
VPN and iPhone 4

Anyone set up VPN on Lion Server yet and able to connect from their iPhone 4? No luck here.

iMac, Mini, MBPro/Air, iPhone/iPad, Mac OS X (10.7)

Posted on Jul 26, 2011 1:17 PM

14 replies

Jul 26, 2011 2:34 PM in response to Sproctor61

I have the same problem. Set up Lion Server on my Mac Mini. Set up VPN. I can connect without any problems from my MacBook Pro to my mini's VPN while out and about (doing it right now, as a matter of fact).


I cannot connect either my iPhone or my iPad to my Mac Mini's VPN in the same situation. I don't know what's up with it. I hope they come out with a fix for it.


I used to use Snow Leopard's (not Server) built-in VPN and configured it using iVPN (it worked but it was a bit of a buggy pain - separate issue with iVPN, though). Anyway, with that setup my Macbook Pro, iPhone, and iPad all happily connected to my home network without any problems.


I'd like this to all work as it's one of the primary reasons I paid extra for Lion Server.

Jul 26, 2011 5:31 PM in response to Brad Bishop

+1


Can't get Lion or iPhone 4 or iPad 2 to talk to Lion Server VPN on L2TP or PPTP. Filed a bug report on this, but haven't heard back. No filters, no firewalls; works fine from any of the above clients to L2TP on Snow Leopard Server. I did note that the racoon configuration on Lion Server supports AES 256 whereas older server versions stuck with AES 128, but even when I thought I configured the two to be identical, Lion Server still wouldn't work for VPN.

Jul 27, 2011 3:20 AM in response to Sproctor61

Strangely enough - I managed to get mine working - and have it working on both Lion Client, iPhone 4 & my iPad.


Although it was a nightmare to begin with - I initially was configuring it to PPTP - and had no end of trouble - that still doesn't work.


Make sure your router is forwarding, and your firewall is not blocking.

  • PPTP / L2TP / GRE requests
  • TCP 1723 (PPTP)
  • UDP 1701 (L2TP)
  • UDP 500 (IKE)
  • UDP 4500 (ISAKMP - or however it's spelt)


To check if packets are getting through, use the following in two terminal sessions (either via SSH or locally on the mini):


tail -f -n 1 /var/log/ppp/vpnd.log
sudo tcpdump tcp port 1723 or udp port 1701 or udp port 500 or udp port 4500 or proto 47


To check your vpn config - run the following


sudo serveradmin settings vpn


Mine gives me this output (I trimmed out the pptp and ID info)


vpn:Servers:com.apple.ppp.l2tp:Server:LoadBalancingAddress = "1.2.3.4"

vpn:Servers:com.apple.ppp.l2tp:Server:MaximumSessions = 128

vpn:Servers:com.apple.ppp.l2tp:Server:LoadBalancingEnabled = 0

vpn:Servers:com.apple.ppp.l2tp:Server:Logfile = "/var/log/ppp/vpnd.log"

vpn:Servers:com.apple.ppp.l2tp:Server:VerboseLogging = 1

vpn:Servers:com.apple.ppp.l2tp:DNS:OfferedSearchDomains:_array_index:0 = "fqdn"

vpn:Servers:com.apple.ppp.l2tp:DNS:OfferedServerAddresses:_array_index:0 = "192.168.2.222"

vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:0:SharedSecret = "1"

vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:0:Address = "1.1.1.1"

vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:1:SharedSecret = "2"

vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:1:Address = "2.2.2.2"

vpn:Servers:com.apple.ppp.l2tp:EAP:KerberosServicePrincipalName = "vpn/server.fqdn@SERVER.FQDN"

vpn:Servers:com.apple.ppp.l2tp:enabled = yes

vpn:Servers:com.apple.ppp.l2tp:Interface:SubType = "L2TP"

vpn:Servers:com.apple.ppp.l2tp:Interface:Type = "PPP"

vpn:Servers:com.apple.ppp.l2tp:PPP:LCPEchoFailure = 5

vpn:Servers:com.apple.ppp.l2tp:PPP:DisconnectOnIdle = 1

vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorEAPPlugins:_array_index:0 = "EAP-KRB"

vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorACLPlugins:_array_index:0 = "DSACL"

vpn:Servers:com.apple.ppp.l2tp:PPP:VerboseLogging = 1

vpn:Servers:com.apple.ppp.l2tp:PPP:IPCPCompressionVJ = 0

vpn:Servers:com.apple.ppp.l2tp:PPP:ACSPEnabled = 1

vpn:Servers:com.apple.ppp.l2tp:PPP:LCPEchoInterval = 60

vpn:Servers:com.apple.ppp.l2tp:PPP:LCPEchoEnabled = 1

vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorProtocol:_array_index:0 = "MSCHAP2"

vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorPlugins:_array_index:0 = "DSAuth"

vpn:Servers:com.apple.ppp.l2tp:PPP:Logfile = "/var/log/ppp/vpnd.log"

vpn:Servers:com.apple.ppp.l2tp:PPP:DisconnectOnIdleTimer = 7200

vpn:Servers:com.apple.ppp.l2tp:IPSec:SharedSecretEncryption = "Keychain"

vpn:Servers:com.apple.ppp.l2tp:IPSec:LocalIdentifier = ""

vpn:Servers:com.apple.ppp.l2tp:IPSec:SharedSecret = "com.apple.ppp.l2tp"

vpn:Servers:com.apple.ppp.l2tp:IPSec:AuthenticationMethod = "SharedSecret"

vpn:Servers:com.apple.ppp.l2tp:IPSec:RemoteIdentifier = ""

vpn:Servers:com.apple.ppp.l2tp:IPSec:IdentifierVerification = "None"

vpn:Servers:com.apple.ppp.l2tp:IPSec:LocalCertificate = <>

vpn:Servers:com.apple.ppp.l2tp:IPv4:ConfigMethod = "Manual"

vpn:Servers:com.apple.ppp.l2tp:IPv4:DestAddressRanges:_array_index:0 = "192.168.2.70"

vpn:Servers:com.apple.ppp.l2tp:IPv4:DestAddressRanges:_array_index:1 = "192.168.2.79"

vpn:Servers:com.apple.ppp.l2tp:IPv4:OfferedRouteAddresses = _empty_array

vpn:Servers:com.apple.ppp.l2tp:IPv4:OfferedRouteTypes = _empty_array

vpn:Servers:com.apple.ppp.l2tp:IPv4:OfferedRouteMasks = _empty_array

vpn:Servers:com.apple.ppp.l2tp:L2TP:Transport = "IPSec"

vpn:Servers:com.apple.ppp.l2tp:L2TP:IPSecSharedSecretValue = "<SNIP>"



To give you an overview


  • Scope - 192.168.2.0/24
  • Router - 192.168.2.1
  • Server - 192.168.2.222 (DHCP, DNS, OD, VPN etc)
  • L2TP Range - 192.168.2.70-79
  • PPTP Range - 192.168.2.80-89
  • DHCP Range - 192.168.2.100-150


I found that after several attempts of flipping back and forth between DMZ and non-DMZ mode for 222, rebooting the server, rewriting settings etc. via terminal I got it working - I can't tell you what exactly did it, however.


What I did have to do, however, was ensure that DHCP was not issuing a range allocated to either VPN, and manually rewrite the settings needed for my DNS Server & DNS Domain provided to VPN clients. It was holding the IP of 15 as the DNS server, which is what I had as a DNS server while I was building this server clean.

Jul 27, 2011 3:36 AM in response to Sproctor61

Okay, now it works for me. The missing config lines on my side are:


vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorProtocol:_array_index:0 = "MSCHAP2"

vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorPlugins:_array_index:0 = "DSAuth"

vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorEAPPlugins:_array_index:0 = "EAP-KRB"

vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorACLPlugins:_array_index:0 = "DSACL"


Now it works.

Thank you very much for your config post, @Caledai.


br

manuel
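A small checker for the two posts above (Caledai's `serveradmin settings vpn` dump and the four authenticator lines menzbua found missing), added here as an example and not code from the thread. It parses a constructed sample of the dump, lists which of the four keys are absent, and prints `key = value` lines that can be fed on stdin to `sudo serveradmin settings`; the key set is just what fixed menzbua's setup, not a full validation of the VPN service.

```python
import re
from typing import Dict, List

# Constructed sample of `sudo serveradmin settings vpn` output, modelled on the
# dump posted in this thread but with the four PPP authenticator keys left out.
SAMPLE_SETTINGS = """\
vpn:Servers:com.apple.ppp.l2tp:enabled = yes
vpn:Servers:com.apple.ppp.l2tp:Interface:SubType = "L2TP"
vpn:Servers:com.apple.ppp.l2tp:PPP:LCPEchoEnabled = 1
vpn:Servers:com.apple.ppp.l2tp:IPSec:AuthenticationMethod = "SharedSecret"
vpn:Servers:com.apple.ppp.l2tp:IPSec:LocalCertificate = <>
vpn:Servers:com.apple.ppp.l2tp:L2TP:Transport = "IPSec"
"""

# The four lines menzbua found missing; keys and values are copied from the thread.
PPP = "vpn:Servers:com.apple.ppp.l2tp:PPP"
REQUIRED = {
    f"{PPP}:AuthenticatorProtocol:_array_index:0": '"MSCHAP2"',
    f"{PPP}:AuthenticatorPlugins:_array_index:0": '"DSAuth"',
    f"{PPP}:AuthenticatorEAPPlugins:_array_index:0": '"EAP-KRB"',
    f"{PPP}:AuthenticatorACLPlugins:_array_index:0": '"DSACL"',
}

LINE_RE = re.compile(r"^\s*([^\s=]+)\s*=\s*(.*?)\s*$")

def parse_settings(text: str) -> Dict[str, str]:
    """Turn serveradmin 'key = value' lines into a dict; values keep their quotes."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def missing_keys(settings: Dict[str, str]) -> List[str]:
    """Required authenticator keys that are absent or carry a different value."""
    return [k for k, v in REQUIRED.items() if settings.get(k) != v]

def fix_lines(settings: Dict[str, str]) -> List[str]:
    """'key = value' lines adding each missing key, in the form serveradmin
    settings accepts on stdin (the quotes around string values must survive)."""
    return [f"{k} = {REQUIRED[k]}" for k in missing_keys(settings)]

if __name__ == "__main__":
    # Replace SAMPLE_SETTINGS with the real dump, then pipe this output into:
    #   sudo serveradmin settings
    print("\n".join(fix_lines(parse_settings(SAMPLE_SETTINGS))))
```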

Jul 28, 2011 1:57 PM in response to Caledai

If you can help I will be so grateful.

I had a working Snow Leopard server that got corrupted under VMware, and I wound up killing both good copies, so I thought I might as well get my Lion server running. I have it running on a Mac Pro. I have verified all my settings match yours above and differ where they should, and here is what happens in my VPN log.


I see the connection, the client gets several addresses, and then they all hang up. Any ideas?


2011-07-28 14:53:01 MDT Incoming call... Address given to client = 192.168.199.214

Thu Jul 28 14:53:01 2011 : Directory Services Authentication plugin initialized

Thu Jul 28 14:53:01 2011 : Directory Services Authorization plugin initialized

Thu Jul 28 14:53:01 2011 : L2TP incoming call in progress from '107.29.171.11'...

Thu Jul 28 14:53:01 2011 : L2TP received SCCRQ

Thu Jul 28 14:53:01 2011 : L2TP sent SCCRP

2011-07-28 14:53:01 MDT Incoming call... Address given to client = 192.168.199.215

Thu Jul 28 14:53:01 2011 : Directory Services Authentication plugin initialized

Thu Jul 28 14:53:01 2011 : Directory Services Authorization plugin initialized

Thu Jul 28 14:53:01 2011 : L2TP incoming call in progress from '107.29.171.11'...

Thu Jul 28 14:53:01 2011 : L2TP received SCCRQ

Thu Jul 28 14:53:01 2011 : L2TP sent SCCRP

2011-07-28 14:53:03 MDT Incoming call... Address given to client = 192.168.199.216

Thu Jul 28 14:53:03 2011 : Directory Services Authentication plugin initialized

Thu Jul 28 14:53:03 2011 : Directory Services Authorization plugin initialized

Thu Jul 28 14:53:03 2011 : L2TP incoming call in progress from '107.29.171.11'...

Thu Jul 28 14:53:03 2011 : L2TP received SCCRQ

Thu Jul 28 14:53:03 2011 : L2TP sent SCCRP

2011-07-28 14:53:07 MDT Incoming call... Address given to client = 192.168.199.217

Thu Jul 28 14:53:07 2011 : Directory Services Authentication plugin initialized

Thu Jul 28 14:53:07 2011 : Directory Services Authorization plugin initialized

Thu Jul 28 14:53:07 2011 : L2TP incoming call in progress from '107.29.171.11'...

Thu Jul 28 14:53:07 2011 : L2TP received SCCRQ

Thu Jul 28 14:53:07 2011 : L2TP sent SCCRP

2011-07-28 14:53:11 MDT Incoming call... Address given to client = 192.168.199.218

Thu Jul 28 14:53:11 2011 : Directory Services Authentication plugin initialized

Thu Jul 28 14:53:11 2011 : Directory Services Authorization plugin initialized

Thu Jul 28 14:53:11 2011 : L2TP incoming call in progress from '107.29.171.11'...

Thu Jul 28 14:53:11 2011 : L2TP received SCCRQ

Thu Jul 28 14:53:11 2011 : L2TP sent SCCRP

2011-07-28 14:53:15 MDT Incoming call... Address given to client = 192.168.199.219

Thu Jul 28 14:53:15 2011 : Directory Services Authentication plugin initialized

Thu Jul 28 14:53:15 2011 : Directory Services Authorization plugin initialized

Thu Jul 28 14:53:15 2011 : L2TP incoming call in progress from '107.29.171.11'...

Thu Jul 28 14:53:15 2011 : L2TP received SCCRQ

Thu Jul 28 14:53:15 2011 : L2TP sent SCCRP

2011-07-28 14:53:19 MDT Incoming call... Address given to client = 192.168.199.220

Thu Jul 28 14:53:19 2011 : Directory Services Authentication plugin initialized

Thu Jul 28 14:53:19 2011 : Directory Services Authorization plugin initialized

Thu Jul 28 14:53:19 2011 : L2TP incoming call in progress from '107.29.171.11'...

Thu Jul 28 14:53:19 2011 : L2TP received SCCRQ

Thu Jul 28 14:53:19 2011 : L2TP sent SCCRP

2011-07-28 14:53:21 MDT --> Client with address = 192.168.199.214 has hungup

2011-07-28 14:53:21 MDT --> Client with address = 192.168.199.215 has hungup

2011-07-28 14:53:23 MDT --> Client with address = 192.168.199.216 has hungup

2011-07-28 14:53:27 MDT --> Client with address = 192.168.199.217 has hungup

2011-07-28 14:53:31 MDT --> Client with address = 192.168.199.218 has hungup

2011-07-28 14:53:35 MDT --> Client with address = 192.168.199.219 has hungup

2011-07-28 14:53:39 MDT --> Client with address = 192.168.199.220 has hungup
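To read a vpnd.log like the one above more systematically, here is an added example (not code from the thread) that groups the lines into per-client sessions, measures how long each address was held before the hangup, and flags tunnels whose last L2TP event was the server's SCCRP with nothing after it, which is the pattern every session in the posted log shows. The log excerpt is constructed in the page's format; the second session, which gets one step further (SCCCN), is added to show the contrast.

```python
import re
from datetime import datetime
from typing import Dict, List

# Constructed vpnd.log excerpt in the format shown in this thread. The first client
# stalls after the server's SCCRP; the second (added here) gets one step further.
SAMPLE_LOG = """\
2011-07-28 14:53:01 MDT Incoming call... Address given to client = 192.168.199.214
Thu Jul 28 14:53:01 2011 : L2TP received SCCRQ
Thu Jul 28 14:53:01 2011 : L2TP sent SCCRP
2011-07-28 14:53:03 MDT Incoming call... Address given to client = 192.168.199.215
Thu Jul 28 14:53:03 2011 : L2TP received SCCRQ
Thu Jul 28 14:53:03 2011 : L2TP sent SCCRP
Thu Jul 28 14:53:04 2011 : L2TP received SCCCN
2011-07-28 14:53:21 MDT --> Client with address = 192.168.199.214 has hungup
2011-07-28 14:53:23 MDT --> Client with address = 192.168.199.215 has hungup
"""

STAMP = r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ "
CALL_RE = re.compile(STAMP + r"Incoming call\.\.\. Address given to client = (\S+)")
HANGUP_RE = re.compile(STAMP + r"--> Client with address = (\S+) has hungup")
L2TP_RE = re.compile(r"^\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4} : L2TP (received|sent) (\w+)")

def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def analyze(log: str) -> Dict[str, dict]:
    """Group lines into sessions keyed by the address handed to the client. L2TP
    control lines carry no address, so they go to the most recently opened session."""
    sessions: Dict[str, dict] = {}
    current = None
    for line in log.splitlines():
        if m := CALL_RE.match(line):
            current = m.group(2)
            sessions[current] = {"start": _ts(m.group(1)), "end": None, "l2tp": []}
        elif m := HANGUP_RE.match(line):
            if m.group(2) in sessions:
                sessions[m.group(2)]["end"] = _ts(m.group(1))
        elif (m := L2TP_RE.match(line)) and current:
            sessions[current]["l2tp"].append(f"{m.group(1)} {m.group(2)}")
    return sessions

def hold_seconds(sessions: Dict[str, dict], addr: str) -> float:
    """Seconds between the address being handed out and the hangup (hung-up sessions only)."""
    return (sessions[addr]["end"] - sessions[addr]["start"]).total_seconds()

def stalled(sessions: Dict[str, dict]) -> List[str]:
    """Addresses whose tunnel ended right after the server's SCCRP: the client
    never completed the L2TP control connection before hanging up."""
    return [a for a, s in sessions.items()
            if s["end"] is not None and s["l2tp"] and s["l2tp"][-1] == "sent SCCRP"]
```

A stalled session means the L2TP control channel (and so the IPsec transport it rides on) never got past the first exchange, which points at the IPsec/NAT path rather than at PPP authentication, since no authentication lines appear before the hangup.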

Sep 21, 2011 12:56 PM in response to Sproctor61

First of all, I am new to servers, and Lion Server is my first experience related to very basic server functionality. However I thought I would share my experience on how I solved my problem with my iPhone 4.


I also had a problem connecting to the VPN server from my iPhone 4 while my MacBook Pro connected just fine. While debugging, I changed my shared secret to a simple alphanumeric string and suddenly both my iPhone and MacBook Pro connected just fine to the VPN server. I then started to omit symbols, one by one, from my original shared secret and found out that the " symbol was the character causing the problem. Now I have a strong shared secret with letters, numbers, and symbols, but without ", and it just works.


As I said before, I have very little experience with servers and I apologise if my suggestion is not at all related to your problems, they just sound like the problem I had.

Dec 6, 2011 2:31 AM in response to Sproctor61

Apple has fixed the typo in HT4748 (the erroneous space is no longer there).



http://support.apple.com/kb/HT4748



Even so, when following the instructions mentioned in HT4748 we have not been able to get PPTP to work, even on a vanilla Lion server.



Apple wants us to use the safer L2TP/IPSec solution, which would be great if Apple had actually implemented the UDP port 4500 NAT Traversal fallback properly so that it would be possible for NATted users in the same subnet to simultaneously use VPN (instead of being kicked out when someone else logs in, as is what happens now).



Very frustrated with Lion server...

Feb 3, 2012 4:42 AM in response to Ernst Mulder

Good news: 10.7.3 Server brings PPTP back to the GUI. One caveat: for servers upgraded from 10.7.2 some extra handling is required, as stated in (the new version of) http://support.apple.com/kb/HT4748, and PPTP is only available for Open Directory users, not local users (which is not an issue of course).

Basically it's just a matter of setting the correct policy for the vpn keyagent user (which might work with 10.7.2 as well).

Feb 10, 2012 7:50 AM in response to menzbua

menzbua wrote:


Okay, now it works for me. The missing config lines on my side are:


vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorProtocol:_array_index:0 = "MSCHAP2"

vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorPlugins:_array_index:0 = "DSAuth"

vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorEAPPlugins:_array_index:0 = "EAP-KRB"

vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorACLPlugins:_array_index:0 = "DSACL"


Now it works.

Thank you very much for your config post, @Caledai.


br

manuel


I viewed my VPN config and I found that it also is missing those entries. How did you open or edit the file to make the necessary changes (adding those entries)?


Thanks in advance!
