
PPTP VPN errors, 10.7

30549 Views 33 Replies Latest reply: May 25, 2012 8:00 AM by RoseValley
  • UptimeJeff Level 4 (3,390 points)
    Jan 22, 2012 1:55 PM (in response to UptimeJeff)

    I need to clarify.

    Replacing vpnd does not fix the MPPE issue described in this thread,

    but it does fix the CCP issue as described in this thread:

    https://discussions.apple.com/thread/3415822?start=0&tstart=0

    Jeff

  • bobgeo
    Feb 1, 2012 8:26 PM (in response to UptimeJeff)

    So, I had the same issue after upgrading to 10.7.3, but I did get it working. In Lion Server, we are running only L2TP, but the upgrade today to 10.7.3 somehow messed things up. Previously, in Snow Leopard, I believe we were running L2TP and PPTP. Anyway, we have been running L2TP in Lion since it was released without issue.

    After the upgrade today to 10.7.3, I was getting no VPN connection, with the error in the server's log files of "DSAuth plugin: Failed to retrieve MPPE encryption keys from the password server." followed by some type of fatal error in the log.

    First, I tried the things mentioned here: http://support.apple.com/kb/HT4748

    But the terminal command would not run properly for me. So, next, I turned off VPN and then turned it back on. I also switched from L2TP to both L2TP & PPTP, and then back to L2TP. Then I restarted the server. Lastly, I tried running the terminal command again, and this time it ran okay.

    VPN in L2TP mode is running fine after that command took hold. Note that the Apple doc discusses PPTP, but it fixed my L2TP issue; so I say run the command even if you are only running L2TP.

  • Rob Rocket Level 2 (305 points)
    Feb 8, 2012 4:24 AM (in response to bobgeo)

    Thanks, I had 3 servers which had the VPN auth issue after applying the 10.7.3 combo update. No way to get them to accept VPN connections (CHAP auth failed). I also added a new user and switched VPN on/off before applying the terminal commands found in your link.

    Now everything is back up again and works...

    Thanks

    Rob

  • KNicklow Level 1 (0 points)
    Feb 8, 2012 6:02 AM (in response to Rob Rocket)

    I had a VPN working fine until that update, now it's not working anymore. Really inconsistent behavior based around the server not being viewable by clients.

  • bobgeo Level 1 (25 points)
    Feb 8, 2012 12:31 PM (in response to KNicklow)

    Ours has been working really well, and we run a fair amount through that VPN pipe.

    You should take a look at the logs in Server app and watch what happens to them when you try to VPN in. This is how I started figuring out my original problem. See if you can make heads or tails of those logs, and/or do some searches on the errors that pop up in the logs.

    Also, take a look at that link; you may want to run the command anyway.

  • KNicklow Level 1 (0 points)
    Feb 10, 2012 6:37 AM (in response to bobgeo)

    bobgeo wrote:

    Ours has been working really well, and we run a fair amount through that VPN pipe.

    You should take a look at the logs in Server app and watch what happens to them when you try to VPN in. This is how I started figuring out my original problem. See if you can make heads or tails of those logs, and/or do some searches on the errors that pop up in the logs.

    Also, take a look at that link; you may want to run the command anyway.

    I went ahead and tried to run the command that's shown on this page:

    http://support.apple.com/kb/HT4748

    I went ahead and logged in as root and received this message:

    mycatie:~ root# pwpolicy -a "DAdmin" -u "VPN MPPE Key Access User" -setpolicy "isSessionKeyAgent=1"
    Password:
    Setting policy for VPN MPPE Key Access User

    ***Error: eDSAuthFailed : (-14090) for dsDoDirNodeAuth

    ***Error: eDSAuthFailed : (-14090) for dsDoDirNodeAuth
      Method = dsAuthMethodStandard:dsAuthSetPolicyAsRoot
    mycatie:~ root#

    Do you have any idea what the error I'm receiving is indicative of?

    Also, where can I find the log files related to the VPN service?

  • bobgeo Level 1 (25 points)
    Feb 10, 2012 10:22 AM (in response to KNicklow)

    Hi KNicklow,

    I think you have the command wrong; specifically, the "VPN MPPE Key Access User" should look more like "vpn_e35274859xxxxxxxxx". Go back to that link and use Workgroup Manager to see this Short Name. I know the document says you can use Server app to see this, but I could not find it via Server app.

    When I ran the command, I did not get anything returned back; it just showed me a new prompt, almost as if nothing happened, but something clearly did.

    Also, make sure that "DAdmin" is correct using Workgroup Manager. Use the Short Name that is listed in Workgroup Manager.

    Try again!

    Bob

  • KNicklow Level 1 (0 points)
    Feb 10, 2012 11:01 AM (in response to bobgeo)

    Thanks for the recommendations.

    I tried it again and the command was accepted. Unfortunately, the VPN is still busted. It seems that with L2TP connections "Authentication Fails", but users can get through. With PPTP, I get a response of "no server response". I'll keep working with it, I guess, and see what I get.

  • bobgeo Level 1 (25 points)
    Feb 10, 2012 11:12 AM (in response to KNicklow)

    Make sure you have the right ports opened up on your router.

    For L2TP - public and private UDP ports: 500, 1701, 4500
    For PPTP - public and private TCP port: 1723

    Both of these going to the private IP address of your server. Power cycle the router.

    Then on the server, also do the whole turn-off-the-VPN-and-turn-it-back-on thing. Maybe turn it off, restart the computer, and then turn it back on.

    Also, try creating a new Configuration Profile for the VPN in Server app and use that one.

  • KNicklow Level 1 (0 points)
    Feb 10, 2012 2:13 PM (in response to bobgeo)

    Well, good news. Turns out the PPTP port wasn't forwarded for some reason. I'm still getting Authentication Failed, but now it's consistent between the two protocols. I suppose now it's just a matter of figuring out why it's failing.

  • bobgeo Level 1 (25 points)
    Feb 10, 2012 2:26 PM (in response to KNicklow)

    This should be solvable. Check this out: https://discussions.apple.com/thread/3202997?start=30&tstart=0

    Specifically, what "Silberg" did. Try his steps and make sure that for the VPN you are using the short name.

    Also, if no luck there, check out some of the other posts there, like the ones from "LEK2". In addition, now that the problem is down to "Authentication Failed", you can search on just that issue for Lion Server.

    If that does not work, I am thinking it is something simple like the password being wrong or whatnot. Let us know what happens.

  • KNicklow Level 1 (0 points)
    Feb 13, 2012 5:08 AM (in response to bobgeo)

    Thanks for the great tips. I don't really have time to mess with it today, but I'm hoping to get another crack at it in the next few days. I'll report my findings when I have some.

    Thanks!

  • KNicklow Level 1 (0 points)
    Feb 13, 2012 1:24 PM (in response to bobgeo)

    I'm still working on it, but it's continuing to fail authentication; here's the log:

    2012-02-13 16:05:03 EST   Incoming call... Address given to client = 10.0.0.152
    Mon Feb 13 16:05:03 2012 : Directory Services Authentication plugin initialized
    Mon Feb 13 16:05:03 2012 : Directory Services Authorization plugin initialized
    Mon Feb 13 16:05:03 2012 : L2TP incoming call in progress from 'Our Public IP Address'...
    Mon Feb 13 16:05:03 2012 : L2TP received SCCRQ
    Mon Feb 13 16:05:03 2012 : L2TP sent SCCRP
    Mon Feb 13 16:05:03 2012 : L2TP received SCCCN
    Mon Feb 13 16:05:03 2012 : L2TP received ICRQ
    Mon Feb 13 16:05:03 2012 : L2TP sent ICRP
    Mon Feb 13 16:05:03 2012 : L2TP received ICCN
    Mon Feb 13 16:05:03 2012 : L2TP connection established.
    Mon Feb 13 16:05:03 2012 : using link 0
    Mon Feb 13 16:05:03 2012 : Using interface ppp0
    Mon Feb 13 16:05:03 2012 : Connect: ppp0 <--> socket[34:18]
    Mon Feb 13 16:05:03 2012 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x7c6b8d45> <pcomp> <accomp>]
    Mon Feb 13 16:05:03 2012 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x586f613> <pcomp> <accomp>]
    Mon Feb 13 16:05:03 2012 : lcp_reqci: returning CONFACK.
    Mon Feb 13 16:05:03 2012 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x586f613> <pcomp> <accomp>]
    Mon Feb 13 16:05:03 2012 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x7c6b8d45> <pcomp> <accomp>]
    Mon Feb 13 16:05:03 2012 : sent [LCP EchoReq id=0x0 magic=0x7c6b8d45]
    Mon Feb 13 16:05:03 2012 : sent [CHAP Challenge id=0xf1 <731b4c056c570234416d075349301f7f>, name = "mycatie.com"]
    Mon Feb 13 16:05:03 2012 : rcvd [LCP EchoReq id=0x0 magic=0x586f613]
    Mon Feb 13 16:05:03 2012 : sent [LCP EchoRep id=0x0 magic=0x7c6b8d45]
    Mon Feb 13 16:05:03 2012 : rcvd [LCP EchoRep id=0x0 magic=0x586f613]
    Mon Feb 13 16:05:03 2012 : rcvd [CHAP Response id=0xf1 <19e910f590740fc9446a674fdd6b1f7b0000000000000000ccefbf20225325d9d1adc998b9a6c9 dd64b01847272801fa00>, name = "The User ID"]
    Mon Feb 13 16:05:03 2012 : sent [CHAP Failure id=0xf1 ""]
    Mon Feb 13 16:05:03 2012 : CHAP peer authentication failed for The User ID
    Mon Feb 13 16:05:03 2012 : sent [LCP TermReq id=0x2 "Authentication failed"]
    Mon Feb 13 16:05:03 2012 : Connection terminated.
    Mon Feb 13 16:05:03 2012 : L2TP disconnecting...
    Mon Feb 13 16:05:03 2012 : L2TP sent CDN
    Mon Feb 13 16:05:03 2012 : L2TP sent StopCCN
    Mon Feb 13 16:05:03 2012 : L2TP disconnected
    2012-02-13 16:05:03 EST   --> Client with address = 10.0.0.152 has hungup
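
Added example (not part of this thread and not Apple tooling): a small Python triage script that scans pppd/vpnd log text like the excerpt above and reports how far the session got, which authentication protocol was negotiated and why it ended, so the failure modes discussed in this thread (MPPE key retrieval error on the server, CHAP rejection of a user, no tunnel reaching pppd at all) can be told apart at a glance. The sample log is a constructed, abridged copy of the lines posted above.

```python
import re

# Constructed sample: abridged copy of the pppd/vpnd lines posted in the thread.
SAMPLE_LOG = """\
Mon Feb 13 16:05:03 2012 : L2TP incoming call in progress from 'Our Public IP Address'...
Mon Feb 13 16:05:03 2012 : L2TP connection established.
Mon Feb 13 16:05:03 2012 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x7c6b8d45> <pcomp> <accomp>]
Mon Feb 13 16:05:03 2012 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x7c6b8d45> <pcomp> <accomp>]
Mon Feb 13 16:05:03 2012 : sent [CHAP Challenge id=0xf1 <731b4c056c570234416d075349301f7f>, name = "mycatie.com"]
Mon Feb 13 16:05:03 2012 : sent [CHAP Failure id=0xf1 ""]
Mon Feb 13 16:05:03 2012 : CHAP peer authentication failed for The User ID
Mon Feb 13 16:05:03 2012 : sent [LCP TermReq id=0x2 "Authentication failed"]
Mon Feb 13 16:05:03 2012 : Connection terminated.
"""

# Signatures of the stages and failure modes discussed in the thread.
TUNNEL_UP = re.compile(r"(L2TP|PPTP) connection established")
AUTH_PROTO = re.compile(r"sent \[LCP ConfReq .*?<auth (?P<auth>[^>]+)>")
CHAP_FAIL = re.compile(r"CHAP peer authentication failed for (?P<user>.+?)\s*$")
TERM_REQ = re.compile(r'sent \[LCP TermReq id=0x[0-9a-f]+ "(?P<reason>[^"]*)"')
MPPE_ERR = re.compile(r"Failed to retrieve MPPE encryption keys")


def triage(log_text):
    """Return a dict describing how far the session got and why it ended."""
    s = {"tunnel_up": False, "auth_proto": None, "failed_user": None,
         "term_reason": None, "mppe_key_error": False}
    for line in log_text.splitlines():
        if TUNNEL_UP.search(line):
            s["tunnel_up"] = True
        if (m := AUTH_PROTO.search(line)):
            s["auth_proto"] = m.group("auth")      # e.g. "chap MS-v2"
        if (m := CHAP_FAIL.search(line)):
            s["failed_user"] = m.group("user")     # name the peer presented
        if (m := TERM_REQ.search(line)):
            s["term_reason"] = m.group("reason")
        if MPPE_ERR.search(line):
            s["mppe_key_error"] = True
    # Order matters: a server-side key error explains any later CHAP failure.
    if s["mppe_key_error"]:
        s["verdict"] = "mppe-keys"    # server cannot fetch MPPE keys; see HT4748
    elif s["failed_user"]:
        s["verdict"] = "auth-failed"  # that user's credentials / short name rejected
    elif not s["tunnel_up"]:
        s["verdict"] = "no-tunnel"    # nothing reached pppd; check port forwarding
    else:
        s["verdict"] = "ok"
    return s


if __name__ == "__main__":
    for k, v in triage(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

Feed it the full server log to see whether the session died before the tunnel came up (a router or port-forwarding problem, as KNicklow found for PPTP) or only at the CHAP step.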
  • vcacpa Level 1 (0 points)
    Feb 16, 2012 12:16 PM (in response to James Spong)

    I found out that the certificate is one of the problems. So: I just wanted to create a CSR and send it to CertCenter, but the self-signed certificate of the Lion Server was impossibly short. So, there was already no organisation name inside. I decided to delete the existing certificate and create the same one anew with extended options. I checked the extended options and the certificate assistant asked me 1000 questions about exclude and include and I did not know anymore what to answer. So, I cancelled the process and created a new self-signed general certificate without the extended options marked. And 10 minutes after I did this my colleague called me and said he had been thrown out of the VPN tunnel to the server, and asked if I was doing something. I said: Yes, I was just trying to do a certificate, but did not know what to answer and cancelled, and probably that is why he was thrown out. I will check with my XP notebook.

    So, I checked and it is true, PPTP is not working anymore: No server found ...
    I thought: I will do HT4748 again and probably then it will be working. And so it was: I did the pwpolicy command with the new certificate and at once PPTP was working again.

    So, it depends somehow on the certificate!

  • vcacpa Level 1 (0 points)
    Feb 16, 2012 12:22 PM (in response to James Spong)

    Oh, I still need to mention: 3 days before, I installed my own Mac mini OS X Lion Server and bought a certificate from RapidSSL with the CSR I found on that server. But this former certificate at least had an organisation name. And I remember it asking me such things. And this first server is like a wonder: at once all things are working. So, if you spend money on a certificate, suddenly all things work. For example: when I activated the ODS (Open Directory) inside the Wiki you cannot use the calendar element anymore. It tells you that you need to activate the "Calendar App" in Server app. But there is no option to activate this (like in E-Mail with Webmail). Then I installed the official RapidSSL certificate and at once the calendar element was working again. So, this error with the Web-Calendar also depends on the existence of a public certificate. Isn't it an interesting money machine that is used with this concept: you need a certificate, else your server does not work right?
