PPTP VPN errors, 10.7

Hi,


I have been trying to get the PPTP VPN service working in Lion with no luck and wanted to see if anyone can help...


I found this document - http://support.apple.com/kb/HT4748 - and went over the instructions and entered the relevant settings into Terminal. This is what I entered:


bash-3.2# serveradmin settings

vpn:Servers:com.apple.ppp.pptp:enabled = yes

vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:0 = 192.168.2.236

vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:1 = 192.168.2.240

vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorProtocol:_array_index:0 = MSCHAP2

vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorPlugins:_array_index:0 = DSAuth

vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize40 = 1

vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize128 = 1


After pressing ctrl-d to save, this is what was returned:


vpn:Servers:com.apple.ppp.pptp:enabled = yes

vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorProtocol = _empty_array

vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize40 = 0

vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize128 = 1

vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorPlugins:_array_index:0 = "DSAuth"

vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:0 = "192.168.2.224"

vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:1 = "192.168.2.254"


So, straight away it seems that there is a problem - the 'AuthenticatorProtocol' setting hasn't taken, nor have the starting and ending addresses or the 40bit key setting. When setting up a connection from a client I get the following errors in the VPN logs on the server:


2011-08-02 17:41:33 BST Incoming call... Address given to client = 192.168.2.224

Tue Aug 2 17:41:33 2011 : Directory Services Authentication plugin initialized

Tue Aug 2 17:41:33 2011 : Directory Services Authorization plugin initialized

Tue Aug 2 17:41:33 2011 : PPTP incoming call in progress from '192.168.2.20'...

Tue Aug 2 17:41:33 2011 : PPTP connection established.

Tue Aug 2 17:41:33 2011 : using link 0

Tue Aug 2 17:41:33 2011 : Using interface ppp0

Tue Aug 2 17:41:33 2011 : Connect: ppp0 <--> socket[34:17]

Tue Aug 2 17:41:33 2011 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x658dba54> <pcomp> <accomp>]

Tue Aug 2 17:41:34 2011 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x343c484c> <pcomp> <accomp>]

Tue Aug 2 17:41:34 2011 : lcp_reqci: returning CONFACK.

Tue Aug 2 17:41:34 2011 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x343c484c> <pcomp> <accomp>]

Tue Aug 2 17:41:36 2011 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x658dba54> <pcomp> <accomp>]

Tue Aug 2 17:41:36 2011 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x658dba54> <pcomp> <accomp>]

Tue Aug 2 17:41:36 2011 : sent [LCP EchoReq id=0x0 magic=0x658dba54]

Tue Aug 2 17:41:36 2011 : sent [CHAP Challenge id=0x19 <5856042b4d496d0d7628283f036a342a>, name = "test1.example.com"]

Tue Aug 2 17:41:36 2011 : rcvd [LCP EchoReq id=0x0 magic=0x343c484c]

Tue Aug 2 17:41:36 2011 : sent [LCP EchoRep id=0x0 magic=0x658dba54]

Tue Aug 2 17:41:36 2011 : rcvd [LCP EchoRep id=0x0 magic=0x343c484c]

Tue Aug 2 17:41:37 2011 : rcvd [CHAP Response id=0x19 <1e54910872fb421f0c33a14170a86ae50000000000000000ec5a9244356ad3301e54400736f5c6ab5e2efcdb72c1b32100>, name = "admin"]

Tue Aug 2 17:41:37 2011 : DSAuth plugin: Failed to retrieve MPPE encryption keys from the password server.

Tue Aug 2 17:41:37 2011 : sent [CHAP Success id=0x19 "S=19042A45445ADAAB6BD0356FC1CB5EFFD3130904 M=Access granted"]

Tue Aug 2 17:41:37 2011 : CHAP peer authentication succeeded for admin

Tue Aug 2 17:41:37 2011 : DSAccessControl plugin: User 'admin' authorized for access

Tue Aug 2 17:41:37 2011 : MPPE required, but keys are not available. Possible plugin problem?

Tue Aug 2 17:41:37 2011 : sent [LCP TermReq id=0x2 "MPPE required but not available"]

Tue Aug 2 17:41:37 2011 : Connection terminated.

Tue Aug 2 17:41:37 2011 : Connect time 0.1 minutes.

Tue Aug 2 17:41:37 2011 : Sent 0 bytes, received 0 bytes.

Tue Aug 2 17:41:37 2011 : PPTP disconnecting...

Tue Aug 2 17:41:37 2011 : PPTP disconnected

2011-08-02 17:41:37 BST --> Client with address = 192.168.2.224 has hungup


I have dug around and seen that the 'DSAuth plugin: Failed to retrieve MPPE encryption keys from the password server' error is not a new one and has been seen before in upgrades to 10.4, 10.5 and 10.6, however everything that is suggested in those threads doesn't resolve this problem - I still get the same errors in the log.


I have tried rebuilding the keyagentuser (sudo vpnaddkeyagentuser /LDAPv3/127.0.0.1 - this is the OD master as well as VPN server) with no luck and have re-entered the sudo serveradmin settings above again, with no change.


I don't know enough about how the VPN service works to know what to do/try next and documentation/discussions on this are thin on the ground - if anyone has any idea, it would be great to know!


Thanks


JS

MacBook Pro, Mac OS X (10.6.8)

Posted on Aug 2, 2011 10:56 AM

33 replies
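
Added example, not part of the original post and not Apple tooling: a Python comparison of the settings entered at the `serveradmin settings` prompt against what the server echoed back, using the two listings from the post as input. The function names `parse_settings` and `drift` are hypothetical.

```python
import re
# Constructed from the post: the lines entered at the `serveradmin settings` prompt...
REQUESTED = """\
vpn:Servers:com.apple.ppp.pptp:enabled = yes
vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:0 = 192.168.2.236
vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:1 = 192.168.2.240
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorProtocol:_array_index:0 = MSCHAP2
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorPlugins:_array_index:0 = DSAuth
vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize40 = 1
vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize128 = 1
"""
# ...and the lines serveradmin echoed back after ctrl-d.
RETURNED = """\
vpn:Servers:com.apple.ppp.pptp:enabled = yes
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorProtocol = _empty_array
vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize40 = 0
vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize128 = 1
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorPlugins:_array_index:0 = "DSAuth"
vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:0 = "192.168.2.224"
vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:1 = "192.168.2.254"
"""
_ARRAY = re.compile(r"^(.*):_array_index:(\d+)$")

def parse_settings(text):
    """Map each setting to a scalar, or to a list for _array_index entries."""
    out = {}
    for line in text.splitlines():
        if " = " not in line:
            continue  # skip the shell prompt and blank lines
        key, value = (part.strip() for part in line.split(" = ", 1))
        value = value.strip('"')  # echoed string values come back quoted
        m = _ARRAY.match(key)
        if m:
            out.setdefault(m.group(1), {})[int(m.group(2))] = value
        elif value == "_empty_array":
            out[key] = {}
        else:
            out[key] = value
    return {k: [v[i] for i in sorted(v)] if isinstance(v, dict) else v
            for k, v in out.items()}

def drift(requested, returned):
    """Return {key: (wanted, got)} for each requested setting that did not take."""
    want, got = parse_settings(requested), parse_settings(returned)
    return {k: (v, got.get(k)) for k, v in want.items() if got.get(k) != v}

if __name__ == "__main__":
    for key, (wanted, actual) in drift(REQUESTED, RETURNED).items():
        print(f"{key}: wanted {wanted!r}, server has {actual!r}")
```

Run against the post's listings, it reports the same three settings the poster noticed: the address range, `AuthenticatorProtocol`, and `MPPEKeySize40`.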

Feb 17, 2012 12:59 AM in response to James Spong

It means you more or less need a certified server to get things running well. Therefore the help of Server App already explains in its first points that you should buy a public certificate. I myself thought: OK, first I will test the server, because I will not spend more money on something I may not like. And with this logic the server really does not work well. For example, I found out that I needed to change the certificate settings in the E-Mail server as well, not in the Server App but in the Admin tool from the former Snow Leopard Server. At once the TTLS error of my e-mails vanished. So, this server seems addicted to certificate usage. Two weeks ago I also activated the self-signed certificate once for the web server component. At once it was damaged and could not be repaired anymore, and I needed to reinstall everything: first the original Snow Leopard CD, then the Lion update, then the general updates, then the Lion Server ... Kind of an interesting sport if only a certificate is the problem, isn't it?


@bobgeo: You suggest StartSSL as a free certificate service. Maybe this is really a good starting point for someone who wants to test this Lion server. I cannot suggest using this Lion server without a certificate and then searching for "virtual errors" everywhere in the system that at once vapourise if you install the certificate.


You believe Apple gets some money from each certificate offerer they bring people to?

Sure, Apple is the left arm of the media industry; look at ACTA, which seems to be crashing in Europe now because of the people's protests everywhere. Although they prepared this ACTA in top secret, and no conventional media channel (TV or radio) here in Germany mentioned that our politicians and we the people should have this ACTA international trade law dictated to us.


For me, this is all a matching story, and IPv6 is only another easy way to reach this aim of Internet 2. This will be an Internet that does not work without everything being certified, and each transaction between such certified parties is bound to a transaction usage fee. This is all part of the concept to get each computer clearly identified like a car with a number plate, to commercialize the Internet after individuals are clearly identified, and to pay taxes like the 19% VAT on each electronic transaction and a 1 Cent Communication Tax on top of it all to the EU government. This they already mentioned: E-Mail should become usage-fee based, the German Government will get the 19% tax for each E-Mail and the EU will get the 1 Cent / E-Mail transaction tax. Internet 2 will be the Internet of identity and, via RFID and NFC mobiles, bound to the material, as in what is called "the internet of things". If the big ones do not like something, they just cut you off by IPv6 or by taking your certificate.


I think it might help to keep in mind the higher strategy by which products like Lion Server are driven. Then we can more easily understand the pattern of some technical things not working at many single points at the same time (without a certificate) and why we are endlessly looking for errors, but the errors are not of a technical but a strategic nature: commercializing the free Internet 1 to become Internet 2.
