.254</string>

                                    </array>

                                    <key>OfferedRouteAddresses</key>

                                    <array/>

                                    <key>OfferedRouteMasks</key>

                                    <array/>

                                    <key>OfferedRouteTypes</key>

                                    <array/>

                            </dict>

                            <key>Interface</key>

                            <dict>

                                    <key>SubType</key>

                                    <string>L2TP</string>

                                    <key>Type</key>

                                    <string>PPP</string>

                            </dict>

                            <key>L2TP</key>

                            <dict>

                                    <key>Transport</key>

                                    <string>IPSec</string>

                            </dict>

                            <key>PPP</key>

                            <dict>

                                    <key>ACSPEnabled</key>

                                    <integer>1</integer>

                                    <key>AuthenticatorACLPlugins</key>

                                    <array>

                                            <string>DSACL</string>

                                    </array>

                                    <key>AuthenticatorEAPPlugins</key>

                                    <array>

                                            <string>EAP-KRB</string>

                                    </array>

                                    <key>AuthenticatorPlugins</key>

                                    <array>

                                            <string>DSAuth</string>

                                    </array>

                                    <key>AuthenticatorProtocol</key>

                                    <array>

                                            <string>MSCHAP2</string>

                                    </array>

                                    <key>DisconnectOnIdle</key>

                                    <integer>1</integer>

                                    <key>DisconnectOnIdleTimer</key>

                                    <integer>7200</integer>

                                    <key>IPCPCompressionVJ</key>

                                    <integer>0</integer>

                                    <key>LCPEchoEnabled</key>

                                    <integer>1</integer>

                                    <key>LCPEchoFailure</key>

                                    <integer>5</integer>

                                    <key>LCPEchoInterval</key>

                                    <integer>60</integer>

                                    <key>Logfile</key>

                                    <string>/var/log/ppp/vpnd.log</string>

                                    <key>VerboseLogging</key>

                                    <integer>1</integer>

                            </dict>

                            <key>Radius</key>

                            <dict>

                                    <key>Servers</key>

                                    <array>

                                            <dict>

                                                    <key>Address</key>

                                                    <string>1.1.1.1</string>

                                                    <key>SharedSecret</key>

                                                    <string>1</string>

                                            </dict>

                                            <dict>

                                                    <key>Address</key>

                                                    <string>2.2.2.2</string>

                                                    <key>SharedSecret</key>

                                                    <string>2</string>

                                            </dict>

                                    </array>

                            </dict>

                            <key>Server</key>

                            <dict>

                                    <key>LoadBalancingAddress</key>

                                    <string>1.2.3.4</string>

                                    <key>LoadBalancingEnabled</key>

                                    <integer>0</integer>

                                    <key>Logfile</key>

                                    <string>/var/log/ppp/vpnd.log</string>

                                    <key>MaximumSessions</key>

                                    <integer>128</integer>

                                    <key>VerboseLogging</key>

                                    <integer>1</integer>

                            </dict>

                    </dict>

                    <key>com.apple.ppp.pptp</key>

                    <dict>

                            <key>DNS</key>

                            <dict>

                                    <key>OfferedSearchDomains</key>

                                    <array/>

                                    <key>OfferedServerAddresses</key>

                                    <array/>

                            </dict>

                            <key>IPv4</key>

                            <dict>

                                    <key>ConfigMethod</key>

                                    <string>Manual</string>

                                    <key>DestAddressRanges</key>

                                    <array/>

                                    <key>OfferedRouteAddresses</key>

                                    <array/>

                                    <key>OfferedRouteMasks</key>

                                    <array/>

                                    <key>OfferedRouteTypes</key>

                                    <array/>

                            </dict>

                            <key>Interface</key>

                            <dict>

                                    <key>SubType</key>

                                    <string>PPTP</string>

                                    <key>Type</key>

                                    <string>PPP</string>

                            </dict>

                            <key>PPP</key>

                            <dict>

                                    <key>ACSPEnabled</key>

                                    <integer>1</integer>

                                    <key>AuthenticatorACLPlugins</key>

                                    <array>

                                            <string>DSACL</string>

                                    </array>

                                    <key>AuthenticatorEAPPlugins</key>

                                    <array>

                                            <string>EAP-RSA</string>

                                    </array>

                                    <key>AuthenticatorPlugins</key>

                                    <array>

