PPTP VPN errors, 10.7

Question

Level 1

100 points

PPTP VPN errors, 10.7

Hi,

I have been trying to get the PPTP VPN service working in Lion with no luck and wanted to see if anyone can help...

I found this document - http://support.apple.com/kb/HT4748 - and went over the instructions and entered the relevant settings into Terminal. This is what I entered:

bash-3.2# serveradmin settings

vpn:Servers:com.apple.ppp.pptp:enabled = yes

vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:0 = 192.168.2.236

vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:1 = 192.168.2.240

vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorProtocol:_array_ index:0 = MSCHAP2

vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorPlugins:_array_index:0 = DSAuth

vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize40 = 1

vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize128 = 1

After pressing ctrl-d to save, this is what was returned:

vpn:Servers:com.apple.ppp.pptp:enabled = yes

vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorProtocol = _empty_array

vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize40 = 0

vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize128 = 1

vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorPlugins:_array_index:0 = "DSAuth"

vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:0 = "192.168.2.224"

vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:1 = "192.168.2.254"

So, straight away it seems that there is problem - the 'AuthenticatorProtocol' setting hasn't taken nor has the starting and ending addresses or 40bit key setting. When setting up a connection from a client I get the following errors in the VPN logs on the server:

2011-08-02 17:41:33 BST Incoming call... Address given to client = 192.168.2.224

Tue Aug 2 17:41:33 2011 : Directory Services Authentication plugin initialized

Tue Aug 2 17:41:33 2011 : Directory Services Authorization plugin initialized

Tue Aug 2 17:41:33 2011 : PPTP incoming call in progress from '192.168.2.20'...

Tue Aug 2 17:41:33 2011 : PPTP connection established.

Tue Aug 2 17:41:33 2011 : using link 0

Tue Aug 2 17:41:33 2011 : Using interface ppp0

Tue Aug 2 17:41:33 2011 : Connect: ppp0 <--> socket[34:17]

Tue Aug 2 17:41:33 2011 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x658dba54> <pcomp> <accomp>]

Tue Aug 2 17:41:34 2011 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x343c484c> <pcomp> <accomp>]

Tue Aug 2 17:41:34 2011 : lcp_reqci: returning CONFACK.

Tue Aug 2 17:41:34 2011 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x343c484c> <pcomp> <accomp>]

Tue Aug 2 17:41:36 2011 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x658dba54> <pcomp> <accomp>]

Tue Aug 2 17:41:36 2011 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x658dba54> <pcomp> <accomp>]

Tue Aug 2 17:41:36 2011 : sent [LCP EchoReq id=0x0 magic=0x658dba54]

Tue Aug 2 17:41:36 2011 : sent [CHAP Challenge id=0x19 <5856042b4d496d0d7628283f036a342a>, name = "test1.example.com"]

Tue Aug 2 17:41:36 2011 : rcvd [LCP EchoReq id=0x0 magic=0x343c484c]

Tue Aug 2 17:41:36 2011 : sent [LCP EchoRep id=0x0 magic=0x658dba54]

Tue Aug 2 17:41:36 2011 : rcvd [LCP EchoRep id=0x0 magic=0x343c484c]

Tue Aug 2 17:41:37 2011 : rcvd [CHAP Response id=0x19 <1e54910872fb421f0c33a14170a86ae50000000000000000ec5a9244356ad3301e54400736f5c6 ab5e2efcdb72c1b32100>, name = "admin"]

Tue Aug 2 17:41:37 2011 : DSAuth plugin: Failed to retrieve MPPE encryption keys from the password server.

Tue Aug 2 17:41:37 2011 : sent [CHAP Success id=0x19 "S=19042A45445ADAAB6BD0356FC1CB5EFFD3130904 M=Access granted"]

Tue Aug 2 17:41:37 2011 : CHAP peer authentication succeeded for admin

Tue Aug 2 17:41:37 2011 : DSAccessControl plugin: User 'admin' authorized for access

Tue Aug 2 17:41:37 2011 : MPPE required, but keys are not available. Possible plugin problem?

