
L2TP VPN Error: "MPPE required but peer negotiation failed"

Clean Leopard Server install. Fairly clean Leopard client, too. Tried to set up an L2TP VPN service and connect to it from the client machine, and I get this in the client's log:

11/6/07 2007-11-06 T 20:23:52 (PST) pppd[374] IPSec connection established
11/6/07 2007-11-06 T 20:23:52 (PST) pppd[374] L2TP connection established.
11/6/07 2007-11-06 T 20:23:52 (PST) pppd[374] Connect: ppp0 <--> socket[34:18]
11/6/07 2007-11-06 T 20:23:53 (PST) pppd[374] MPPE required but peer negotiation failed
11/6/07 2007-11-06 T 20:23:53 (PST) pppd[374] Connection terminated.

As far as I can tell from searching the web, MPPE should not even be involved (but I really don't know the protocol). If I set up a PPTP VPN on the same pair of machines, all is well.

I really think this is a bug in either Leopard or Leopard Server. Anyone else bumping into this wall?


regards,

Bill.

Mac OS X (10.5)

Posted on Nov 6, 2007 8:35 PM


Dec 26, 2007 7:06 PM in response to SpaceBass

I wanted to follow up with a few things...
First, I'm so mad that I am about to take a hammer to this thing...
Secondly, I found this post:
http://www.lostcreations.com/blog/20071209-9
which suggests that L2TP should work after successfully connecting to a PPTP connection first. I can report that it does not.

Why did my VPN connection work every time, then get sporadic today, then stop altogether, when my other MB doesn't have the issue at all? Makes NO SENSE!!!!

Jan 28, 2008 12:03 AM in response to W. McHargue

I had this problem too - Mac OS X Server 10.4.11, Leopard 10.5.1 client machines. I did a bit of googling around and finally fixed it by creating a patched pppd file for the OS X server. Below are the sources of the info I collected:

* More info about the error: this seems to be relevant:

http://pptpclient.sourceforge.net/howto-diagnosis.phtml#mppe_rbp

* The Source code to Darwin (which underlies Mac OS X):

http://www.opensource.apple.com/darwinsource/

I fetched the pppd source code from the Mac OS X 10.4.11 section; downloaded the .tar.gz file for ppp-233.18

You might need to be registered with Apple to get access to the source code. I am a developer, so I got access, but I don't know how/if it works for non-developers.

Once I had the source code downloaded and expanded to my computer, I patched the file Helpers/pppd/ccp.c and disabled the 'if' statement spread over 4 lines around line 996. This is a total hack - I have a vague idea what I am doing, but I did not study the source closely - so let's say I got lucky. (Actually, it's more of an educated guess).

Then I recompiled just the pppd tool target (deployment configuration) using Xcode 3.0, and then replaced the old pppd on my Mac OS X server. With the newly compiled pppd copied into my admin user's home directory, this was the sequence I executed on the Mac OS X server:

# log in as an admin user and open Terminal; the new pppd is in the current directory
sudo bash
# enter your password when prompted
mv /usr/sbin/pppd /usr/sbin/pppd.original
chmod 4511 pppd            # setuid root, read/execute only for everyone else
chown root:wheel pppd
mv pppd /usr/sbin/pppd
exit                       # Ctrl-D, then quit Terminal

And from then on, my L2TP connection started working! No more "MPPE required but peer negotiation failed" in my logs etc...

I know that this is probably totally unhelpful for many people who don't have development experience, but I am not sure what the legalities are of distributing a patched pppd. Furthermore, I am not prepared to take any responsibility - this is really mucking around deep in the system, so if you do as I did, you're on your own; if things go awry, there's no one to blame but yourself.

If someone at Apple is reading this and can shed some light on what the legalities are, I might be able to make the patched pppd available (without any warranties whatsoever).
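As an added illustration of why MPPE turns up at all in an L2TP connection (this is my example, not part of the original thread and not Apple's or the pppd project's code): once IPsec and L2TP are up, PPP still runs CCP (RFC 1962), and when a connection is configured to require encryption pppd puts the MPPE option (RFC 3078, option type 18) in its CCP Configure-Request. The Python below builds and parses CCP packets and replays one exchange under the rule I understand upstream pppd's ccp.c to apply: a Configure-Reject of the MPPE option while MPPE is required gives "MPPE required but peer refused" (the variant seen later in this thread against a PIX), and reaching CCP-up with MPPE agreed in fewer than both directions gives the "MPPE required but peer negotiation failed" from the original post. The packets are constructed sample data, and the exact order and strictness of the checks is my approximation of the upstream logic, not a quotation of the Apple source the post above patched.

```python
import struct

# CCP (RFC 1962) packet codes and the MPPE option (RFC 3078, option type 18).
CCP_CONFREQ, CCP_CONFACK, CCP_CONFNAK, CCP_CONFREJ = 1, 2, 3, 4
CI_MPPE = 18
MPPE_40 = 0x00000020         # 40-bit keys
MPPE_128 = 0x00000040        # 128-bit keys
MPPE_56 = 0x00000080         # 56-bit keys
MPPE_STATELESS = 0x01000000  # stateless (per-packet rekey) mode
KEY_BITS_WE_ACCEPT = MPPE_128 | MPPE_40   # assumption: what "our" pppd is willing to run


def mppe_option(bits):
    """The MPPE CCP option: type 18, length 6, 32-bit supported-bits field."""
    return (CI_MPPE, struct.pack("!I", bits))


def build_ccp(code, ident, options):
    """Serialise a CCP packet: code, identifier, 16-bit length, then TLV options."""
    body = b"".join(struct.pack("!BB", t, 2 + len(d)) + d for t, d in options)
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_ccp(pkt):
    """Parse a CCP packet into (code, ident, [(type, data), ...]), rejecting bad lengths."""
    if len(pkt) < 4:
        raise ValueError("CCP packet shorter than its header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("CCP length field does not match packet size")
    opts, off = [], 4
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated CCP option header")
        t, l = pkt[off], pkt[off + 1]
        if l < 2 or off + l > length:
            raise ValueError("bad CCP option length")
        opts.append((t, pkt[off + 2:off + l]))
        off += l
    return code, ident, opts


def mppe_bits(opts):
    """The MPPE bit field carried in an option list, or None if the option is absent."""
    for t, d in opts:
        if t == CI_MPPE and len(d) == 4:
            return struct.unpack("!I", d)[0]
    return None


def negotiate(require_mppe, peer_reply, peer_confreq, our_ident=1):
    """Replay one CCP exchange after we sent Configure-Request(ident=our_ident, MPPE 128-bit).
    peer_reply is the peer's answer to that request; peer_confreq is the peer's own
    Configure-Request. Returns (outcome, go_mppe, ho_mppe): go = MPPE agreed for what we
    send, ho = MPPE agreed for what the peer sends. "Both directions or fail" is my reading
    of upstream pppd's ccp.c, not a quotation of Apple's source."""
    code, ident, opts = parse_ccp(peer_reply)
    if ident != our_ident:
        return ("reply ignored: identifier mismatch", False, False)
    bits = mppe_bits(opts)
    go_mppe = False
    if code == CCP_CONFACK and bits is not None:
        go_mppe = True
    elif code == CCP_CONFNAK and bits is not None and bits & KEY_BITS_WE_ACCEPT:
        go_mppe = True  # peer counter-proposed a key length we also support
    elif code == CCP_CONFREJ and bits is not None and require_mppe:
        return ("MPPE required but peer refused", False, False)
    # The peer's own Configure-Request decides whether it will encrypt towards us.
    code, _, opts = parse_ccp(peer_confreq)
    ho_bits = mppe_bits(opts) if code == CCP_CONFREQ else None
    ho_mppe = ho_bits is not None and bool(ho_bits & KEY_BITS_WE_ACCEPT)
    if require_mppe and not (go_mppe and ho_mppe):
        return ("MPPE required but peer negotiation failed", go_mppe, ho_mppe)
    return ("CCP up with MPPE" if go_mppe and ho_mppe else "CCP up without MPPE",
            go_mppe, ho_mppe)


def scenarios():
    """Constructed packets for the cases seen in this thread (sample data, not captures)."""
    ack = build_ccp(CCP_CONFACK, 1, [mppe_option(MPPE_128)])
    rej = build_ccp(CCP_CONFREJ, 1, [mppe_option(MPPE_128)])
    req_mppe = build_ccp(CCP_CONFREQ, 7, [mppe_option(MPPE_128 | MPPE_STATELESS)])
    req_plain = build_ccp(CCP_CONFREQ, 7, [])  # peer runs CCP but offers no MPPE option
    return {
        "pptp-style peer, mppe both ways": negotiate(True, ack, req_mppe)[0],
        "peer rejects the option": negotiate(True, rej, req_plain)[0],
        "peer acks ours, offers none itself": negotiate(True, ack, req_plain)[0],
        "same peer, mppe not required": negotiate(False, ack, req_plain)[0],
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:38s} -> {outcome}")
```

The last two scenarios are the practical point: the same peer behaviour is a hard failure when the client side requires MPPE and a clean "up" when it does not, which is consistent with the observation later in this thread that it looks like a client-side problem rather than something the server can answer for. Over L2TP/IPsec the PPP frames are already inside the IPsec tunnel, so a server that does not offer MPPE is not leaving traffic in the clear; what matters is whether the client's configuration insists on it.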

Jan 28, 2008 9:57 AM in response to W. McHargue

Just an update:
This error appears to be user-specific. If I try to connect with my user (a local account that is an admin tied to an OpenDirectory login) then it fails. If I use the local admin account then it works fine.

Even if I edit the plist file to not require MPPE, it does not make a difference ... suggesting that it's looking at something at the user level, NOT the system level.

Feb 14, 2008 1:46 AM in response to SpaceBass

That triggered me: I tried the same and indeed, it was user-specific.

After that I tried throwing away some settings in the user that did not work, which was not successful. What did work, however, was throwing away old VPN PPP and Shared Secret Keys from the Keychain. After removing ALL of them, and then adding a new VPN configuration I got L2TP working.

Be careful to remember your passwords and shared secret if you follow this route.

I got the whole thing working by removing all the PPP and Shared Secret Keys YMMV.

Feb 24, 2008 8:04 PM in response to W. McHargue

I solved mine a bit differently. It seems that vpnaddkeyagentuser does not delete the keychain items mentioned below when you run it, nor does it delete the users. So if you have run it multiple times in the past (blush) you will end up with multiple instances of the keychain item, and also the user.

Delete both the entire list of com.apple.ras keychain items and the VPN MPPE Key users (this may appear to not work, but you are deleting them one at a time. Since they all have the same name and UID, it appears that they are not going away.)

Once you have cleaned out the sins of the past, run vpnaddkeyagentuser again, and you should end up with one com.apple.ras keychain item, and one VPN MPPE Key user.

I suspect that each of you have also had problems with the Tiger server that you have upgraded from... Every once in a while, connecting to VPN would cause a five minute or longer hang in all authentications, causing the entire OS to not allow new connections to open ports, although all old connections would be fine.

Feb 24, 2008 8:43 PM in response to Jon Thompson2

I am having no luck. I followed your suggestion and I seem to be missing something.

I upgraded to Leopard server, running 10.5.2. I am running it as an OD Master and DNS appears to be solid. I can resolve everything forwards and backwards.

The specific problem I am seeing is when I run the vpnaddkeyagentuser /LDAPv3/127.0.0.1 command I get a "Keychain Not Found" error. The error message is "a keychain cannot be found to store "vpn_xxxx". I have an option to cancel or reset to defaults.

I have gone through the reset to default but it did not seem to do anything helpful. In the /library/keychains folder I have a system.keychain and 5 copies of System renamed1.keychain (1-5). I don't see any instances of com.apple.ras and I have no VPN MPPE key users.

May 15, 2008 9:04 PM in response to W. McHargue

I've never been successful getting OS X to authenticate with my Cisco PIX 515e at work until this week when I finally upgraded from version 6.3.5 to version 7.2.3. Initially, I was getting the MPPE error but after clearing out existing passphrases and VPN account leftover from previous attempts, I finally got it working!

May 15 18:52:44 MacBook pppd[14358]: pppd 2.4.2 (Apple version 314) started by root, uid 501
May 15 18:52:44 MacBook pppd[14358]: L2TP connecting to server 'pix.server.com' (xxx.xxx.28.194)...
May 15 18:52:47 MacBook pppd[14358]: IPSec connection started
May 15 18:52:49 MacBook pppd[14358]: IPSec connection established
May 15 18:52:49 MacBook pppd[14358]: L2TP connection established.
May 15 18:52:49 MacBook pppd[14358]: Connect: ppp0 <--> socket[34:18]
May 15 18:52:52 MacBook pppd[14358]: MPPE required but peer refused
May 15 18:52:52 MacBook pppd[14358]: Connection terminated.
May 15 18:52:52 MacBook pppd[14358]: L2TP disconnecting...
May 15 18:52:52 MacBook pppd[14358]: L2TP disconnected

May 24, 2008 2:32 AM in response to W. McHargue

I am surprised that this is not corrected yet. I have to use both PPTP and L2TP connections to connect to different servers, so deleting keychain items, or tampering with the MPPE, is not an option. What I have to add is that it seems mostly a client problem, as the server cannot respond to something not required!
On the other hand, connecting from a Windows machine to the standard Leopard L2TP VPN server is successful and working. It looks like in development one cannot make up one's mind whether to change the client or the server side to respond correctly when asked for something not required. Anyway, this must be fixed soon, as it renders a number of standard Leopard configurations useless for VPN connections from Leopard mobile users.