                                            <string>DSAuth</string>

                                    </array>

                                    <key>AuthenticatorProtocol</key>

                                    <array>

                                            <string>MSCHAP2</string>

                                    </array>

                                    <key>CCPEnabled</key>

                                    <integer>1</integer>

                                    <key>CCPProtocols</key>

                                    <array>

                                            <string>MPPE</string>

                                    </array>

                                    <key>DisconnectOnIdle</key>

                                    <integer>1</integer>

                                    <key>DisconnectOnIdleTimer</key>

                                    <integer>7200</integer>

                                    <key>IPCPCompressionVJ</key>

                                    <integer>0</integer>

                                    <key>LCPEchoEnabled</key>

                                    <integer>1</integer>

                                    <key>LCPEchoFailure</key>

                                    <integer>5</integer>

                                    <key>LCPEchoInterval</key>

                                    <integer>60</integer>

                                    <key>Logfile</key>

                                    <string>/var/log/ppp/vpnd.log</string>

                                    <key>MPPEKeySize128</key>

                                    <integer>1</integer>

                                    <key>MPPEKeySize40</key>

                                    <integer>0</integer>

                                    <key>VerboseLogging</key>

                                    <integer>1</integer>

                            </dict>

                            <key>Radius</key>

                            <dict>

                                    <key>Servers</key>

                                    <array>

                                            <dict>

                                                    <key>Address</key>

                                                    <string>1.1.1.1</string>

                                                    <key>SharedSecret</key>

                                                    <string>1</string>

                                            </dict>

                                            <dict>

                                                    <key>Address</key>

                                                    <string>2.2.2.2</string>

                                                    <key>SharedSecret</key>

                                                    <string>2</string>

                                            </dict>

                                    </array>

                            </dict>

                            <key>Server</key>

                            <dict>

                                    <key>Logfile</key>

                                    <string>/var/log/ppp/vpnd.log</string>

                                    <key>MaximumSessions</key>

                                    <integer>128</integer>

                                    <key>VerboseLogging</key>

                                    <integer>1</integer>

                            </dict>

                    </dict>

            </dict>

            <key>VPNHost</key>

            <string></string>

    </dict>

    </plist>

  • ScottM
    Aug 8, 2011 3:30 AM (in response to topping)

    Yeah, same exact issue here.  I know for a fact that it's nothing to do with routers or networks - it's something to do with Lion Server, but I haven't been able to pin it down.  The same devices work fine with Snow Leopard Server, but with Lion I get the same issue you do.

     

    I've got a standalone box, no Open Directory, no NAT, no firewalls blocking anything, all packets make it in and out, it's purely something that's not clicking into place on the Lion side.

  • Asajj Ventress
    Aug 8, 2011 3:47 AM (in response to ScottM)

    I had the same issues. After days it appeared Time Machine was the issue with my system.

     

    Using Time Machine gave the same issues as stated above and no clear path why it wasn't working. Firewall, routers, all was tried by local Mac techs but without a solution. The clean install made the difference. It takes a lot of manual backup action, but then it works like it should.

     

    The problem was solved by installing a clean OS X Lion by pressing command + R and a clean OS X Server Lion from the Apps application.

     

    Hope this helps.

  • topping Level 1 (0 points)

    I've reinstalled at least four times just last night alone.  I started to worry that the Apple registration servers would think that I was creating illegal copies of the software and stop registering the machine each time.

     

    My first install was on the machine while it was at home, then I brought it to the colo.  I found it's important to have the reverse DNS correct when the software is first installed.  A lot of elements such as server certificates are generated using this information.  In order to get this working perfectly, I had my DHCP server issue an IP address based on Ethernet MAC address, one that was already set up with the correct forward and reverse DNS.  It's also probably ok just to make sure that the network configuration is precise before installing the server bundle.

     

    As for Time Machine, I've never activated it, opened Open Directory and tested that I can connect to the L2TP VPN over the local network.  So I think this is a different problem, although it sounds like the VPN is very fickle.

  • Christopher Pressey
    Aug 8, 2011 9:26 AM (in response to topping)

    Have you downgraded your Airport Base Station / TimeCapsule Firmware as noted here (posted earlier in this thread by pjuger):

     

    http://blog.fusedevelopments.com/2011/07/lion-server-vpn-and-time-capsule-as.html

     

    Downgrading to 7.4.2 resolved all of these issues for me, without having to reinstall anything.

  • topping Level 1 (0 points)

    Hi Christopher, thanks for your response, my server is behind a Vyatta router (http://www.vyatta.com).  So there's no base station or time capsule involved.  And as I noted in there, I've confirmed that each packet (typically about 25 in all) reaches each side.

     

    To say this a different way, those two items might also be contributing to a problem, but it's not the only problem in play here :-)

  • nikos_1283
    Aug 11, 2011 11:32 AM (in response to ScottM)

    Hi everyone, just wanted to say that I'm also struggling with the VPN issues mentioned here, on a fresh install of 10.7 server on an Xserve. L2TP connection attempts make the server provide multiple IP addresses to the clients without going further. I tried with my two MBPs, my iMacs (10.7), an iPhone and a PC using Windows 7 on various networks and ISPs; they all fail with the same log messages. Yet, I'm able to connect locally (which is not very useful for a VPN...).