Tue Aug 2 17:41:37 2011 : sent [LCP TermReq id=0x2 "MPPE required but not available"]

Tue Aug 2 17:41:37 2011 : Connection terminated.

Tue Aug 2 17:41:37 2011 : Connect time 0.1 minutes.

Tue Aug 2 17:41:37 2011 : Sent 0 bytes, received 0 bytes.

Tue Aug 2 17:41:37 2011 : PPTP disconnecting...

Tue Aug 2 17:41:37 2011 : PPTP disconnected

2011-08-02 17:41:37 BST --> Client with address = 192.168.2.224 has hungup

I have dug around and seen that the 'DSAuth plugin: Failed to retrieve MPPE encryption keys from the password server' error is not a new one and has been seen before in upgrades to 10.4, 10.5 and 10.6, however everything that is suggested in those threads doesn't resolve this problem - I still get the same errors in the log.

I have tried rebuilding the keyagentuser (sudo vpnaddkeyagentuser /LDAPv3/127.0.0.1 - this is the OD master as well as VPN server) with no luck and have re-entered the sudo serveradmin settings above again, with no change.

I don't know enough about how the VPN service works to know what to do/try next and documentation/discussions on this are thin on the ground - if anyone has any idea, it would be great to kow!

Thanks

JS

MacBook Pro, Mac OS X (10.6.8)

Posted on Aug 2, 2011 10:56 AM

Reply

Answer 1

Aug 4, 2011 12:03 PM in response to James Spong

Got the same problem here.

I tried re-ordering some of the entries you have to put into the serveradmin command which resulted in having more of them being accepted. The only one that was never accepted

was vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorProtocol:_array_ index:0 = MSCHAP2.

So I am still stuck at the same error messages you see.

Reply

Answer 2

Aug 4, 2011 4:23 PM in response to cryptochrome

James,

I changed the com.apple.ppp to my domain.

My input was:

sudo serveradmin settings

Password:

vpn:Servers:net.domain.mms.pptp:enabled = yes

vpn:Servers:net.domain.mms.pptp:IPv4:DestAddressRanges:_array_index:0 = 10.0.0.64

vpn:Servers:net.domain.mms.pptp:IPv4:DestAddressRanges:_array_index:1 = 10.0.0.90

vpn:Servers:net.domain.mms.pptp:PPP:AuthenticatorProtocol:_array_ index:0 = MSCHAP2

vpn:Servers:net.domain.mms.pptp:PPP:AuthenticatorPlugins:_array_index:0 = DSAuth

vpn:Servers:net.domain.mms.pptp:PPP:MPPEKeySize40 = 1

vpn:Servers:net.domain.mms.pptp:PPP:MPPEKeySize128 = 1

ctrl+d

The output I recieved was:

2011-08-04 13:10:34.029 serveradmin[6681:307] -[__NSCFDictionary objectAtIndex:]: unrecognized selector sent to instance 0x7f984043c080

2011-08-04 13:10:34.076 serveradmin[6681:307] Exception in doCommand for module servermgr_vpn on thread 0x7f9840416d40: -[__NSCFDictionary objectAtIndex:]: unrecognized selector sent to instance 0x7f984043c080

2011-08-04 13:10:34.077 serveradmin[6681:307] --request was {

command = writeSettings;

configuration = {

Servers = {

"net.4pads.mms.pptp" = {

IPv4 = {

DestAddressRanges = (

"10.0.0.64",

"10.0.0.90"

);

};

PPP = {

AuthenticatorPlugins = (

DSAuth

);

AuthenticatorProtocol = {

"_array_ index" = {

0 = MSCHAP2;

};

MPPEKeySize128 = 1;

MPPEKeySize40 = 1;

};

enabled = 1;

};

}

mms:~ admin$

The connection fails with the message:

The PPTP-VPN server did not respond. Try reconnecting. If the problem continues, verify your settings and contact your Administrator.

I am trying to figure out how to determine if the server is running. Any ideas?

