
com.apple.remoteaccessservers.plist can i choose the interface?

i'm attempting to add a VPN to an existing 10.6.7 server.


unfortunately, the way it was set up was to have en0 as the primary, lan address and en1 as the WAN address.

we are running OD, AFP, ichat, ical and a bunch of network licensing daemons on en0, and serving web pages out through en1


it appears that i cannot respond to VPN requests through en1, and i cannot find a way to force the VPN server to listen on en1 through editing the com.apple.remoteaccessservers.plist file. maybe i have the format wrong? the references i have found are from 10.4 and do not have that file in xml format.


is there a way to do this?


if there isn't, can i change the IP address of en1 and en0 around without screwing up the existing services? i'm concerned that my SSL secured OD will fall over, since the whole thing is pretty delicate, it appears, and maybe it has a hard coded reference to the interface in there somewhere?


help much appreciated, and i'll post my solution if, as is typical here, i have to work it out myself.


oh for accurate documentation...

2x xserve, 30x MacBook, 3x MacBook Pro, 10x iMac, 20x eMac, 30x PC, Mac OS X (10.6.6), mix intel/PPC

Posted on May 3, 2011 7:41 PM


May 3, 2011 8:46 PM in response to flowirin

failed attempt:

i backed up /Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist

then replaced the original file's contents with an example file taken from 10.4 with the Addresses comment.

when i restarted the service the file was converted to XML, giving me what looks like a correct format for the addresses key:


<dict>
    <key>Addresses</key>
    <array>
        <string>xxx.xxx.xxx.xxx</string>
    </array>
    <key>DNS</key>


this was pretty much what i was expecting, but it's good to be sure.

unfortunately, it hasn't helped.

the service, as before, picks up the incoming call, and issues an IP address. it then repeats this 3 or 4 times before the client fails with a "server does not respond" error. the server then logs the issued ip addresses as hanging up.

the only difference is that the primary interface no longer responds to vpn requests

is this a routing thing?

May 3, 2011 8:45 PM in response to flowirin

the failed connection attempt client log:


4/05/11 3:35:31 PM pppd[2322] pppd 2.4.2 (Apple version 412.4) started by sysadmin, uid 501

4/05/11 3:35:31 PM pppd[2322] L2TP connecting to server 'xxx.xxx.xxx.en1' (xxx.xxx.xxx.en1)...

4/05/11 3:35:31 PM pppd[2322] IPSec connection started

4/05/11 3:35:31 PM racoon[2240] Connecting.

4/05/11 3:35:31 PM racoon[2240] IKE Packet: transmit success. (Initiator, Main-Mode message 1).

4/05/11 3:35:31 PM racoon[2240] IKE Packet: receive success. (Initiator, Main-Mode message 2).

4/05/11 3:35:31 PM racoon[2240] IKE Packet: transmit success. (Initiator, Main-Mode message 3).

4/05/11 3:35:31 PM racoon[2240] IKE Packet: receive success. (Initiator, Main-Mode message 4).

4/05/11 3:35:31 PM racoon[2240] IKE Packet: transmit success. (Initiator, Main-Mode message 5).

4/05/11 3:35:31 PM racoon[2240] IKEv1 Phase1 AUTH: success. (Initiator, Main-Mode Message 6).

4/05/11 3:35:31 PM racoon[2240] IKE Packet: receive success. (Initiator, Main-Mode message 6).

4/05/11 3:35:31 PM racoon[2240] IKEv1 Phase1 Initiator: success. (Initiator, Main-Mode).

4/05/11 3:35:31 PM racoon[2240] IKE Packet: transmit success. (Information message).

4/05/11 3:35:31 PM racoon[2240] IKEv1 Information-Notice: transmit success. (ISAKMP-SA).

4/05/11 3:35:31 PM racoon[2240] IKE Packet: receive success. (Information message).

4/05/11 3:35:32 PM racoon[2240] IKE Packet: transmit success. (Initiator, Quick-Mode message 1).

4/05/11 3:35:32 PM racoon[2240] IKE Packet: receive success. (Initiator, Quick-Mode message 2).

4/05/11 3:35:32 PM racoon[2240] IKE Packet: transmit success. (Initiator, Quick-Mode message 3).

4/05/11 3:35:32 PM racoon[2240] IKEv1 Phase2 Initiator: success. (Initiator, Quick-Mode).

4/05/11 3:35:32 PM pppd[2322] IPSec connection established

4/05/11 3:35:52 PM pppd[2322] L2TP cannot connect to the server

4/05/11 3:35:52 PM racoon[2240] IKE Packet: transmit success. (Information message).

4/05/11 3:35:52 PM racoon[2240] IKEv1 Information-Notice: transmit success. (Delete IPSEC-SA).

4/05/11 3:35:52 PM racoon[2240] IKE Packet: transmit success. (Information message).

4/05/11 3:35:52 PM racoon[2240] IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).


the changes in the com.apple.remoteaccessservers.plist file have stopped access to the primary interface (so at least i know it has done SOMEthing):


4/05/11 3:42:30 PM pppd[2352] pppd 2.4.2 (Apple version 412.4) started by sysadmin, uid 501

4/05/11 3:42:30 PM pppd[2352] L2TP connecting to server 'xxx.xxx.xxx.en0' (xxx.xxx.xxx.en0)...

4/05/11 3:42:30 PM pppd[2352] IPSec connection started

4/05/11 3:42:30 PM racoon[2240] Connecting.

4/05/11 3:42:30 PM racoon[2240] IKE Packet: transmit success. (Initiator, Main-Mode message 1).

4/05/11 3:42:30 PM racoon[2240] IKE Packet: receive success. (Initiator, Main-Mode message 2).

4/05/11 3:42:30 PM racoon[2240] IKE Packet: transmit success. (Initiator, Main-Mode message 3).

4/05/11 3:42:30 PM racoon[2240] IKE Packet: receive success. (Initiator, Main-Mode message 4).

4/05/11 3:42:30 PM racoon[2240] IKE Packet: transmit success. (Initiator, Main-Mode message 5).

4/05/11 3:42:30 PM racoon[2240] IKEv1 Phase1 AUTH: success. (Initiator, Main-Mode Message 6).

4/05/11 3:42:30 PM racoon[2240] IKE Packet: receive success. (Initiator, Main-Mode message 6).

4/05/11 3:42:30 PM racoon[2240] IKEv1 Phase1 Initiator: success. (Initiator, Main-Mode).

4/05/11 3:42:30 PM racoon[2240] IKE Packet: transmit success. (Information message).

4/05/11 3:42:30 PM racoon[2240] IKEv1 Information-Notice: transmit success. (ISAKMP-SA).

4/05/11 3:42:31 PM racoon[2240] IKE Packet: transmit success. (Initiator, Quick-Mode message 1).

4/05/11 3:42:34 PM racoon[2240] IKE Packet: transmit success. (Phase2 Retransmit).

4/05/11 3:42:37 PM racoon[2240] IKE Packet: transmit success. (Phase2 Retransmit).

4/05/11 3:42:40 PM racoon[2240] IKE Packet: transmit success. (Phase2 Retransmit).

4/05/11 3:42:43 PM racoon[2240] IKE Packet: transmit success. (Phase2 Retransmit).

4/05/11 3:42:46 PM racoon[2240] IKE Packet: transmit success. (Phase2 Retransmit).

4/05/11 3:42:49 PM racoon[2240] IKE Packet: transmit success. (Phase2 Retransmit).

4/05/11 3:42:52 PM racoon[2240] IKE Packet: transmit success. (Phase2 Retransmit).

4/05/11 3:42:55 PM racoon[2240] IKE Packet: transmit success. (Phase2 Retransmit).

4/05/11 3:42:58 PM racoon[2240] IKE Packet: transmit success. (Phase2 Retransmit).

4/05/11 3:43:01 PM pppd[2352] IPSec connection failed

4/05/11 3:43:01 PM racoon[2240] IKE Packet: transmit failed. (Information message).

4/05/11 3:43:01 PM racoon[2240] IKEv1 Information-Notice: transmit failed. (Delete ISAKMP-SA).
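
One way to triage client logs like the two above by the first layer that failed (an added example, not part of the original post; the function names are hypothetical and the sample is condensed from the lines posted in this thread):

```python
import re

# Constructed sample: condensed from the two client logs posted above.
SAMPLE = """\
4/05/11 3:35:31 PM pppd[2322] pppd 2.4.2 (Apple version 412.4) started by sysadmin, uid 501
4/05/11 3:35:31 PM racoon[2240] IKEv1 Phase1 Initiator: success. (Initiator, Main-Mode).
4/05/11 3:35:32 PM racoon[2240] IKEv1 Phase2 Initiator: success. (Initiator, Quick-Mode).
4/05/11 3:35:52 PM pppd[2322] L2TP cannot connect to the server
4/05/11 3:42:30 PM pppd[2352] pppd 2.4.2 (Apple version 412.4) started by sysadmin, uid 501
4/05/11 3:42:30 PM racoon[2240] IKEv1 Phase1 Initiator: success. (Initiator, Main-Mode).
4/05/11 3:42:34 PM racoon[2240] IKE Packet: transmit success. (Phase2 Retransmit).
4/05/11 3:42:37 PM racoon[2240] IKE Packet: transmit success. (Phase2 Retransmit).
4/05/11 3:43:01 PM pppd[2352] IPSec connection failed
"""

# date, time, AM/PM, process[pid], message
LINE = re.compile(r"^\S+ \S+ [AP]M (pppd|racoon)\[\d+\] (.*)$")

def split_sessions(text):
    """Group messages into attempts; a 'pppd ... started by' line opens each one."""
    sessions = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        proc, msg = m.groups()
        if proc == "pppd" and " started by " in msg:
            sessions.append([])
        if sessions:
            sessions[-1].append(msg)
    return sessions

def classify(msgs):
    """Return the first layer that did not complete for one attempt."""
    joined = "\n".join(msgs)
    retx = joined.count("(Phase2 Retransmit)")
    if "IKEv1 Phase1 Initiator: success" not in joined:
        return "IKE phase 1 (Main Mode) did not complete"
    if "IKEv1 Phase2 Initiator: success" not in joined:
        return f"IKE phase 2 (Quick Mode) unanswered, {retx} retransmits"
    if "L2TP cannot connect to the server" in joined:
        return "IPsec up, L2TP control connection failed"
    return "no failure marker found"

def triage(text):
    return [classify(s) for s in split_sessions(text)]

if __name__ == "__main__":
    for n, verdict in enumerate(triage(SAMPLE), 1):
        print(f"attempt {n}: {verdict}")
```

On the sample, the en1 attempt gets through both IKE phases and stalls at L2TP, while the en0 attempt never gets a Quick Mode reply, which matches the server no longer answering on the primary interface after the plist change.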

May 3, 2011 9:04 PM in response to flowirin

so, the clue is on the server:


2011-05-04 15:56:55 NZST Loading plugin /System/Library/Extensions/L2TP.ppp

2011-05-04 15:56:55 NZST Listening for connections...

2011-05-04 15:57:40 NZST Incoming call... Address given to client = xxx.xxx.xxx.0

Wed May 4 15:57:40 2011 : Directory Services Authentication plugin initialized

Wed May 4 15:57:40 2011 : L2TP incoming call in progress from 'yyy.yyy.yyy.42'...

2011-05-04 15:57:41 NZST Incoming call... Address given to client = xxx.xxx.xxx.1

Wed May 4 15:57:41 2011 : Directory Services Authentication plugin initialized

Wed May 4 15:57:41 2011 : L2TP incoming call in progress from 'yyy.yyy.yyy.42'...

2011-05-04 15:57:43 NZST Incoming call... Address given to client = xxx.xxx.xxx.2

Wed May 4 15:57:43 2011 : Directory Services Authentication plugin initialized


etcetera, until hangup.

it appears the Directory Services Authentication plugin is failing on en1.

May 3, 2012 3:40 AM in response to SPKlein

nope. in the end i swapped over the primary and secondary interfaces.
that was a mission.

i had to backup and rebuild the kerberos database replacing all references to the original primary interface with the new one, so that my LDAP server still worked. not straightforward. i had to kick and rebind all my clients too (although that was scriptable through ARD)

however, the VPN would not work in any other way.


apple? *****.


still, it's working no
