James Spong

Q: PPTP VPN errors, 10.7

Hi,

 

I have been trying to get the PPTP VPN service working in Lion with no luck and wanted to see if anyone can help...

 

I found this document - http://support.apple.com/kb/HT4748 - and went over the instructions and entered the relevant settings into Terminal.  This is what I entered:

 

bash-3.2# serveradmin settings

vpn:Servers:com.apple.ppp.pptp:enabled = yes

vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:0 = 192.168.2.236

vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:1 = 192.168.2.240

vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorProtocol:_array_ index:0 = MSCHAP2            

vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorPlugins:_array_index:0 = DSAuth

vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize40 = 1   

vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize128 = 1

 

After pressing ctrl-d to save, this is what was returned:

 

vpn:Servers:com.apple.ppp.pptp:enabled = yes

vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorProtocol = _empty_array

vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize40 = 0

vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize128 = 1

vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorPlugins:_array_index:0 = "DSAuth"

vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:0 = "192.168.2.224"

vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:1 = "192.168.2.254"

 

So, straight away it seems that there is a problem - the 'AuthenticatorProtocol' setting hasn't taken, nor have the starting and ending addresses or the 40-bit key setting.  When setting up a connection from a client I get the following errors in the VPN logs on the server:

 

2011-08-02 17:41:33 BST          Incoming call... Address given to client = 192.168.2.224

Tue Aug  2 17:41:33 2011 : Directory Services Authentication plugin initialized

Tue Aug  2 17:41:33 2011 : Directory Services Authorization plugin initialized

Tue Aug  2 17:41:33 2011 : PPTP incoming call in progress from '192.168.2.20'...

Tue Aug  2 17:41:33 2011 : PPTP connection established.

Tue Aug  2 17:41:33 2011 : using link 0

Tue Aug  2 17:41:33 2011 : Using interface ppp0

Tue Aug  2 17:41:33 2011 : Connect: ppp0 <--> socket[34:17]

Tue Aug  2 17:41:33 2011 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x658dba54> <pcomp> <accomp>]

Tue Aug  2 17:41:34 2011 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x343c484c> <pcomp> <accomp>]

Tue Aug  2 17:41:34 2011 : lcp_reqci: returning CONFACK.

Tue Aug  2 17:41:34 2011 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x343c484c> <pcomp> <accomp>]

Tue Aug  2 17:41:36 2011 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x658dba54> <pcomp> <accomp>]

Tue Aug  2 17:41:36 2011 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x658dba54> <pcomp> <accomp>]

Tue Aug  2 17:41:36 2011 : sent [LCP EchoReq id=0x0 magic=0x658dba54]

Tue Aug  2 17:41:36 2011 : sent [CHAP Challenge id=0x19 <5856042b4d496d0d7628283f036a342a>, name = "test1.example.com"]

Tue Aug  2 17:41:36 2011 : rcvd [LCP EchoReq id=0x0 magic=0x343c484c]

Tue Aug  2 17:41:36 2011 : sent [LCP EchoRep id=0x0 magic=0x658dba54]

Tue Aug  2 17:41:36 2011 : rcvd [LCP EchoRep id=0x0 magic=0x343c484c]

Tue Aug  2 17:41:37 2011 : rcvd [CHAP Response id=0x19 <1e54910872fb421f0c33a14170a86ae50000000000000000ec5a9244356ad3301e54400736f5c6 ab5e2efcdb72c1b32100>, name = "admin"]

Tue Aug  2 17:41:37 2011 : DSAuth plugin: Failed to retrieve MPPE encryption keys from the password server.

Tue Aug  2 17:41:37 2011 : sent [CHAP Success id=0x19 "S=19042A45445ADAAB6BD0356FC1CB5EFFD3130904 M=Access granted"]

Tue Aug  2 17:41:37 2011 : CHAP peer authentication succeeded for admin

Tue Aug  2 17:41:37 2011 : DSAccessControl plugin: User 'admin' authorized for access

Tue Aug  2 17:41:37 2011 : MPPE required, but keys are not available.  Possible plugin problem?

Tue Aug  2 17:41:37 2011 : sent [LCP TermReq id=0x2 "MPPE required but not available"]

Tue Aug  2 17:41:37 2011 : Connection terminated.

Tue Aug  2 17:41:37 2011 : Connect time 0.1 minutes.

Tue Aug  2 17:41:37 2011 : Sent 0 bytes, received 0 bytes.

Tue Aug  2 17:41:37 2011 : PPTP disconnecting...

Tue Aug  2 17:41:37 2011 : PPTP disconnected

2011-08-02 17:41:37 BST             --> Client with address = 192.168.2.224 has hungup

 

I have dug around and seen that the 'DSAuth plugin: Failed to retrieve MPPE encryption keys from the password server' error is not a new one and has been seen before in upgrades to 10.4, 10.5 and 10.6, however everything that is suggested in those threads doesn't resolve this problem - I still get the same errors in the log.

 

I have tried rebuilding the keyagentuser (sudo vpnaddkeyagentuser /LDAPv3/127.0.0.1 - this is the OD master as well as VPN server) with no luck and have re-entered the sudo serveradmin settings above again, with no change.

 

I don't know enough about how the VPN service works to know what to do/try next and documentation/discussions on this are thin on the ground - if anyone has any idea, it would be great to know!

 

Thanks

 

JS

MacBook Pro, Mac OS X (10.6.8)

Posted on Aug 2, 2011 10:58 AM

  • by UptimeJeff, Level 4 (3,477 points), Jan 22, 2012 1:55 PM in response to UptimeJeff

    I need to clarify.

     

    replacing vpnd does not fix the MPPE issue described in this thread

     

    but does fix the CCP issue as described in this thread:

    https://discussions.apple.com/thread/3415822?start=0&tstart=0

     

    Jeff

  • by bobgeo, Level 1 (25 points), Feb 1, 2012 8:26 PM in response to UptimeJeff

    So, I had the same issue after upgrading to 10.7.3, but I did get it working. In Lion server, we are running only the L2TP, but the upgrade today to 10.7.3 somehow messed things up. Previously, in Snow Leopard, I believe we were running L2TP and PPTP. Anyway, been running L2TP in Lion since it was released without issue.

     

    After upgrade today to 10.7.3, I was getting no VPN connection with the error in the Log files of the Server of "DSAuth plugin: Failed to retrieve MPPE encryption keys from the password server." then some type of Fatal error in the log.

     

    First, I tried the things mentioned here: http://support.apple.com/kb/HT4748

     

    But, the terminal command would not run properly for me. So, next, I turned off vpn and then turned it back on. I also switched from L2TP to both L2TP & PPTP; and then back to L2TP. Then, I restarted the server. Lastly, I tried running the terminal command again; and this time it ran okay.

     

    VPN in L2TP mode is running fine after that command took hold. Note that the Apple doc discusses PPTP, but it fixed my L2TP issue; so I say run the command even if you are only L2TP.

  • by Rob Rocket, Level 2 (305 points), Feb 8, 2012 4:24 AM in response to bobgeo

    Thanks, had 3 Servers which had the vpn auth issue after applying the 10.7.3 combo update. No way to get them to accept vpn connections (chap auth failed). I also added a new user, switched vpn on/off before applying the terminal commands found in your link.

     

    now everything is back up again and works...

     

    Thanks

    Rob

  • by KNicklow, Level 1 (0 points), Feb 8, 2012 6:02 AM in response to Rob Rocket

    I had a VPN working fine until that update, now it's not working anymore. Really inconsistent behavior based around the server not being viewable by clients.

  • by bobgeo, Level 1 (25 points), Feb 8, 2012 12:31 PM in response to KNicklow

    Ours has been working really well, and we run a fair amount through that vpn pipe.

     

    You should take a look at the Logs in Server app and watch what happens to them when you try to VPN in. This is how I started figuring out my original problem. See if you can make heads or tails from those logs; and/or do some searches on the errors that pop-up in the logs.

     

    Also, take a look at that link, you may want to run the command anyway.

  • by KNicklow, Level 1 (0 points), Feb 10, 2012 6:37 AM in response to bobgeo

    bobgeo wrote:

     

    Ours has been working really well, and we run a fair amount through that vpn pipe.

     

    You should take a look at the Logs in Server app and watch what happens to them when you try to VPN in. This is how I started figuring out my original problem. See if you can make heads or tails from those logs; and/or do some searches on the errors that pop-up in the logs.

     

    Also, take a look at that link, you may want to run the command anyway.

     

    I went ahead and tried to run the command that's shown on this page:

     

    http://support.apple.com/kb/HT4748

     

    I went ahead and logged into the root and received this message:

     

    mycatie:~ root# pwpolicy -a "DAdmin" -u "VPN MPPE Key Access User" -setpolicy "isSessionKeyAgent=1"

    Password:

    Setting policy for VPN MPPE Key Access User

     

     

    ***Error: eDSAuthFailed : (-14090) for dsDoDirNodeAuth

     

     

    ***Error: eDSAuthFailed : (-14090) for dsDoDirNodeAuth

      Method = dsAuthMethodStandard:dsAuthSetPolicyAsRoot

    mycatie:~ root#

     

    Do you have any idea what the error I'm receiving is indicative of?

     

    Also, where can I find the log files related to the VPN service?

  • by bobgeo, Level 1 (25 points), Feb 10, 2012 10:22 AM in response to KNicklow

    Hi KNicklow,

     

    I think you have the command wrong, specifically, the "VPN MPPE Key Access User" should look more like "vpn_e35274859xxxxxxxxx". Go back to that link and use the Workgroup Manager to see this Short Name. I know the document says you can use Server app to see this, but I could not find it via Server app.

     

    When I ran the command, I did not get anything returned back; it just showed me a new prompt, almost as if nothing happened, but something clearly did.

     

    Also, make sure that "DAdmin" is correct using Workgroup manager. Use the Short Name that is listed in Workgroup Manager.

     

    Try again!

     

    Bob

  • by KNicklow, Level 1 (0 points), Feb 10, 2012 11:01 AM in response to bobgeo

    Thanks for the recommendations.

     

    I tried it again and the command was accepted. Unfortunately, the VPN is still busted. It seems that with L2TP connections "Authentication Fails", but users can get through. With PPTP, I get a response of "no server response". I'll keep working with it I guess and see what I get.

  • by bobgeo, Level 1 (25 points), Feb 10, 2012 11:12 AM in response to KNicklow

    Make sure you have the right ports opened up on your router.

     

    For L2TP - Public and Private UDP ports of: 500,1701,4500

    For PPTP - Public and Private TCP ports of: 1723

    Both of these going to the private IP address of your server. Power cycle the router.

     

    Then on the server, also do the whole turn off the vpn and turn it back on. Maybe turn it off, restart the computer, and then turn it back on.

     

    Also, try creating new Configuration Profile for the VPN in Server App and use that one.

  • by KNicklow, Level 1 (0 points), Feb 10, 2012 2:13 PM in response to bobgeo

    Well, good news. Turns out the PPTP port wasn't forwarded for some reason. I'm still getting Authentication Failed, but now it's consistent between the two protocols. I suppose now it's just a matter of figuring out why it's failing.

  • by bobgeo, Level 1 (25 points), Feb 10, 2012 2:26 PM in response to KNicklow

    This should be solvable. Check this out: https://discussions.apple.com/thread/3202997?start=30&tstart=0

     

    Specifically, what "Silberg" did. Try his steps and make sure that for the vpn, you are using the short name.

     

    Also, if no luck there, check out some of the other posts there, like from "LEK2". In addition, now that the problem is down to "Authentication Failed", you can search on just that issue for Lion Server.

     

    If that does not work, I am thinking something simple like the password is wrong or what-not. Let us know what happens.

  • by KNicklow, Level 1 (0 points), Feb 13, 2012 5:08 AM in response to bobgeo

    Thanks for the great Tips. I don't really have time to mess with it today, but I'm hoping to get another crack at it in the next few days. I'll report my findings when I have some.

     

    Thanks!

  • by KNicklow, Level 1 (0 points), Feb 13, 2012 1:24 PM in response to bobgeo

    I'm still working on it, but it's continuing to fail authentication; here's the log:

     

    2012-02-13 16:05:03 EST   Incoming call... Address given to client = 10.0.0.152

    Mon Feb 13 16:05:03 2012 : Directory Services Authentication plugin initialized

    Mon Feb 13 16:05:03 2012 : Directory Services Authorization plugin initialized

    Mon Feb 13 16:05:03 2012 : L2TP incoming call in progress from 'Our Public IP Address'...

    Mon Feb 13 16:05:03 2012 : L2TP received SCCRQ

    Mon Feb 13 16:05:03 2012 : L2TP sent SCCRP

    Mon Feb 13 16:05:03 2012 : L2TP received SCCCN

    Mon Feb 13 16:05:03 2012 : L2TP received ICRQ

    Mon Feb 13 16:05:03 2012 : L2TP sent ICRP

    Mon Feb 13 16:05:03 2012 : L2TP received ICCN

    Mon Feb 13 16:05:03 2012 : L2TP connection established.

    Mon Feb 13 16:05:03 2012 : using link 0

    Mon Feb 13 16:05:03 2012 : Using interface ppp0

    Mon Feb 13 16:05:03 2012 : Connect: ppp0 <--> socket[34:18]

    Mon Feb 13 16:05:03 2012 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x7c6b8d45> <pcomp> <accomp>]

    Mon Feb 13 16:05:03 2012 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x586f613> <pcomp> <accomp>]

    Mon Feb 13 16:05:03 2012 : lcp_reqci: returning CONFACK.

    Mon Feb 13 16:05:03 2012 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x586f613> <pcomp> <accomp>]

    Mon Feb 13 16:05:03 2012 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x7c6b8d45> <pcomp> <accomp>]

    Mon Feb 13 16:05:03 2012 : sent [LCP EchoReq id=0x0 magic=0x7c6b8d45]

    Mon Feb 13 16:05:03 2012 : sent [CHAP Challenge id=0xf1 <731b4c056c570234416d075349301f7f>, name = "mycatie.com"]

    Mon Feb 13 16:05:03 2012 : rcvd [LCP EchoReq id=0x0 magic=0x586f613]

    Mon Feb 13 16:05:03 2012 : sent [LCP EchoRep id=0x0 magic=0x7c6b8d45]

    Mon Feb 13 16:05:03 2012 : rcvd [LCP EchoRep id=0x0 magic=0x586f613]

    Mon Feb 13 16:05:03 2012 : rcvd [CHAP Response id=0xf1 <19e910f590740fc9446a674fdd6b1f7b0000000000000000ccefbf20225325d9d1adc998b9a6c9 dd64b01847272801fa00>, name = "The User ID"]

    Mon Feb 13 16:05:03 2012 : sent [CHAP Failure id=0xf1 ""]

    Mon Feb 13 16:05:03 2012 : CHAP peer authentication failed for The User ID

    Mon Feb 13 16:05:03 2012 : sent [LCP TermReq id=0x2 "Authentication failed"]

    Mon Feb 13 16:05:03 2012 : Connection terminated.

    Mon Feb 13 16:05:03 2012 : L2TP disconnecting...

    Mon Feb 13 16:05:03 2012 : L2TP sent CDN

    Mon Feb 13 16:05:03 2012 : L2TP sent StopCCN

    Mon Feb 13 16:05:03 2012 : L2TP disconnected

    2012-02-13 16:05:03 EST   --> Client with address = 10.0.0.152 has hungup
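Reading the PPTP log in the original post and the L2TP log above the way a defender would, here is an added example, not from any poster in this thread, that groups pppd lines into sessions and labels each with its failure mode (MPPE keys unavailable after a successful CHAP, versus CHAP itself failing). The sample lines are constructed in the shape of those two logs; the public-address placeholder is the one the poster used.

```python
import re

# Constructed sample in the shape of the two vpnd logs in this thread: a PPTP
# session that passes CHAP but gets no MPPE keys, and an L2TP session that fails CHAP.
SAMPLE_LOG = """\
Tue Aug  2 17:41:33 2011 : PPTP incoming call in progress from '192.168.2.20'...
Tue Aug  2 17:41:37 2011 : DSAuth plugin: Failed to retrieve MPPE encryption keys from the password server.
Tue Aug  2 17:41:37 2011 : CHAP peer authentication succeeded for admin
Tue Aug  2 17:41:37 2011 : MPPE required, but keys are not available.  Possible plugin problem?
Tue Aug  2 17:41:37 2011 : sent [LCP TermReq id=0x2 "MPPE required but not available"]
Tue Aug  2 17:41:37 2011 : PPTP disconnected
Mon Feb 13 16:05:03 2012 : L2TP incoming call in progress from 'Our Public IP Address'...
Mon Feb 13 16:05:03 2012 : CHAP peer authentication failed for The User ID
Mon Feb 13 16:05:03 2012 : sent [LCP TermReq id=0x2 "Authentication failed"]
Mon Feb 13 16:05:03 2012 : L2TP disconnected
"""

# pppd lines carry a "Tue Aug  2 17:41:33 2011 : " prefix; vpnd's own "Incoming call..."/"has hungup" lines differ and are skipped.
PPPD_LINE = re.compile(r"^\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4} : (?P<msg>.*)$")
CALL_START = re.compile(r"^(?P<proto>PPTP|L2TP) incoming call in progress from '(?P<peer>[^']*)'")
CHAP_RESULT = re.compile(r"^CHAP peer authentication (?P<result>succeeded|failed) for (?P<user>.+)$")
TERMREQ = re.compile(r'sent \[LCP TermReq id=0x[0-9a-f]+ "(?P<reason>[^"]*)"\]')
DISCONNECTED = re.compile(r"^(?:PPTP|L2TP) disconnected$")
MPPE_MISSING = "MPPE required, but keys are not available"

def classify(s):  # name the failure mode a session ended in
    if s["mppe_keys_missing"]:
        return "mppe_keys_unavailable"  # CHAP passed but DSAuth had no MPPE keys: the HT4748 case
    if s["chap"] == "failed":
        return "chap_auth_failed"       # password server rejected the user/short name
    if s["chap"] == "succeeded" and s["term_reason"] is None:
        return "ok"
    return "unknown"

def parse_sessions(log_text):  # group pppd lines into sessions (incoming call .. disconnected)
    sessions, cur = [], None
    for m in filter(None, map(PPPD_LINE.match, log_text.splitlines())):
        msg = m.group("msg").strip()
        if start := CALL_START.match(msg):
            cur = {"proto": start["proto"], "peer": start["peer"], "user": None,
                   "chap": None, "mppe_keys_missing": False, "term_reason": None}
        elif cur is None:
            continue  # line outside any session
        elif chap := CHAP_RESULT.match(msg):
            cur["user"], cur["chap"] = chap["user"], chap["result"]
        elif MPPE_MISSING in msg:
            cur["mppe_keys_missing"] = True
        elif term := TERMREQ.search(msg):
            cur["term_reason"] = term["reason"]
        elif DISCONNECTED.match(msg):
            cur["outcome"] = classify(cur)
            sessions.append(cur)
            cur = None
    return sessions
```

Run over a real vpnd log, an "mppe_keys_unavailable" result points at the MPPE key access user setup from HT4748 rather than at the user's password, which is the distinction this thread kept tripping over.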
  • by vcacpa, Level 1 (0 points), Feb 16, 2012 12:16 PM in response to James Spong

    I found out that the certificate is one of the problems. So: I just wanted to create a CSR and send it to CertCenter, but the self-signed certificate of the Lion Server was impossibly short. So, already no organisation name inside. I decided to delete the existing certificate and create the same new one with extended options. I checked the extended options and the certificate assistant asked me 1000 questions about exclude and include and I did not know anymore what to answer. So, I cancelled the process and created a new self-signed general certificate without the extended options marked. And after I did this, 10 minutes later my colleague called me and said he was thrown out of the VPN tunnel to the server, and asked if I was doing something. I said: Yes, I was just trying to do a certificate, but did not know what to answer and cancelled, and probably therefore he was thrown out. I will check with my XP notebook.

     

    So, I checked and it is true, the PPTP is not working anymore: No server found ...

    I thought: I will do this HT4748 again and probably then it will work. And so it was: I did the pwpolicy command with the new certificate and at once the PPTP was working again.

     

    So, it depends something on the certificate!

  • by vcacpa, Level 1 (0 points), Feb 16, 2012 12:22 PM in response to James Spong

    Oh, I still need to mention: 3 days before, I installed my own Mac Mini OS X Lion Server and bought a certificate from RapidSSL with the CSR I found on that server. But this former certificate at least had an organisation name. And I remember it asking me such things. And this first server is like a wonder: At once all things were working. So, if you spend money for a certificate suddenly all things work. For example: When I activated the ODS (Open Directory) inside the Wiki you cannot use the calendar element anymore. It tells you that you need to activate the "Calendar App" in the Server App. But there is no point to activate this (like in E-Mail with Webmail). Then I installed the official RapidSSL certificate and at once the calendar element was working again. So, also this error with the Web-Calendar depends on the existence of a public certificate. Isn't it an interesting money machine that is used with this concept: You need a certificate, else your server is not working right?
