
VPN and iPhone 4

8219 Views 14 Replies Latest reply: Mar 2, 2012 7:42 AM by iSumi
Sproctor61 Level 1 (0 points)
Jul 26, 2011 1:17 PM

Anyone set up VPN on Lion Server yet and able to connect from their iPhone 4?  No luck here.

iMac, Mini, MBPro/Air, iPhone/iPad, Mac OS X (10.7)
  • Brad Bishop Level 1 (10 points)
    Jul 26, 2011 2:34 PM (in response to Sproctor61)

    I have the same problem. Set up Lion Server on my Mac Mini. Set up VPN. I can connect without any problems from my MacBook Pro to my mini's VPN while out and about (doing it right now, as a matter of fact).

     

    I cannot connect either my iPhone or my iPad to my Mac Mini's VPN in the same situation. I don't know what's up with it. I hope they come out with a fix for it.

     

    I used to use Snow Leopard's (not Server) built-in VPN and configured it using iVPN (it worked but it was a bit of a buggy pain - separate issue with iVPN, though). Anyway, with that setup my Macbook Pro, iPhone, and iPad all happily connected to my home network without any problems.

     

    I'd like this to all work as it's one of the primary reasons I paid extra for Lion Server.

  • ScottM Level 1 (120 points)
    Jul 26, 2011 5:31 PM (in response to Brad Bishop)

    +1

     

    Can't get Lion or iPhone4 or iPad2 to talk to Lion Server VPN on L2TP or PPTP.  Filed a bug report on this, but haven't heard back.  No filters, no firewalls, works fine from any of the above clients to L2TP on Snow Leopard Server -- I did note that the racoon configuration on Lion Server supports aes 256 whereas older server versions stuck with aes 128 -- but even when I thought I configured the two to be identical, Lion Server still wouldn't work for VPN.

  • serverleader Level 1 (0 points)
    Jul 26, 2011 10:51 PM (in response to ScottM)

    same problem here....

  • menzbua
    Jul 27, 2011 3:06 AM (in response to Sproctor61)
  • Caledai
    Jul 27, 2011 3:20 AM (in response to Sproctor61)

    Strangely enough - I managed to get mine working - and have it working on both Lion Client, iPhone 4 & my iPad.

     

    Although it was a nightmare to begin with - I initially was configuring it to PPTP - and had no end of trouble - that still doesn't work.

     

    Make sure your router is forwarding, and your firewall is not blocking.

    • PPTP / L2TP / GRE requests
    • TCP 1723  (PPTP)
    • UDP 1701 (L2TP)
    • UDP 500 (IKE)
    • UDP 4500 (ISAKMP - or however it's spelt)

     

    To check if packets are getting through, use the following in two terminal sessions (either via SSH or locally on the mini):

     

    tail -f -n 1 /var/log/ppp/vpnd.log
    sudo tcpdump tcp port 1723 or udp port 1701 or udp port 500 or udp port 4500 or proto 47

     

    To check your vpn config - run the following

     

    sudo serveradmin settings vpn

     

    Mine gives me this output (I trimmed out the PPTP and ID info):

    vpn:Servers:com.apple.ppp.l2tp:Server:LoadBalancingAddress = "1.2.3.4"
    vpn:Servers:com.apple.ppp.l2tp:Server:MaximumSessions = 128
    vpn:Servers:com.apple.ppp.l2tp:Server:LoadBalancingEnabled = 0
    vpn:Servers:com.apple.ppp.l2tp:Server:Logfile = "/var/log/ppp/vpnd.log"
    vpn:Servers:com.apple.ppp.l2tp:Server:VerboseLogging = 1
    vpn:Servers:com.apple.ppp.l2tp:DNS:OfferedSearchDomains:_array_index:0 = "fqdn"
    vpn:Servers:com.apple.ppp.l2tp:DNS:OfferedServerAddresses:_array_index:0 = "192.168.2.222"
    vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:0:SharedSecret = "1"
    vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:0:Address = "1.1.1.1"
    vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:1:SharedSecret = "2"
    vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:1:Address = "2.2.2.2"
    vpn:Servers:com.apple.ppp.l2tp:EAP:KerberosServicePrincipalName = "vpn/server.fqdn@SERVER.FQDN"
    vpn:Servers:com.apple.ppp.l2tp:enabled = yes
    vpn:Servers:com.apple.ppp.l2tp:Interface:SubType = "L2TP"
    vpn:Servers:com.apple.ppp.l2tp:Interface:Type = "PPP"
    vpn:Servers:com.apple.ppp.l2tp:PPP:LCPEchoFailure = 5
    vpn:Servers:com.apple.ppp.l2tp:PPP:DisconnectOnIdle = 1
    vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorEAPPlugins:_array_index:0 = "EAP-KRB"
    vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorACLPlugins:_array_index:0 = "DSACL"
    vpn:Servers:com.apple.ppp.l2tp:PPP:VerboseLogging = 1
    vpn:Servers:com.apple.ppp.l2tp:PPP:IPCPCompressionVJ = 0
    vpn:Servers:com.apple.ppp.l2tp:PPP:ACSPEnabled = 1
    vpn:Servers:com.apple.ppp.l2tp:PPP:LCPEchoInterval = 60
    vpn:Servers:com.apple.ppp.l2tp:PPP:LCPEchoEnabled = 1
    vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorProtocol:_array_index:0 = "MSCHAP2"
    vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorPlugins:_array_index:0 = "DSAuth"
    vpn:Servers:com.apple.ppp.l2tp:PPP:Logfile = "/var/log/ppp/vpnd.log"
    vpn:Servers:com.apple.ppp.l2tp:PPP:DisconnectOnIdleTimer = 7200
    vpn:Servers:com.apple.ppp.l2tp:IPSec:SharedSecretEncryption = "Keychain"
    vpn:Servers:com.apple.ppp.l2tp:IPSec:LocalIdentifier = ""
    vpn:Servers:com.apple.ppp.l2tp:IPSec:SharedSecret = "com.apple.ppp.l2tp"
    vpn:Servers:com.apple.ppp.l2tp:IPSec:AuthenticationMethod = "SharedSecret"
    vpn:Servers:com.apple.ppp.l2tp:IPSec:RemoteIdentifier = ""
    vpn:Servers:com.apple.ppp.l2tp:IPSec:IdentifierVerification = "None"
    vpn:Servers:com.apple.ppp.l2tp:IPSec:LocalCertificate = <>
    vpn:Servers:com.apple.ppp.l2tp:IPv4:ConfigMethod = "Manual"
    vpn:Servers:com.apple.ppp.l2tp:IPv4:DestAddressRanges:_array_index:0 = "192.168.2.70"
    vpn:Servers:com.apple.ppp.l2tp:IPv4:DestAddressRanges:_array_index:1 = "192.168.2.79"
    vpn:Servers:com.apple.ppp.l2tp:IPv4:OfferedRouteAddresses = _empty_array
    vpn:Servers:com.apple.ppp.l2tp:IPv4:OfferedRouteTypes = _empty_array
    vpn:Servers:com.apple.ppp.l2tp:IPv4:OfferedRouteMasks = _empty_array
    vpn:Servers:com.apple.ppp.l2tp:L2TP:Transport = "IPSec"
    vpn:Servers:com.apple.ppp.l2tp:L2TP:IPSecSharedSecretValue = "<SNIP>"


    To give you an overview

     

    • Scope - 192.168.2.0/24
    • Router - 192.168.2.1
    • Server - 192.168.2.222  (DHCP, DNS, OD, VPN etc)
    • L2TP Range - 192.168.2.70-79
    • PPTP Range - 192.168.2.80-89
    • DHCP Range - 192.168.2.100-150

     

    I found that after several attempts of flipping back and forth between DMZ and non DMZ model for 222, rebooting the server, rewriting settings etc via terminal I got it working - I can't tell you what exactly did it however.

     

    What I did have to do, however, was ensure that DHCP was not issuing a range allocated to either VPN, and manually re-write the settings needed for my DNS Server & DNS Domain provided to VPN clients. It was holding the IP of 15 as the DNS server, which is what I had as a DNS server while I was building this server clean.
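Caledai's point about keeping the DHCP scope out of the VPN client ranges can be checked mechanically. The following script is an added example, not code from the thread or from Apple: it reads the `DestAddressRanges` lines of a `serveradmin settings vpn` dump and reports any VPN range that the DHCP scope overlaps. The sample dump is constructed from the values quoted above; the two PPTP lines are assumed to have the same shape as the L2TP ones, using the 192.168.2.80-89 range from the overview.

```shell
#!/bin/sh
# Added example, not from the thread: verify that the DHCP scope does not
# overlap the L2TP/PPTP client address ranges in "serveradmin settings vpn".
# Only awk and printf are used, so it runs with the stock macOS tools.

# Constructed sample: the two L2TP lines are the ones quoted above; the PPTP
# lines are assumed to look the same, with the 192.168.2.80-89 range from the
# overview.
SAMPLE_VPN_SETTINGS='vpn:Servers:com.apple.ppp.l2tp:IPv4:DestAddressRanges:_array_index:0 = "192.168.2.70"
vpn:Servers:com.apple.ppp.l2tp:IPv4:DestAddressRanges:_array_index:1 = "192.168.2.79"
vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:0 = "192.168.2.80"
vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:1 = "192.168.2.89"'

# check_dhcp_overlap SETTINGS DHCP_FIRST DHCP_LAST
# Prints "ok" (exit 0) or one "overlap <service>" line per clashing VPN range
# (exit 1). Addresses are compared as 32-bit numbers, not as last octets, so
# it also works for ranges that cross an octet boundary.
check_dhcp_overlap() {
    printf '%s\n' "$1" | awk -v ds="$2" -v de="$3" '
        function ip2n(ip,   p) {
            split(ip, p, ".")
            return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4]
        }
        /:IPv4:DestAddressRanges:_array_index:[01] = / {
            split($1, k, ":")          # k[3] = com.apple.ppp.l2tp|pptp, k[7] = 0|1
            svc = k[3]; sub(/^com\.apple\.ppp\./, "", svc)
            val = $3; gsub(/"/, "", val)
            if (k[7] == "0") lo[svc] = ip2n(val); else hi[svc] = ip2n(val)
        }
        END {
            d0 = ip2n(ds); d1 = ip2n(de); bad = 0
            for (s in lo)
                if (lo[s] <= d1 && hi[s] >= d0) { printf "overlap %s\n", s; bad = 1 }
            if (!bad) print "ok"
            exit bad
        }'
}

# Live use on the server (not run here):
#   check_dhcp_overlap "$(sudo serveradmin settings vpn)" 192.168.2.100 192.168.2.150
```

With the ranges from the overview (L2TP 70-79, PPTP 80-89, DHCP 100-150) the check prints `ok`; a DHCP scope such as 192.168.2.60-85 is reported as overlapping both VPN ranges, which is the situation Caledai had to fix by hand.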

  • menzbua Level 1 (0 points)
    Jul 27, 2011 3:36 AM (in response to Sproctor61)

    Okay, now it works for me. The missing config lines on my side are:

    vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorProtocol:_array_index:0 = "MSCHAP2"
    vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorPlugins:_array_index:0 = "DSAuth"
    vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorEAPPlugins:_array_index:0 = "EAP-KRB"
    vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorACLPlugins:_array_index:0 = "DSACL"

    Now it works.

    Thank you very much for your config post, @Caledai.

    br

    manuel

  • Nessts Level 1 (0 points)
    Jul 28, 2011 1:57 PM (in response to Caledai)

    If you can help I will be so grateful.

    I had a working Snow Leopard server that got corrupted under VMware, and I wound up killing both good copies, so I thought I might as well get my Lion Server running. I have it running on a Mac Pro. I have verified that all my settings match yours above and differ where they should, and here is what happens in my VPN log.

     

    I see the connection, the client gets several addresses, and then they all hang up. Any ideas?

     

    2011-07-28 14:53:01 MDT Incoming call... Address given to client = 192.168.199.214
    Thu Jul 28 14:53:01 2011 : Directory Services Authentication plugin initialized
    Thu Jul 28 14:53:01 2011 : Directory Services Authorization plugin initialized
    Thu Jul 28 14:53:01 2011 : L2TP incoming call in progress from '107.29.171.11'...
    Thu Jul 28 14:53:01 2011 : L2TP received SCCRQ
    Thu Jul 28 14:53:01 2011 : L2TP sent SCCRP
    2011-07-28 14:53:01 MDT Incoming call... Address given to client = 192.168.199.215
    Thu Jul 28 14:53:01 2011 : Directory Services Authentication plugin initialized
    Thu Jul 28 14:53:01 2011 : Directory Services Authorization plugin initialized
    Thu Jul 28 14:53:01 2011 : L2TP incoming call in progress from '107.29.171.11'...
    Thu Jul 28 14:53:01 2011 : L2TP received SCCRQ
    Thu Jul 28 14:53:01 2011 : L2TP sent SCCRP
    2011-07-28 14:53:03 MDT Incoming call... Address given to client = 192.168.199.216
    Thu Jul 28 14:53:03 2011 : Directory Services Authentication plugin initialized
    Thu Jul 28 14:53:03 2011 : Directory Services Authorization plugin initialized
    Thu Jul 28 14:53:03 2011 : L2TP incoming call in progress from '107.29.171.11'...
    Thu Jul 28 14:53:03 2011 : L2TP received SCCRQ
    Thu Jul 28 14:53:03 2011 : L2TP sent SCCRP
    2011-07-28 14:53:07 MDT Incoming call... Address given to client = 192.168.199.217
    Thu Jul 28 14:53:07 2011 : Directory Services Authentication plugin initialized
    Thu Jul 28 14:53:07 2011 : Directory Services Authorization plugin initialized
    Thu Jul 28 14:53:07 2011 : L2TP incoming call in progress from '107.29.171.11'...
    Thu Jul 28 14:53:07 2011 : L2TP received SCCRQ
    Thu Jul 28 14:53:07 2011 : L2TP sent SCCRP
    2011-07-28 14:53:11 MDT Incoming call... Address given to client = 192.168.199.218
    Thu Jul 28 14:53:11 2011 : Directory Services Authentication plugin initialized
    Thu Jul 28 14:53:11 2011 : Directory Services Authorization plugin initialized
    Thu Jul 28 14:53:11 2011 : L2TP incoming call in progress from '107.29.171.11'...
    Thu Jul 28 14:53:11 2011 : L2TP received SCCRQ
    Thu Jul 28 14:53:11 2011 : L2TP sent SCCRP
    2011-07-28 14:53:15 MDT Incoming call... Address given to client = 192.168.199.219
    Thu Jul 28 14:53:15 2011 : Directory Services Authentication plugin initialized
    Thu Jul 28 14:53:15 2011 : Directory Services Authorization plugin initialized
    Thu Jul 28 14:53:15 2011 : L2TP incoming call in progress from '107.29.171.11'...
    Thu Jul 28 14:53:15 2011 : L2TP received SCCRQ
    Thu Jul 28 14:53:15 2011 : L2TP sent SCCRP
    2011-07-28 14:53:19 MDT Incoming call... Address given to client = 192.168.199.220
    Thu Jul 28 14:53:19 2011 : Directory Services Authentication plugin initialized
    Thu Jul 28 14:53:19 2011 : Directory Services Authorization plugin initialized
    Thu Jul 28 14:53:19 2011 : L2TP incoming call in progress from '107.29.171.11'...
    Thu Jul 28 14:53:19 2011 : L2TP received SCCRQ
    Thu Jul 28 14:53:19 2011 : L2TP sent SCCRP
    2011-07-28 14:53:21 MDT    --> Client with address = 192.168.199.214 has hungup
    2011-07-28 14:53:21 MDT    --> Client with address = 192.168.199.215 has hungup
    2011-07-28 14:53:23 MDT    --> Client with address = 192.168.199.216 has hungup
    2011-07-28 14:53:27 MDT    --> Client with address = 192.168.199.217 has hungup
    2011-07-28 14:53:31 MDT    --> Client with address = 192.168.199.218 has hungup
    2011-07-28 14:53:35 MDT    --> Client with address = 192.168.199.219 has hungup
    2011-07-28 14:53:39 MDT    --> Client with address = 192.168.199.220 has hungup
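The log above shows the same pattern seven times: an address is handed out, the L2TP control connection completes its SCCRQ/SCCRP exchange, nothing further is logged, and the client hangs up about 20 seconds later. As an added example (not part of Nessts's post or of Apple's tooling), the following shell/awk script turns a vpnd.log in this format into per-client session lengths so that the pattern can be spotted without reading the log by hand. The sample log is constructed from a few of the lines quoted above, with one session deliberately left without a hangup line.

```shell
#!/bin/sh
# Added example, not from the thread: pair each "Incoming call ... Address
# given to client" line in /var/log/ppp/vpnd.log with the matching
# "has hungup" line and report how long every session lived.

# Constructed sample in the format quoted above (one session left open).
SAMPLE_VPND_LOG='2011-07-28 14:53:01 MDT Incoming call... Address given to client = 192.168.199.214
Thu Jul 28 14:53:01 2011 : L2TP received SCCRQ
Thu Jul 28 14:53:01 2011 : L2TP sent SCCRP
2011-07-28 14:53:01 MDT Incoming call... Address given to client = 192.168.199.215
2011-07-28 14:53:03 MDT Incoming call... Address given to client = 192.168.199.216
2011-07-28 14:53:21 MDT    --> Client with address = 192.168.199.214 has hungup
2011-07-28 14:53:23 MDT    --> Client with address = 192.168.199.216 has hungup'

# vpnd_session_lengths LOGTEXT
# One line per session: "<client address> <seconds>", in hangup order, then
# "<client address> open" for sessions with no hangup line. Times are taken
# from the HH:MM:SS field only, so a session spanning midnight is not handled.
vpnd_session_lengths() {
    printf '%s\n' "$1" | awk '
        function secs(t,   p) { split(t, p, ":"); return p[1] * 3600 + p[2] * 60 + p[3] }
        /Incoming call\.\.\. Address given to client = / { start[$NF] = secs($2) }
        /--> Client with address = .* has hungup/ {
            ip = $(NF - 2)
            if (ip in start) {
                printf "%s %d\n", ip, secs($2) - start[ip]
                delete start[ip]
            }
        }
        END { for (ip in start) printf "%s open\n", ip }'
}

# vpnd_short_sessions LOGTEXT THRESHOLD_SECONDS
# Number of completed sessions shorter than the threshold, a quick way to
# spot the "everyone connects, then everyone hangs up" pattern.
vpnd_short_sessions() {
    vpnd_session_lengths "$1" | awk -v thr="$2" '
        $2 != "open" && $2 + 0 < thr { n++ }
        END { print n + 0 }'
}

# Live use on the server (not run here):
#   vpnd_session_lengths "$(cat /var/log/ppp/vpnd.log)"
#   vpnd_short_sessions "$(cat /var/log/ppp/vpnd.log)" 30
```

On the sample the script reports 20-second sessions for .214 and .216 and leaves .215 marked `open`; on Nessts's full log every one of the seven sessions would come out at 20 seconds, which is the kind of uniform, short lifetime that points at the tunnel negotiation rather than at any one client.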

  • ScottM Level 1 (120 points)
    Jul 28, 2011 2:01 PM (in response to Nessts)

    Really wish I could help with that Nessts - same problem I've been having with Lion's VPN server.  No amount of tweaking the settings nor PPTP vs L2TP has assisted.  I have a bug report open with Apple on this one, but, yeah, that's a one-way conversation, one doesn't usually hear back.  Shame.

  • runev
    Sep 21, 2011 12:56 PM (in response to Sproctor61)

    First of all, I am new to servers, and Lion Server is my first experience related to very basic server functionality. However, I thought I would share my experience of how I solved my problem with my iPhone 4.

    I also had problems connecting to the VPN server from my iPhone 4 while my MacBook Pro connected just fine. While debugging, I changed my shared secret to a simple alphanumeric string and suddenly both my iPhone and MacBook Pro connected just fine to the VPN server. I then started to omit symbols, one by one, from my original shared secret and found out that the " symbol was the character causing the problem. Now I have a strong shared secret with letters, numbers, and symbols, but without " and it just works.

     

    As I said before, I have very little experience with servers and I apologise if my suggestion is not at all related to your problems, they just sound like the problem I had.

  • Nessts Level 1 (0 points)
    Sep 21, 2011 1:25 PM (in response to runev)

    Gave a passphrase with numbers and letters only, and it still only works internally. Apple, through my Select support agreement, has acknowledged that this is a common problem with no solution ETA.

  • Ernst Mulder
    Dec 6, 2011 2:31 AM (in response to Sproctor61)

    Apple has fixed the typo in HT4748 (the erroneous space is no longer there).

     

     

    http://support.apple.com/kb/HT4748

     

     

    Even so, when following the instructions mentioned in HT4748 we have not been able to get PPTP to work, even on a vanilla Lion server.

     

     

    Apple wants us to use the safer L2TP/IPSec solution, which would be great if Apple had actually implemented the UDP port 4500 NAT Traversal fallback properly, so that it would be possible for NATted users in the same subnet to simultaneously use VPN (instead of being kicked out when someone else logs in, as is what happens now).

     

     

    Very frustrated with Lion server...

  • Ernst Mulder Level 1 (5 points)
    Feb 3, 2012 4:42 AM (in response to Ernst Mulder)

    Good news, 10.7.3 Server brings PPTP back to the GUI. One caveat: for servers upgraded from 10.7.2 some extra handling is required as stated in (the new version of) http://support.apple.com/kb/HT4748, and PPTP is only available for Open Directory users, not local users (which is not an issue of course).

    Basically it's just a matter of setting the correct policy for the vpn keyagent user (which might work with 10.7.2 as well).

  • KNicklow Level 1 (0 points)
    Feb 10, 2012 7:50 AM (in response to menzbua)

    menzbua wrote:

    Okay, now it works for me. The missing config lines on my side are:

    vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorProtocol:_array_index:0 = "MSCHAP2"
    vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorPlugins:_array_index:0 = "DSAuth"
    vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorEAPPlugins:_array_index:0 = "EAP-KRB"
    vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorACLPlugins:_array_index:0 = "DSACL"

    Now it works.

    Thank you very much for your config post, @Caledai.

    br

    manuel

    I viewed my VPN config and I found that it also is missing those entries. How did you open or edit the file to make the necessary changes (adding those entries)?

     

    Thanks in advance!
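KNicklow's question (how to add the entries menzbua listed) and runev's finding (a double quote in the shared secret broke iPhone logins) can both be handled from the same `serveradmin settings vpn` dump. The script below is an added example, not code from the thread or from Apple: it lists which of menzbua's four authenticator keys are absent, prints them in the `key = value` form that `serveradmin settings` accepts, and flags a double quote in the L2TP shared secret. The sample dump is constructed, with two of the four keys left out and a deliberately bad secret; the values of the four keys are the ones menzbua quoted, and piping lines into `serveradmin settings` relies on serveradmin reading `key = value` lines on standard input.

```shell
#!/bin/sh
# Added example, not from the thread: compare a "serveradmin settings vpn"
# dump against the four PPP authenticator keys menzbua had to add, print the
# missing ones in the form serveradmin accepts, and check the L2TP shared
# secret for the double-quote character runev found to break iPhone logins.

# The four settings from menzbua's post, values as quoted there.
REQUIRED_AUTH_SETTINGS='vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorProtocol:_array_index:0 = "MSCHAP2"
vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorPlugins:_array_index:0 = "DSAuth"
vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorEAPPlugins:_array_index:0 = "EAP-KRB"
vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorACLPlugins:_array_index:0 = "DSACL"'

# Constructed sample dump: two of the four keys absent, and a shared secret
# that contains a double quote.
SAMPLE_DUMP='vpn:Servers:com.apple.ppp.l2tp:enabled = yes
vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorProtocol:_array_index:0 = "MSCHAP2"
vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorPlugins:_array_index:0 = "DSAuth"
vpn:Servers:com.apple.ppp.l2tp:L2TP:IPSecSharedSecretValue = "p4ss"word"'

# missing_auth_settings DUMP
# Prints every required "key = value" line whose key is absent from DUMP.
missing_auth_settings() {
    printf '%s\n' "$REQUIRED_AUTH_SETTINGS" | while IFS= read -r line; do
        key=${line%% = *}                       # text before " = "
        printf '%s\n' "$1" | grep -qF "$key = " || printf '%s\n' "$line"
    done
}

# shared_secret_has_quote DUMP
# Exit 0 if the L2TP IPSec shared secret contains a double quote, else 1.
shared_secret_has_quote() {
    printf '%s\n' "$1" | awk '
        /:L2TP:IPSecSharedSecretValue = / {
            v = $0; sub(/^[^=]* = /, "", v)        # keep the quoted value
            v = substr(v, 2, length(v) - 2)         # strip the outer quotes
            if (index(v, "\"") > 0) found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# Live use on the server (not run here). serveradmin reads "key = value"
# lines on standard input, so the missing lines can be piped straight in,
# after which the service is restarted to pick them up:
#   missing_auth_settings "$(sudo serveradmin settings vpn)" | sudo serveradmin settings
#   sudo serveradmin stop vpn && sudo serveradmin start vpn
#   shared_secret_has_quote "$(sudo serveradmin settings vpn)" && echo 'secret contains "'
```

Run against the sample dump, `missing_auth_settings` prints the `AuthenticatorEAPPlugins` and `AuthenticatorACLPlugins` lines and nothing else, and `shared_secret_has_quote` succeeds; against a dump that already carries all four keys it prints nothing, so piping its output into `serveradmin settings` is a no-op.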

  • iSumi Level 1 (10 points)
    Mar 2, 2012 7:42 AM (in response to Ernst Mulder)
