  • imafromKC Level 1 Level 1

    I too was in hopes a 10.7.1 update would fix the problem.


    Here's what I have found out today.


    I have 4 VPN servers all 10.6.x servers (3 Xserves and 1 Mini) (1 working is all up to date, the other is still on 10.6.7). I can successfully log into 2 of them and cannot log in to 2 of them. The server on the unsuccessful tries shows nothing in the VPN log. The local console shows me plenty. A successful log in looks like this.


    8/16/11 4:19:02.507 PM racoon: IKE Packet: transmit success. (Initiator, Main-Mode message 5).

    8/16/11 4:19:02.542 PM racoon: IKEv1 Phase1 AUTH: success. (Initiator, Main-Mode Message 6).

    8/16/11 4:19:02.542 PM racoon: IKE Packet: receive success. (Initiator, Main-Mode message 6).

    8/16/11 4:19:02.542 PM racoon: IKEv1 Phase1 Initiator: success. (Initiator, Main-Mode).

    8/16/11 4:19:02.542 PM racoon: IPSec Phase1 established (Initiated by me).

    8/16/11 4:19:03.088 PM racoon: IPSec Phase2 started (Initiated by peer).


    an unsuccessful log in looks like this.


    8/16/11 4:21:17.768 PM racoon: IKE Packet: transmit success. (Initiator, Main-Mode message 5).

    8/16/11 4:21:20.538 PM racoon: Received retransmitted packet from[500].

    8/16/11 4:21:20.538 PM racoon: IKE Packet: transmit success. (Phase1 Retransmit).

    8/16/11 4:21:23.538 PM racoon: Received retransmitted packet from[500].

    8/16/11 4:21:23.538 PM racoon: IKE Packet: transmit success. (Phase1 Retransmit).


    This is not the whole conversation, simply where things go bad. Message 6 seems to be the AUTH Message that the server never receives. I have deleted and recreated the VPN setting for the ones that don't work. I have tried saving my password with the settings. I even tried typing the wrong password. I have also tried typing in a bogus Shared Secret on the Lion client side. I have a SL partition that I have set up the VPN and everything works fine to all four servers. Only Lion 10.7.1 and only to two of the four servers. I have tried replacing the Shared Secret with the same text on both sides (copy and paste). I have tried using Full Name and shortname. As I said it doesn't matter if the password OR shared secret are right or wrong the error "The L2TP Server is not responding..." comes back every time.

  • imafromKC Level 1 Level 1

    I think I have this solved. I looked at the 4 shared secrets; 2 worked and 2 didn't. First I thought that it was the fact that the two working ones used exclamation points. Nope. BUT I noticed that the two working secrets were shorter. I shortened the one on my server and tried it and IT WORKED! The length that worked for sure was 53 characters and 66 does not. So it's somewhere in between that. BUT have your network Admin try shortening the shared secret for a bit and see if that works. This is not an easy change because it will require updating the Shared Secret on every Mac, iPhone and iPad that logs in. At least we have an answer. Of course note as well that iOS devices don't like some characters.


    Good time to refresh that Shared Secret anyway.


    Let me know if that works.

  • imafromKC Level 1 Level 1

    Got it. Lion truncates the VPN Shared Secret at 63 characters. If you paste in your phrase and it's longer than that it will still go in and apply but it won't work. The test string I used was:




    Once I added another character the VPN won't connect. When you change your shared secret bear in mind that iOS seems to filter some characters. I have only seen fleeting references to it not supporting " and a few others. So test your phrase with Lion, and an iPhone and iPad before you roll it out to everyone.


    Glad to put this one to bed. Now we can move on to migrating the server.
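
    The two findings above (Lion keeps only the first 63 characters of the shared secret, and a quote mark in the secret breaks the connection) can be turned into a small pre-flight check for administrators before a secret is rolled out. The following is an added example, not code from any poster in this thread; the 63-character limit and the `"` restriction are taken from the posts, while the 20-character minimum, the `'` and `\` exclusions and the safe alphabet are this example's own conservative assumptions.

```python
import secrets
import string
from typing import List

# Limits taken from this thread (not from Apple documentation): Lion silently truncates the
# L2TP/IPsec shared secret at 63 characters, and a '"' in the secret broke a Lion client
# talking to a Snow Leopard server.
MAX_SHARED_SECRET_LEN = 63
# '"' is the breaker reported in the thread; "'" and "\\" are excluded as an assumption,
# because they are the next most likely characters to be mangled by a client UI or a script.
FORBIDDEN_CHARS = {'"', "'", "\\"}
# Assumption: a policy minimum for this example, chosen because a short PSK is brute-forceable
# offline once an IKEv1 main-mode exchange has been captured.
MIN_SHARED_SECRET_LEN = 20
# Printable ASCII only, exclamation points included (the thread confirms they work).
SAFE_ALPHABET = "".join(
    c for c in string.ascii_letters + string.digits + "!#%+-./:=@_~"
    if c not in FORBIDDEN_CHARS
)


def effective_secret(secret: str) -> str:
    """The value a Lion client would actually send, per the thread's observation."""
    return secret[:MAX_SHARED_SECRET_LEN]


def check_shared_secret(secret: str) -> List[str]:
    """Return the list of problems with a proposed secret; an empty list means it passes."""
    problems: List[str] = []
    if len(secret) > MAX_SHARED_SECRET_LEN:
        problems.append(
            f"too long: {len(secret)} chars; Lion keeps only the first {MAX_SHARED_SECRET_LEN}, "
            f"so the client would present {effective_secret(secret)!r} and the server would reject it"
        )
    bad = sorted(set(secret) & FORBIDDEN_CHARS)
    if bad:
        problems.append("contains characters known or assumed to break clients: " + " ".join(bad))
    if any(not (33 <= ord(c) <= 126) for c in secret):
        problems.append("contains whitespace or non-ASCII characters")
    if len(secret) < MIN_SHARED_SECRET_LEN:
        problems.append(f"shorter than the {MIN_SHARED_SECRET_LEN}-character policy minimum")
    return problems


def generate_shared_secret(length: int = 48) -> str:
    """Generate a secret from the safe alphabet using the OS CSPRNG, within Lion's limit."""
    if not MIN_SHARED_SECRET_LEN <= length <= MAX_SHARED_SECRET_LEN:
        raise ValueError(
            f"length must be between {MIN_SHARED_SECRET_LEN} and {MAX_SHARED_SECRET_LEN}"
        )
    return "".join(secrets.choice(SAFE_ALPHABET) for _ in range(length))


if __name__ == "__main__":
    # Constructed inputs mirroring the thread: a 66-character secret and one containing a quote.
    for candidate in ["a" * 66, "correct horse battery staple\"", generate_shared_secret()]:
        print(repr(candidate), "->", check_shared_secret(candidate) or "ok")
```

    Run it once with the secret you intend to deploy; if it reports no problems, the same string can go onto the server and every Mac, iPhone and iPad without hitting the truncation or quote issues described in this thread.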

  • netlogic Level 1 Level 1

    Confirmed on my side as well.  Shortening the shared key under 64 characters allows Lion to connect to a Snow Leopard VPN Server.  Thank you very much for figuring this out.

  • RickSwear Level 1 Level 1

    I still have trouble and my shared secret is only 8 characters long.

    Trying to login to lion server over lion macbook pro.

    Everything was fine before the update.

  • imafromKC Level 1 Level 1



    Be sure that your shared secret does not use the quote marks. That was the only common special character that broke the VPN shared secret. I tested it with this phrase and it worked (Lion Client to SL Server):




    But this phrase would not work:




    Only difference was the quote mark toward the end. Maybe that will help.


    I have yet to install the Lion Server on our main server. I have a test server set up but not with VPN yet.


    I also have an employee who has a personal MacBook that worked fine before the switch to Lion Client. It did not work afterwards. I could not get him to connect even with the shorter shared secret. I reinstalled him and tested from a clean SL, worked. Updated to Lion, worked. Migrated user, worked. Restarted, tested again and it won't work. Not sure exactly what the migration brought over. All of his keychain info came in but I don't see anything related to the VPN. The thing is that before the migration the local admin client worked fine. After the migration and a restart the VPN won't connect again. Curiously the keychain information is accessible to both the local admin and the migrated user. So there's still something to solve here.

  • J-Hutz Level 1 Level 1

    I found that changing the VPN settings at the VPN server side to use AES encryption rather than 3DES fixed it for Lion.  But so far that seems to have broken it for Snow Leopard.


    Thanks Apple for changing and not documenting.  Glad so many pages are being taken from the MS playbook nowadays.

  • dirkholz Level 1 Level 1

    Had issues accessing my Lion VPN server with my iOS devices from outside my home network. Needed ports were forwarded by the router according to the Apple support docs, but it didn't work.


    The reason: one of the notebooks had MobileMe's "Back to my Mac" feature activated. By that the notebook redirects port 4500 on the router to itself using UPnP. So my port forward to the VPN server was overwritten.


    Deactivated "Back to my Mac" in that notebook's settings and now everything works fine. But it cost me two days to find out as I had overlooked the UPnP-initiated port forwardings in the router mgmt.





  • mtungusov Level 1 Level 1

    After replacing the kernel extension L2TP.kext with the one from 10.6.8,

    I can connect using L2TP VPN.


    In 1 min 15 sec connection terminated.

    So it looks like it is a Lion Problem.

  • BraytonAK Level 1 Level 1

    I, too, have just found the problem with 10.7.2 and the inability to make a VPN connection to my office.  We use a Cisco ASA at work (not sure of the model number).  I've tried two of the connections we have configured on the ASA.  One for general use and one just for IT use.  Every connection attempt leaves me with the dialog, "The L2TP-VPN server did not respond. ..."


    I'm not sure where to find logs, but then again, I'm more green with VPN's than some of you.  This is a VPN connection that worked beautifully in Snow Leopard.  I don't want to have to open my Windows 7 virtual machine just to make a VPN connection. 


    Any ideas on why Apple changed something that was working perfectly?  On one hand it's saving me from doing overtime work from home but on the other it's incredibly frustrating that what was perfect is now useless.

  • dlangh Level 1 Level 1

    From reading all these posts, it seems there is a potential litany of problems, and one person's solution certainly may not work for another.  I thought I would describe my experience as my solution wasn't mentioned by anyone else.


    First a bit of background.  I run a macmini server, which was running Snow Leopard and I had no issues with VPN.  It just worked.  I upgraded to Lion in August and for a while I didn't need my VPN connection so it went unused and untested.  Recently I tried to use it while on the road and could not connect.  When I got home this morning I decided to spend the time to get it working.  I also as a matter of convenience was using my iPhone with my wifi not active (i.e. via the 3G network) so I could easily test while keeping my laptop on my home network.


    After reading through these suggestions I tried a few of them and checked other settings to confirm I didn't have the same problems.  After confirming my router was working properly and port-forwarding was in place I focused on my server.  One thing I quickly discovered was that whenever I tried to connect it would generate log entries on my Lion Server (if you go into the Lion Server Application there is a Logs item under the Status section).  Once I confirmed that when I tried to connect I was in fact seeing the server receive packets and throw errors I was able to eliminate firewall, network, router issues, so my advice is to start with this much and make sure your problem is in fact with your Lion server and not something upstream from it.


    I will also add that for me my iPhone would connect and then after 20 secs or so return an error saying the VPN Server wasn't available (though it was and as I said receiving packets).


    I then changed the shared secret on my VPN server just in case that was the problem.  Once I did this my iPhone would get past the connection phase and try to authenticate but still failed.  I then re-entered on my iPhone my username, password and shared secret, but still got the same error.  The log entries in my Lion Server indicated that the remote device refused to authenticate.


    Finally I deleted my VPN connection on my iPhone and recreated it.  It's just 4 values, server, username, password and shared secret, all of which I KNOW were correct, but this is what did it.  Once I re-created my VPN client on my iPhone it connected right away.


    So, I have no idea why this fixed it, but there must be other hidden settings for the vpn connection that you can't change that were incorrect, perhaps during an initial connection to the VPN server (which would have been Snow Leopard at the time) it receives some VPN type details (like handshake/negotiation settings) that it saves with the client config and they changed with Lion but the client then kept trying to use incorrect settings?  I can't really say but I would recommend if all else fails delete and recreate your vpn client config because that fixed it for me.

  • drmac8 Level 1 Level 1

    OK, same problems as most described - and I've finally got it working!


    Fresh install of 10.7.2 (previously 10.6-10.7 upgraded version - but I couldn't even connect locally).


    I already had a short key, so this wasn't the problem.

    I deleted pref files as suggested - but didn't make a difference.


    I'm using a TP-Link Router, so needed to set port forwarding/mapping manually - still not working...


    Tried everything else until...


    dirkholz's tip regarding Back to My Mac using UPnP to confuse the router to use port 4500 - I turned off Back to My Mac from iCloud and then rebooted the router and it finally worked!


    Wasted 10 hours of messing about and reinstalling/reconfiguring servers... but at least it's working now.


    Apple may want to look at this....

  • AJ 2010 Level 1 Level 1

    Just another me too. L2TP works fine when connecting from 10.6 but doesn't work with 10.7. Same settings, same account name and same shared secret. The shared secret is not anywhere near 64 characters. The VPN server is running OS X server 10.7.2.


    12/16/11 1:07:13.933 PM configd: SCNC: start, triggered by System Preferen, type L2TP, status 0

    12/16/11 1:07:14.115 PM pppd: pppd 2.4.2 (Apple version 560.13) started by ajones, uid 501

    12/16/11 1:07:16.976 PM pppd: L2TP connecting to server '' (

    12/16/11 1:07:17.069 PM pppd: IPSec connection started

    12/16/11 1:07:17.129 PM racoon: Connecting.

    12/16/11 1:07:17.129 PM racoon: IPSec Phase1 started (Initiated by me).

    12/16/11 1:07:17.130 PM racoon: IKE Packet: transmit success. (Initiator, Main-Mode message 1).

    12/16/11 1:07:17.155 PM racoon: IKE Packet: receive success. (Initiator, Main-Mode message 2).

    12/16/11 1:07:17.161 PM racoon: IKE Packet: transmit success. (Initiator, Main-Mode message 3).

    12/16/11 1:07:17.191 PM racoon: IKE Packet: receive success. (Initiator, Main-Mode message 4).

    12/16/11 1:07:17.199 PM racoon: IKE Packet: transmit success. (Initiator, Main-Mode message 5).

    12/16/11 1:07:17.227 PM racoon: IKEv1 Phase1 AUTH: success. (Initiator, Main-Mode Message 6).

    12/16/11 1:07:17.227 PM racoon: IKE Packet: receive success. (Initiator, Main-Mode message 6).

    12/16/11 1:07:17.227 PM racoon: IKEv1 Phase1 Initiator: success. (Initiator, Main-Mode).

    12/16/11 1:07:17.227 PM racoon: IPSec Phase1 established (Initiated by me).

    12/16/11 1:07:18.228 PM racoon: IPSec Phase2 started (Initiated by me).

    12/16/11 1:07:18.229 PM racoon: IKE Packet: transmit success. (Initiator, Quick-Mode message 1).

    12/16/11 1:07:18.250 PM racoon: IKE Packet: receive success. (Initiator, Quick-Mode message 2).

    12/16/11 1:07:18.251 PM racoon: IKE Packet: transmit success. (Initiator, Quick-Mode message 3).

    12/16/11 1:07:18.251 PM racoon: IKEv1 Phase2 Initiator: success. (Initiator, Quick-Mode).

    12/16/11 1:07:18.251 PM racoon: IPSec Phase2 established (Initiated by me).

    12/16/11 1:07:18.252 PM pppd: IPSec connection established

    12/16/11 1:07:38.252 PM pppd: L2TP cannot connect to the server

    12/16/11 1:07:38.284 PM racoon: IKE Packet: transmit success. (Information message).

    12/16/11 1:07:38.284 PM racoon: IKEv1 Information-Notice: transmit success. (Delete IPSEC-SA).

    12/16/11 1:07:38.290 PM racoon: IKE Packet: transmit success. (Information message).

    12/16/11 1:07:38.290 PM racoon: IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).

    12/16/11 1:07:40.031 PM racoon: tracer failed. (Invalid session).
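
    The racoon/pppd excerpts posted by imafromKC earlier in this thread and by AJ 2010 just above fail at two different stages, and telling them apart is the first triage step: in the first, IKE Phase 1 never completes (the client keeps retransmitting after Main-Mode message 5, which with a pre-shared key usually means the two sides disagree on the secret, exactly the truncation case found above); in the second, both IPsec phases come up and only the L2TP control channel inside the tunnel gets no answer, so the shared secret is not the problem. The following classifier is an added example, not code from any poster; the sample logs are constructed from the lines quoted in this thread (the final lines of the "healthy" sample are constructed, since the original excerpt stops at Phase 2 starting), and the hints are this example's reading of the thread, not an Apple diagnostic.

```python
import re
from typing import Dict, Optional

# Matches the macOS console format used in this thread: "<date> <time> <AM|PM> <process>: <message>".
LINE_RE = re.compile(r"^(?P<stamp>\S+ \S+ [AP]M) (?P<proc>[A-Za-z]+): (?P<msg>.*)$")

# Constructed sample excerpts, modelled on the racoon/pppd lines quoted in this thread.
STALLED_PHASE1 = """\
8/16/11 4:21:17.768 PM racoon: IKE Packet: transmit success. (Initiator, Main-Mode message 5).
8/16/11 4:21:20.538 PM racoon: Received retransmitted packet from[500].
8/16/11 4:21:20.538 PM racoon: IKE Packet: transmit success. (Phase1 Retransmit).
8/16/11 4:21:23.538 PM racoon: Received retransmitted packet from[500].
8/16/11 4:21:23.538 PM racoon: IKE Packet: transmit success. (Phase1 Retransmit).
"""

L2TP_TIMEOUT = """\
12/16/11 1:07:17.227 PM racoon: IPSec Phase1 established (Initiated by me).
12/16/11 1:07:18.251 PM racoon: IPSec Phase2 established (Initiated by me).
12/16/11 1:07:18.252 PM pppd: IPSec connection established
12/16/11 1:07:38.252 PM pppd: L2TP cannot connect to the server
12/16/11 1:07:38.284 PM racoon: IKEv1 Information-Notice: transmit success. (Delete IPSEC-SA).
"""

# The last two lines here are constructed; the thread's healthy excerpt ends at "Phase2 started".
HEALTHY = """\
8/16/11 4:19:02.542 PM racoon: IPSec Phase1 established (Initiated by me).
8/16/11 4:19:03.088 PM racoon: IPSec Phase2 started (Initiated by peer).
8/16/11 4:19:03.200 PM racoon: IPSec Phase2 established (Initiated by peer).
8/16/11 4:19:03.250 PM pppd: IPSec connection established
"""

HINTS = {
    "ike-phase1-stalled": (
        "Client sent its Main-Mode authentication and never received the peer's reply. With a "
        "pre-shared key this most often means the two sides hold different secrets (in this thread: "
        "Lion truncating a >63-character secret, or a quote mark in it); check the secret first."
    ),
    "l2tp-timeout": (
        "IPsec Phase 1 and 2 completed, so the shared secret and UDP 500/4500 are fine; the L2TP "
        "control channel inside the tunnel got no answer. Look at the server-side L2TP/pppd logs, "
        "the account, and anything else answering on the forwarded ports (the UPnP case in this thread)."
    ),
    "ipsec-up": "IPsec established; if the connection still fails, the problem is in PPP authentication.",
    "unknown": "No Phase 1 retransmits and no Phase 2 establishment seen; capture a fuller log.",
}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one console line into stamp/proc/msg, or None if it is not in that format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def diagnose(log_text: str) -> Dict[str, object]:
    """Classify a client-side racoon/pppd excerpt by the stage at which the L2TP/IPsec setup stopped."""
    msgs = [e["msg"] for e in map(parse_line, log_text.splitlines()) if e]
    phase1_up = any("IPSec Phase1 established" in m for m in msgs)
    phase2_up = any("IPSec Phase2 established" in m for m in msgs)
    retransmits = sum("Phase1 Retransmit" in m for m in msgs)
    l2tp_failed = any("L2TP cannot connect" in m for m in msgs)
    seen = [int(n) for m in msgs for n in re.findall(r"Main-Mode [Mm]essage (\d)", m)]
    last_mm = max(seen, default=0)

    if not phase1_up and retransmits:
        stage = "ike-phase1-stalled"
    elif phase2_up and l2tp_failed:
        stage = "l2tp-timeout"
    elif phase2_up:
        stage = "ipsec-up"
    else:
        stage = "unknown"
    return {
        "stage": stage,
        "last_main_mode_message": last_mm,
        "retransmits": retransmits,
        "hint": HINTS[stage],
    }


if __name__ == "__main__":
    for name, sample in [("stalled", STALLED_PHASE1), ("l2tp", L2TP_TIMEOUT), ("healthy", HEALTHY)]:
        result = diagnose(sample)
        print(f"{name}: {result['stage']} (last Main-Mode message {result['last_main_mode_message']})")
        print("  ", result["hint"])
```

    Paste the client's console lines into `diagnose()`; the `stage` value tells you whether to look at the shared secret (Phase 1 stall) or at the server's L2TP/PPP side and port forwarding (Phase 2 up but L2TP timing out), which is the split this thread's posters had to work out by hand.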

  • blk182n7 Level 1 Level 1

    This works; just follow the directions exactly and it works every time.



    Thanks for your hard work. 

  • BMQ Level 1 Level 1

    Very many thanks Minake - save lots of time and effort!