VPN External Access not working - can I "borrow" your eyes?

Hello all. I'm struggling with setting up a VPN and starting to wonder what's going on! 🙂

Here's what I have thus far.

1) I've set up VPN on my OSX Server (10.6) and I can access this via a local client. The client connects, gets an IP in the right range, and is happy.

2) Then, I attempt to connect to my external IP via an external connection and the VPN fails.

My conclusion is that this must be a router issue.

I am using a G-Net router.
I have set up port-forwarding for:
TCP 50
UDP 500,4500,1701
TCP 1723 (although I am using L2TP and don't really want PPTP as my clients are newer)

I'm at a loss as to what I may be missing.

Firewall? - then the local client should fail to connect.
Ports? - I can't think or find any that I am missing.
Authentication? - my local client works with the username/password pair and shared secret

Any ideas?

Many, Mac OS X (10.6.2)

Posted on Mar 19, 2010 11:15 AM


Mar 20, 2010 4:10 PM in response to Bergdoll

I'm in a similar boat, maybe I can give you some pointers.

1) Check to make sure your server is visible outside your local network. Do you have a static, public IP address?

2) Is DNS set up correctly? Does your host name resolve to the correct IP address and vice versa?

3) Do you have anything in between your server and the outside world? (e.g. is there a firewall running other than what's on your OSX Server?)

4) Try to connect via VPN and then grab the relevant entries from ppp.log on your client and vpnd.log on your server. Post them here and maybe we'll catch the problem.

Mar 20, 2010 7:43 PM in response to Typo180

Much obliged to anyone who can give some input. Here's my setup:

-Xserve (Late 2006)
-OS X Server 10.6.2
-dual NICs (one internal, one external)
-DNS, DHCP, VPN (L2TP, PPTP), and Firewall are running with non-overlapping IP ranges in our local subnet.
-IP Forwarding and NAT are enabled on my public NIC
-Ports 500, 4500, 1701, 1723, ESP, and GRE are open on the any group
-Can connect via L2TP from a client on our subnet (192.186.252.X) as well as from our building's wireless network (10.0.0.X), but not from a client outside the building.
-PPTP doesn't work anywhere, but I don't want to use PPTP, just have it on for testing.
-No routing tables set in the VPN panel.
-Authenticating with MS-CHAPv2 and a shared secret.
-Listed our domain in "Search Domains"
-Listed my server 3 times under "DNS Servers" on someone else's recommendation (some people are experiencing a bug where SLS skips the first DNS entry and goes to the second)
-From my Firewall logs, it looks like everything from my client is passing through just fine.

Here are the ppp and vpnd logs from the client and server. I'm going to obscure the public IPs and domains (if you need that info, let me know).

L2TP attempt:

vpnd.log from server (98.212.X.X is the IP of the Time Capsule my client is connected through. my server's internal IP is 192.168.252.12)

2010-03-20 20:26:03 CDT Incoming call... Address given to client = 192.168.252.220
Sat Mar 20 20:26:03 2010 : Directory Services Authentication plugin initialized
Sat Mar 20 20:26:03 2010 : Directory Services Authorization plugin initialized
Sat Mar 20 20:26:03 2010 : L2TP incoming call in progress from '98.212.X.X'...
Sat Mar 20 20:26:03 2010 : L2TP received SCCRQ
Sat Mar 20 20:26:03 2010 : L2TP sent SCCRP
2010-03-20 20:26:03 CDT Incoming call... Address given to client = 192.168.252.221
Sat Mar 20 20:26:03 2010 : Directory Services Authentication plugin initialized
Sat Mar 20 20:26:03 2010 : Directory Services Authorization plugin initialized
Sat Mar 20 20:26:03 2010 : L2TP incoming call in progress from '98.212.X.X'...
Sat Mar 20 20:26:03 2010 : L2TP received SCCRQ
Sat Mar 20 20:26:03 2010 : L2TP sent SCCRP
2010-03-20 20:26:05 CDT Incoming call... Address given to client = 192.168.252.222
Sat Mar 20 20:26:05 2010 : Directory Services Authentication plugin initialized
Sat Mar 20 20:26:05 2010 : Directory Services Authorization plugin initialized
Sat Mar 20 20:26:05 2010 : L2TP incoming call in progress from '98.212.X.X'...
Sat Mar 20 20:26:05 2010 : L2TP received SCCRQ
Sat Mar 20 20:26:05 2010 : L2TP sent SCCRP
2010-03-20 20:26:09 CDT Incoming call... Address given to client = 192.168.252.223
Sat Mar 20 20:26:09 2010 : Directory Services Authentication plugin initialized
Sat Mar 20 20:26:09 2010 : Directory Services Authorization plugin initialized
Sat Mar 20 20:26:09 2010 : L2TP incoming call in progress from '98.212.X.X'...
Sat Mar 20 20:26:09 2010 : L2TP received SCCRQ
Sat Mar 20 20:26:09 2010 : L2TP sent SCCRP
2010-03-20 20:26:17 CDT Incoming call... Address given to client = 192.168.252.224
Sat Mar 20 20:26:17 2010 : Directory Services Authentication plugin initialized
Sat Mar 20 20:26:17 2010 : Directory Services Authorization plugin initialized
Sat Mar 20 20:26:17 2010 : L2TP incoming call in progress from '98.212.X.X'...
Sat Mar 20 20:26:17 2010 : L2TP received SCCRQ
Sat Mar 20 20:26:17 2010 : L2TP sent SCCRP
2010-03-20 20:26:23 CDT --> Client with address = 192.168.252.220 has hungup
2010-03-20 20:26:23 CDT --> Client with address = 192.168.252.221 has hungup
2010-03-20 20:26:25 CDT --> Client with address = 192.168.252.222 has hungup
2010-03-20 20:26:29 CDT --> Client with address = 192.168.252.223 has hungup
2010-03-20 20:26:37 CDT --> Client with address = 192.168.252.224 has hungup

-----------------------------------------------------
ppp.log from client (66.X.X.X is my server's public IP)

Sat Mar 20 20:26:01 2010 : L2TP connecting to server 'server.example.com' (66.X.X.X)...
Sat Mar 20 20:26:01 2010 : IPSec connection started
Sat Mar 20 20:26:01 2010 : IPSec phase 1 client started
Sat Mar 20 20:26:01 2010 : IPSec phase 1 server replied
Sat Mar 20 20:26:02 2010 : IPSec phase 2 started
Sat Mar 20 20:26:03 2010 : IPSec phase 2 established
Sat Mar 20 20:26:03 2010 : IPSec connection established
Sat Mar 20 20:26:03 2010 : L2TP sent SCCRQ
Sat Mar 20 20:26:23 2010 : L2TP cannot connect to the server
------------------------------

and here's a PPTP attempt...

vpnd.log from server

2010-03-20 20:33:55 CDT Incoming call... Address given to client = 192.168.252.249
Sat Mar 20 20:33:55 2010 : Directory Services Authentication plugin initialized
Sat Mar 20 20:33:55 2010 : Directory Services Authorization plugin initialized
Sat Mar 20 20:33:55 2010 : PPTP incoming call in progress from '98.212.X.X'...
Sat Mar 20 20:33:56 2010 : PPTP connection established.
Sat Mar 20 20:33:56 2010 : using link 0
Sat Mar 20 20:33:56 2010 : Using interface ppp0
Sat Mar 20 20:33:56 2010 : Connect: ppp0 <--> socket[34:17]
Sat Mar 20 20:33:56 2010 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x7dbf926c> <pcomp> <accomp>]
Sat Mar 20 20:33:56 2010 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x259fcb2> <pcomp> <accomp>]
Sat Mar 20 20:33:56 2010 : lcp_reqci: returning CONFACK.
Sat Mar 20 20:33:56 2010 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x259fcb2> <pcomp> <accomp>]
Sat Mar 20 20:33:56 2010 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x7dbf926c> <pcomp> <accomp>]
Sat Mar 20 20:33:56 2010 : sent [LCP EchoReq id=0x0 magic=0x7dbf926c]
Sat Mar 20 20:33:56 2010 : sent [CHAP Challenge id=0xb7 <0b3c684f1c386736660f4840591e2b56>, name = "server.example.com"]
Sat Mar 20 20:33:56 2010 : rcvd [LCP EchoReq id=0x0 magic=0x259fcb2]
Sat Mar 20 20:33:56 2010 : sent [LCP EchoRep id=0x0 magic=0x7dbf926c]
Sat Mar 20 20:33:56 2010 : rcvd [LCP EchoRep id=0x0 magic=0x259fcb2]
Sat Mar 20 20:33:56 2010 : rcvd [CHAP Response id=0xb7 <682dae4925228bc2cee7c2413f964d5e00000000000000009084d9f3d1b2d776db569745634d66 d0404c2c78cfca8bd800>, name = "user"]
Sat Mar 20 20:33:56 2010 : DSAuth plugin: Could not authenticate key agent for encryption key retrieval.
Sat Mar 20 20:33:56 2010 : sent [CHAP Success id=0xb7 "S=5401B462B1437F390B1BD520E948093D31A8E2B2 M=Access granted"]
Sat Mar 20 20:33:56 2010 : CHAP peer authentication succeeded for user
Sat Mar 20 20:33:56 2010 : DSAccessControl plugin: User 'user' authorized for access
Sat Mar 20 20:33:56 2010 : MPPE required, but keys are not available. Possible plugin problem?
Sat Mar 20 20:33:56 2010 : sent [LCP TermReq id=0x2 "MPPE required but not available"]
Sat Mar 20 20:33:56 2010 : Connection terminated.
Sat Mar 20 20:33:56 2010 : Connect time 0.0 minutes.
Sat Mar 20 20:33:56 2010 : Sent 0 bytes, received 0 bytes.
Sat Mar 20 20:33:56 2010 : PPTP disconnecting...
Sat Mar 20 20:33:56 2010 : PPTP disconnected
2010-03-20 20:33:56 CDT --> Client with address = 192.168.252.249 has hungup

----------------------------------
ppp.log from client

'wookie.illiniapplecenter.com' (66.X.X.X)...
Sat Mar 20 20:33:56 2010 : PPTP connection established.
Sat Mar 20 20:33:56 2010 : Using interface ppp0
Sat Mar 20 20:33:56 2010 : Connect: ppp0 <--> socket[34:17]
Sat Mar 20 20:33:56 2010 : LCP terminated by peer (MPPE required but not available)
Sat Mar 20 20:33:56 2010 : PPTP error when reading socket : EOF
Sat Mar 20 20:33:56 2010 : PPTP error when reading header : read -1, expected 12 bytes
Sat Mar 20 20:33:56 2010 : Connection terminated.
Sat Mar 20 20:33:56 2010 : PPTP disconnecting...
Sat Mar 20 20:33:56 2010 : PPTP disconnected
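The two excerpts above fail in different places. In the L2TP attempt the server logs "received SCCRQ" and "sent SCCRP" and then nothing until the hang-up twenty seconds later, while the client logs "sent SCCRQ" and then "cannot connect": the control connection never got to the client's SCCCN, so either the SCCRP did not make it back to the client or the SCCCN did not make it to the server. The PPTP attempt gets all the way through LCP and CHAP and is torn down by the server itself ("MPPE required, but keys are not available"), which is a Directory Services/key-retrieval problem on the server rather than a port-forwarding one. Note also that ESP is IP protocol 50, not TCP port 50, so a "TCP 50" forward does nothing for it; with NAT traversal in play the ESP payload rides inside UDP 4500 anyway.

As an added example (not code from any poster on this thread), the following Python script parses vpnd.log lines of the shape quoted above, groups them into sessions by the address handed to the client, and reports where each session stalled. The sample log is constructed to match the quoted lines (with the poster's abbreviated addresses). It assumes, as the excerpt reads, that the ctime-style PPP lines belong to the most recently opened call.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the vpnd.log excerpts quoted above:
# one L2TP call that stalls after the server's SCCRP and one PPTP call that
# the server tears down for lack of MPPE keys. Addresses are abbreviated the
# way the poster abbreviated them; no real hosts are involved.
SAMPLE_VPND_LOG = """\
2010-03-20 20:26:03 CDT Incoming call... Address given to client = 192.168.252.220
Sat Mar 20 20:26:03 2010 : L2TP incoming call in progress from '98.212.X.X'...
Sat Mar 20 20:26:03 2010 : L2TP received SCCRQ
Sat Mar 20 20:26:03 2010 : L2TP sent SCCRP
2010-03-20 20:26:23 CDT --> Client with address = 192.168.252.220 has hungup
2010-03-20 20:33:55 CDT Incoming call... Address given to client = 192.168.252.249
Sat Mar 20 20:33:55 2010 : PPTP incoming call in progress from '98.212.X.X'...
Sat Mar 20 20:33:56 2010 : PPTP connection established.
Sat Mar 20 20:33:56 2010 : MPPE required, but keys are not available. Possible plugin problem?
Sat Mar 20 20:33:56 2010 : sent [LCP TermReq id=0x2 "MPPE required but not available"]
2010-03-20 20:33:56 CDT --> Client with address = 192.168.252.249 has hungup
"""

# Two line shapes appear in the quoted log: vpnd "call" lines carry an ISO-style
# timestamp plus zone, the per-session PPP lines carry a ctime-style timestamp.
CALL_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ Incoming call\.\.\. "
                     r"Address given to client = (\S+)$")
HANGUP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ --> "
                       r"Client with address = (\S+) has hungup$")
EVENT_RE = re.compile(r"^\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4} : (.*)$")
TERMREQ_RE = re.compile(r'sent \[LCP TermReq id=0x[0-9a-f]+ "([^"]*)"\]')


def parse_sessions(log_text):
    """Group vpnd.log lines into sessions keyed by the address handed to the client.

    Assumption (not stated on the page): PPP lines are attributed to the most
    recently opened call, which is how the quoted excerpt reads.
    """
    sessions, order, current = {}, [], None
    for line in log_text.splitlines():
        m = CALL_RE.match(line)
        if m:
            start, addr = m.groups()
            current = {"address": addr, "start": start, "end": None, "events": []}
            sessions[addr] = current
            order.append(addr)
            continue
        m = HANGUP_RE.match(line)
        if m:
            end, addr = m.groups()
            if addr in sessions:
                sessions[addr]["end"] = end
            continue
        m = EVENT_RE.match(line)
        if m and current is not None:
            current["events"].append(m.group(1))
    return [sessions[a] for a in order]


def _seconds(start, end):
    fmt = "%Y-%m-%d %H:%M:%S"
    return int((datetime.strptime(end, fmt) - datetime.strptime(start, fmt)).total_seconds())


def diagnose(session):
    """Return (protocol, seconds_alive, finding) for one parsed session."""
    ev = session["events"]
    alive = _seconds(session["start"], session["end"]) if session["end"] else None
    proto = next((e.split()[0] for e in ev if e.startswith(("L2TP", "PPTP"))), "unknown")
    if proto == "L2TP":
        # Control connection setup is SCCRQ -> SCCRP -> SCCCN; if the server sent
        # SCCRP and never logged a later receive, the exchange died on the wire.
        sent_sccrp = "L2TP sent SCCRP" in ev
        got_more = any(e.startswith("L2TP received") and not e.endswith("SCCRQ") for e in ev)
        if sent_sccrp and not got_more:
            return proto, alive, ("stalled after SCCRP: no SCCCN from the client; check the "
                                  "UDP 1701/4500 return path through the NAT in both directions")
        return proto, alive, "control connection progressed"
    if proto == "PPTP":
        # A TermReq the server sent carries the reason in quotes.
        for e in ev:
            m = TERMREQ_RE.search(e)
            if m:
                return proto, alive, f"server terminated the link: {m.group(1)}"
        return proto, alive, "no termination reason logged"
    return proto, alive, "no protocol lines found"


def report(log_text=SAMPLE_VPND_LOG):
    """Diagnose every session; returns a list of (address, protocol, seconds, finding)."""
    return [(s["address"],) + diagnose(s) for s in parse_sessions(log_text)]


if __name__ == "__main__":
    for addr, proto, alive, finding in report():
        print(f"{addr:16} {proto:5} {alive}s  {finding}")
```

Run it against a real vpnd.log by passing the file contents to `report()`; a run of sessions that all report "stalled after SCCRP" while the client logs "IPSec connection established" points at the L2TP leg rather than the IPsec leg, which is what the two excerpts above show.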

Mar 20, 2010 8:15 PM in response to Typo180

I was able to solve my issue.

The solution was to follow my own advice that I give students - draw a picture and "walk with the packets".

It turns out that in my case, the ISP coming into my office blocks ports on dynamic IPs related to web services inbound.
It also turns out that my cell phone company blocks VPN access on their 3G network, but not wireless.

I tried with my Mac from a remote wireless access point and was in.

On the router, I needed to port-forward 50, 500, 4500, 1701, 1723 to the host running OSX Server and VPN services. Also - make sure that the IPs handed out by the Server DO NOT overlap the IPs on your internal network. For myself, I use 10.0.x.x on the internal net and have the VPN hand out 192.168.x.x to those fortunate enough to connect 🙂

Mar 20, 2010 10:23 PM in response to Bergdoll

I have been able to get VPN working using Airport Extreme routers on both ends. I added port routing, named it VPN with the following settings:

Public UDP Ports: 500, 4500, 1701
Public TCP Ports: 1723
Private IP Address: 10.0.0.4 <- internal address of the server
Private UDP Ports: 500, 4500, 1701
Private TCP Ports: 1723

I haven't tested it extensively, but the internal webserver, file sharing, calendar, and address book services worked fine. Although I couldn't see the other computers, I could connect if I knew the IP addresses. Just wanted to mention that the Airport base stations can allow VPN passthrough.

-Carl

Mar 20, 2010 10:57 PM in response to cpfisterer

Yipes. I'm sorry if I gave incorrect info.

I'm actually a little confused - I can't figure out where to find port-forwarding on the Airport Admin utility at all. I'll need to poke around a little more. Does it require any additional installation steps?

I did a search for port-forwarding settings, but it isn't very intuitive (or I'm not very observant).

Mar 20, 2010 11:09 PM in response to Bergdoll

oooookay. Now I am really confused 🙂

I went into both my Time Capsule and my Extreme N base station, clicked "Advanced" and ... no Port-Mapping to be seen.

Is this something only available on newer hardware? I checked for a software update and did a help search. There is definitely no port-mapping on the ones I have.

The three options I see are: Statistics, MobileMe, and IPv6 under advanced.

Mar 20, 2010 11:28 PM in response to Bergdoll

I am using an Airport Extreme (I believe N) and Port Mapping is showing up under Advanced. It is strange that it is not showing up for you, I don't know why that would be. My Airport is a couple of years old now so it isn't real new but it does have the latest firmware updates. I can also get to port mapping if I go to Internet then NAT. There is a checkbox for Enable NAT Port Mapping Protocol. Try that. Then you can click the button that says Configure Port Mappings.

-Carl

Mar 21, 2010 4:16 AM in response to Bergdoll

Also - make sure that the IPs handed out by the Server DO NOT overlap the IPs on your internal network. For myself, I use 10.0.x.x on the internal net and have the VPN hand out 192.168.x.x to those fortunate enough to connect

It's (more) typical to use non-overlapping pools of IP addresses within the same subnet, and not within different subnets. (For a simple network with a decent IP router, you can probably get away with it.) And with VPNs around, it's vastly better to have addresses outside the 192.168.0.0/16 block that everybody uses for their coffee shop or such, as having the same subnet on both ends of the connection makes for routing problems; otherwise, the VPN software running on the client doesn't know whether to send the traffic directly or send it over the VPN.

Mar 22, 2010 1:14 PM in response to Typo180

What might your level of interest be here? IP routing is one of those topics which can expand to fill all available brain-cells given sufficient levels of technical detail.

In general terms, there's the "don't do that" stuff, which means staying within the same subnet to avoid running stuff through a router until that's needed (due to larger networks, larger volumes of traffic, mixes of faster and slower links among groups of nodes, etc.), and the stuff like avoiding overlapping DHCP (and VPN) address pools, and keeping distinct subnets on both ends of a VPN.

More detail than you probably want, but I learned much from the then-current edition of Tanenbaum's Computer Networks book, and from using and configuring and occasionally messing up an IP network.

Other Reading: [Open directory project Computer Networking|http://www.dmoz.org/Computers/Internet/Protocols/IP/Addressing]

I've posted [an intro to some of the pieces of a network|http://labs.hoffmanlabs.com/node/275].

Mar 24, 2010 1:11 PM in response to Bergdoll

I seem to be having the same problem. We have a Mac Mini 1TB with 10.6.2. I've set up the VPN service to use L2TP and give a range of addresses from 192.168.0.121-200. DHCP, which is running on the same machine, distributes 192.168.0.30-120. With the shared key entered on my MBP and user authentication set to Kerberos, I can connect to the VPN when I am already on our internal network using the server's static IP.

Our router is a Cisco/Linksys WRV200, and I have set it to forward ports 50, 500, 4500, 1701, and 1723 to our server, as described earlier in this discussion. When I try to connect using our external static IP address, I get an error message that says "Authentication Failed". If I try again quickly, I get a different message saying that the L2TP server did not respond.

Any ideas?

Mar 24, 2010 2:06 PM in response to CPierce

RE: Reference material.
The Tanenbaum book "Computer Networks" is a great journey through the OSI model with intimate PDU details, but for Mac OSX I have been using:

Apple Training Series Mac OS X Server Essentials v10.6: A Guide to Using and Supporting Mac OS X Server v10.6
By: Arek Dreyer; Ben Greisler
Publisher: Peachpit Press
Pub. Date: October 21, 2009

Snow Leopard™ Server
By: Daniel Eran Dilger
Publisher: John Wiley & Sons
Pub. Date: November 02, 2009

The Dilger book has a section on VPNs that I found somewhat helpful. I can see using a range of subnets off a major network for the DHCP, but dividing DHCP scopes would strike me as problematic. When I say dividing I mean that 192.168.1.0/24 could be used to create a scope 192.168.1.1 to 192.168.1.100 and the VPN Server could hand out 192.168.1.101-200 or something like that. I think this would cause a problem... I have to test it.

However, using 192.168.1.0/27 would create different subnets .0/.32/.64/etc. Then the VPN could hand out a range of DHCP addresses in one of these subnets. I just think that if the VPN DHCP hands out addresses in the same subnet - there could be a problem. Not sure though. The book I read seemed to suggest this, but it's not in-hand at the moment.

At any rate, I have it working now. My problem was that my iPhone carrier blocks VPN access. So when I use wireless from my MacBook Pro off-site, I can go through my G-Net router (forwarding ports 1701, 1723, 50, 500, 4500) and establish a connection to my OSX VPN Server (which is actually a VMWare machine for fun - I had to ensure I was using bridged networking and "generated" a MAC address).

Odd things: I still can't see how to do port-forwarding on my two Apple BaseStations. I know where it should be (Advanced)... but it's not! Weird and odd. One is the very first "N" BaseStation and the other is the very first model Time Capsule.
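The addressing questions raised in the last few posts (the VPN pool must not overlap the DHCP scope, the VPN pool may sit inside the LAN subnet or in a separate one, the remote client's own subnet must not collide with the office LAN, and what a /27 split of 192.168.1.0/24 actually yields) are all mechanical checks. As an added example (not code from any poster on this thread), the following Python script applies them with the standard `ipaddress` module. The layouts it checks are constructed from the figures quoted in the posts above (the 192.168.0.30-120 / 192.168.0.121-200 split, the 10.0.x.x LAN with a 192.168.x.x VPN pool, a coffee-shop client on 192.168.0.0/24); the exact pool bounds for the 10.0.x.x case are made up for illustration.

```python
import ipaddress


def address_pool(first, last):
    """Inclusive pool of addresses, the way the VPN pane takes it (first to last)."""
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if b < a:
        raise ValueError("pool end precedes pool start")
    return a, b


def pools_overlap(p, q):
    """Two inclusive pools overlap when neither one ends before the other starts."""
    return p[0] <= q[1] and q[0] <= p[1]


def pool_inside(p, network):
    return p[0] in network and p[1] in network


def check_server(lan, dhcp_pool, vpn_pool):
    """Apply the thread's two server-side rules; an empty list means the layout is consistent."""
    lan = ipaddress.ip_network(lan)
    findings = []
    if pools_overlap(dhcp_pool, vpn_pool):
        findings.append("VPN pool overlaps the DHCP scope: two clients can be handed the same address")
    if not pool_inside(vpn_pool, lan):
        findings.append("VPN pool is outside the LAN subnet: LAN hosts need a route to it via the server")
    return findings


def client_conflict(lan, client_lan):
    """True when the remote client's own subnet overlaps the office LAN it reaches over the VPN.

    The client then holds two routes for the same destinations (its local interface and
    the tunnel) and cannot tell which traffic belongs on the VPN.
    """
    return ipaddress.ip_network(lan).overlaps(ipaddress.ip_network(client_lan))


def subdivide(network, new_prefix):
    """List the subnets a block splits into at the given prefix length."""
    return [str(s) for s in ipaddress.ip_network(network).subnets(new_prefix=new_prefix)]


def demo():
    # CPierce's layout: one /24 with DHCP and VPN in non-overlapping pools (figures from the post).
    same_subnet = check_server("192.168.0.0/24",
                               address_pool("192.168.0.30", "192.168.0.120"),
                               address_pool("192.168.0.121", "192.168.0.200"))
    # A mis-set VPN pool that reuses part of the DHCP scope (constructed).
    colliding = check_server("192.168.0.0/24",
                             address_pool("192.168.0.30", "192.168.0.120"),
                             address_pool("192.168.0.100", "192.168.0.200"))
    # Bergdoll's layout: 10.0.x.x LAN, VPN hands out 192.168.x.x (pool bounds constructed).
    separate_subnet = check_server("10.0.0.0/16",
                                   address_pool("10.0.1.1", "10.0.1.254"),
                                   address_pool("192.168.5.1", "192.168.5.254"))
    # Coffee-shop client on 192.168.0.0/24 dialling into an office that also uses it.
    conflict = client_conflict("192.168.0.0/24", "192.168.0.0/24")
    no_conflict = client_conflict("172.20.4.0/24", "192.168.0.0/24")
    return {
        "same_subnet": same_subnet,
        "colliding": colliding,
        "separate_subnet": separate_subnet,
        "client_conflict": conflict,
        "client_no_conflict": no_conflict,
        "slash27": subdivide("192.168.1.0/24", 27),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The "outside the LAN subnet" finding is a note rather than an error: that layout works, as Bergdoll's does, as long as the server forwards between the two and LAN hosts route the VPN block back to it. The client-side conflict is the one that silently breaks things, because no amount of port forwarding fixes a client that routes office traffic out of its own Wi-Fi interface.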