James

Reply

Answer 3

Aug 4, 2011 4:34 PM in response to James Brochtrup

Found the command to check the vpn settings.

sudo serveradmin settings vpn

Here is another thread on the subject:

https://discussions.apple.com/thread/3214672?answerId=15759817022#15759817022

Reply

Answer 4

Aug 4, 2011 11:29 PM in response to James Spong

I got it working now. Don't ask me how I did it exactly. I was shuffeling around the entries to the serveradmin until each and everyone was accepted. It seems you need to add the entries in the right order. The pptp enable must be the last one because that will always return to off unless all other settings are already set up.

Reply

Answer 5

James Spong Author

Level 1

100 points

Aug 5, 2011 2:45 AM in response to cryptochrome

the command for checking if it's running is:

sudo serveradmin status or fullstatus vpn

Can you post the order that you entered the commands? I'll try changing the order now

Thanks

Reply

Answer 6

mgilan

Level 1

8 points

Aug 9, 2011 4:07 AM in response to James Spong

Hi,

I have the same issue after upgrading from SL to Lion Server. I think the problem is with:

...
Tue Aug 9 11:49:43 2011 : DSAuth plugin: Failed to retrieve MPPE encryption keys from the password server.
...
Tue Aug 9 11:49:44 2011 : MPPE required, but keys are not available. Possible plugin problem?

...

Also the workaround with vpnaddkeyagentuser is not working for me beacuse I'm not able to use my admin user when it asks for it.

Reply

Answer 7

James Spong Author

Level 1

100 points

Aug 9, 2011 4:42 AM in response to mgilan

Hi,

The suggested workaround didn't ork for me either. But, make sure that you are using your OD credentials when authenticating as you need to re-add the vpnaddkeyagentuser for the OD node, not the local node.

I have been trying the commands in different orders as suggested by 'cryptochrome', but not having any luck - has anyone else changed the order and got pptp working?

Reply

Answer 8

mgilan

Level 1

8 points

Aug 9, 2011 5:40 AM in response to James Spong

I'm using this as home server so I never really used OD. Just after upgrade to Lion I deleted some users and created them again thru the new Server.app. So I thought the OD admin will be my local admin. I was looking into the LDAP tree and found user diradmin, but I'm not sure if I can change his password.

Reply

Answer 9

Aug 10, 2011 8:11 PM in response to cryptochrome

Yes can you please post the order you used to get it working?

Thanks!

Reply

Answer 10

Aug 11, 2011 1:17 AM in response to gtrazanka

I don't remember the exact order, sorry. I made sure that I always set those options first that would be needed by the options I entered after that. e.g. I enabled the PPTP service at the very end after all other settings were set because else the service would not start.

You have to play around with this and use the order that makes the most logical sense. What also helps is setting the commands in increments (one command, exit utility, start utility, next command, exit utility... you get the idea).

Reply

Answer 11

Oct 21, 2011 4:23 PM in response to James Spong

Hello James!

You saw the typo in HT4748?

There is no blank at vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorProtocol:_array_index:0 = MSCHAP2

between "array_" and "index".

But for me this does not help, either. Still no luck.

Stopped vpn

set things up as mentioned in HT4748

removed vpn-key-user with directory editor

created a new one with vpnkey....

started vpn

Still the same problem :-(

Bye

Reply

Answer 12

sfatula

Level 2

158 points

Oct 30, 2011 5:43 PM in response to Christoph Ewering1

Seems to just be broken. I would bet you could turn encryption off and it would work fine. Seems to be a problem when using OD, likely works without OD but that's useless. As is using it without encryption.

Has anyone tried Apple tech support?

Reply

Answer 13

sfatula

Level 2

158 points

Oct 31, 2011 12:43 PM in response to sfatula

So, I called and opened up a case. Turns out I am not the only one (as you may have guessed). The response I got is that it is a known issue with no current useable workaround (disabling encryption is not useable). But, they are working on it. I volunteered to be a tester should they come up with a patch, etc.

Reply