     

    I tried to connect using PPTP but MPPE keys are said to be missing, despite the fact that I recreated the VPN user account using the appropriate commands. It took me months to get VPN working properly with Apple support on 10.6 server (then they suddenly released a software update that fixed the issue)... And here we go again with Lion. Why did you break something that was (finally) working well!!?

  • Christopher Pressey Level 1 (85 points)
    Aug 11, 2011 11:49 AM (in response to topping)

    Hmm.. well, I'm able to successfully connect to the Lion VPN using Airport firmware 7.4.2, but not with 7.5.x - this leads me to think it's a configuration issue within the firmware versioning of the Airport router, not the Lion VPN. The only thing I can suggest would be to find out the difference(s) between the two Airport firmware versions and see if any of the 7.4.2 firmware settings can be applied to your Vyatta router.

  • topping Level 1 (0 points)
    Aug 11, 2011 11:50 AM (in response to nikos_1283)

    So in your experience, was it just a big black box, that you got no feedback or notification, then one day it just started working? 

     

    Especially considering this is a regression, I find it unacceptable that there's no recourse for users other than to just sit on their hands like this.  I went out and spent $1K on hardware last week because I couldn't get Lion booted in XenServer, now I find that it just doesn't work.  I'm really biting my tongue at this point!

  • topping Level 1 (0 points)

    Think of Vyatta like a Cisco router.  It takes packets from one interface and forwards them to another.

     

    Consider this snippet from Wikipedia:

    The IP Forwarding Algorithm states:

    Given a destination IP address, D, and network prefix, N:
        if (N matches a directly connected network address)
            Deliver datagram to D over that network;
        else if (N does not match a network address and routing table contains route for N)
            Send datagram to next-hop address listed in the routing table;
        else if (N does not match a network and routing table does not contain route for N and there exists a default route)
            Send datagram to default route;
        else
            Send forwarding error message;

     

    Note that there's no mention of Apple Airport in there.  :-)

     

    Airport has a standard IP stack.  My guess is that Lion Server acts differently if it happens to see an Airport.  In other words, this is a bug.  I also reviewed the Lion server sales literature and Airport is not a requirement, so if in fact there is a requirement on Airport, we're looking at a documentation bug.

     

    Either way, it's a bug, and Apple needs to get on it.  There's no excuse for Lion Server not to work flawlessly behind any industry standard router that's capable of terabit forwarding speeds.

  • nikos_1283 Level 1 (0 points)
    Aug 11, 2011 12:12 PM (in response to topping)

    Yep. I spent weekends on the problems I had (VPN connected, clients reachable but not the server itself?!), then I contacted AppleCare and started telling them about the problem. I made bug reports, log records, an image of my system using their dedicated application then... nothing. One day, they released 10.6.6 as far as I remember. I tried (without much hope) the VPN and it worked properly! Unbelievable...

     

    I installed Lion, hoping they wouldn't have destroyed the improvements they made. Sadly, it's even worse. I tried Lion on a small installation before setting it on the production server but (unfortunately) I was not able to test VPN in this configuration. Even if the AppleCare support cost a lot, I'm not very eager to start a new procedure with this not so new problem... I thought that I wouldn't be fooled again with Apple bugged updates (like the 10.6.5, with security breach)... What a mistake! Thinking that Apple would finally take care of its (few) enterprise clients that use their beautiful yet expensive and malfunctioning software and hardware is a huge mistake, apparently!

  • porthosjon
    Aug 11, 2011 11:10 PM (in response to nikos_1283)

    Solved!

     

    Using Lion Server on iMac with Airport Extreme Router and iPhone, iPad & MBAir.  Was able to connect VPN locally, but not from iPhone on 3G or any of the 3 from a Clear hotspot.

     

    Troubleshooting:  Turned on default host (DMZ) to my computer and was able to connect from all devices.

     

    What is wrong: Lion's Server App only maps L2TP in Airport Routers for Ports 500, 1701, & 4500

     

    Solution:

    1. You can either expose your machine to the internet on all ports (really bad idea) by turning on default host

    2. You can add Port 1723 to the Airport Extreme Port Mappings for L2TP (got this port from Apple KB: http://support.apple.com/kb/ts1629)

     

    Knew there had to be a port hop that wasn't being tracked!

     

    Bug report filed with Apple as well.

  • topping Level 1 (0 points)
    Aug 11, 2011 11:46 PM (in response to porthosjon)

    Congrats!

     

    Anytime one is running with a NAT network, they are definitely going to have to run either with a triggered port forwarding setup or DMZ default host to get UDP L2TP packets to the correct destination. 

     

    I can't speak for everyone, but I am not running NAT.  The OSX Server has a dedicated IP address that is completely unfiltered.  In fact, I am not even using an Airport. 

     

    There's still a problem there, but it doesn't seem to be affecting your box.  Your setup was working and had a firewall problem, many of the others of us have an actual problem with our servers.  They are quite distinct!

     

    Cheers
