
PPTP VPN errors, 10.7

Hi,


I have been trying to get the PPTP VPN service working in Lion with no luck and wanted to see if anyone can help...


I found this document - http://support.apple.com/kb/HT4748 - and went over the instructions and entered the relevant settings into Terminal. This is what I entered:


bash-3.2# serveradmin settings

vpn:Servers:com.apple.ppp.pptp:enabled = yes

vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:0 = 192.168.2.236

vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:1 = 192.168.2.240

vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorProtocol:_array_index:0 = MSCHAP2

vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorPlugins:_array_index:0 = DSAuth

vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize40 = 1

vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize128 = 1


After pressing ctrl-d to save, this is what was returned:


vpn:Servers:com.apple.ppp.pptp:enabled = yes

vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorProtocol = _empty_array

vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize40 = 0

vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize128 = 1

vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorPlugins:_array_index:0 = "DSAuth"

vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:0 = "192.168.2.224"

vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:1 = "192.168.2.254"


So, straight away it seems that there is problem - the 'AuthenticatorProtocol' setting hasn't taken nor has the starting and ending addresses or 40bit key setting. When setting up a connection from a client I get the following errors in the VPN logs on the server:


2011-08-02 17:41:33 BST Incoming call... Address given to client = 192.168.2.224

Tue Aug 2 17:41:33 2011 : Directory Services Authentication plugin initialized

Tue Aug 2 17:41:33 2011 : Directory Services Authorization plugin initialized

Tue Aug 2 17:41:33 2011 : PPTP incoming call in progress from '192.168.2.20'...

Tue Aug 2 17:41:33 2011 : PPTP connection established.

Tue Aug 2 17:41:33 2011 : using link 0

Tue Aug 2 17:41:33 2011 : Using interface ppp0

Tue Aug 2 17:41:33 2011 : Connect: ppp0 <--> socket[34:17]

Tue Aug 2 17:41:33 2011 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x658dba54> <pcomp> <accomp>]

Tue Aug 2 17:41:34 2011 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x343c484c> <pcomp> <accomp>]

Tue Aug 2 17:41:34 2011 : lcp_reqci: returning CONFACK.

Tue Aug 2 17:41:34 2011 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x343c484c> <pcomp> <accomp>]

Tue Aug 2 17:41:36 2011 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x658dba54> <pcomp> <accomp>]

Tue Aug 2 17:41:36 2011 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x658dba54> <pcomp> <accomp>]

Tue Aug 2 17:41:36 2011 : sent [LCP EchoReq id=0x0 magic=0x658dba54]

Tue Aug 2 17:41:36 2011 : sent [CHAP Challenge id=0x19 <5856042b4d496d0d7628283f036a342a>, name = "test1.example.com"]

Tue Aug 2 17:41:36 2011 : rcvd [LCP EchoReq id=0x0 magic=0x343c484c]

Tue Aug 2 17:41:36 2011 : sent [LCP EchoRep id=0x0 magic=0x658dba54]

Tue Aug 2 17:41:36 2011 : rcvd [LCP EchoRep id=0x0 magic=0x343c484c]

Tue Aug 2 17:41:37 2011 : rcvd [CHAP Response id=0x19 <1e54910872fb421f0c33a14170a86ae50000000000000000ec5a9244356ad3301e54400736f5c6ab5e2efcdb72c1b32100>, name = "admin"]

Tue Aug 2 17:41:37 2011 : DSAuth plugin: Failed to retrieve MPPE encryption keys from the password server.

Tue Aug 2 17:41:37 2011 : sent [CHAP Success id=0x19 "S=19042A45445ADAAB6BD0356FC1CB5EFFD3130904 M=Access granted"]

Tue Aug 2 17:41:37 2011 : CHAP peer authentication succeeded for admin

Tue Aug 2 17:41:37 2011 : DSAccessControl plugin: User 'admin' authorized for access

Tue Aug 2 17:41:37 2011 : MPPE required, but keys are not available. Possible plugin problem?

Tue Aug 2 17:41:37 2011 : sent [LCP TermReq id=0x2 "MPPE required but not available"]

Tue Aug 2 17:41:37 2011 : Connection terminated.

Tue Aug 2 17:41:37 2011 : Connect time 0.1 minutes.

Tue Aug 2 17:41:37 2011 : Sent 0 bytes, received 0 bytes.

Tue Aug 2 17:41:37 2011 : PPTP disconnecting...

Tue Aug 2 17:41:37 2011 : PPTP disconnected

2011-08-02 17:41:37 BST --> Client with address = 192.168.2.224 has hungup


I have dug around and seen that the 'DSAuth plugin: Failed to retrieve MPPE encryption keys from the password server' error is not a new one and has been seen before in upgrades to 10.4, 10.5 and 10.6, however everything that is suggested in those threads doesn't resolve this problem - I still get the same errors in the log.


I have tried rebuilding the keyagentuser (sudo vpnaddkeyagentuser /LDAPv3/127.0.0.1 - this is the OD master as well as VPN server) with no luck and have re-entered the sudo serveradmin settings above again, with no change.


I don't know enough about how the VPN service works to know what to do/try next and documentation/discussions on this are thin on the ground - if anyone has any idea, it would be great to know!


Thanks


JS

MacBook Pro, Mac OS X (10.6.8)

Posted on Aug 2, 2011 10:56 AM

33 replies
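The post above shows the core problem: serveradmin accepted the stanza but silently echoed back different values (an empty AuthenticatorProtocol array, MPPEKeySize40 reset to 0, different address range endpoints). The following is an added example, not code from the thread or from Apple: it renders a `serveradmin settings` stanza from a dict, parses what serveradmin prints back, and reports every requested key that was dropped or changed, so a mistyped key (for example a stray space inside `_array_index`) or a rejected value shows up immediately instead of only in a failed client connection. The keys and values are the ones from the post; the ECHOED sample is copied from the post's output, and serveradmin itself is not invoked. It also flags settings a practitioner would not want in the first place: MS-CHAPv2 responses can be cracked offline (the exchange reduces to a single DES key search) and MPPE is RC4, with 40-bit keys weaker still.

```python
"""Build a `serveradmin settings` stanza for the Lion Server VPN service and
check that what serveradmin echoes back is what was requested.

Added example for this thread, not Apple code. The keys and values are the
ones from the post above; serveradmin itself is not called here."""
import re
from typing import Dict, List, Optional, Tuple

P = "vpn:Servers:com.apple.ppp.pptp:"

# The stanza as typed in the post (keys spelled exactly as serveradmin expects).
REQUESTED: Dict[str, str] = {
    P + "enabled": "yes",
    P + "IPv4:DestAddressRanges:_array_index:0": "192.168.2.236",
    P + "IPv4:DestAddressRanges:_array_index:1": "192.168.2.240",
    P + "PPP:AuthenticatorProtocol:_array_index:0": "MSCHAP2",
    P + "PPP:AuthenticatorPlugins:_array_index:0": "DSAuth",
    P + "PPP:MPPEKeySize40": "1",
    P + "PPP:MPPEKeySize128": "1",
}

# What serveradmin printed after Ctrl-D, copied from the post (sample input).
ECHOED = """\
vpn:Servers:com.apple.ppp.pptp:enabled = yes
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorProtocol = _empty_array
vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize40 = 0
vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize128 = 1
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorPlugins:_array_index:0 = "DSAuth"
vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:0 = "192.168.2.224"
vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:1 = "192.168.2.254"
"""

LINE_RE = re.compile(r"^(?P<key>[^\s=]+)\s*=\s*(?P<val>.*)$")


def render_stanza(settings: Dict[str, str]) -> str:
    """One `key = value` line per setting, the form serveradmin reads on stdin."""
    return "".join(f"{k} = {v}\n" for k, v in settings.items())


def parse_serveradmin(text: str) -> Dict[str, str]:
    """Parse `key = value` lines; serveradmin quotes strings on output, so strip the quotes."""
    out: Dict[str, str] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        val = m.group("val").strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        out[m.group("key")] = val
    return out


def diff_settings(requested: Dict[str, str],
                  applied: Dict[str, str]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Requested keys whose applied value differs (value) or is gone (None).

    An array echoed as `_empty_array` means every index we set under it was dropped."""
    empty_arrays = {k for k, v in applied.items() if v == "_empty_array"}
    mismatches: Dict[str, Tuple[str, Optional[str]]] = {}
    for key, want in requested.items():
        parent = key.split(":_array_index:")[0]
        got = None if parent in empty_arrays else applied.get(key)
        if got != want:
            mismatches[key] = (want, got)
    return mismatches


def weak_settings(applied: Dict[str, str]) -> List[str]:
    """Flag settings the server accepts but which are weak by today's standards."""
    warnings: List[str] = []
    if applied.get(P + "enabled") == "yes":
        warnings.append("PPTP is enabled: MS-CHAPv2 can be cracked offline and MPPE is RC4")
    if applied.get(P + "PPP:MPPEKeySize40") == "1":
        warnings.append("40-bit MPPE keys are allowed")
    return warnings


if __name__ == "__main__":
    # Real use: pipe render_stanza(REQUESTED) into `sudo serveradmin settings`
    # and feed its stdout to parse_serveradmin instead of the ECHOED sample.
    applied = parse_serveradmin(ECHOED)
    for key, (want, got) in diff_settings(REQUESTED, applied).items():
        print(f"NOT APPLIED {key}: wanted {want!r}, server has {got!r}")
    for w in weak_settings(applied):
        print("WARNING", w)
```

Run against the post's own output this reports four settings that did not take (the AuthenticatorProtocol entry, MPPEKeySize40 and both address range endpoints) and leaves the two that matched alone; the quote stripping matters because serveradmin prints strings quoted but reads them unquoted.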

Feb 1, 2012 8:26 PM in response to UptimeJeff

So, I had the same issue after upgrading to 10.7.3, but I did get it working. In Lion server, we are running only the L2TP, but the upgrade today to 10.7.3 somehow messed things up. Previously, in Snow Leopard, I believe we were running L2TP and PPTP. Anyway, been running L2TP in Lion since it was released without issue.


After upgrade today to 10.7.3, I was getting no VPN connection with the error in the Log files of the Server of "DSAuth plugin: Failed to retrieve MPPE encryption keys from the password server." then some type of Fatal error in the log.


First, I tried the things mentioned here: http://support.apple.com/kb/HT4748


But the terminal command would not run properly for me. So, next, I turned off VPN and then turned it back on. I also switched from L2TP to both L2TP & PPTP, and then back to L2TP. Then I restarted the server. Lastly, I tried running the terminal command again, and this time it ran okay.


VPN in L2TP mode is running fine after that command took hold. Note that the Apple doc discusses PPTP, but it fixed my L2TP issue; so I say run the command even if you are only L2TP.

Feb 8, 2012 12:31 PM in response to KNicklow

Ours has been working really well, and we run a fair amount through that vpn pipe.


You should take a look at the Logs in Server app and watch what happens to them when you try to VPN in. This is how I started figuring out my original problem. See if you can make heads or tails from those logs; and/or do some searches on the errors that pop-up in the logs.


Also, take a look at that link, you may want to run the command anyway.

Feb 10, 2012 6:37 AM in response to bobgeo

bobgeo wrote:


Ours has been working really well, and we run a fair amount through that vpn pipe.


You should take a look at the Logs in Server app and watch what happens to them when you try to VPN in. This is how I started figuring out my original problem. See if you can make heads or tails from those logs; and/or do some searches on the errors that pop-up in the logs.


Also, take a look at that link, you may want to run the command anyway.


I went ahead and tried to run the command that's shown on this page:


http://support.apple.com/kb/HT4748


I went ahead and logged in as root and received this message:


mycatie:~ root# pwpolicy -a "DAdmin" -u "VPN MPPE Key Access User" -setpolicy "isSessionKeyAgent=1"

Password:

Setting policy for VPN MPPE Key Access User



***Error: eDSAuthFailed : (-14090) for dsDoDirNodeAuth



***Error: eDSAuthFailed : (-14090) for dsDoDirNodeAuth

Method = dsAuthMethodStandard:dsAuthSetPolicyAsRoot

mycatie:~ root#


Do you have any idea what the error I'm receiving is indicative of?


Also, where can I find the log files related to the VPN service?

Feb 10, 2012 10:22 AM in response to KNicklow

Hi KNicklow,


I think you have the command wrong, specifically, the "VPN MPPE Key Access User" should look more like "vpn_e35274859xxxxxxxxx". Go back to that link and use the Workgroup Manager to see this Short Name. I know the document says you can use Server app to see this, but I could not find it via Server app.


When I ran the command, I did not get anything returned back; it just showed me a new prompt, almost as if nothing happened, but something clearly did.


Also, make sure that "DAdmin" is correct using Workgroup manager. Use the Short Name that is listed in Workgroup Manager.


Try again!


Bob

Feb 10, 2012 11:12 AM in response to KNicklow

Make sure you have the right ports opened up on your router.


For L2TP - Public and Private UDP ports of: 500,1701,4500

For PPTP - Public and Private TCP ports of: 1723

Both of these going to the private IP address of your server. Power cycle the router.


Then on the server, also do the whole turn off the vpn and turn it back on. Maybe turn it off, restart the computer, and then turn it back on.


Also, try creating new Configuration Profile for the VPN in Server App and use that one.

Feb 10, 2012 2:26 PM in response to KNicklow

This should be solvable. Check this out: https://discussions.apple.com/thread/3202997?start=30&tstart=0


Specifically, what "Silberg" did. Try his steps and make sure that for the vpn, you are using the short name.


Also, if no luck there, check out some of the other posts there, like from "LEK2". In addition, now that the problem is down to "Authentication Failed", you can search on just that issue for Lion Server.


If that does not work, I am thinking something simple like the password is wrong or what-not. Let us know what happens.

Feb 13, 2012 1:24 PM in response to bobgeo

I'm still working on it, but it's continuing to fail authentication; here's the log:


2012-02-13 16:05:03 EST Incoming call... Address given to client = 10.0.0.152

Mon Feb 13 16:05:03 2012 : Directory Services Authentication plugin initialized

Mon Feb 13 16:05:03 2012 : Directory Services Authorization plugin initialized

Mon Feb 13 16:05:03 2012 : L2TP incoming call in progress from 'Our Public IP Address'...

Mon Feb 13 16:05:03 2012 : L2TP received SCCRQ

Mon Feb 13 16:05:03 2012 : L2TP sent SCCRP

Mon Feb 13 16:05:03 2012 : L2TP received SCCCN

Mon Feb 13 16:05:03 2012 : L2TP received ICRQ

Mon Feb 13 16:05:03 2012 : L2TP sent ICRP

Mon Feb 13 16:05:03 2012 : L2TP received ICCN

Mon Feb 13 16:05:03 2012 : L2TP connection established.

Mon Feb 13 16:05:03 2012 : using link 0

Mon Feb 13 16:05:03 2012 : Using interface ppp0

Mon Feb 13 16:05:03 2012 : Connect: ppp0 <--> socket[34:18]

Mon Feb 13 16:05:03 2012 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x7c6b8d45> <pcomp> <accomp>]

Mon Feb 13 16:05:03 2012 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x586f613> <pcomp> <accomp>]

Mon Feb 13 16:05:03 2012 : lcp_reqci: returning CONFACK.

Mon Feb 13 16:05:03 2012 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x586f613> <pcomp> <accomp>]

Mon Feb 13 16:05:03 2012 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x7c6b8d45> <pcomp> <accomp>]

Mon Feb 13 16:05:03 2012 : sent [LCP EchoReq id=0x0 magic=0x7c6b8d45]

Mon Feb 13 16:05:03 2012 : sent [CHAP Challenge id=0xf1 <731b4c056c570234416d075349301f7f>, name = "mycatie.com"]

Mon Feb 13 16:05:03 2012 : rcvd [LCP EchoReq id=0x0 magic=0x586f613]

Mon Feb 13 16:05:03 2012 : sent [LCP EchoRep id=0x0 magic=0x7c6b8d45]

Mon Feb 13 16:05:03 2012 : rcvd [LCP EchoRep id=0x0 magic=0x586f613]

Mon Feb 13 16:05:03 2012 : rcvd [CHAP Response id=0xf1 <19e910f590740fc9446a674fdd6b1f7b0000000000000000ccefbf20225325d9d1adc998b9a6c9dd64b01847272801fa00>, name = "The User ID"]

Mon Feb 13 16:05:03 2012 : sent [CHAP Failure id=0xf1 ""]

Mon Feb 13 16:05:03 2012 : CHAP peer authentication failed for The User ID

Mon Feb 13 16:05:03 2012 : sent [LCP TermReq id=0x2 "Authentication failed"]

Mon Feb 13 16:05:03 2012 : Connection terminated.

Mon Feb 13 16:05:03 2012 : L2TP disconnecting...

Mon Feb 13 16:05:03 2012 : L2TP sent CDN

Mon Feb 13 16:05:03 2012 : L2TP sent StopCCN

Mon Feb 13 16:05:03 2012 : L2TP disconnected

2012-02-13 16:05:03 EST --> Client with address = 10.0.0.152 has hungup
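The two logs in this thread (the PPTP one in the opening post and the L2TP one just above) fail at different points: in the first, CHAP succeeds and the connection is torn down afterwards because DSAuth could not fetch the MPPE keys; in the second, CHAP itself fails, so the key agent never comes into play. The following is an added example, not code from the thread or from Apple, that reads a Lion Server VPN log, splits it into sessions and labels each one with which of those two failures occurred. The sample log is condensed from the two posted logs (the L2TP peer address is a constructed placeholder from the documentation range). It also flags sessions whose CHAP challenge and response bytes were written to the log: an MS-CHAPv2 challenge/response pair is enough to recover the user's NT hash with a single DES key search, so those log lines, and forum posts that quote them, should be treated as credential material.

```python
"""Classify PPTP/L2TP sessions from the Lion Server VPN log.

Added example for this thread, not Apple code. It matches the lines pppd and
Apple's DSAuth/DSAccessControl plugins write, as seen in the two logs posted
in this thread, and labels each session with why it was torn down."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Condensed from the two logs in this thread; the L2TP peer address is a
# placeholder from the documentation range (constructed sample).
SAMPLE_LOG = """\
2011-08-02 17:41:33 BST Incoming call... Address given to client = 192.168.2.224
Tue Aug 2 17:41:33 2011 : PPTP incoming call in progress from '192.168.2.20'...
Tue Aug 2 17:41:33 2011 : PPTP connection established.
Tue Aug 2 17:41:36 2011 : sent [CHAP Challenge id=0x19 <5856042b4d496d0d7628283f036a342a>, name = "test1.example.com"]
Tue Aug 2 17:41:37 2011 : rcvd [CHAP Response id=0x19 <1e549108...>, name = "admin"]
Tue Aug 2 17:41:37 2011 : DSAuth plugin: Failed to retrieve MPPE encryption keys from the password server.
Tue Aug 2 17:41:37 2011 : CHAP peer authentication succeeded for admin
Tue Aug 2 17:41:37 2011 : DSAccessControl plugin: User 'admin' authorized for access
Tue Aug 2 17:41:37 2011 : MPPE required, but keys are not available. Possible plugin problem?
Tue Aug 2 17:41:37 2011 : sent [LCP TermReq id=0x2 "MPPE required but not available"]
Tue Aug 2 17:41:37 2011 : Connection terminated.
2011-08-02 17:41:37 BST --> Client with address = 192.168.2.224 has hungup
2012-02-13 16:05:03 EST Incoming call... Address given to client = 10.0.0.152
Mon Feb 13 16:05:03 2012 : L2TP incoming call in progress from '203.0.113.7'...
Mon Feb 13 16:05:03 2012 : L2TP connection established.
Mon Feb 13 16:05:03 2012 : sent [CHAP Challenge id=0xf1 <731b4c056c570234416d075349301f7f>, name = "mycatie.com"]
Mon Feb 13 16:05:03 2012 : rcvd [CHAP Response id=0xf1 <19e910f5...>, name = "The User ID"]
Mon Feb 13 16:05:03 2012 : sent [CHAP Failure id=0xf1 ""]
Mon Feb 13 16:05:03 2012 : CHAP peer authentication failed for The User ID
Mon Feb 13 16:05:03 2012 : sent [LCP TermReq id=0x2 "Authentication failed"]
Mon Feb 13 16:05:03 2012 : Connection terminated.
2012-02-13 16:05:03 EST --> Client with address = 10.0.0.152 has hungup
"""

RX_CALL = re.compile(r"Incoming call\.\.\. Address given to client = (\S+)")
RX_PROTO = re.compile(r"\b(PPTP|L2TP) incoming call in progress from '([^']*)'")
RX_USER = re.compile(r'\[CHAP Response .*?name = "([^"]*)"\]')
RX_AUTH_OK = re.compile(r"CHAP peer authentication succeeded for (.+)$")
RX_AUTH_FAIL = re.compile(r"CHAP peer authentication failed for (.+)$")
RX_MPPE = re.compile(r"Failed to retrieve MPPE encryption keys")
RX_TERM = re.compile(r'sent \[LCP TermReq id=0x[0-9a-f]+ "([^"]*)"\]')
# pppd logs the MS-CHAPv2 challenge and response bytes: offline-crackable material.
RX_CHAP_HEX = re.compile(r"\[CHAP (?:Challenge|Response) id=0x[0-9a-f]+ <[0-9a-f.]+>")


@dataclass
class VpnSession:
    assigned_ip: str
    protocol: Optional[str] = None
    peer: Optional[str] = None
    user: Optional[str] = None
    auth_ok: Optional[bool] = None
    mppe_keys_missing: bool = False
    term_reason: Optional[str] = None
    chap_material_logged: bool = False

    def diagnosis(self) -> str:
        if self.auth_ok is False:
            return "auth-failed"            # wrong password/short name, or the directory rejected it
        if self.auth_ok and self.mppe_keys_missing:
            return "mppe-keys-unavailable"  # password server would not give the key agent the MPPE keys
        if self.auth_ok and self.term_reason is None:
            return "connected"
        return "unknown"


def parse_log(text: str) -> List[VpnSession]:
    """Split the log at each 'Incoming call' and fill one VpnSession per call."""
    sessions: List[VpnSession] = []
    cur: Optional[VpnSession] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = RX_CALL.search(line)
        if m:
            cur = VpnSession(assigned_ip=m.group(1))
            sessions.append(cur)
            continue
        if cur is None:
            continue
        if RX_CHAP_HEX.search(line):
            cur.chap_material_logged = True
        if (m := RX_PROTO.search(line)):
            cur.protocol, cur.peer = m.group(1), m.group(2)
        elif (m := RX_USER.search(line)):
            cur.user = m.group(1)
        elif RX_AUTH_OK.search(line):
            cur.auth_ok = True
        elif RX_AUTH_FAIL.search(line):
            cur.auth_ok = False
        elif RX_MPPE.search(line):
            cur.mppe_keys_missing = True
        elif (m := RX_TERM.search(line)):
            cur.term_reason = m.group(1)
    return sessions


if __name__ == "__main__":
    for s in parse_log(SAMPLE_LOG):
        print(f"{s.protocol} from {s.peer} user={s.user!r}: {s.diagnosis()} ({s.term_reason})")
```

The distinction the classifier makes is the one that decides the next step: "mppe-keys-unavailable" means the directory accepted the password and the problem is the VPN key agent user and its `isSessionKeyAgent` policy (the HT4748 procedure), while "auth-failed" means the pwpolicy step is irrelevant until the user, short name or directory binding is fixed.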

Feb 16, 2012 12:16 PM in response to James Spong

I found out that the certificate is one of the problems. So: I just wanted to create a CSR and send it to CertCenter, but the self-signed certificate of the Lion Server was impossibly short; it already had no organisation name inside. I decided to delete the existing certificate and create the same one anew with extended options. I checked the extended options and the certificate assistant asked me 1000 questions about exclude and include, and I no longer knew what to answer. So I cancelled the process and created a new self-signed general certificate without the extended options marked. About 10 minutes after I did this my colleague called me and said he had been thrown out of the VPN tunnel to the server, and asked whether I was doing something. I said: yes, I was just trying to make a certificate, but did not know what to answer and cancelled, and probably that is why he was thrown out. I will check with my XP notebook.


So, I checked and it is true, PPTP is not working anymore: No server found ...

I thought: I'll do HT4748 again and probably then it will work. And so it was: I ran the pwpolicy command for the new certificate and at once PPTP was working again.


So, it depends somehow on the certificate!

Feb 16, 2012 12:22 PM in response to James Spong

Oh, I still need to mention: 3 days before, I installed my own Mac mini OS X Lion Server and bought a certificate from RapidSSL with the CSR I found on that server. But this former certificate at least had an organisation name. And I remember it asking me such things. And this first server is like a wonder: at once everything works. So, if you spend money on a certificate, suddenly everything works. For example: when I activated ODS (Open Directory), inside the Wiki you could not use the calendar element anymore. It tells you that you need to activate the "Calendar App" in Server App. But there is no option to activate this (as there is in E-Mail with Webmail). Then I installed the official RapidSSL certificate and at once the calendar element worked again. So this error with the web calendar also depends on the existence of a public certificate. Isn't it an interesting money machine that is used with this concept: you need a certificate, or else your server does not work right?

Feb 16, 2012 1:52 PM in response to vcacpa

Thank you for the update and I am glad you got it working. I hate to say it, but I thought you had a certificate problem, but I did not say anything since I did not think that the certificate would have any relationship to the VPN.


You could use a free ssl service like Start SSL (www.startssl.com), but I get what you are saying. Well, good job on getting it working!
