9 replies. Latest reply: May 3, 2012 3:40 AM by flowirin
flowirin Level 1 (10 points)

I'm attempting to add a VPN to an existing 10.6.7 server.

Unfortunately, the way it was set up was to have en0 as the primary (LAN) address and en1 as the WAN address.

We are running OD, AFP, iChat, iCal and a bunch of network licensing daemons on en0, and serving web pages out through en1.

It appears that I cannot respond to VPN requests through en1, and I cannot find a way to force the VPN server to listen on en1 by editing the com.apple.remoteaccessservers.plist file. Maybe I have the format wrong? The references I have found are from 10.4 and do not have that file in XML format.

Is there a way to do this?

If there isn't, can I change the IP addresses of en1 and en0 around without screwing up the existing services? I'm concerned that my SSL-secured OD will fall over, since the whole thing is pretty delicate, it appears, and maybe it has a hard-coded reference to the interface in there somewhere?

Help much appreciated, and I'll post my solution if, as is typical here, I have to work it out myself.

Oh, for accurate documentation...


2x xserve, 30x MacBook, 3x MacBook Pro, 10x iMac, 20x eMac, 30x PC, Mac OS X (10.6.6), mix intel/PPC
  • 1. Re: com.apple.remoteaccessservers.plist can I choose the interface?
    flowirin Level 1 (10 points)

    Failed attempt:

    I backed up /Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist

    then replaced the original file's contents with an example file taken from 10.4 with the Addresses comment.

    When I restarted the service the file was converted to XML, giving me what looks like a correct format for the Addresses key:

        <dict>
            <key>Addresses</key>
            <array>
                <string>xxx.xxx.xxx.xxx</string>
            </array>
            <key>DNS</key>

    This was pretty much what I was expecting, but it's good to be sure.

    Unfortunately, it hasn't helped.

    The service, as before, picks up the incoming call and issues an IP address. It then repeats this 3 or 4 times before the client fails with a "server does not respond" error. The server then logs the issued IP addresses as hanging up.

    The only difference is that the primary interface no longer responds to VPN requests.

    Is this a routing thing?

  • 2. Re: com.apple.remoteaccessservers.plist can I choose the interface?
    flowirin Level 1 (10 points)

    The failed connection attempt client log:

     

    4/05/11 3:35:31 PM          pppd[2322]          pppd 2.4.2 (Apple version 412.4) started by sysadmin, uid 501

    4/05/11 3:35:31 PM          pppd[2322]          L2TP connecting to server 'xxx.xxx.xxx.en1' (xxx.xxx.xxx.en1)...

    4/05/11 3:35:31 PM          pppd[2322]          IPSec connection started

    4/05/11 3:35:31 PM          racoon[2240]          Connecting.

    4/05/11 3:35:31 PM          racoon[2240]          IKE Packet: transmit success. (Initiator, Main-Mode message 1).

    4/05/11 3:35:31 PM          racoon[2240]          IKE Packet: receive success. (Initiator, Main-Mode message 2).

    4/05/11 3:35:31 PM          racoon[2240]          IKE Packet: transmit success. (Initiator, Main-Mode message 3).

    4/05/11 3:35:31 PM          racoon[2240]          IKE Packet: receive success. (Initiator, Main-Mode message 4).

    4/05/11 3:35:31 PM          racoon[2240]          IKE Packet: transmit success. (Initiator, Main-Mode message 5).

    4/05/11 3:35:31 PM          racoon[2240]          IKEv1 Phase1 AUTH: success. (Initiator, Main-Mode Message 6).

    4/05/11 3:35:31 PM          racoon[2240]          IKE Packet: receive success. (Initiator, Main-Mode message 6).

    4/05/11 3:35:31 PM          racoon[2240]          IKEv1 Phase1 Initiator: success. (Initiator, Main-Mode).

    4/05/11 3:35:31 PM          racoon[2240]          IKE Packet: transmit success. (Information message).

    4/05/11 3:35:31 PM          racoon[2240]          IKEv1 Information-Notice: transmit success. (ISAKMP-SA).

    4/05/11 3:35:31 PM          racoon[2240]          IKE Packet: receive success. (Information message).

    4/05/11 3:35:32 PM          racoon[2240]          IKE Packet: transmit success. (Initiator, Quick-Mode message 1).

    4/05/11 3:35:32 PM          racoon[2240]          IKE Packet: receive success. (Initiator, Quick-Mode message 2).

    4/05/11 3:35:32 PM          racoon[2240]          IKE Packet: transmit success. (Initiator, Quick-Mode message 3).

    4/05/11 3:35:32 PM          racoon[2240]          IKEv1 Phase2 Initiator: success. (Initiator, Quick-Mode).

    4/05/11 3:35:32 PM          pppd[2322]          IPSec connection established

    4/05/11 3:35:52 PM          pppd[2322]          L2TP cannot connect to the server

    4/05/11 3:35:52 PM          racoon[2240]          IKE Packet: transmit success. (Information message).

    4/05/11 3:35:52 PM          racoon[2240]          IKEv1 Information-Notice: transmit success. (Delete IPSEC-SA).

    4/05/11 3:35:52 PM          racoon[2240]          IKE Packet: transmit success. (Information message).

    4/05/11 3:35:52 PM          racoon[2240]          IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).

     

    The changes in the com.apple.remoteaccessservers.plist file have stopped access to the primary interface (so at least I know it has done SOMEthing):

     

    4/05/11 3:42:30 PM          pppd[2352]          pppd 2.4.2 (Apple version 412.4) started by sysadmin, uid 501

    4/05/11 3:42:30 PM          pppd[2352]          L2TP connecting to server 'xxx.xxx.xxx.en0' (xxx.xxx.xxx.en0)...

    4/05/11 3:42:30 PM          pppd[2352]          IPSec connection started

    4/05/11 3:42:30 PM          racoon[2240]          Connecting.

    4/05/11 3:42:30 PM          racoon[2240]          IKE Packet: transmit success. (Initiator, Main-Mode message 1).

    4/05/11 3:42:30 PM          racoon[2240]          IKE Packet: receive success. (Initiator, Main-Mode message 2).

    4/05/11 3:42:30 PM          racoon[2240]          IKE Packet: transmit success. (Initiator, Main-Mode message 3).

    4/05/11 3:42:30 PM          racoon[2240]          IKE Packet: receive success. (Initiator, Main-Mode message 4).

    4/05/11 3:42:30 PM          racoon[2240]          IKE Packet: transmit success. (Initiator, Main-Mode message 5).

    4/05/11 3:42:30 PM          racoon[2240]          IKEv1 Phase1 AUTH: success. (Initiator, Main-Mode Message 6).

    4/05/11 3:42:30 PM          racoon[2240]          IKE Packet: receive success. (Initiator, Main-Mode message 6).

    4/05/11 3:42:30 PM          racoon[2240]          IKEv1 Phase1 Initiator: success. (Initiator, Main-Mode).

    4/05/11 3:42:30 PM          racoon[2240]          IKE Packet: transmit success. (Information message).

    4/05/11 3:42:30 PM          racoon[2240]          IKEv1 Information-Notice: transmit success. (ISAKMP-SA).

    4/05/11 3:42:31 PM          racoon[2240]          IKE Packet: transmit success. (Initiator, Quick-Mode message 1).

    4/05/11 3:42:34 PM          racoon[2240]          IKE Packet: transmit success. (Phase2 Retransmit).

    4/05/11 3:42:37 PM          racoon[2240]          IKE Packet: transmit success. (Phase2 Retransmit).

    4/05/11 3:42:40 PM          racoon[2240]          IKE Packet: transmit success. (Phase2 Retransmit).

    4/05/11 3:42:43 PM          racoon[2240]          IKE Packet: transmit success. (Phase2 Retransmit).

    4/05/11 3:42:46 PM          racoon[2240]          IKE Packet: transmit success. (Phase2 Retransmit).

    4/05/11 3:42:49 PM          racoon[2240]          IKE Packet: transmit success. (Phase2 Retransmit).

    4/05/11 3:42:52 PM          racoon[2240]          IKE Packet: transmit success. (Phase2 Retransmit).

    4/05/11 3:42:55 PM          racoon[2240]          IKE Packet: transmit success. (Phase2 Retransmit).

    4/05/11 3:42:58 PM          racoon[2240]          IKE Packet: transmit success. (Phase2 Retransmit).

    4/05/11 3:43:01 PM          pppd[2352]          IPSec connection failed

    4/05/11 3:43:01 PM          racoon[2240]          IKE Packet: transmit failed. (Information message).

    4/05/11 3:43:01 PM          racoon[2240]          IKEv1 Information-Notice: transmit failed. (Delete ISAKMP-SA).
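    Read side by side, the two client logs above fail at different layers: against en1 the IPsec tunnel comes up and only the L2TP connection inside it goes unanswered, while against en0 (after the plist change) IKE Quick Mode is never answered at all. As an added example that is not part of the original post, this Python snippet classifies a pppd/racoon client log by the furthest stage it reached; the sample lines are constructed in the format of the logs above.

```python
import re
from typing import Dict

# Constructed sample lines in the shape of the client logs above (not the poster's data).
EN1_ATTEMPT = """\
4/05/11 3:35:31 PM  pppd[2322]   IPSec connection started
4/05/11 3:35:31 PM  racoon[2240] IKEv1 Phase1 Initiator: success. (Initiator, Main-Mode).
4/05/11 3:35:32 PM  racoon[2240] IKEv1 Phase2 Initiator: success. (Initiator, Quick-Mode).
4/05/11 3:35:32 PM  pppd[2322]   IPSec connection established
4/05/11 3:35:52 PM  pppd[2322]   L2TP cannot connect to the server
"""

EN0_ATTEMPT = """\
4/05/11 3:42:30 PM  pppd[2352]   IPSec connection started
4/05/11 3:42:30 PM  racoon[2240] IKEv1 Phase1 Initiator: success. (Initiator, Main-Mode).
4/05/11 3:42:31 PM  racoon[2240] IKE Packet: transmit success. (Initiator, Quick-Mode message 1).
4/05/11 3:42:34 PM  racoon[2240] IKE Packet: transmit success. (Phase2 Retransmit).
4/05/11 3:42:37 PM  racoon[2240] IKE Packet: transmit success. (Phase2 Retransmit).
4/05/11 3:42:40 PM  racoon[2240] IKE Packet: transmit success. (Phase2 Retransmit).
4/05/11 3:43:01 PM  pppd[2352]   IPSec connection failed
"""

# Markers racoon/pppd emit at each stage of an L2TP/IPsec client connection.
PHASE1_OK = "Phase1 Initiator: success"
PHASE2_OK = "Phase2 Initiator: success"
IPSEC_UP = "IPSec connection established"
L2TP_FAIL = "L2TP cannot connect to the server"
RETRANSMIT = re.compile(r"\(Phase2 Retransmit\)")


def diagnose(log: str) -> Dict[str, object]:
    """Classify a client log by the furthest stage reached and where it stalled."""
    retransmits = len(RETRANSMIT.findall(log))
    if IPSEC_UP in log and L2TP_FAIL in log:
        # IKE and the IPsec SAs are fine; the L2TP control connection carried
        # inside the tunnel got no answer, so the problem is past IPsec: the
        # L2TP/PPP daemon and the interface it actually services.
        stage, why = "l2tp", "IPsec up, L2TP control channel unanswered"
    elif PHASE1_OK in log and PHASE2_OK not in log:
        # ISAKMP SA was built, but the Quick Mode proposal was never answered.
        stage, why = "ike-phase2", f"Quick Mode unanswered after {retransmits} retransmits"
    elif PHASE1_OK not in log:
        stage, why = "ike-phase1", "no Phase 1 completion: check UDP 500 reachability and the shared secret"
    else:
        stage, why = "connected", "IPsec and L2TP both negotiated"
    return {"stage": stage, "reason": why, "phase2_retransmits": retransmits}
```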

  • 3. Re: com.apple.remoteaccessservers.plist can I choose the interface?
    Linc Davis Level 10 (117,940 points)

    I've had no luck connecting to a Snow Leopard L2TP server with the built-in client, and I don't think I'm doing anything wrong. So I use PPTP instead, which works fine.

  • 4. Re: com.apple.remoteaccessservers.plist can I choose the interface?
    flowirin Level 1 (10 points)

    So, the clue is on the server:

     

    2011-05-04 15:56:55 NZST          Loading plugin /System/Library/Extensions/L2TP.ppp

    2011-05-04 15:56:55 NZST          Listening for connections...

    2011-05-04 15:57:40 NZST          Incoming call... Address given to client = xxx.xxx.xxx.0

    Wed May  4 15:57:40 2011 : Directory Services Authentication plugin initialized

    Wed May  4 15:57:40 2011 : L2TP incoming call in progress from 'yyy.yyy.yyy.42'...

    2011-05-04 15:57:41 NZST          Incoming call... Address given to client = xxx.xxx.xxx.1

    Wed May  4 15:57:41 2011 : Directory Services Authentication plugin initialized

    Wed May  4 15:57:41 2011 : L2TP incoming call in progress from 'yyy.yyy.yyy.42'...

    2011-05-04 15:57:43 NZST          Incoming call... Address given to client = xxx.xxx.xxx.2

    Wed May  4 15:57:43 2011 : Directory Services Authentication plugin initialized

     

    Etcetera, until hangup.

    It appears the Directory Services Authentication plugin is failing on en1.
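    The server log above shows the same peer being handed a fresh address every second or two without the call ever completing. As an added example that is not part of the original post, this Python snippet pairs each "Address given to client" line with the "incoming call in progress from" line that follows it and flags any peer leased several addresses within a short window; the sample log is constructed in the format above, with RFC 5737 documentation addresses standing in for the poster's xxx/yyy values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the shape of the server log above (documentation-range addresses).
SERVER_LOG = """\
2011-05-04 15:56:55 NZST   Listening for connections...
2011-05-04 15:57:40 NZST   Incoming call... Address given to client = 192.0.2.0
Wed May  4 15:57:40 2011 : Directory Services Authentication plugin initialized
Wed May  4 15:57:40 2011 : L2TP incoming call in progress from '198.51.100.42'...
2011-05-04 15:57:41 NZST   Incoming call... Address given to client = 192.0.2.1
Wed May  4 15:57:41 2011 : Directory Services Authentication plugin initialized
Wed May  4 15:57:41 2011 : L2TP incoming call in progress from '198.51.100.42'...
2011-05-04 15:57:43 NZST   Incoming call... Address given to client = 192.0.2.2
Wed May  4 15:57:43 2011 : Directory Services Authentication plugin initialized
Wed May  4 15:57:43 2011 : L2TP incoming call in progress from '198.51.100.42'...
2011-05-04 15:59:10 NZST   Incoming call... Address given to client = 192.0.2.3
Wed May  4 15:59:10 2011 : Directory Services Authentication plugin initialized
Wed May  4 15:59:10 2011 : L2TP incoming call in progress from '203.0.113.7'...
"""

ADDR_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+\s+Incoming call\.\.\. Address given to client = (\S+)")
PEER_RE = re.compile(r"L2TP incoming call in progress from '([^']+)'")


def lease_loops(log, threshold=3, window_s=30):
    """Return {peer: [addresses]} for peers leased `threshold` addresses within `window_s` seconds."""
    leases = defaultdict(list)   # peer -> [(time, address), ...]
    pending = None               # most recent address line still waiting for its peer line
    for line in log.splitlines():
        m = ADDR_RE.match(line)
        if m:
            pending = (datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2))
            continue
        m = PEER_RE.search(line)
        if m and pending:
            leases[m.group(1)].append(pending)
            pending = None
    flagged = {}
    for peer, items in leases.items():
        items.sort()
        # Slide a window of `threshold` consecutive leases; flag the first that fits in window_s.
        for i in range(len(items) - threshold + 1):
            if (items[i + threshold - 1][0] - items[i][0]).total_seconds() <= window_s:
                flagged[peer] = [addr for _, addr in items[i:i + threshold]]
                break
    return flagged
```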

  • 5. Re: com.apple.remoteaccessservers.plist can I choose the interface?
    flowirin Level 1 (10 points)

    PPTP is not an option. It's inherently insecure and exposes my users. I'd much rather struggle on and get this working as it should.

    The L2TP system works as expected on interface en0, not on en1.

  • 6. Re: com.apple.remoteaccessservers.plist can I choose the interface?
    Linc Davis Level 10 (117,940 points)

    PPTP is not insecure; only Microsoft's implementation of it. If you use strong passwords, it's as safe as anything else.

  • 7. Re: com.apple.remoteaccessservers.plist can I choose the interface?
    flowirin Level 1 (10 points)

    Thanks for your input.

    I'm really keen on getting this L2TP VPN working on en1. Anyone else managed it?

  • 8. Re: com.apple.remoteaccessservers.plist can I choose the interface?
    SPKlein Level 1 (0 points)

    Flowirin, did you ever find a solution to this? I have the same issue.

    Thanks.

  • 9. Re: com.apple.remoteaccessservers.plist can I choose the interface?
    flowirin Level 1 (10 points)

    Nope. In the end I swapped over the primary and secondary interfaces.
    That was a mission.

    I had to back up and rebuild the Kerberos database, replacing all references to the original primary interface with the new one, so that my LDAP server still worked. Not straightforward. I had to kick and rebind all my clients too (although that was scriptable through ARD).

    However, the VPN would not work in any other way.

    Apple? *****.

    Still, it's working no