
Lion Server VPN, Can Connect Locally, Not Remotely

33003 Views, 70 Replies. Latest reply: Oct 31, 2012 6:43 AM by tehcid
Rob Shepard Level 1 Level 1 (20 points)
Jul 20, 2011 9:59 AM

I have both Lion and Lion Server installed on my Core 2 Duo iMac, mainly because I want the VPN feature of Server.


I configured everything correctly for the VPN, and can connect to it with no problems from my iPhone and iPad when I am within my own LAN (the server and the iPhone/iPad are on the same IP range and subnet).

I also used the automatic config within the Server app to configure my AirPort Extreme N Base Station. Looking at the Port Mapping section of my ABS from within AirPort Utility, I do in fact see that VPN Service (L2TP) is configured with the following UDP ports: 500, 1701 and 4500. Those ports ARE pointing to the iMac that is running the VPN server. Firewall on that iMac is turned OFF.

However, I am unable to connect my iPhone to the VPN Server using my Public IP address. I have tried it from within my network (out of my network to the internet and back), from my Verizon MiFi or from my iPhone's 3G connection (well, in my area it is still Edge). The iPhone simply sits on "Connecting" for a few seconds, then an alert comes up stating "The L2TP-VPN server did not respond. Try reconnecting. If the problem..." yadada.

 

I AM, however, able to get Web Sharing to work via my Public IP address, as well as VNC.

 

I also cannot connect to the VPN via the Public IP with other devices like my iBook, PowerBook G4, Windows 7 PC, or iMac G5.  They ALL CAN connect via the local network 10.1.x.x IP address.

 

Am I missing something here?  I did all of the automatic configurations, and all of the ports appear to be properly open.

iMac, Mac OS X (10.7)
  • John.Kitzmiller Level 3 Level 3 (870 points)

    Is it possible that your ISP is blocking VPN connections into your network? If you're on a "consumer" connection, many ISPs will block things like VPN.

  • John.Kitzmiller Level 3 Level 3 (870 points)

    Unfortunately I can't offer much advice yet as I will be unable to play with Lion Server until tonight. I'll check back in tomorrow and if no one else has answered, I'll see if I can help.

  • John.Kitzmiller Level 3 Level 3 (870 points)

    Sounds like it was definitely a weird ISP issue then. I bet once they swap the modem things will start working.

  • ScottM Level 1 Level 1 (120 points)

    For what it's worth, I've been unable to get the VPN server on 10.7 to work with either iOS or Lion clients for some time.  There are no ISP issues, no filters, no firewalls.  The same client devices work to 10.5 L2TP servers just fine, but, on Lion I only see in /var/log/ppp/vpnd.log:

     

    2011-07-21 12:47:58 EST    Incoming call... Address given to client = 1.2.3.4

    Thu Jul 21 12:47:58 2011 : Directory Services Authentication plugin initialized

    Thu Jul 21 12:47:58 2011 : Directory Services Authorization plugin initialized

    Thu Jul 21 12:47:58 2011 : L2TP incoming call in progress from '5.6.7.8'...

    Thu Jul 21 12:47:58 2011 : L2TP received SCCRQ

    Thu Jul 21 12:47:58 2011 : L2TP sent SCCRP

    2011-07-21 12:47:59 EST    Incoming call... Address given to client = 1.2.3.5

    Thu Jul 21 12:47:59 2011 : Directory Services Authentication plugin initialized

    Thu Jul 21 12:47:59 2011 : Directory Services Authorization plugin initialized

    Thu Jul 21 12:47:59 2011 : L2TP incoming call in progress from '5.6.7.8'...

    Thu Jul 21 12:47:59 2011 : L2TP received SCCRQ

    Thu Jul 21 12:47:59 2011 : L2TP sent SCCRP

    2011-07-21 12:48:18 EST       --> Client with address = 1.2.3.4 has hungup

    2011-07-21 12:48:19 EST       --> Client with address = 1.2.3.5 has hungup

     

    I've obfuscated the IP addresses, but that's not the issue; I've basically read the config file (/Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist) from both systems line by line, as well as the racoon configuration, but, no joy.

     

    Since the same client device works elsewhere...the issue is confined to Lion Server.  Sadly, the lack of a GUI for most of these things makes twiddling options a somewhat more manual/slow process. 

     

    If your modem swap fixes it, then I'm definitely puzzled.
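Added example (editor's code, not ScottM's or Apple's): a small parser for the vpnd.log excerpt above that groups the lines into per-call sessions and flags calls that hung up after the server's SCCRP without any further L2TP control message. In a working L2TP setup the peer's SCCCN follows SCCRP, then ICRQ/ICRP/ICCN, before PPP authentication even starts; here both calls die 20 seconds after SCCRP with none of that. The sample log is the poster's excerpt (same obfuscated addresses). One labelled assumption: vpnd's L2TP lines carry no client identifier, so each is attributed to the most recent "Incoming call" line that precedes it.

```python
import re
from datetime import datetime

# Constructed sample: the vpnd.log lines quoted in the post above.
SAMPLE_LOG = """\
2011-07-21 12:47:58 EST    Incoming call... Address given to client = 1.2.3.4
Thu Jul 21 12:47:58 2011 : Directory Services Authentication plugin initialized
Thu Jul 21 12:47:58 2011 : Directory Services Authorization plugin initialized
Thu Jul 21 12:47:58 2011 : L2TP incoming call in progress from '5.6.7.8'...
Thu Jul 21 12:47:58 2011 : L2TP received SCCRQ
Thu Jul 21 12:47:58 2011 : L2TP sent SCCRP
2011-07-21 12:47:59 EST    Incoming call... Address given to client = 1.2.3.5
Thu Jul 21 12:47:59 2011 : Directory Services Authentication plugin initialized
Thu Jul 21 12:47:59 2011 : Directory Services Authorization plugin initialized
Thu Jul 21 12:47:59 2011 : L2TP incoming call in progress from '5.6.7.8'...
Thu Jul 21 12:47:59 2011 : L2TP received SCCRQ
Thu Jul 21 12:47:59 2011 : L2TP sent SCCRP
2011-07-21 12:48:18 EST       --> Client with address = 1.2.3.4 has hungup
2011-07-21 12:48:19 EST       --> Client with address = 1.2.3.5 has hungup
"""

# vpnd mixes two timestamp styles; the call/hangup lines use ISO-ish dates,
# the L2TP plugin lines use ctime-style dates.
CALL_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+\s+Incoming call\.\.\. "
                     r"Address given to client = (\S+)$")
HANGUP_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+\s+--> Client with address = "
                       r"(\S+) has hungup$")
L2TP_RE = re.compile(r"^(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) : L2TP (.*)$")

# Control messages that follow SCCRP on a healthy tunnel (RFC 2661): the peer
# completes the control connection, then opens a call before PPP runs.
EXPECTED_AFTER_SCCRP = ("received SCCCN", "received ICRQ", "sent ICRP", "received ICCN")


def parse_sessions(text):
    """Group log lines into sessions keyed by the address vpnd assigned.

    Assumption (labelled): an L2TP line belongs to the most recent
    'Incoming call' above it. Fine for this excerpt; a busy server would need
    the peer address from the 'incoming call in progress' line instead.
    """
    sessions, by_addr, current = [], {}, None
    for line in text.splitlines():
        line = line.rstrip()
        m = CALL_RE.match(line)
        if m:
            current = {"addr": m.group(2),
                       "start": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                       "hangup": None, "l2tp": []}
            sessions.append(current)
            by_addr[current["addr"]] = current
            continue
        m = HANGUP_RE.match(line)
        if m:
            s = by_addr.get(m.group(2))
            if s is not None:
                s["hangup"] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            continue
        m = L2TP_RE.match(line)
        if m and current is not None:
            current["l2tp"].append(m.group(2))
    return sessions


def stalled_sessions(sessions):
    """Sessions that hung up after 'sent SCCRP' with nothing from the peer
    afterwards: the server answered, but never heard the client again.
    Returns (assigned address, last L2TP message, lifetime in seconds)."""
    out = []
    for s in sessions:
        followed_up = any(msg in EXPECTED_AFTER_SCCRP for msg in s["l2tp"])
        if "sent SCCRP" in s["l2tp"] and not followed_up and s["hangup"] is not None:
            lifetime = (s["hangup"] - s["start"]).total_seconds()
            out.append((s["addr"], s["l2tp"][-1], lifetime))
    return out


if __name__ == "__main__":
    for addr, last, secs in stalled_sessions(parse_sessions(SAMPLE_LOG)):
        print(f"{addr}: stalled after '{last}', hung up after {secs:.0f}s")
```

Run against a live file with `tail -n 200 /var/log/ppp/vpnd.log` piped into `parse_sessions`; a stalled entry means the L2TP control channel got as far as SCCRP and then went silent, which points at the transport underneath (the IPsec tunnel or the NAT/port forward) rather than at PPP authentication, which never ran.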

  • pjunger
  • ScottM Level 1 Level 1 (120 points)
    Jul 21, 2011 2:44 AM (in response to pjunger)

    Not in my case, Per, no.

     

    I just did a tcpdump between various systems.

     

    For those that do NOT work (client iPhone, client 10.7 and server 10.7) the tcpdumps look like so:

     

    19:12:33.883057 IP Home.60845 > LionServer.500: isakmp: phase 1 I ident

    19:12:33.884410 IP LionServer.500 > Home.60845: isakmp: phase 1 R ident

    19:12:33.910379 IP Home.60845 > LionServer.500: isakmp: phase 1 I ident

    19:12:33.918362 IP LionServer.500 > Home.60845: isakmp: phase 1 R ident

    19:12:33.958995 IP Home.60846 > LionServer.4500: NONESP-encap: isakmp: phase 1 I ident[E]

    19:12:33.959349 IP LionServer.4500 > Home.60846: NONESP-encap: isakmp: phase 1 R ident[E]

    19:12:33.959461 IP LionServer.4500 > Home.60846: NONESP-encap: isakmp: phase 2/others R inf[E]

    19:12:34.997414 IP Home.60846 > LionServer.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]

    19:12:34.998323 IP LionServer.4500 > Home.60846: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]

    19:12:35.016983 IP Home.60846 > LionServer.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]

    19:12:35.019173 IP Home.60846 > LionServer.4500: UDP-encap: ESP(spi=0x041b007d,seq=0x1), length 132

    19:12:35.052641 IP LionServer.500 > Home.500: isakmp: phase 1 I ident

    19:12:35.595022 IP Home.60846 > LionServer.4500: UDP-encap: ESP(spi=0x041b007d,seq=0x2), length 132

    19:12:37.597957 IP Home.60846 > LionServer.4500: UDP-encap: ESP(spi=0x041b007d,seq=0x3), length 132

    19:12:38.212127 IP LionServer.500 > Home.500: isakmp: phase 1 I ident

    19:12:41.214447 IP LionServer.500 > Home.500: isakmp: phase 1 I ident

    19:12:41.603061 IP Home.60846 > LionServer.4500: UDP-encap: ESP(spi=0x041b007d,seq=0x4), length 132

    19:12:44.216935 IP LionServer.500 > Home.500: isakmp: phase 1 I ident

    19:12:45.609900 IP Home.60846 > LionServer.4500: UDP-encap: ESP(spi=0x041b007d,seq=0x5), length 132

    19:12:49.616860 IP Home.60846 > LionServer.4500: UDP-encap: ESP(spi=0x041b007d,seq=0x6), length 132

    19:12:53.623054 IP Home.60846 > LionServer.4500: UDP-encap: ESP(spi=0x041b007d,seq=0x7), length 132

    19:12:54.965357 IP Home.60846 > LionServer.4500: isakmp-nat-keep-alive

    19:12:55.032098 IP Home.60846 > LionServer.4500: NONESP-encap: isakmp: phase 2/others I inf[E]

    19:12:55.036420 IP Home.60846 > LionServer.4500: NONESP-encap: isakmp: phase 2/others I inf[E]

    19:12:56.228356 IP LionServer.500 > Home.500: isakmp: phase 1 I ident

     

    Note: I've done this over wired and wireless as well as 3G -- the transport on the client end is NOT the issue.

     

    A connection that works, from iPhone ONLY (on 3G or Wireless) is:

     

    11:24:59.960105 IP Home.61168 > LeopardServer.500: isakmp: phase 1 I ident

    11:24:59.964119 IP LeopardServer.500 > Home.61168: isakmp: phase 1 R ident

    11:25:00.673976 IP Home.61168 > LeopardServer.500: isakmp: phase 1 I ident

    11:25:00.712858 IP LeopardServer.500 > Home.61168: isakmp: phase 1 R ident

    11:25:01.466127 IP Home.61169 > LeopardServer.4500: NONESP-encap: isakmp: phase 1 I ident[E]

    11:25:01.468180 IP LeopardServer.4500 > Home.61169: NONESP-encap: isakmp: phase 1 R ident[E]

    11:25:01.468546 IP LeopardServer.4500 > Home.61169: NONESP-encap: isakmp: phase 2/others R inf[E]

    11:25:02.954797 IP Home.61169 > LeopardServer.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]

    11:25:02.978314 IP LeopardServer.4500 > Home.61169: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]

    11:25:03.480886 IP Home.61169 > LeopardServer.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]

    11:25:03.486763 IP Home.61169 > LeopardServer.4500: UDP-encap: ESP(spi=0x0a46a01f,seq=0x1), length 116

    11:25:04.032382 IP Home.61169 > LeopardServer.4500: UDP-encap: ESP(spi=0x0a46a01f,seq=0x2), length 116

    11:25:06.029801 IP Home.61169 > LeopardServer.4500: UDP-encap: ESP(spi=0x0a46a01f,seq=0x3), length 116

    11:25:06.517111 IP LeopardServer.4500 > Home.61169: UDP-encap: ESP(spi=0x088d7e27,seq=0x1), length 116

    11:25:06.742918 IP LeopardServer.4500 > Home.61169: UDP-encap: ESP(spi=0x088d7e27,seq=0x2), length 116

     

    And from there it's all normal.

     

    What never works:

     

    10.7 client to 10.7 server

    iPhone to 10.7 server

     

    The breakage seems to happen on 10.7 server here:

     

    19:12:35.019173 IP Home.60846 > LionServer.4500: UDP-encap: ESP(spi=0x041b007d,seq=0x1), length 132

    19:12:35.052641 IP LionServer.500 > Home.500: isakmp: phase 1 I ident

     

    After that first ESP packet, the Lion Server responds with another phase 1 ident.

     

    The Leopard server does not.

     

    It may still be something in my setup, but, there's nothing to configure on 10.7 server other than "on" and "off" and some IP addresses, which I'm nearly certain isn't the issue...but who knows.   Either the Lion Server ignores whatever is in that ESP packet, and starts over, or, iOS and OS X are sending it something it doesn't like and is forcing it to reset and start over.
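Added example (editor's code, not ScottM's): a parser for the tcpdump output quoted above, plus the check that separates the two traces. It finds the client's first ESP packet, counts ESP in each direction, and records every "phase 1 I ident" the server sends after that point, i.e. the server opening a brand-new IKE exchange as initiator. The sample traces are the poster's lines, trimmed to the packets that matter; the hostnames Home, LionServer and LeopardServer are his. Note what the trace itself shows about the Lion retry: it is sent to Home.500, while the client's own IKE came from ports 60845/60846, so the retry is aimed at a port the client never used. The verdict names the pattern only; it does not establish why Lion Server does this.

```python
import re
from collections import namedtuple

# Constructed samples: the two tcpdump excerpts quoted in the post above,
# cut down to the packets the check cares about.
LION_TRACE = """\
19:12:33.883057 IP Home.60845 > LionServer.500: isakmp: phase 1 I ident
19:12:33.884410 IP LionServer.500 > Home.60845: isakmp: phase 1 R ident
19:12:33.958995 IP Home.60846 > LionServer.4500: NONESP-encap: isakmp: phase 1 I ident[E]
19:12:33.959349 IP LionServer.4500 > Home.60846: NONESP-encap: isakmp: phase 1 R ident[E]
19:12:34.997414 IP Home.60846 > LionServer.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
19:12:34.998323 IP LionServer.4500 > Home.60846: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
19:12:35.019173 IP Home.60846 > LionServer.4500: UDP-encap: ESP(spi=0x041b007d,seq=0x1), length 132
19:12:35.052641 IP LionServer.500 > Home.500: isakmp: phase 1 I ident
19:12:35.595022 IP Home.60846 > LionServer.4500: UDP-encap: ESP(spi=0x041b007d,seq=0x2), length 132
19:12:38.212127 IP LionServer.500 > Home.500: isakmp: phase 1 I ident
19:12:41.214447 IP LionServer.500 > Home.500: isakmp: phase 1 I ident
19:12:44.216935 IP LionServer.500 > Home.500: isakmp: phase 1 I ident
19:12:54.965357 IP Home.60846 > LionServer.4500: isakmp-nat-keep-alive
19:12:56.228356 IP LionServer.500 > Home.500: isakmp: phase 1 I ident
"""
LEOPARD_TRACE = """\
11:24:59.960105 IP Home.61168 > LeopardServer.500: isakmp: phase 1 I ident
11:24:59.964119 IP LeopardServer.500 > Home.61168: isakmp: phase 1 R ident
11:25:01.466127 IP Home.61169 > LeopardServer.4500: NONESP-encap: isakmp: phase 1 I ident[E]
11:25:01.468180 IP LeopardServer.4500 > Home.61169: NONESP-encap: isakmp: phase 1 R ident[E]
11:25:02.954797 IP Home.61169 > LeopardServer.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
11:25:02.978314 IP LeopardServer.4500 > Home.61169: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
11:25:03.486763 IP Home.61169 > LeopardServer.4500: UDP-encap: ESP(spi=0x0a46a01f,seq=0x1), length 116
11:25:06.517111 IP LeopardServer.4500 > Home.61169: UDP-encap: ESP(spi=0x088d7e27,seq=0x1), length 116
"""

# One packet per line: "HH:MM:SS.usec IP src.port > dst.port: <decode>"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>.+?)\.(?P<sport>\d+) > "
    r"(?P<dst>.+?)\.(?P<dport>\d+): (?P<info>.*)$")
ESP_RE = re.compile(r"ESP\(spi=0x([0-9a-f]+),seq=0x([0-9a-f]+)\)")
Pkt = namedtuple("Pkt", "ts src sport dst dport info")


def _secs(hms):
    h, m, s = hms.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_tcpdump(text):
    """Parse tcpdump's default one-line decode for UDP 500/4500 traffic."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkts.append(Pkt(_secs(m["ts"]), m["src"], int(m["sport"]),
                            m["dst"], int(m["dport"]), m["info"]))
    return pkts


def diagnose(pkts, client, server):
    """Flag the pattern in the post: client starts ESP, server never answers
    with ESP and instead opens a fresh IKE phase 1 as initiator."""
    first_esp = None                 # time of the client's first ESP packet
    client_esp = server_esp = 0
    reinit = []                      # (secs after first ESP, dst port) per server-initiated phase 1
    for p in pkts:
        if ESP_RE.search(p.info):
            if p.src == client:
                client_esp += 1
                first_esp = p.ts if first_esp is None else first_esp
            elif p.src == server:
                server_esp += 1
        elif (p.src == server and first_esp is not None
              and "isakmp: phase 1 I ident" in p.info):
            reinit.append((round(p.ts - first_esp, 3), p.dport))
    if first_esp is None:
        verdict = "no client ESP: IKE never completed"
    elif server_esp:
        verdict = "tunnel up: ESP in both directions"
    elif reinit:
        verdict = "server restarted IKE phase 1 after client ESP; no ESP returned"
    else:
        verdict = "client ESP unanswered; no IKE restart seen"
    return {"client_esp": client_esp, "server_esp": server_esp,
            "server_reinit": reinit, "verdict": verdict}


if __name__ == "__main__":
    for name, trace, srv in (("Lion", LION_TRACE, "LionServer"),
                             ("Leopard", LEOPARD_TRACE, "LeopardServer")):
        print(name, diagnose(parse_tcpdump(trace), "Home", srv))
```

To use it on a live capture, run `tcpdump -n -l udp port 500 or udp port 4500` on the server and feed the output to `parse_tcpdump`; the `server_reinit` list tells you when the restarts happen relative to the first ESP and which port they target, which is the detail to compare between a working and a failing server.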

  • laalves

    Similar case here. Until yesterday, I could connect internally using 10.6.7 Server/Client and even iOS 4 using both L2TP and PPTP. I never managed to connect externally with L2TP for reason unknown (I tried with BTMM on and off, no change), but since I could connect with PPTP externally, I didn't bother.

     

    Today, and after a lot of wasted time, I only manage to connect internally with L2TP. Nothing else works, meaning the VPN is fully broken since I obviously don't need internal VPN connections.

     

    Extremely irritating and absolutely incomprehensible is the loss of GUI for the VPN. I only know that PPTP is working since the error returned is at authentication level. This I managed only after manually opening the PPTP ports in my AEBS.

     

    Crap.

  • Jajajarno

    Lots of VPN troubles here as well. Clean install of Lion + Server on my C2D iMac, configured VPN server (no firewall active on iMac). Can connect with my (10.6!) MacBook Pro internally, all works as it should at first attempt.

    Cannot connect internally with my iPhone or iPad. Tail of /var/log/ppp/vpnd.log doesn't even show a connection attempt. Also, cannot connect externally at all (and I've opened the right ports on my router according to documentation), not on my MBP, not on my iDevices.

    Should not be this hard at all, I am a bit disappointed for now. Hopefully a fix will come soon.

  • Shawn Wilton

    Try dumping the AirPort. If you can find something else to use as your gateway, you might find the AirPort is blocking the connections. I had that problem after the latest AirPort firmware update. Nothing I did would let it pass the traffic.

    If however, you are seeing the connection come in to the server, then your authentication is dying somewhere in the loop.

    Tracking down VPN issues is terrible on OS X.

  • Jajajarno Level 1 Level 1 (0 points)

    This one got me thinking: http://apple-ipad-tablet-help.blogspot.com/2010/12/ipad-vpn-fails-to-connect-on-ios-421.html - the symptoms seem familiar, maybe the solution is comparable? My VPN to Lion Server working on my MacBook Pro and not on my iDevices could be an encryption thingy.

    However my knowledge of racoon (which I believe handles the encryption/security) falls short... but maybe it's a hint for someone?

  • Shawn Wilton Level 1 Level 1 (5 points)
    Jul 22, 2011 12:29 PM (in response to Jajajarno)

    Jajajarno,

    Go in to VPN settings and make sure you are using ONLY shared key and not certificate.

     

    Certificate will cause iOS to fail authentication.

  • Vetter Graphics

    In response to pjunger: Thanks for the link, this was able to help get L2TP working. It seems Time Capsule has some issues with allowing L2TP in the latest update. Who knew you needed to roll Time Capsule back to 7.4.2.

    I am also having another issue now. After I got VPN to work, I have tried connecting to the server via my MacBook Pro for both file sharing and screen sharing.

    Whenever I open screen sharing, I am able to enter my password login and for a minute or so access my system until it freezes up. I'm thinking the network connection on the server is dropping as I am able to access my satellite receiver still.

    The issue with file sharing is after I select the share I want to open, any time I go to open a file or folder, Finder will freeze.

    VPN shows I am still connected yet I cannot access anything; once I disconnect and try to reconnect it won't let me, and says that the server can't be found. Furthermore my public website for the server is not loading either. It takes anywhere from 30 mins to an hour or longer to be able to view the site or connect the VPN again.

    Any ideas anyone? I'm gonna have to go through the server logs when I get home, hopefully I can find something useful.
