Native iOS L2TP VPN not working on Lion Server

Question

Level 1

0 points

Native iOS L2TP VPN not working on Lion Server

Hi Folks,

I have a very strange issue concerning making VPN work on two iOS devices I have. I have recently setup Lion Server on a MacMini here in the office with L2TP VPN using a shared secrert phrase and a password authentication.

I have Lion running on an a MacBook Air (which I setup VPN using the provisioning profile "VPN.mobileprovision") and Snow Leopard running on an iMac. (VPN was set up manually). Both systems have been tested to work both inside and outsideof my internal network as I have tested with an air card.

I also have an iPhone running 4.3.4/4.3.5 that I setup by emailing the provisioning profile and and iPad 1 running iOS 5 beta 4 setup with the vpn provisioning profile. Neither the iPad nor iPhone seem to work at all either internally nor externally. In fact I never see any activity in the vpnd.log when I attempt to connect to with these devices. All I get is the standard "The L2TP-VPN server did not respond. Try reconnecting. ..."

Based on my success with the OSX Clients both inside and outside my local network I feel it is safe to say that I do not think the issue resides on the Lion Server nor the network/firewall configuration. I am running a Time Capsule with FW 7.5.2/7.4.2. There was no change in behavior with either version of the Time capsule firmware for the clients whether they were OSX or iOS. I must be clearly missing something here and I don't know what. Any help any of you could provide would be greatly appreciated. Thanks!

Please see the below settings for my VPN Settings on the host and iOS client

root# serveradmin settings vpn

vpn:vpnHost = ""

vpn:Servers:com.apple.ppp.pptp:Server:Logfile = "/var/log/ppp/vpnd.log"

vpn:Servers:com.apple.ppp.pptp:Server:VerboseLogging = 1

vpn:Servers:com.apple.ppp.pptp:Server:MaximumSessions = 128

vpn:Servers:com.apple.ppp.pptp:DNS:OfferedSearchDomains:_array_index:0 = "ri.cox.net"

vpn:Servers:com.apple.ppp.pptp:DNS:OfferedServerAddresses:_array_index:0 = "192.168.15.1"

vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:0:SharedSecret = "1"

vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:0:Address = "1.1.1.1"

vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:1:SharedSecret = "2"

vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:1:Address = "2.2.2.2"

vpn:Servers:com.apple.ppp.pptp:enabled = no

vpn:Servers:com.apple.ppp.pptp:Interface:SubType = "PPTP"

vpn:Servers:com.apple.ppp.pptp:Interface:Type = "PPP"

vpn:Servers:com.apple.ppp.pptp:PPP:LCPEchoFailure = 5

vpn:Servers:com.apple.ppp.pptp:PPP:DisconnectOnIdle = 1

vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorEAPPlugins:_array_index:0 = "EAP-RSA"

vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorACLPlugins:_array_index:0 = "DSACL"

vpn:Servers:com.apple.ppp.pptp:PPP:CCPEnabled = 1

vpn:Servers:com.apple.ppp.pptp:PPP:IPCPCompressionVJ = 0

vpn:Servers:com.apple.ppp.pptp:PPP:ACSPEnabled = 1

vpn:Servers:com.apple.ppp.pptp:PPP:LCPEchoEnabled = 1

vpn:Servers:com.apple.ppp.pptp:PPP:LCPEchoInterval = 60

vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize128 = 1

vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorProtocol:_array_index:0 = "MSCHAP2"

vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize40 = 0

vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorPlugins:_array_index:0 = "DSAuth"

vpn:Servers:com.apple.ppp.pptp:PPP:Logfile = "/var/log/ppp/vpnd.log"

vpn:Servers:com.apple.ppp.pptp:PPP:VerboseLogging = 1

vpn:Servers:com.apple.ppp.pptp:PPP:DisconnectOnIdleTimer = 7200

vpn:Servers:com.apple.ppp.pptp:PPP:CCPProtocols:_array_index:0 = "MPPE"

vpn:Servers:com.apple.ppp.pptp:IPv4:ConfigMethod = "Manual"

vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:0 = "192.168.15.224"

vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:1 = "192.168.15.254"

vpn:Servers:com.apple.ppp.pptp:IPv4:OfferedRouteAddresses = _empty_array

vpn:Servers:com.apple.ppp.pptp:IPv4:OfferedRouteTypes = _empty_array

vpn:Servers:com.apple.ppp.pptp:IPv4:OfferedRouteMasks = _empty_array

vpn:Servers:com.apple.ppp.l2tp:Server:LoadBalancingAddress = "1.2.3.4"

vpn:Servers:com.apple.ppp.l2tp:Server:MaximumSessions = 128

vpn:Servers:com.apple.ppp.l2tp:Server:LoadBalancingEnabled = 0

vpn:Servers:com.apple.ppp.l2tp:Server:Logfile = "/var/log/ppp/vpnd.log"

vpn:Servers:com.apple.ppp.l2tp:Server:VerboseLogging = 1

vpn:Servers:com.apple.ppp.l2tp:DNS:OfferedSearchDomains:_array_index:0 = "ri.cox.net"

vpn:Servers:com.apple.ppp.l2tp:DNS:OfferedServerAddresses:_array_index:0 = "192.168.15.1"

vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:0:SharedSecret = "1"

vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:0:Address = "1.1.1.1"

vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:1:SharedSecret = "2"

vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:1:Address = "2.2.2.2"

vpn:Servers:com.apple.ppp.l2tp:enabled = yes

vpn:Servers:com.apple.ppp.l2tp:Interface:SubType = "L2TP"

vpn:Servers:com.apple.ppp.l2tp:Interface:Type = "PPP"

vpn:Servers:com.apple.ppp.l2tp:PPP:LCPEchoFailure = 5

vpn:Servers:com.apple.ppp.l2tp:PPP:DisconnectOnIdle = 1

vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorEAPPlugins:_array_index:0 = "EAP-KRB"

vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorACLPlugins:_array_index:0 = "DSACL"

vpn:Servers:com.apple.ppp.l2tp:PPP:VerboseLogging = 1

vpn:Servers:com.apple.ppp.l2tp:PPP:IPCPCompressionVJ = 0

vpn:Servers:com.apple.ppp.l2tp:PPP:ACSPEnabled = 1

vpn:Servers:com.apple.ppp.l2tp:PPP:LCPEchoInterval = 60

vpn:Servers:com.apple.ppp.l2tp:PPP:LCPEchoEnabled = 1

vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorProtocol:_array_index:0 = "MSCHAP2"

vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorPlugins:_array_index:0 = "DSAuth"

vpn:Servers:com.apple.ppp.l2tp:PPP:Logfile = "/var/log/ppp/vpnd.log"

vpn:Servers:com.apple.ppp.l2tp:PPP:DisconnectOnIdleTimer = 7200

vpn:Servers:com.apple.ppp.l2tp:IPSec:SharedSecretEncryption = "Keychain"

vpn:Servers:com.apple.ppp.l2tp:IPSec:LocalIdentifier = ""

vpn:Servers:com.apple.ppp.l2tp:IPSec:SharedSecret = "com.apple.ppp.l2tp"

vpn:Servers:com.apple.ppp.l2tp:IPSec:AuthenticationMethod = "SharedSecret"

vpn:Servers:com.apple.ppp.l2tp:IPSec:RemoteIdentifier = ""

vpn:Servers:com.apple.ppp.l2tp:IPSec:IdentifierVerification = "None"

vpn:Servers:com.apple.ppp.l2tp:IPSec:LocalCertificate = <>

vpn:Servers:com.apple.ppp.l2tp:IPv4:ConfigMethod = "Manual"

vpn:Servers:com.apple.ppp.l2tp:IPv4:DestAddressRanges:_array_index:0 = "192.168.15.241"

vpn:Servers:com.apple.ppp.l2tp:IPv4:DestAddressRanges:_array_index:1 = "192.168.15.249"

