20 Replies Latest reply: Mar 18, 2013 4:05 AM by Guang
Dylan Neild Level 1 (0 points)
Hi All,

Running SLS 10.6.5 with VPN Service. Configured for L2TP.

Works perfect with a half dozen Mac clients connected, plus off and on a half dozen more iOS clients, over both WiFi and 3G - so needless to say, service is configured and firewalls are all configured appropriately.

The issues are:

1) Windows XP (over NAT-T) - does this work at all with L2TP? From what I can see it just hangs on the XP side and fails to negotiate a phase 1 on the server side? Do I need to hack an anonymous.conf together that avoids AES since XP doesn't support that? The default config should allow failback to 3DES but I've never seen it happen since OS X, iOS and Windows 7 all support AES just fine and Windows XP is never able to connect.

2) Windows 7: I can connect. Everything works. Then I disconnect. Sometimes I can't reconnect again. Sometimes I can. If you wait an hour for the SAD tables to expire the entries (3600 seconds, minus connect time) it works again, but you basically are out of luck for making another connection run again sometimes until this happens.

As a side - I'm noticing the SAD entries on the server side are pretty lazy at expiring - specifically, I have 3 people connected right now (should be 6 entries, one in and out for each) but there are 15 SAD entries still on my server (from 45 minutes ago when there were 7 people connected). Even here, this should be 14 entries but SLS 10.6.5 has left an orphan. It tends to be that the server to remote SAD gets cleared but there is almost always a stray remote to server SAD that gets left lying around.

Any ideas, or should I call Apple support and slog this out with them?

Dual 1.8ghz G5, Mac OS X (10.4.3)
  • hasenpfeffer2 Level 1 (0 points)
    I'm having the same problem with #2, Windows 7 client can connect 1 time fine. After disconnect, it cannot reconnect for some period of time. If I restart my VPN server, the client can connect again immediately.
  • alexatull Level 1 (0 points)
    Looks like I'm having similar problems. I connect to our 10.6.6 Snow Leopard server from all my Apple products at home (iPad, iPhone, iMac, Mac Pro, MacBook) and have absolutely no problems. A number of my colleagues are trying to connect from Windoze 7 clients with varying levels of success. All the clients are configured the same way. Sometimes they connect immediately, sometimes they don't.

    Can't be 100% certain but I also have a leopard server as my desktop system and I've configured l2tp/ipsec on that as a backup VPN server and it seems to be more reliable than the snow leopard one.

    I'm not talking about loads of users here, less than 10
  • Joaquim Carvalho Level 1 (20 points)
    I have a similar problem.

    Slow Leopard Mini server behind a firewall running both L2TP and PPTP.

    At home Macs and iPhones connect to the VPN without problem over L2TP.

    Windows XP and Vista fail to connect over L2TP, they report server not responding, and no trace on the server side, like they did not reach it at all.

    If I use PPTP both the Macs and the Windows machines manage to connect but are disconnected after a few seconds. The trace on the server side is:

    2011-01-30 09:15:36 WET Incoming call... Address given to client = XXXXXXXXXXXX
    Sun Jan 30 09:15:36 2011 : Directory Services Authentication plugin initialized
    Sun Jan 30 09:15:36 2011 : Directory Services Authorization plugin initialized
    Sun Jan 30 09:15:36 2011 : PPTP incoming call in progress from 'XXXXXXXXXXXXXXXX..
    Sun Jan 30 09:15:36 2011 : PPTP connection established.
    Sun Jan 30 09:15:36 2011 : using link 0
    Sun Jan 30 09:15:36 2011 : Using interface ppp0
    Sun Jan 30 09:15:36 2011 : Connect: ppp0 <--> socket[34:17]
    Sun Jan 30 09:15:36 2011 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x204e609e> <pcomp> <accomp>]
    Sun Jan 30 09:15:39 2011 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x204e609e> <pcomp> <accomp>]
    Sun Jan 30 09:15:42 2011 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x204e609e> <pcomp> <accomp>]
    Sun Jan 30 09:15:45 2011 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x204e609e> <pcomp> <accomp>]
    Sun Jan 30 09:15:48 2011 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x204e609e> <pcomp> <accomp>]
    Sun Jan 30 09:15:51 2011 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x204e609e> <pcomp> <accomp>]
    Sun Jan 30 09:15:54 2011 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x204e609e> <pcomp> <accomp>]
    Sun Jan 30 09:15:57 2011 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x204e609e> <pcomp> <accomp>]
    Sun Jan 30 09:16:00 2011 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x204e609e> <pcomp> <accomp>]
    Sun Jan 30 09:16:03 2011 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x204e609e> <pcomp> <accomp>]
    Sun Jan 30 09:16:06 2011 : LCP: timeout sending Config-Requests
    Sun Jan 30 09:16:06 2011 : Connection terminated.
    Sun Jan 30 09:16:06 2011 : PPTP disconnecting...
    Sun Jan 30 09:16:06 2011 : PPTP disconnected
    2011-01-30 09:16:06 WET --> Client with address = XXXXXXXXXXXXX has hungup


    The bottom line is that I cannot connect with windows machines at all and with Macs only over L2TP. This was tested with all the client machines behind the same router.

    Any ideas would be appreciated.

    J

    Message was edited by: Joaquim Carvalho
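
The failure pattern in the PPTP trace above (the same LCP ConfReq re-sent every three seconds, nothing received, then an LCP timeout) can be checked for mechanically. This is an added example, not part of the original post; the sample log is constructed, and the function names and verdict labels are hypothetical.

```python
import re

# Constructed sample: session 1 mirrors the trace quoted above (client address
# replaced by a documentation address); session 2 is a made-up healthy call.
SAMPLE = """\
Sun Jan 30 09:15:36 2011 : PPTP incoming call in progress from '192.0.2.10'...
Sun Jan 30 09:15:36 2011 : PPTP connection established.
Sun Jan 30 09:15:36 2011 : sent [LCP ConfReq id=0x1 <auth chap MS-v2> <magic 0x204e609e>]
Sun Jan 30 09:15:39 2011 : sent [LCP ConfReq id=0x1 <auth chap MS-v2> <magic 0x204e609e>]
Sun Jan 30 09:15:42 2011 : sent [LCP ConfReq id=0x1 <auth chap MS-v2> <magic 0x204e609e>]
Sun Jan 30 09:16:06 2011 : LCP: timeout sending Config-Requests
Sun Jan 30 10:02:11 2011 : PPTP incoming call in progress from '192.0.2.20'...
Sun Jan 30 10:02:11 2011 : PPTP connection established.
Sun Jan 30 10:02:11 2011 : sent [LCP ConfReq id=0x1 <auth chap MS-v2> <magic 0x1a2b3c4d>]
Sun Jan 30 10:02:11 2011 : rcvd [LCP ConfReq id=0x0 <magic 0x5e6f7a8b>]
Sun Jan 30 10:02:11 2011 : rcvd [LCP ConfAck id=0x1 <auth chap MS-v2> <magic 0x1a2b3c4d>]
"""

FRAME = re.compile(r" : (sent|rcvd) \[(\w+) (\w+) id=(0x[0-9a-f]+)")
CALL = re.compile(r"PPTP incoming call in progress from '([^']*)")

def sessions(log):
    """Split a server trace into (peer, lines) pairs, one per incoming call."""
    out = []
    for line in log.splitlines():
        m = CALL.search(line)
        if m:
            out.append((m.group(1), []))
        elif out:
            out[-1][1].append(line)
    return out

def diagnose(lines):
    """Classify one PPTP call from its PPP frame trace."""
    frames = [m.groups() for m in map(FRAME.search, lines) if m]
    confreqs = [f for f in frames if f[:3] == ("sent", "LCP", "ConfReq")]
    rcvd = [f for f in frames if f[0] == "rcvd"]
    timed_out = any("LCP: timeout sending Config-Requests" in l for l in lines)
    established = any("PPTP connection established" in l for l in lines)
    if timed_out and established and not rcvd:
        # The TCP 1723 control channel came up, yet no PPP frame ever came back.
        # PPTP carries PPP in GRE (IP protocol 47), so that path is the suspect.
        verdict = "control-up-no-ppp-reply"
    else:
        verdict = "lcp-negotiation-failed" if timed_out else "no-lcp-timeout"
    return {"verdict": verdict, "rcvd_frames": len(rcvd),
            "confreq_retransmits": max(len(confreqs) - 1, 0)}

def report(log):
    return [(peer, diagnose(lines)) for peer, lines in sessions(log)]
```
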
  • Patrick Savelberg (Private) Level 1 (105 points)
    Same problem here, Mac Client no problem, windows 7 client not working, server not responding.
  • Miggl Level 1 (75 points)
    I'm in the same boat ... having problems like #2:

    - 1st connection works fine, then subsequent reconnects fail.

    Server: OS/X 10.5.8 Leopard Server
    Client: Windows XP SP3 using Windows VPN Client
  • Sean Flynn Level 2 (150 points)
    Also seeing same issue. Mac Clients work beautifully, Windows clients fail time and again.
  • Sean Flynn Level 2 (150 points)
    Found this fix for XP in searching through the forums for similar issues.
    http://discussions.apple.com/message.jspa?messageID=12061464

    Unfortunately I'm unable to find similar solution in Win7. Not at all sure where to make that registry edit.

    Anyone know?
  • davidh Level 4 (1,890 points)
    I've successfully used the VPN service in 10.5.x server for Win XP.

    There are no major shifts with 10.6 server that would cause it to stop working.

    Some key things: If it's working for Mac clients then that's a good start. Many many home-grade "routers" do not (are not capable of) properly forwarding VPN traffic.

    Don't use PPTP; it's the VPN equivalent of WEP and should not be used for secure(d) connections.

    Next, the problem you're seeing is probably due to a default TCP setting in Win Vista and later that can & does cause problems with some network equipment.
    As one article about this known issue, see:

    http://8help.osu.edu/3253.html

    http://www.google.com/search?q=Windows7+TCP+WindowScaling

    Try:

    netsh interface tcp set global autotuninglevel=restricted

    Or

    netsh interface tcp set global autotuninglevel=disabled
  • Sean Flynn Level 2 (150 points)
    Giving your suggestions a try. Just a heads up, even if you're admin user on Win7 host, you need to try to run cmd as Administrator. This requires some special Microsoft Foo.
    http://www.howtogeek.com/howto/windows-vista/run-a-command-as-administrator-from-the-windows-vista-run-box/

    Summarized: in 'Run' field type cmd, and do control-shift-enter. You'll be in as if you are root.
  • Sean Flynn Level 2 (150 points)
    No joy in Win7 with changing netsh interface tcp set global autotuninglevel=disabled.

    Also missed the detail on the link to the page with instructions to 'run as administrator' by right clicking the Start -> Accessories-> Command
  • Sean Flynn Level 2 (150 points)
    This is the regedit needed for Windows Vista, and I'm trying it currently with Windows7
    http://support.microsoft.com/kb/926179
  • Sean Flynn Level 2 (150 points)
    JOY! Works now.

    For those with many machines to massage, there are ways to export a regedit and send it on to users, or deploy it using Windows management tools.
  • hasenpfeffer2 Level 1 (0 points)
    @Sean Flynn and davidh,

    The problems you are describing are NOT the problems this thread describes in the original post.

    Again, Windows 7 will connect to VPN perfectly fine 1 time. I can use that 1 connection as much as I want perfectly fine.

    Once I disconnect, all bets are off. In my case, Windows 7 will not reconnect to the VPN server at all. No log, no information of any kind on either end (well, actually Windows shows the usual useless generic error message after a timeout period).

    If I restart the VPN server OR if I wait several hours, then the cycle restarts, and I can connect 1 time.

    The behavior has nothing to do with firewalls, and I see it even on the same LAN with only a hub in between.
  • Sean Flynn Level 2 (150 points)
    Sorry to have ventured off topic, but found this thread and some suggestions on it as I was experiencing failure to connect Win7 & XP VPN clients. The regedits I did fixed those issues. They might prove useful to other forum readers.

    With the reconnect issue, has the recreation of the VPN userkey helped any? Has it been suggested?