
Lion Server VPN, Can Connect Locally, Not Remotely

I have both Lion and Lion Server installed on my Core 2 Duo iMac, mainly because I want the VPN feature of Server.


I configured everything correctly for the VPN, and can connect to it with no problems from my iPhone and iPad when I am within my own LAN (the server and the iPhone/iPad are on the same IP range and subnet).


I also used the automatic config within the Server app to configure my AirPort Extreme N Base Station. Looking at the Port Mapping section of my ABS from within AirPort Utility, I do in fact see that VPN Service (L2TP) is configured with the following UDP ports: 500, 1701 and 4500. Those ports ARE pointing to the iMac that is running the VPN server. Firewall on that iMac is turned OFF.


However, I am unable to connect my iPhone to the VPN Server using my Public IP address. I have tried it from within my network (out of network to the internet, then back), from my Verizon MiFi or from my iPhone's 3G connection (well, in my area it is still Edge). The iPhone simply sits on "Connecting" for a few seconds, then an alert comes up stating "The L2TP-VPN server did not respond. Try reconnecting. If the problem..." yadada.


I AM, however, able to get Web Sharing to work via my Public IP address, as well as VNC.


I also cannot connect to the VPN via the Public IP with other devices like my iBook, PowerBook G4, Windows 7 PC, or iMac G5. They ALL CAN connect via the local network 10.1.x.x IP address.


Am I missing something here? I did all of the automatic configurations, and all of the ports appear to be properly open.

iMac, Mac OS X (10.7)

Posted on Jul 20, 2011 9:59 AM

70 replies

Aug 8, 2011 1:27 AM in response to ScottM

I'm getting the same problem, can connect to the server over the local network, not from remote. Have spent a few days trying to figure this out. Have a lot of experience with Linux and FreeBSD admin back in the day, as well as OS-X desktop use and debugging. This is a complete stumper!


There are zero firewall issues, I've counted packets with tcpdump on both sides and everything is getting through. The router on the Lion server side is set to forward everything, on the client side, it's set as the "DMZ host" (forwarding everything).


Can anyone see anything in my configuration?


bash-3.2# serveradmin fullstatus vpn

vpn:servicePortsAreRestricted = "NO"

vpn:readWriteSettingsVersion = 1

vpn:servers:com.apple.ppp.pptp:AuthenticationProtocol = "MSCHAP2"

vpn:servers:com.apple.ppp.pptp:CurrentConnections = 0

vpn:servers:com.apple.ppp.pptp:enabled = no

vpn:servers:com.apple.ppp.pptp:MPPEKeySize = "MPPEKeySize128"

vpn:servers:com.apple.ppp.pptp:Type = "PPP"

vpn:servers:com.apple.ppp.pptp:SubType = "PPTP"

vpn:servers:com.apple.ppp.pptp:AuthenticatorPlugins = "DSAuth"

vpn:servers:com.apple.ppp.l2tp:AuthenticationProtocol = "MSCHAP2"

vpn:servers:com.apple.ppp.l2tp:CurrentConnections = 0

vpn:servers:com.apple.ppp.l2tp:enabled = yes

vpn:servers:com.apple.ppp.l2tp:startedTime = "2011-08-08 08:09:30 +0000"

vpn:servers:com.apple.ppp.l2tp:Type = "PPP"

vpn:servers:com.apple.ppp.l2tp:SubType = "L2TP"

vpn:servers:com.apple.ppp.l2tp:AuthenticatorPlugins = "DSAuth"

vpn:servers:com.apple.ppp.l2tp:pid = 4059

vpn:servicePortsRestrictionInfo = _empty_array

vpn:health = _empty_dictionary

vpn:logPaths:com.apple.ppp.pptp_ServerLog = "/var/log/ppp/vpnd.log"

vpn:logPaths:com.apple.ppp.pptp_PPPLog = "/var/log/ppp/vpnd.log"

vpn:logPaths:vpnLog = "/var/log/ppp/vpnd.log"

vpn:configured = yes

vpn:state = "RUNNING"

vpn:setStateVersion = 1


Logs are here:


2011-08-08 04:21:58 EDT Incoming call... Address given to client = 204.152.97.199

Mon Aug 8 04:21:58 2011 : Directory Services Authentication plugin initialized

Mon Aug 8 04:21:58 2011 : Directory Services Authorization plugin initialized

Mon Aug 8 04:21:58 2011 : L2TP incoming call in progress from '108.46.128.137'...

Mon Aug 8 04:21:58 2011 : L2TP received SCCRQ

Mon Aug 8 04:21:58 2011 : L2TP sent SCCRP

2011-08-08 04:21:59 EDT Incoming call... Address given to client = 204.152.97.200

Mon Aug 8 04:21:59 2011 : Directory Services Authentication plugin initialized

Mon Aug 8 04:21:59 2011 : Directory Services Authorization plugin initialized

Mon Aug 8 04:21:59 2011 : L2TP incoming call in progress from '108.46.128.137'...

Mon Aug 8 04:21:59 2011 : L2TP received SCCRQ

Mon Aug 8 04:21:59 2011 : L2TP sent SCCRP

2011-08-08 04:22:01 EDT Incoming call... Address given to client = 204.152.97.201

Mon Aug 8 04:22:01 2011 : Directory Services Authentication plugin initialized

Mon Aug 8 04:22:01 2011 : Directory Services Authorization plugin initialized

Mon Aug 8 04:22:01 2011 : L2TP incoming call in progress from '108.46.128.137'...

Mon Aug 8 04:22:01 2011 : L2TP received SCCRQ

Mon Aug 8 04:22:01 2011 : L2TP sent SCCRP

2011-08-08 04:22:05 EDT Incoming call... Address given to client = 204.152.97.202

Mon Aug 8 04:22:05 2011 : Directory Services Authentication plugin initialized

Mon Aug 8 04:22:05 2011 : Directory Services Authorization plugin initialized

Mon Aug 8 04:22:05 2011 : L2TP incoming call in progress from '108.46.128.137'...

Mon Aug 8 04:22:05 2011 : L2TP received SCCRQ

Mon Aug 8 04:22:05 2011 : L2TP sent SCCRP

2011-08-08 04:22:09 EDT Incoming call... Address given to client = 204.152.97.203

Mon Aug 8 04:22:09 2011 : Directory Services Authentication plugin initialized

Mon Aug 8 04:22:09 2011 : Directory Services Authorization plugin initialized

Mon Aug 8 04:22:09 2011 : L2TP incoming call in progress from '108.46.128.137'...

Mon Aug 8 04:22:09 2011 : L2TP received SCCRQ

Mon Aug 8 04:22:09 2011 : L2TP sent SCCRP

2011-08-08 04:22:13 EDT Incoming call... Address given to client = 204.152.97.204

Mon Aug 8 04:22:13 2011 : Directory Services Authentication plugin initialized

Mon Aug 8 04:22:13 2011 : Directory Services Authorization plugin initialized

Mon Aug 8 04:22:13 2011 : L2TP incoming call in progress from '108.46.128.137'...

Mon Aug 8 04:22:13 2011 : L2TP received SCCRQ

Mon Aug 8 04:22:13 2011 : L2TP sent SCCRP

2011-08-08 04:22:17 EDT Incoming call... Address given to client = 204.152.97.205

Mon Aug 8 04:22:17 2011 : Directory Services Authentication plugin initialized

Mon Aug 8 04:22:17 2011 : Directory Services Authorization plugin initialized

Mon Aug 8 04:22:17 2011 : L2TP incoming call in progress from '108.46.128.137'...

Mon Aug 8 04:22:17 2011 : L2TP received SCCRQ

Mon Aug 8 04:22:17 2011 : L2TP sent SCCRP

2011-08-08 04:22:18 EDT --> Client with address = 204.152.97.199 has hungup

2011-08-08 04:22:19 EDT --> Client with address = 204.152.97.200 has hungup

2011-08-08 04:22:21 EDT --> Client with address = 204.152.97.201 has hungup

2011-08-08 04:22:25 EDT --> Client with address = 204.152.97.202 has hungup

2011-08-08 04:22:29 EDT --> Client with address = 204.152.97.203 has hungup

2011-08-08 04:22:33 EDT --> Client with address = 204.152.97.204 has hungup

2011-08-08 04:22:37 EDT --> Client with address = 204.152.97.205 has hungup
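The vpnd.log excerpt above shows the same shape seven times: "received SCCRQ", "sent SCCRP", and then the client hangs up about twenty seconds later, so the L2TP control connection never gets as far as the client's SCCCN, let alone PPP authentication. The parser below is an added example (not code from the thread or from Apple) that reads that log format and flags tunnels whose last L2TP event was "sent SCCRP" before the hangup; it is the kind of check you would run over a day's log to see whether remote clients are stalling at the handshake or failing later at authentication. The sample log is constructed from the line formats quoted in the thread; the SCCCN/ICRQ lines in the second session use the control-message names from RFC 2661 to model a tunnel that does progress, and are not copied from a real vpnd.log.

```python
import re
from datetime import datetime

# Constructed sample modelled on the vpnd.log lines quoted in the thread.
# Tunnel .199 stops at "sent SCCRP" and is hung up 20 s later; tunnel .200
# continues (SCCCN/ICRQ lines are constructed from the RFC 2661 message names).
SAMPLE_LOG = """\
2011-08-08 04:21:58 EDT Incoming call... Address given to client = 204.152.97.199
Mon Aug  8 04:21:58 2011 : Directory Services Authentication plugin initialized
Mon Aug  8 04:21:58 2011 : L2TP incoming call in progress from '108.46.128.137'...
Mon Aug  8 04:21:58 2011 : L2TP received SCCRQ
Mon Aug  8 04:21:58 2011 : L2TP sent SCCRP
2011-08-08 04:21:59 EDT Incoming call... Address given to client = 204.152.97.200
Mon Aug  8 04:21:59 2011 : L2TP incoming call in progress from '198.51.100.7'...
Mon Aug  8 04:21:59 2011 : L2TP received SCCRQ
Mon Aug  8 04:21:59 2011 : L2TP sent SCCRP
Mon Aug  8 04:21:59 2011 : L2TP received SCCCN
Mon Aug  8 04:21:59 2011 : L2TP received ICRQ
2011-08-08 04:22:18 EDT --> Client with address = 204.152.97.199 has hungup
2011-08-08 05:30:00 EDT --> Client with address = 204.152.97.200 has hungup
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S"
INCOMING = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ Incoming call\.\.\. "
                      r"Address given to client = (\S+)$")
HANGUP = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ --> Client with address = "
                    r"(\S+) has hungup$")
L2TP_EVENT = re.compile(r" : L2TP (.+?)\.*$")          # "received SCCRQ", "sent SCCRP", ...
PEER = re.compile(r"incoming call in progress from '([^']+)'")


def parse_vpnd_log(text):
    """Group log lines into sessions keyed by the address vpnd handed the client.

    vpnd logs the L2TP control events for a call right after its "Incoming call"
    line, so events are attached to the most recently opened session."""
    sessions, order, current = {}, [], None
    for line in text.splitlines():
        m = INCOMING.match(line)
        if m:
            ts, addr = m.groups()
            sessions[addr] = {"client_addr": addr, "peer": None, "events": [],
                              "start": datetime.strptime(ts, TS_FORMAT), "end": None}
            order.append(addr)
            current = addr
            continue
        m = HANGUP.match(line)
        if m:
            ts, addr = m.groups()
            if addr in sessions:
                sessions[addr]["end"] = datetime.strptime(ts, TS_FORMAT)
            continue
        m = L2TP_EVENT.search(line)
        if m and current is not None:
            p = PEER.search(line)
            if p:
                sessions[current]["peer"] = p.group(1)   # remote public address
            else:
                sessions[current]["events"].append(m.group(1))
    return [sessions[a] for a in order]


def classify(session):
    """'stalled-after-SCCRP' = server answered the tunnel request but the client
    never continued; 'completed-handshake' = the control connection went further."""
    if session["end"] is None:
        return "open"
    if session["events"] and session["events"][-1] == "sent SCCRP":
        return "stalled-after-SCCRP"
    return "completed-handshake"


def stalled_tunnels(text):
    """(client_addr, peer, seconds_alive) for every tunnel that died after SCCRP."""
    out = []
    for s in parse_vpnd_log(text):
        if classify(s) == "stalled-after-SCCRP":
            out.append((s["client_addr"], s["peer"], (s["end"] - s["start"]).total_seconds()))
    return out


def retries_by_peer(text):
    """How many stalled tunnels each remote peer produced (a client retrying)."""
    counts = {}
    for _, peer, _ in stalled_tunnels(text):
        counts[peer] = counts.get(peer, 0) + 1
    return counts


if __name__ == "__main__":
    for addr, peer, secs in stalled_tunnels(SAMPLE_LOG):
        print(f"{peer} -> {addr}: stalled after SCCRP, hung up after {secs:.0f}s")
    print(retries_by_peer(SAMPLE_LOG))
```

Run against a real /var/log/ppp/vpnd.log by passing the file contents to stalled_tunnels; a peer that shows up many times in retries_by_peer is a client whose SCCCN (or the ESP traffic carrying it) is never reaching vpnd, which narrows the problem to the path after the first UDP 1701 exchange rather than to authentication.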

Aug 8, 2011 1:44 AM in response to topping

Also, here's some more config:


bash-3.2# more /Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>ActiveServers</key>

<array>

<string>com.apple.ppp.l2tp</string>

</array>

<key>Servers</key>

<dict>

<key>com.apple.ppp.l2tp</key>

<dict>

<key>DNS</key>

<dict>

<key>OfferedSearchDomains</key>

<array/>

<key>OfferedServerAddresses</key>

<array>

<string>208.78.27.4</string>

<string>208.78.2.238</string>

</array>

</dict>

<key>IPSec</key>

<dict>

<key>AuthenticationMethod</key>

<string>SharedSecret</string>

<key>IdentifierVerification</key>

<string>None</string>

<key>LocalCertificate</key>

<data>

</data>

<key>LocalIdentifier</key>

<string></string>

<key>RemoteIdentifier</key>

<string></string>

<key>SharedSecret</key>

<string>com.apple.ppp.l2tp</string>

<key>SharedSecretEncryption</key>

<string>Keychain</string>

</dict>

<key>IPv4</key>

<dict>

<key>ConfigMethod</key>

<string>Manual</string>

<key>DestAddressRanges</key>

<array>

<string>204.152.97.192</string>

<string>204.152.97.254</string>

</array>

<key>OfferedRouteAddresses</key>

<array/>

<key>OfferedRouteMasks</key>

<array/>

<key>OfferedRouteTypes</key>

<array/>

</dict>

<key>Interface</key>

<dict>

<key>SubType</key>

<string>L2TP</string>

<key>Type</key>

<string>PPP</string>

</dict>

<key>L2TP</key>

<dict>

<key>Transport</key>

<string>IPSec</string>

</dict>

<key>PPP</key>

<dict>

<key>ACSPEnabled</key>

<integer>1</integer>

<key>AuthenticatorACLPlugins</key>

<array>

<string>DSACL</string>

</array>

<key>AuthenticatorEAPPlugins</key>

<array>

<string>EAP-KRB</string>

</array>

<key>AuthenticatorPlugins</key>

<array>

<string>DSAuth</string>

</array>

<key>AuthenticatorProtocol</key>

<array>

<string>MSCHAP2</string>

</array>

<key>DisconnectOnIdle</key>

<integer>1</integer>

<key>DisconnectOnIdleTimer</key>

<integer>7200</integer>

<key>IPCPCompressionVJ</key>

<integer>0</integer>

<key>LCPEchoEnabled</key>

<integer>1</integer>

<key>LCPEchoFailure</key>

<integer>5</integer>

<key>LCPEchoInterval</key>

<integer>60</integer>

<key>Logfile</key>

<string>/var/log/ppp/vpnd.log</string>

<key>VerboseLogging</key>

<integer>1</integer>

</dict>

<key>Radius</key>

<dict>

<key>Servers</key>

<array>

<dict>

<key>Address</key>

<string>1.1.1.1</string>

<key>SharedSecret</key>

<string>1</string>

</dict>

<dict>

<key>Address</key>

<string>2.2.2.2</string>

<key>SharedSecret</key>

<string>2</string>

</dict>

</array>

</dict>

<key>Server</key>

<dict>

<key>LoadBalancingAddress</key>

<string>1.2.3.4</string>

<key>LoadBalancingEnabled</key>

<integer>0</integer>

<key>Logfile</key>

<string>/var/log/ppp/vpnd.log</string>

<key>MaximumSessions</key>

<integer>128</integer>

<key>VerboseLogging</key>

<integer>1</integer>

</dict>

</dict>

<key>com.apple.ppp.pptp</key>

<dict>

<key>DNS</key>

<dict>

<key>OfferedSearchDomains</key>

<array/>

<key>OfferedServerAddresses</key>

<array/>

</dict>

<key>IPv4</key>

<dict>

<key>ConfigMethod</key>

<string>Manual</string>

<key>DestAddressRanges</key>

<array/>

<key>OfferedRouteAddresses</key>

<array/>

<key>OfferedRouteMasks</key>

<array/>

<key>OfferedRouteTypes</key>

<array/>

</dict>

<key>Interface</key>

<dict>

<key>SubType</key>

<string>PPTP</string>

<key>Type</key>

<string>PPP</string>

</dict>

<key>PPP</key>

<dict>

<key>ACSPEnabled</key>

<integer>1</integer>

<key>AuthenticatorACLPlugins</key>

<array>

<string>DSACL</string>

</array>

<key>AuthenticatorEAPPlugins</key>

<array>

<string>EAP-RSA</string>

</array>

<key>AuthenticatorPlugins</key>

<array>

<string>DSAuth</string>

</array>

<key>AuthenticatorProtocol</key>

<array>

<string>MSCHAP2</string>

</array>

<key>CCPEnabled</key>

<integer>1</integer>

<key>CCPProtocols</key>

<array>

<string>MPPE</string>

</array>

<key>DisconnectOnIdle</key>

<integer>1</integer>

<key>DisconnectOnIdleTimer</key>

<integer>7200</integer>

<key>IPCPCompressionVJ</key>

<integer>0</integer>

<key>LCPEchoEnabled</key>

<integer>1</integer>

<key>LCPEchoFailure</key>

<integer>5</integer>

<key>LCPEchoInterval</key>

<integer>60</integer>

<key>Logfile</key>

<string>/var/log/ppp/vpnd.log</string>

<key>MPPEKeySize128</key>

<integer>1</integer>

<key>MPPEKeySize40</key>

<integer>0</integer>

<key>VerboseLogging</key>

<integer>1</integer>

</dict>

<key>Radius</key>

<dict>

<key>Servers</key>

<array>

<dict>

<key>Address</key>

<string>1.1.1.1</string>

<key>SharedSecret</key>

<string>1</string>

</dict>

<dict>

<key>Address</key>

<string>2.2.2.2</string>

<key>SharedSecret</key>

<string>2</string>

</dict>

</array>

</dict>

<key>Server</key>

<dict>

<key>Logfile</key>

<string>/var/log/ppp/vpnd.log</string>

<key>MaximumSessions</key>

<integer>128</integer>

<key>VerboseLogging</key>

<integer>1</integer>

</dict>

</dict>

</dict>

<key>VPNHost</key>

<string></string>

</dict>

</plist>

Aug 8, 2011 3:30 AM in response to topping

Yeah, same exact issue here. I know for a fact that it's nothing to do with routers or networks - it's something to do with Lion Server, but I haven't been able to pin it down. The same devices work fine with Snow Leopard Server, but with Lion I get the same issue you do.


I've got a standalone box, no Open Directory, no NAT, no firewalls blocking anything, all packets make it in and out, it's purely something that's not clicking into place on the Lion side.

Aug 8, 2011 3:47 AM in response to ScottM

I had the same issues. After days it appeared Time Machine was the issue with my system.


Using Time Machine gave the same issues as stated above and no clear path why it wasn't working. Firewall, routers, all was tried by local Mac techs but without a solution. The clean install made the difference. It takes a lot of manual backup action, but then it works like it should.


The problem was solved by installing a clean OS X Lion by pressing command + R and a clean OS X Server Lion from the Apps application.


Hope this helps. 🙂

Aug 8, 2011 8:26 AM in response to Asajj Ventress

I've reinstalled at least four times just last night alone. I started to worry that the apple registration servers would think that I was creating illegal copies of the software and stopped registering the machine each time.


My first install was on the machine while it was at home, then I brought it to the colo. I found it's important to have the reverse DNS correct when the software is first installed. A lot of elements such as server certificates are generated using this information. In order to get this working perfectly, I had my DHCP server issue an IP address based on Ethernet MAC address, one that was already set up with the correct forward and reverse DNS. It's also probably ok just to make sure that the network configuration is precise before installing the server bundle.


As for time machine, I've never activated it, open Open Directory and tested that I can connect to the L2TP VPN over the local network. So I think this is a different problem, although it sounds like the VPN is very fickle.

Aug 8, 2011 9:56 AM in response to Christopher Pressey

Hi Christopher, thanks for your response, my server is behind a Vyatta router (http://www.vyatta.com). So there's no base station or time capsule involved. And as I noted in there, I've confirmed that each packet (typically about 25 in all) reaches each side.


To say this a different way, those two items might also be contributing to a problem, but it's not the only problem in play here :-)

Aug 11, 2011 11:32 AM in response to ScottM

Hi everyone, just wanted to say that I'm also struggling with the VPN issues mentioned here, on a fresh install of 10.7 server on a Xserve. L2TP connection attempts make the server provide multiple IP addresses to the clients without going further. I tried with my two MBP, my iMacs (10.7), an iPhone and a PC using Windows 7 on various networks and ISP, they all fail with the same log messages. Yet, I'm able to connect locally (which is not very useful for a VPN...).


I tried to connect using PPTP but MPPE keys are said to be missing, despite the fact that I recreated the VPN user account using the appropriated commands. It took me months to get VPN working properly with Apple support on 10.6 server (then they suddenly released a software update that fixed the issue)... And here we go again with Lion. Why did you break something that was (finally) working well!!?

Aug 11, 2011 11:49 AM in response to topping

Hmm.. well, I'm able to successfully connect to the Lion VPN using Airport firmware 7.4.2, but not with 7.5.x - this leads me to think it's a configuration issue within the firmware versioning of the airport router, not the Lion VPN. The only thing I can suggest would be to find out the difference(s) between the two Airport firmware versions and seeing if any of the 7.4.2 firmware settings can be applied to your Vyatta router.

Aug 11, 2011 11:50 AM in response to nikos_1283

So in your experience, was it just a big black box, that you got no feedback or notification, then one day it just started working?


Especially considering this is a regression, I find it unacceptable that there's no recourse for users other than to just sit on their hands like this. I went out and spent $1K on hardware last week because I couldn't get Lion booted in XenServer, now I find that it just doesn't work. I'm really biting my tongue at this point!

Aug 11, 2011 11:59 AM in response to Christopher Pressey

Think of Vyatta like a Cisco router. It takes packets from one interface and forwards them to another.


Consider this snippet from wikipedia:

The IP Forwarding Algorithm states:

Given a destination IP address, D, and network prefix, N:
    if (N matches a directly connected network address)
        Deliver datagram to D over that network;
    else if (N does not match a network address and routing table contains route for N)
        Send datagram to next-hop address listed in the routing table;
    else if (N does not match a network and routing table does not contain route for N and there exists a default route)
        Send datagram to default route;
    else
        Send forwarding error message;


Note that there's no mention of Apple Airport in there. :-)


Airport has a standard IP stack. My guess is that Lion Server acts differently if it happens to see an Airport. In other words, this is a bug. I also reviewed the Lion server sales literature and Airport is not a requirement, so if in fact there is a requirement on Airport, we're looking at a documentation bug.


Either way, it's a bug, and Apple needs to get on it. There's no excuse for Lion Server not to work flawlessly behind any industry standard router that's capable of terabit forwarding speeds.
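The forwarding algorithm quoted above is the whole of what a router such as Vyatta or an AirPort does with a packet, and the code below is an added example (not from the thread, Wikipedia or any vendor) that implements it with longest-prefix match among routing-table entries. It goes one step beyond the quoted text by adding a return-path check: the VPN in this thread hands clients addresses from 204.152.97.192 to 204.152.97.254, and unless the LAN router has a route for that range pointing at the VPN server, step three of the algorithm sends replies to those clients out the default route instead. The 10.1.x.x LAN and the 204.152.97.192/26 pool are taken from the thread; every other address (the server's LAN address 10.1.0.5, the 198.51.100.0/24 uplink and its gateway) is a constructed placeholder.

```python
import ipaddress


class Router:
    """Forwarding decision per the three-way algorithm quoted in the thread:
    directly connected -> routing table (longest prefix wins) -> default -> error."""

    def __init__(self, connected, routes, default=None):
        self.connected = [ipaddress.ip_network(n) for n in connected]
        self.routes = {ipaddress.ip_network(n): ipaddress.ip_address(nh)
                       for n, nh in routes.items()}
        self.default = ipaddress.ip_address(default) if default else None

    def forward(self, dst):
        d = ipaddress.ip_address(dst)
        # 1. destination is on a directly connected network: deliver to D itself
        for net in self.connected:
            if d in net:
                return ("deliver", str(d))
        # 2. routing table: among matching prefixes, the most specific wins
        best = None
        for net, next_hop in self.routes.items():
            if d in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop)
        if best is not None:
            return ("next-hop", str(best[1]))
        # 3. default route, if any
        if self.default is not None:
            return ("default", str(self.default))
        # 4. nothing matched: forwarding error (ICMP unreachable in practice)
        return ("error", None)


def vpn_pool_returns_to_server(router, pool, server_ip):
    """True only if replies to every address the VPN can hand out are forwarded
    to the VPN server; otherwise some of them leak out via the default route."""
    for host in ipaddress.ip_network(pool).hosts():
        kind, target = router.forward(str(host))
        if not (kind == "next-hop" and target == server_ip):
            return False
    return True


# Constructed topology. 10.1.0.0/16 and 204.152.97.192/26 come from the thread;
# 10.1.0.5 (VPN server), 198.51.100.0/24 and 198.51.100.1 are placeholders.
LAN_ROUTER = Router(
    connected=["10.1.0.0/16", "198.51.100.0/24"],
    routes={"204.152.97.0/24": "10.1.0.1",      # coarse route to a different hop
            "204.152.97.192/26": "10.1.0.5"},   # VPN client pool -> VPN server
    default="198.51.100.1",
)

# Same router without the pool route: replies to VPN clients follow the default.
ROUTER_WITHOUT_POOL_ROUTE = Router(connected=["10.1.0.0/16"], routes={}, default="198.51.100.1")

if __name__ == "__main__":
    for dst in ("10.1.2.3", "204.152.97.200", "204.152.97.10", "8.8.8.8"):
        print(dst, "->", LAN_ROUTER.forward(dst))
    print("pool routed back to server:",
          vpn_pool_returns_to_server(LAN_ROUTER, "204.152.97.192/26", "10.1.0.5"))
    print("pool routed back to server (no route):",
          vpn_pool_returns_to_server(ROUTER_WITHOUT_POOL_ROUTE, "204.152.97.192/26", "10.1.0.5"))
```

Nothing in the decision depends on the vendor of the box, which is the post's point; what does matter is whether a route for the addresses in DestAddressRanges exists on every router between the LAN hosts and the VPN server.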

Aug 11, 2011 12:12 PM in response to topping

Yep. I spent weekends on the problems I had (VPN connected, clients reachable but not the server itself?!), then I contacted AppleCare and started telling them about the problem. I made bug reports, log records, an image of my system using their dedicated application then... nothing. One day, they released 10.6.6 as far as I remember. I tried (without much hope) the VPN and it worked properly! Unbelievable...


I installed Lion, hoping they wouldn't have destroyed the improvements they made. Sadly, it's even worse. I tried Lion on a small installation before setting it on the production server but (unfortunately) I was not able to test VPN in this configuration. Even if the AppleCare support cost a lot, I'm not very eager to start a new procedure with this not so new problem... I thought that I wouldn't be fooled again with Apple bugged updates (like the 10.6.5, with security breach)... What a mistake! Thinking that Apple would finally take care of its (few) enterprise clients that use their beautiful yet expensive and malfunctioning software and hardware is a huge mistake, apparently!

Aug 11, 2011 11:10 PM in response to nikos_1283

Solved!


Using Lion Server on iMac with Airport Extreme Router and iPhone, iPad & MBAir. Was able to connect VPN locally, but not from iPhone on 3G or any of the 3 from a Clear hotspot.


Troubleshooting: Turned on default host (DMZ) to my computer and was able to connect from all devices.


What is wrong: Lion's Server App only maps L2TP in Airport Routers for Ports 500, 1701, & 4500


Solution:

1. You can either expose your machine to the internet on all ports (really bad idea) by turning on default host

2. You can add Port 1723 to the Airport Extreme Port Mappings for L2TP (got this port from Apple KB: http://support.apple.com/kb/ts1629)


Knew there had to be a port hop that wasn't being tracked!


Bug report filed with Apple as well.
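The two options in the post above are the whole trade-off: a default host (DMZ) makes the server reachable, but on every port, while explicit mappings expose only what the VPN needs. The script below is an added example (not the poster's or Apple's code) that audits a router's port-mapping table against the L2TP/IPsec ports the thread lists (UDP 500, 1701 and 4500, as mapped by Server.app) and reports anything missing, anything extra, translated ports, and a default-host setting. The mapping table is constructed to mirror the AirPort Utility entry described in the original question; the server address 10.1.0.5 is a placeholder. TCP 1723 appears only under the separate PPTP service, where it is that protocol's control port.

```python
# Ports the thread states Server.app maps for L2TP/IPsec. The PPTP entry is the
# protocol's TCP control port (PPTP also needs GRE, IP protocol 47, which is not a
# port and cannot be expressed as a port mapping at all).
REQUIRED = {
    "l2tp": {("udp", 500), ("udp", 1701), ("udp", 4500)},
    "pptp": {("tcp", 1723)},
}


def audit_port_mappings(mappings, server_ip, services=("l2tp",), default_host=None):
    """Compare a router's mappings with what the enabled VPN services need.

    mappings: iterable of (proto, public_port, private_ip, private_port).
    Returns a list of finding strings; an empty list means nothing to report."""
    findings = []
    to_server = {(proto.lower(), pub) for proto, pub, ip, priv in mappings
                 if ip == server_ip and pub == priv}
    required = set().union(*(REQUIRED[s] for s in services))

    # Missing mappings: the service is unreachable from outside.
    for proto, port in sorted(required - to_server):
        findings.append(f"missing {proto}/{port} -> {server_ip}")
    # Mappings the VPN does not need: exposure beyond the service itself.
    for proto, port in sorted(to_server - required):
        findings.append(f"unneeded {proto}/{port} -> {server_ip} (extra exposure)")
    # Translated ports: the server listens on the standard numbers, so a mapping
    # that rewrites the destination port never reaches the listening service.
    for proto, pub, ip, priv in mappings:
        if ip == server_ip and pub != priv:
            findings.append(f"translated {proto.lower()}/{pub} -> {ip}:{priv}")
    # Default host forwards every unmapped port to one machine.
    if default_host is not None:
        findings.append(f"risk: default host (DMZ) {default_host} exposes every port, not just the VPN")
    return findings


# Constructed table modelled on the "VPN Service (L2TP)" entry the original
# question describes in AirPort Utility; 10.1.0.5 is a placeholder server address.
AIRPORT_MAPPINGS = [
    ("UDP", 500, "10.1.0.5", 500),
    ("UDP", 1701, "10.1.0.5", 1701),
    ("UDP", 4500, "10.1.0.5", 4500),
]

if __name__ == "__main__":
    print("l2tp only:", audit_port_mappings(AIRPORT_MAPPINGS, "10.1.0.5"))
    print("l2tp + pptp:", audit_port_mappings(AIRPORT_MAPPINGS, "10.1.0.5", ("l2tp", "pptp")))
    print("with DMZ:", audit_port_mappings(AIRPORT_MAPPINGS, "10.1.0.5", default_host="10.1.0.5"))
```

Feed it the mapping table as read from the router's UI or config export; the point of the "unneeded" and "risk" findings is that once the VPN works, the default host should come back off and only the three UDP mappings remain.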

Aug 11, 2011 11:46 PM in response to porthosjon

Congrats!


Anytime one is running with a NAT network, they are definitely going to have to run either with a triggered port forwarding setup or DMZ default host to get UDP L2TP packets to the correct destination.


I can't speak for everyone, but I am not running NAT. The OSX Server has a dedicated IP address that is completely unfiltered. In fact, I am not even using an Airport.


There's still a problem there, but it doesn't seem to be affecting your box. Your setup was working and had a firewall problem, many of the others of us have an actual problem with our servers. They are quite distinct!


Cheers
