
Lion Server VPN, Can Connect Locally, Not Remotely

I have both Lion and Lion Server installed on my Core 2 Duo iMac, mainly because I want the VPN feature of Server.


I configured everything correctly for the VPN, and can connect to it with no problems from my iPhone and iPad when I am within my own LAN (the server and the iPhone/iPad are on the same IP range and subnet).


I also used the automatic config within the Server app to configure my AirPort Extreme N Base Station. Looking at the Port Mapping section of my ABS from within AirPort Utility, I do in fact see that VPN Service (L2TP) is configured with the following UDP ports: 500, 1701 and 4500. Those ports ARE pointing to the iMac that is running the VPN server. Firewall on that iMac is turned OFF.


However, I am unable to connect my iPhone to the VPN Server using my Public IP address. I have tried it from within my network (out of the network to the internet, then back), from my Verizon MiFi, and from my iPhone's 3G connection (well, in my area it is still Edge). The iPhone simply sits on "Connecting" for a few seconds, then an alert comes up stating "The L2TP-VPN server did not respond. Try reconnecting. If the problem..." yadada.


I AM, however, able to get Web Sharing to work via my Public IP address, as well as VNC.


I also cannot connect to the VPN via the Public IP with other devices like my iBook, PowerBook G4, Windows 7 PC, or iMac G5. They ALL CAN connect via the local network 10.1.x.x IP address.


Am I missing something here? I did all of the automatic configurations, and all of the ports appear to be properly open.

iMac, Mac OS X (10.7)

Posted on Jul 20, 2011 9:59 AM

70 replies

Jul 20, 2011 10:17 AM in response to John.Kitzmiller

I am on an 18 Mbit cable connection via Charter Business. I own and operate a motel and this is my business line.


Also I HAVE gotten PPTP VPN working before via my Windows 7 machine over my public IP, but I would rather have the Mac handling all of my server features.


EDIT: I don't see any options within Lion Server config for setting up PPTP instead of L2TP. Am I missing something?

Jul 20, 2011 11:25 AM in response to John.Kitzmiller

Just contacted Charter. Apparently my account had some weird issues with it. The modem apparently was not able to handle Static IP addresses, nor was my account set up for one, yet I still had one that was allocated to me that I was using.


The support person is sending a tech out to do a modem swap, and I decided to up my account to have 5 static IP addresses. This will be good as I will be able to split the Motel Wifi/network from my main network (currently using a double NAT set-up to keep them separate), but I will also be able to run my various websites in house on a dedicated server as opposed to the VPS I am currently using.



Another weird thing is that I used a few port scanning tools to see what ports were open or closed. It reported that the ports used for the VPN were closed, but it ALSO said that port 80 was closed, which I know for a fact is open because I can connect to my iMac's web server via the public IP, even with :80 appended to it.

Jul 20, 2011 8:08 PM in response to Rob Shepard

For what it's worth, I've been unable to get the VPN server on 10.7 to work with either iOS or Lion clients for some time. There are no ISP issues, no filters, no firewalls. The same client devices work to 10.5 L2TP servers just fine, but, on Lion I only see in /var/log/ppp/vpnd.log:


2011-07-21 12:47:58 EST Incoming call... Address given to client = 1.2.3.4
Thu Jul 21 12:47:58 2011 : Directory Services Authentication plugin initialized
Thu Jul 21 12:47:58 2011 : Directory Services Authorization plugin initialized
Thu Jul 21 12:47:58 2011 : L2TP incoming call in progress from '5.6.7.8'...
Thu Jul 21 12:47:58 2011 : L2TP received SCCRQ
Thu Jul 21 12:47:58 2011 : L2TP sent SCCRP
2011-07-21 12:47:59 EST Incoming call... Address given to client = 1.2.3.5
Thu Jul 21 12:47:59 2011 : Directory Services Authentication plugin initialized
Thu Jul 21 12:47:59 2011 : Directory Services Authorization plugin initialized
Thu Jul 21 12:47:59 2011 : L2TP incoming call in progress from '5.6.7.8'...
Thu Jul 21 12:47:59 2011 : L2TP received SCCRQ
Thu Jul 21 12:47:59 2011 : L2TP sent SCCRP
2011-07-21 12:48:18 EST --> Client with address = 1.2.3.4 has hungup
2011-07-21 12:48:19 EST --> Client with address = 1.2.3.5 has hungup


I've obfuscated the IP addresses, but that's not the issue; I've basically read the config file (/Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist) from both systems line by line, as well as the racoon configuration, but, no joy.


Since the same client device works elsewhere...the issue is confined to Lion Server. Sadly, the lack of a GUI for most of these things makes twiddling options a somewhat more manual/slow process.


If your modem swap fixes it, then I'm definitely puzzled.
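The vpnd.log excerpt in the post above is terse, but it is regular enough to parse: each "Incoming call" line opens a session for one client address, the untimed "L2TP ..." lines that follow belong to that call, and "has hungup" closes it. The following Python script is an added example (not code from the thread or from Apple) that pairs those lines, reports how long each call lived and which L2TP control message was the last one seen. The sample log is constructed from the excerpt above, and the strings it treats as "tunnel established" ("L2TP received SCCCN" / "L2TP received ICRQ") are an assumption that vpnd logs later control messages in the same "L2TP received <MSG>" form as the SCCRQ line; the RFC 2661 handshake order (SCCRQ, SCCRP, SCCCN, then ICRQ) is what makes a session that stops at "sent SCCRP" diagnostic.

```python
import re
from datetime import datetime

# Constructed sample: the vpnd.log excerpt from the post above, with the same
# obfuscated client addresses (1.2.3.4 / 1.2.3.5), trimmed to the lines that matter.
SAMPLE_VPND_LOG = """\
2011-07-21 12:47:58 EST Incoming call... Address given to client = 1.2.3.4
Thu Jul 21 12:47:58 2011 : Directory Services Authentication plugin initialized
Thu Jul 21 12:47:58 2011 : L2TP incoming call in progress from '5.6.7.8'...
Thu Jul 21 12:47:58 2011 : L2TP received SCCRQ
Thu Jul 21 12:47:58 2011 : L2TP sent SCCRP
2011-07-21 12:47:59 EST Incoming call... Address given to client = 1.2.3.5
Thu Jul 21 12:47:59 2011 : L2TP incoming call in progress from '5.6.7.8'...
Thu Jul 21 12:47:59 2011 : L2TP received SCCRQ
Thu Jul 21 12:47:59 2011 : L2TP sent SCCRP
2011-07-21 12:48:18 EST --> Client with address = 1.2.3.4 has hungup
2011-07-21 12:48:19 EST --> Client with address = 1.2.3.5 has hungup
"""

CALL_RE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ Incoming call\.\.\. Address given to client = (\S+)$')
HANGUP_RE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ --> Client with address = (\S+) has hungup$')
EVENT_RE = re.compile(r'^\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4} : (.*)$')

# ASSUMPTION: vpnd logs later L2TP control messages in the same "L2TP received <MSG>"
# form as the SCCRQ line on the page. Per RFC 2661 the initiator must answer our
# SCCRP with SCCCN before any session (ICRQ) can be opened, so either of these
# means the control connection actually came up.
TUNNEL_COMPLETE_MARKERS = ('L2TP received SCCCN', 'L2TP received ICRQ')


def parse_vpnd_log(text):
    """Group vpnd.log lines into per-client sessions (in order of first appearance)."""
    sessions = {}   # client address -> session dict
    order = []
    current = None  # most recent call; lines without an address are attributed to it
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if m:
            start = datetime.strptime(m.group(1), '%Y-%m-%d %H:%M:%S')
            current = {'client': m.group(2), 'start': start, 'end': None, 'events': []}
            sessions[m.group(2)] = current
            order.append(m.group(2))
            continue
        m = HANGUP_RE.match(line)
        if m and m.group(2) in sessions:
            sessions[m.group(2)]['end'] = datetime.strptime(m.group(1), '%Y-%m-%d %H:%M:%S')
            continue
        m = EVENT_RE.match(line)
        if m and current is not None:
            current['events'].append(m.group(1))
    return [sessions[a] for a in order]


def summarize(sessions):
    """Per session: lifetime in seconds, last L2TP message, and whether the tunnel came up."""
    out = []
    for s in sessions:
        l2tp = [e for e in s['events'] if e.startswith('L2TP ')]
        out.append({
            'client': s['client'],
            'duration_s': (s['end'] - s['start']).total_seconds() if s['end'] else None,
            'last_l2tp_event': l2tp[-1] if l2tp else None,
            'tunnel_established': any(e in TUNNEL_COMPLETE_MARKERS for e in s['events']),
        })
    return out


if __name__ == '__main__':
    for row in summarize(parse_vpnd_log(SAMPLE_VPND_LOG)):
        print(row)
```

Run against the excerpt, both sessions live exactly 20 seconds, end on "L2TP sent SCCRP", and never show the control connection completing, which matches the client-side "server did not respond" timeout: the server answered the first L2TP message, so the problem is not the port forward but whatever happens after the SCCRP (on this page, the IKE/ESP layer underneath it).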

Jul 21, 2011 2:44 AM in response to pjunger

Not in my case, Per, no.


I just did a tcpdump between various systems.


For those that do NOT work (client iPhone, client 10.7 and server 10.7) the tcpdumps look like so:


19:12:33.883057 IP Home.60845 > LionServer.500: isakmp: phase 1 I ident
19:12:33.884410 IP LionServer.500 > Home.60845: isakmp: phase 1 R ident
19:12:33.910379 IP Home.60845 > LionServer.500: isakmp: phase 1 I ident
19:12:33.918362 IP LionServer.500 > Home.60845: isakmp: phase 1 R ident
19:12:33.958995 IP Home.60846 > LionServer.4500: NONESP-encap: isakmp: phase 1 I ident[E]
19:12:33.959349 IP LionServer.4500 > Home.60846: NONESP-encap: isakmp: phase 1 R ident[E]
19:12:33.959461 IP LionServer.4500 > Home.60846: NONESP-encap: isakmp: phase 2/others R inf[E]
19:12:34.997414 IP Home.60846 > LionServer.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
19:12:34.998323 IP LionServer.4500 > Home.60846: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
19:12:35.016983 IP Home.60846 > LionServer.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
19:12:35.019173 IP Home.60846 > LionServer.4500: UDP-encap: ESP(spi=0x041b007d,seq=0x1), length 132
19:12:35.052641 IP LionServer.500 > Home.500: isakmp: phase 1 I ident
19:12:35.595022 IP Home.60846 > LionServer.4500: UDP-encap: ESP(spi=0x041b007d,seq=0x2), length 132
19:12:37.597957 IP Home.60846 > LionServer.4500: UDP-encap: ESP(spi=0x041b007d,seq=0x3), length 132
19:12:38.212127 IP LionServer.500 > Home.500: isakmp: phase 1 I ident
19:12:41.214447 IP LionServer.500 > Home.500: isakmp: phase 1 I ident
19:12:41.603061 IP Home.60846 > LionServer.4500: UDP-encap: ESP(spi=0x041b007d,seq=0x4), length 132
19:12:44.216935 IP LionServer.500 > Home.500: isakmp: phase 1 I ident
19:12:45.609900 IP Home.60846 > LionServer.4500: UDP-encap: ESP(spi=0x041b007d,seq=0x5), length 132
19:12:49.616860 IP Home.60846 > LionServer.4500: UDP-encap: ESP(spi=0x041b007d,seq=0x6), length 132
19:12:53.623054 IP Home.60846 > LionServer.4500: UDP-encap: ESP(spi=0x041b007d,seq=0x7), length 132
19:12:54.965357 IP Home.60846 > LionServer.4500: isakmp-nat-keep-alive
19:12:55.032098 IP Home.60846 > LionServer.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
19:12:55.036420 IP Home.60846 > LionServer.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
19:12:56.228356 IP LionServer.500 > Home.500: isakmp: phase 1 I ident


Note: I've done this over wired and wireless as well as 3G -- the transport on the client end is NOT the issue.


A connection that works, from iPhone ONLY (on 3G or Wireless) is:


11:24:59.960105 IP Home.61168 > LeopardServer.500: isakmp: phase 1 I ident
11:24:59.964119 IP LeopardServer.500 > Home.61168: isakmp: phase 1 R ident
11:25:00.673976 IP Home.61168 > LeopardServer.500: isakmp: phase 1 I ident
11:25:00.712858 IP LeopardServer.500 > Home.61168: isakmp: phase 1 R ident
11:25:01.466127 IP Home.61169 > LeopardServer.4500: NONESP-encap: isakmp: phase 1 I ident[E]
11:25:01.468180 IP LeopardServer.4500 > Home.61169: NONESP-encap: isakmp: phase 1 R ident[E]
11:25:01.468546 IP LeopardServer.4500 > Home.61169: NONESP-encap: isakmp: phase 2/others R inf[E]
11:25:02.954797 IP Home.61169 > LeopardServer.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
11:25:02.978314 IP LeopardServer.4500 > Home.61169: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
11:25:03.480886 IP Home.61169 > LeopardServer.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
11:25:03.486763 IP Home.61169 > LeopardServer.4500: UDP-encap: ESP(spi=0x0a46a01f,seq=0x1), length 116
11:25:04.032382 IP Home.61169 > LeopardServer.4500: UDP-encap: ESP(spi=0x0a46a01f,seq=0x2), length 116
11:25:06.029801 IP Home.61169 > LeopardServer.4500: UDP-encap: ESP(spi=0x0a46a01f,seq=0x3), length 116
11:25:06.517111 IP LeopardServer.4500 > Home.61169: UDP-encap: ESP(spi=0x088d7e27,seq=0x1), length 116
11:25:06.742918 IP LeopardServer.4500 > Home.61169: UDP-encap: ESP(spi=0x088d7e27,seq=0x2), length 116


And from there it's all normal.


What never works:


10.7 client to 10.7 server

iPhone to 10.7 server


The breakage seems to happen on 10.7 server here:


19:12:35.019173 IP Home.60846 > LionServer.4500: UDP-encap: ESP(spi=0x041b007d,seq=0x1), length 132
19:12:35.052641 IP LionServer.500 > Home.500: isakmp: phase 1 I ident


After that first ESP packet, the Lion Server responds with another phase 1 ident.


The Leopard server does not.


It may still be something in my setup, but, there's nothing to configure on 10.7 server other than "on" and "off" and some IP addresses, which I'm nearly certain isn't the issue...but who knows. Either the Lion Server ignores whatever is in that ESP packet, and starts over, or, iOS and OS X are sending it something it doesn't like and is forcing it to reset and start over.
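The comparison the poster draws by eye (after the client's first ESP packet, the Lion server starts a brand-new IKE phase 1 from port 500, while the Leopard server answers with ESP of its own) can be turned into a small check over tcpdump output. The Python script below is an added example, not code from the thread or from Apple: it parses tcpdump's `src.port > dst.port: summary` lines, takes the receiver of the first "phase 1 I ident" to be the server, and reports two things, (1) whether the server initiated a fresh phase 1 after the client had started sending ESP (the exact symptom pointed out above) and (2) whether the server ever sent ESP back at all (an extra check not stated on the page, but it is what distinguishes the working trace). Both traces are constructed by condensing the captures quoted in the post; hostnames Home / LionServer / LeopardServer are the thread's own.

```python
import re
from dataclasses import dataclass

# Constructed samples, condensed from the two tcpdump captures in the post above.
BROKEN_TRACE = """\
19:12:33.883057 IP Home.60845 > LionServer.500: isakmp: phase 1 I ident
19:12:33.884410 IP LionServer.500 > Home.60845: isakmp: phase 1 R ident
19:12:33.958995 IP Home.60846 > LionServer.4500: NONESP-encap: isakmp: phase 1 I ident[E]
19:12:33.959349 IP LionServer.4500 > Home.60846: NONESP-encap: isakmp: phase 1 R ident[E]
19:12:34.997414 IP Home.60846 > LionServer.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
19:12:34.998323 IP LionServer.4500 > Home.60846: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
19:12:35.019173 IP Home.60846 > LionServer.4500: UDP-encap: ESP(spi=0x041b007d,seq=0x1), length 132
19:12:35.052641 IP LionServer.500 > Home.500: isakmp: phase 1 I ident
19:12:35.595022 IP Home.60846 > LionServer.4500: UDP-encap: ESP(spi=0x041b007d,seq=0x2), length 132
19:12:38.212127 IP LionServer.500 > Home.500: isakmp: phase 1 I ident
"""

WORKING_TRACE = """\
11:24:59.960105 IP Home.61168 > LeopardServer.500: isakmp: phase 1 I ident
11:24:59.964119 IP LeopardServer.500 > Home.61168: isakmp: phase 1 R ident
11:25:01.466127 IP Home.61169 > LeopardServer.4500: NONESP-encap: isakmp: phase 1 I ident[E]
11:25:01.468180 IP LeopardServer.4500 > Home.61169: NONESP-encap: isakmp: phase 1 R ident[E]
11:25:02.954797 IP Home.61169 > LeopardServer.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
11:25:02.978314 IP LeopardServer.4500 > Home.61169: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
11:25:03.486763 IP Home.61169 > LeopardServer.4500: UDP-encap: ESP(spi=0x0a46a01f,seq=0x1), length 116
11:25:06.517111 IP LeopardServer.4500 > Home.61169: UDP-encap: ESP(spi=0x088d7e27,seq=0x1), length 116
"""

# tcpdump's default one-line format: "<ts> IP <host>.<port> > <host>.<port>: <summary>"
LINE_RE = re.compile(
    r'^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP '
    r'(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): (?P<info>.*)$'
)


@dataclass
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    info: str


def parse_tcpdump(text):
    """Parse tcpdump lines; anything that does not match the format is skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkts.append(Packet(m['ts'], m['src'], int(m['sport']),
                               m['dst'], int(m['dport']), m['info']))
    return pkts


def analyze_ike_esp(pkts):
    """Classify one L2TP/IPsec attempt from its IKE and ESP packets.

    The server is whoever receives the first phase-1 initiator message.
    'broken' if the server starts a new phase 1 after the client began
    sending ESP, or if the server never sends ESP of its own.
    """
    first = next((p for p in pkts if 'isakmp: phase 1 I ident' in p.info), None)
    if first is None:
        return {'verdict': 'no-ike', 'client': None, 'server': None}
    client, server = first.src, first.dst
    client_esp_at = None   # timestamp of the client's first ESP packet
    server_esp = False     # did the server ever answer with ESP?
    restart_at = None      # first server-initiated phase 1 after ESP began
    for p in pkts:
        if 'ESP(' in p.info:
            if p.src == client and client_esp_at is None:
                client_esp_at = p.ts
            elif p.src == server:
                server_esp = True
        elif (p.src == server and 'phase 1 I ident' in p.info
              and client_esp_at is not None and restart_at is None):
            restart_at = p.ts
    ok = server_esp and restart_at is None
    return {
        'verdict': 'ok' if ok else 'broken',
        'client': client,
        'server': server,
        'client_esp_at': client_esp_at,
        'server_sent_esp': server_esp,
        'server_phase1_restart_at': restart_at,
    }


if __name__ == '__main__':
    for name, trace in (('Lion', BROKEN_TRACE), ('Leopard', WORKING_TRACE)):
        print(name, analyze_ike_esp(parse_tcpdump(trace)))
```

Feeding it the output of `tcpdump -n -i <iface> udp port 500 or udp port 4500` from the server side gives the same verdict for a live attempt. The "phase 1 I ident" from port 500 to port 500 is the tell: the server is acting as IKE initiator toward the client, which a responder that accepted the client's ESP would have no reason to do, and the client (behind NAT on 60846/4500) never sees it as part of its own exchange, so it keeps sending ESP until it gives up.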

Jul 21, 2011 4:34 AM in response to Rob Shepard

Similar case here. Until yesterday, I could connect internally using 10.6.7 Server/Client and even iOS 4 using both L2TP and PPTP. I never managed to connect externally with L2TP for reason unknown (I tried with BTMM on and off, no change), but since I could connect with PPTP externally, I didn't bother.


Today, and after a lot of wasted time, I only manage to connect internally with L2TP. Nothing else works, meaning the VPN is fully broken since I obviously don't need internal VPN connections.


Extremely irritating and absolutely incomprehensible is the loss of GUI for the VPN. I only know that PPTP is working since the error returned is at authentication level. This I managed only after manually opening the PPTP ports in my AEBS.


Crap.

Jul 22, 2011 1:53 AM in response to Rob Shepard

Lots of VPN troubles here as well. Clean install of Lion + Server on my C2D iMac, configured VPN server (no firewall active on iMac). Can connect with my (10.6!) MacBook Pro internally, all works as it should at first attempt.


Cannot connect internally with my iPhone or iPad. Tail of /var/log/ppp/vpnd.log doesn't even show a connection attempt. Also, cannot connect externally at all (and I've opened the right ports on my router according to documentation), not on my MBP, not on my iDevices.


Should not be this hard at all, I am a bit disappointed for now. Hopefully a fix will come soon.

Jul 22, 2011 2:58 AM in response to Rob Shepard

Try dumping the airport. If you can find something else to use as your gateway, you might find the airport is blocking the connections. I had that problem after the latest airport firmware update. Nothing I did would let it pass the traffic.


If, however, you are seeing the connection come in to the server, then your authentication is dying somewhere in the loop.


Tracking down VPN issues is terrible on OS X.

Jul 22, 2011 12:23 PM in response to Rob Shepard

This one got me thinking: http://apple-ipad-tablet-help.blogspot.com/2010/12/ipad-vpn-fails-to-connect-on-ios-421.html - the symptoms seem familiar, maybe the solution is comparable? My VPN to Lion Server working on my MacBook Pro and not on my iDevices could be an encryption thingy.


However, my knowledge of racoon (which I believe handles the encryption/security) falls short... but maybe it's a hint for someone?

Jul 22, 2011 4:43 PM in response to Rob Shepard

In response to pjunger: Thanks for the link, this was able to help get L2TP working. It seems Time Capsule has some issues with allowing L2TP in the latest update. Who knew you needed to roll Time Capsule back to 7.4.2.


I am also having another issue now. After I got VPN to work, I have tried connecting to the server via my Macbook Pro for both file sharing and screen sharing.


Whenever I open screen sharing, I am able to enter my password login and for a minute or so access my system until it freezes up. I'm thinking the network connection on the server is dropping, as I am still able to access my satellite receiver.


The issue with file sharing is that after I select the share I want to open, any time I go to open a file or folder, Finder will freeze.


VPN shows I am still connected yet I cannot access anything; once I disconnect and try to reconnect it won't let me, and says that the server can't be found. Furthermore, my public website for the server is not loading either. It takes anywhere from 30 minutes to an hour or longer to be able to view the site or connect the VPN again.


Any ideas, anyone? I'm gonna have to go through the server logs when I get home; hopefully I can find something useful.

Jul 22, 2011 6:40 PM in response to Rob Shepard

I installed Lion as an upgrade from 10.6.8. After installing Lion Server, VPN would not work from my iPhone 4 to my iMac server over 3G or Wifi. I tried everything. I decided to do a clean install of Lion. After the install was done, my iPhone connected on the first try.


I then decided to restore the same iMac to a Time Machine backup taken just after upgrading to Lion, and now I'm having the same problems I originally had. Something is wrong with Lion. This is obvious because doing a fresh install allowed VPN to work and reverting to a backup restored the same problem.
