I had the same problem. It's not about your NAT. It's related to your HOST-NAME settings on your Lion Mac Server.
go to Lion Server.app and connect to your Lion Server.
go to the HARDWARE-group (left side) and select your Lion Server.
go to Network and edit your HOSTNAME.
My hostname was chosen as a local hostname like mini.local, but this is only for internal use.
You have to choose a server.private name, or a real domain name.
if you follow these steps, it would work from inside your network and from internet too.
I've got a similar problem. Been running an L2TP/IPSec VPN service using Snow Leopard for months. Upgraded to Lion and now local VPN connectivity on the same network works but external access to VPN doesn't. The difference is that the server is on our Uni network so there are no NAT router issues as some people have suggested. Everything has a real IP address and as I manage the outside world firewall it's not that either.
I'm currently routing people through a backup leopard VPN server till I get the Lion one working.
Also, do Apple want to make things difficult w.r.t. VPN server connectivity?
The Snow Leopard VPN server management page wasn't the best in the world but at least you could quickly see how many VPN users you had and what their userids were. With Lion it looks as if the only thing you can do is look at the diag log for the service..... or have they moved it to some other location?
I have been trying to get Lion VPN server up for a while... struggling with the same issues as folks listed here.
I was able to connect on local LAN, but not from WAN. I figured that it must be something with my router [DD-WRT on Linksys 54g].
The apple help says only a couple of ports need to be forwarded. I reviewed the traffic on local LAN and made the following router adjustments:
- Forward ports 50, 51, 500, 548, 1701, 1723, 4500 to the server
- Do not filter anonymous internet requests
- Do not filter multicast
- Do not filter NAT Redirection
The VPN connections are now working for me from WAN side. I still cannot see other IPs on my LAN once VPN'ed in.
BTW, thanks to the following post for insight as well:
This sounds like it might be the solution I am looking for (my iPhone and iPad can VPN in, but not my iMac). I am the admin for my office's AirPort Extreme so I can configure the ports, however I'm a little confused as to the specifics.
For each service, the router asks for a list of public UDP and TCP ports and then a list of private UDP and TCP ports. How I had it configured previously to today was:
public UDP ports: 500, 1701, 4500
public TCP ports: 1701
private UDP ports: 500, 1701, 4500
private TCP ports: 1701
So my question is, for the list of ports to forward, which ones go under UDP and which ones go under TCP? Thanks!
So I still had this issue with iOS 5.0.1 and AirPort firmware 7.6. I resolved the issue (VPN now works from my iPhone from a remote wifi network) as follows:
(Please note not all of these ports may be necessary; I have not regressed that yet)
On my airport
Public UDP Ports 500, 1701, 1723, 4500
Public TCP Ports 1701, 1723
Private UDP Ports 500, 1701, 1723, 4500
Private TCP Ports 1701, 1723
The VPN didn't work until I did the following however:
user name, password, and Shared Secret all set to EIGHT (8) characters (letters only in my test)
Yes that's right, it looks to me that the Lion VPN server has a mistake in the maximum length of one of these character strings.
Kudos if anyone has the time to figure out which one. Please reply if this fixes your issue.
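The question above about which ports go under UDP and which under TCP, as an added checker that is not from any poster in this thread: it encodes the transport each L2TP/IPsec and PPTP component uses and flags entries that are IP protocol numbers rather than ports (ESP/AH/GRE are covered by a router's VPN passthrough setting, not by port forwarding). The port lists in the main block are constructed from the ones posted in this thread.

```python
# Added example: validate an AirPort-style port-forwarding entry for a Lion
# Server VPN. The transport facts are standard protocol behaviour; nothing
# here is taken from Apple's own tooling.

# What an L2TP/IPsec server needs forwarded from the WAN (all UDP).
L2TP_IPSEC_UDP = {500: "IKE", 4500: "IPsec NAT-T", 1701: "L2TP"}
# What PPTP needs, if that service is enabled at all.
PPTP_TCP = {1723: "PPTP control"}
# IP protocol numbers, not TCP/UDP ports. Forwarding "port 50" does nothing
# for ESP; the router's VPN passthrough setting is what handles it.
IP_PROTOCOLS = {47: "GRE (PPTP data)", 50: "ESP (IPsec data)", 51: "AH"}


def check_forwarding(udp_ports, tcp_ports, want_pptp=False):
    """Compare forwarded UDP/TCP port sets with what the VPN actually needs.

    Returns sorted lists: 'missing' (required but absent), 'unneeded'
    (forwarded but unused by the VPN, i.e. extra exposure) and 'misplaced'
    (IP protocol numbers entered as if they were ports).
    """
    udp, tcp = set(udp_ports), set(tcp_ports)
    need_udp = set(L2TP_IPSEC_UDP)
    need_tcp = set(PPTP_TCP) if want_pptp else set()
    proto = set(IP_PROTOCOLS)

    missing = [f"udp/{p} ({L2TP_IPSEC_UDP[p]})" for p in sorted(need_udp - udp)]
    missing += [f"tcp/{p} ({PPTP_TCP[p]})" for p in sorted(need_tcp - tcp)]
    unneeded = [f"udp/{p}" for p in sorted(udp - need_udp - proto)]
    unneeded += [f"tcp/{p}" for p in sorted(tcp - need_tcp - proto)]
    misplaced = [f"{p} ({IP_PROTOCOLS[p]})" for p in sorted((udp | tcp) & proto)]
    return {"missing": missing, "unneeded": unneeded, "misplaced": misplaced}


if __name__ == "__main__":
    # Constructed from the lists posted above: the first AirPort entry, the
    # later one that added PPTP, and the DD-WRT list applied to both transports.
    for label, udp, tcp, pptp in [
        ("airport-first", {500, 1701, 4500}, {1701}, False),
        ("airport-later", {500, 1701, 1723, 4500}, {1701, 1723}, True),
        ("dd-wrt", {50, 51, 500, 548, 1701, 1723, 4500},
         {50, 51, 500, 548, 1701, 1723, 4500}, True),
    ]:
        print(label, check_forwarding(udp, tcp, want_pptp=pptp))
```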
7.6 did not solve this for me. Very frustrating. My iPad can connect, but not my iMac running 10.7.2. I even installed the VPN profile that Lion Server created. I am able to screen share with the server and watch vpnd.log in the console. When I connect w/the iPad the console shows activity. When I attempt to connect with the Mac, nothing. Then the Mac says the L2TP server did not respond. Any ideas? This is end-to-end Apple products (I have an AEBS at my house too).
Wow. After searching for two hours and struggling, your suggestion of trying 8 characters for the secret, user name, and password fixed it for me. I was over on each. I only got it working if all 3 were 8 or less. Any one of them more than 8, and I would get the following in my log:
CHAP peer authentication failed for <username>
DNS, IP, provided IP address from VPN, and the handshakes in the logs all looked good. I tried resetting users, restarting, restarting services etc. I was only using local directory as I am still configuring the server.
I can now get in and VPN works.
Again, thanks for that little tidbit. I had seen suggestions of making the secret alphanumeric but you were the first to mention size of the fields.
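The CHAP failure line quoted above and the 8-character workaround, as an added triage helper that is not from any poster here: it counts that failure per user over a vpnd.log excerpt and flags users whose username, password or shared secret is longer than the length the posters reported as working. The 8-character limit is taken as this thread's report, not a documented Apple limit, and every log line except the CHAP message itself is constructed.

```python
# Added example: triage vpnd.log for the CHAP failure quoted in this thread
# and check local VPN credentials against the 8-character limit reported above.
import re
from collections import Counter

# The only line format taken from the thread.
CHAP_FAIL = re.compile(r"CHAP peer authentication failed for (\S+)")
# Reported workaround from the posts above; an assumption, not a documented limit.
REPORTED_LIMIT = 8

# Constructed sample log (timestamps and other lines are made up for the example).
SAMPLE_VPND_LOG = """\
2011-11-14 09:12:01 : L2TP incoming call in progress from '203.0.113.7'...
2011-11-14 09:12:02 : CHAP peer authentication failed for remoteworker1
2011-11-14 09:12:40 : CHAP peer authentication failed for remoteworker1
2011-11-14 09:13:05 : CHAP peer authentication failed for bob
2011-11-14 09:15:22 : L2TP connection established.
"""


def chap_failures(log_text):
    """Count 'CHAP peer authentication failed' events per username."""
    counts = Counter()
    for line in log_text.splitlines():
        m = CHAP_FAIL.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def fields_over_limit(username, password, shared_secret, limit=REPORTED_LIMIT):
    """Names of the credential fields longer than the reported working length."""
    fields = {"username": username, "password": password, "shared_secret": shared_secret}
    return [name for name, value in fields.items() if len(value) > limit]


def triage(log_text, credentials, repeat_threshold=3):
    """Explain each failing user: the length issue if their fields exceed it,
    otherwise repeated failures worth a closer look (bad client config or guessing)."""
    report = {}
    for user, count in chap_failures(log_text).items():
        creds = credentials.get(user)  # (password, shared_secret) or None
        if creds and fields_over_limit(user, *creds):
            report[user] = "credential field over %d chars" % REPORTED_LIMIT
        elif count >= repeat_threshold:
            report[user] = "%d failures: check client config or for guessing" % count
        else:
            report[user] = "%d failure(s)" % count
    return report


if __name__ == "__main__":
    # Constructed: (password, shared secret) per local directory user.
    users = {"remoteworker1": ("pass1234", "secret"), "bob": ("bobpw", "secret")}
    print(triage(SAMPLE_VPND_LOG, users))
```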
Strange thing. After checking my firewall and finding nothing I assumed it had something to do with my router or the communication between MBP and router. Port forwarding was unchanged but I found that in the UPnP section some device (probably one of our Macs from the IP) had somehow grabbed port 4500. Disabled UPnP (don't think I'll need it anyway) and everything's back to normal.