vpn:Servers:com.apple.ppp.l2tp:IPv4:OfferedRouteAddresses = _empty_array

vpn:Servers:com.apple.ppp.l2tp:IPv4:OfferedRouteTypes = _empty_array

vpn:Servers:com.apple.ppp.l2tp:IPv4:OfferedRouteMasks = _empty_array

vpn:Servers:com.apple.ppp.l2tp:L2TP:Transport = "IPSec"

iPhone 4, iOS 4.3.3, Lion Server VPN

Posted on Jul 26, 2011 6:12 AM

Reply

Answer 1

Best reply

rocstarr Author

Level 1

0 points

Jul 26, 2011 5:44 PM in response to rocstarr

Issue is resolved. I used the initial random generated shared secret that was generated by Lion Server. The shared secret has special characters. IOS did not like the special characters. See iPhone Console Log below:

Jul 26 20:00:36 iPhone-4 racoon[718] <Info>: [718] INFO: @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/)

Jul 26 20:00:36 iPhone-4 racoon[718] <Info>: [718] INFO: Reading configuration from "/etc/racoon/racoon.conf"

Jul 26 20:00:36 iPhone-4 racoon[718] <Info>: [718] ERROR: /var/run/racoon/68.9.232.78.conf:6: "?gLA" syntax error

Jul 26 20:00:36 iPhone-4 racoon[718] <Info>: [718] ERROR: fatal parse failure (1 errors)

That is why I never saw any attempt to connect. The actual process would bomb out before attempting to make a connection to the server.

The shared secret key was:

Y|WNwvM_O"?gLA$F@adT

Looks like it was the " or the ? symbols.

Once I changed the shared secret key the issue went away and the iPhone and iPad could connect to vpn without issue.

Figured I'd let you all know

Reply

Answer 2

volman69

Level 1

4 points

Aug 7, 2011 8:02 PM in response to rocstarr

Thanks! I've been trying to get my first VPN going with Lion Sever, and this was apparently the problem. I don't think the "doesn't recognize special characters" is confined to iOS devices b/c I was having the same problem on Snow Leopard and Lion MacBook client machines.

Reply

Answer 3

didca

Level 1

0 points

Aug 13, 2011 12:54 AM in response to rocstarr

Thanks a lot, I spent a full afternoon verifying that everything went through the router etc. and finally the issue was exactly what you describe. It worked as soon as I changed the private key !

Thanks again.

Reply

Answer 4

AndreGB

Level 1

14 points

Dec 10, 2011 3:12 PM in response to rocstarr

Thank you for the tip! I was also having this exact same issue and this solved it.

Reply

Answer 5

Dec 18, 2011 10:10 AM in response to rocstarr

Your are a life saver. I never would have tried this and it worked. I have one associated issue. It works ONLY if my idevice is using WIFI. If I try to VPN over ATT 3G then I get: "VPN Connection The L2TP-VPN server did not respond. Try reconnecting. If the problem continues, verfiy your settings and contact your Administrator."

I tried to find another VPN client that would run on an iPhone and connect to Lion Server but could not come up with anything to try that.

Thoughts?

Reply

Answer 6

sgirard

Level 1

40 points

May 28, 2012 8:57 PM in response to rocstarr

Thanks for the catch. I have lost several hours on this tonight, and I am so glad you posted your solution.

For me, my auto-generated shared secret had a " in it and that was the issue. I substituted a different character for the " in the shared secret, restarted the VPN service, changed the shared secret for my devices in profile manager, let them sync, and all is well now.

Again, thanks so much for posting your result.

Reply

Answer 7

Jun 17, 2012 1:02 AM in response to rocstarr

Apparently the secret is also limited in length, I attempted to use a 64 character key without any special characters (thanks for the insight) and it would not connect. I reduced the secret to 16 characters and the connection worked.

Reply

Answer 8

evan.j

Level 1

4 points

Nov 4, 2014 6:45 PM in response to rocstarr

Thank you! Apparently this issue still exists with suggested secrets in OS X Server 4 and IOS 8.1. Spent quite a few hours today trying to troubleshoot this.

Thanks again!

Reply