How to VPN windows 7 to osx lion server

I have been struggling the last couple of days with this issue!


I have established a MAC OSX VPN connection to OSX Lion Server without any problems but also need to connect Windows 7 machines.


The settings on the server side are correct (hence the MAC connection) but I still can't get the Windows 7 machine to make the connection!


Any help will be appreciated!

Toshiba Laptop-OTHER, Windows 7

Posted on Aug 18, 2011 12:12 AM

Question marked as Best reply

Posted on Aug 18, 2011 12:27 AM

Finally got it going!


Here are the steps:


1. Add this to your registry:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\PolicyAgent]

"AssumeUDPEncapsulationContextOnSendRule"=dword:00000002


2. Open secpol.msc (click start > search for secpol.msc)


- Local Policies > Security Options

- Network Security : LAN Manager Auth Level…

- Set to: Send LM & NTLMv2 - UseNTLMv2…


And


- Network Security : Minimum session security… clients

- uncheck "Require 128-bit encryption"


3. Restart PC


4. Create VPN Connection on Windows 7


- Host Name: (server IP or yourhost.name.com)

- PPP Settings : Enable LCP (only)

- Type: L2TP/IPSec

- Pre-shared key : yoursharedsecret

- Data encryption : Optional encryption

- Allow CHAP and CHAPv2


5. Router on server-side must allow VPN Passthrough and forward ports: 50, 51, 500, 548, 1701, 1723, 4500 to the server box. Also, do not filter anonymous internet requests, multicast or NAT Redirection but enable SPI Firewall.


I now can successfully VPN from Windows 7 to MAC OSX Lion Server! YAY!

23 replies

Dec 22, 2011 12:22 AM in response to beejster

Please provide contents for .reg files for XP, Vista and 7, so we don't have to guess and cross reference and hence likely make mistakes.


I noticed that even though I made the changes via the Control Panel, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel didn't get set. I found this value (completely) elsewhere, so the above setting is wrong as far as I can see.


Cheers,

Anders

Jan 7, 2012 3:03 PM in response to heatsea

heatsea wrote:


beetlejelly,


with your home edition, change registry below.


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel

->0x00000000


HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec

0x20000000->0x00000000


I made these changes as well as the changes from:


http://support.apple.com/kb/HT5078


On Windows 7 Home Premium. All other settings I believe are correct, but server logs show:


Jan 7 14:55:04 loftbox pppd[1351]: L2TP incoming call in progress from '10.1.10.170'...

Jan 7 14:55:06 loftbox racoon[151]: IKE Packet: transmit success. (Phase1 Retransmit).

Jan 7 14:55:13: --- last message repeated 1 time ---

Jan 7 14:55:13 loftbox vpnd[88]: --> Client with address = 192.168.2.130 has hungup

Jan 7 14:55:13 loftbox com.apple.ppp.l2tp[88]: 2012-01-07 14:55:13 PST --> Client with address = 192.168.2.130 has hungup

Jan 7 14:55:15 loftbox racoon[151]: IKE Packet: receive success. (Information message).

Jan 7 14:55:21: --- last message repeated 1 time ---

Jan 7 14:55:21 loftbox racoon[151]: IKE Packet: transmit success. (Phase1 Retransmit).


And the connection drops.


Has anyone successfully connected VPN from Windows 7 Home Premium to Lion Server?

May 2, 2012 7:35 AM in response to Scott Lopatin

I just connected my W7 Home Basic following all your advice, changing just one thing.


You posted this:

"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel

->0x00000000"


I changed to:

"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LMCompatibilityLevel

->0x00000001"


Change Lm = LM and the 0 = 1 based on this post

0 = Send LM & NTLM responses

1 = Use NTLMv2 responses if negotiated

2 = Send NTLM response only

3 = Send NTLMv2 response only

4 = Send NTLMv2 response only. Refuse LM

5 = Send NTLMv2 response only. Refuse LM & NTLM

http://www.sevenforums.com/network-sharing/202099-secpol-msc-network-security-workaround.html


Thanks 😀
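
A read-only check of the three registry values changed in this thread, so the state a Windows 7 client was left in can be recorded; this is an added example, not part of any post. The `Review` column and the helper names `Get-RegValue` and `New-Row` are assumptions made for illustration, and the level descriptions are the ones listed in the post above.

```powershell
# Added example: read-only audit of the registry values edited in this thread.
# Level text follows the LmCompatibilityLevel list quoted in the thread.
$lmLevels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Use NTLMv2 responses if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}
$unset = 'not set (OS default applies)'

function Get-RegValue([string]$Path, [string]$Name) {
    # Emits nothing ($null) when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}
function New-Row($Setting, $Value, $Note, $Review) {
    # New-Object keeps this runnable on the PowerShell 2.0 that ships with Windows 7.
    New-Object PSObject -Property @{
        Setting = $Setting; Value = $Value; Note = $Note; Review = $Review }
}

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$pa  = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$lm  = Get-RegValue $lsa 'LmCompatibilityLevel'
$sec = Get-RegValue "$lsa\MSV1_0" 'NTLMMinClientSec'
$nat = Get-RegValue $pa 'AssumeUDPEncapsulationContextOnSendRule'

$lmNote = $unset
if ($null -ne $lm) { $lmNote = $lmLevels[[int]$lm] }

# 0x20000000 is the "Require 128-bit encryption" bit cleared in the thread.
$secNote = $unset
if ($null -ne $sec) {
    if ($sec -band 0x20000000) { $secNote = '128-bit encryption required' }
    else { $secNote = '128-bit encryption NOT required' }
}
$natNote = $unset
if ($null -ne $nat) { $natNote = 'NAT-T rule explicitly set' }

$rows = @(
    # Review is true when the value allows LM/NTLM responses (level below 3),
    # drops the 128-bit requirement, or changes the NAT-T rule from 0.
    (New-Row 'LmCompatibilityLevel' $lm $lmNote (($null -ne $lm) -and ($lm -lt 3)))
    (New-Row 'NTLMMinClientSec' $sec $secNote (($null -ne $sec) -and -not ($sec -band 0x20000000)))
    (New-Row 'AssumeUDPEncapsulationContextOnSendRule' $nat $natNote (($null -ne $nat) -and ($nat -ne 0)))
)
$rows | Select-Object Setting, Value, Note, Review | Format-Table -AutoSize -Wrap
```

Running it before and after the workaround shows exactly which values changed, which makes it easier to restore the stricter settings once the VPN no longer needs them.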

Oct 11, 2012 12:23 PM in response to beejster

Darn, I've done it all, still doesn't connect! Windows 7 Professional, Lion Server 10.7.5 (all latest, including 10.7.5 supplemental). Mac clients connect just great! FYI the Lion server is behind 2 firewalls, so the Internet one forwards to the internal one, that forwards to the DMZ. VNC works, Mac clients work, but not Windows client.


Here's what I did:


1. Change CurrentControlSet\Control\Lsa\LmCompatibilityLevel = 1 (also with local security policy administrator)

2. Change AssumeUDPEncapsulationContextOnSendRule = 2

3. Forward firewall ports 50-51 UDP (these were not listed on other sites as L2TP or PPTP ports)

4. Reboot

5. Create VPN settings as indicated above for L2TP - still error 789. I also tried PPTP, which should be much simpler, still no connection.


What am I missing? I don't know.


Here's the Windows log tail from the error reporting, I found 2 sections that may be relevant, but they don't tell me much - DisconnectReason = 2, maybe that's error 719?:


[9708] 10-11 14:13:02:116: PortOpen: VPN0-1

[9708] 10-11 14:13:02:117: Opening line in monitor mode

[9708] 10-11 14:13:02:117: PortOpen: successfully opened VPN0-1

[9708] 10-11 14:13:02:118:

[9168] 10-11 14:13:04:437: DeviceConnect: DevSpecificInfo of 96 bytes available. Allocating new memory...

[9168] 10-11 14:13:04:437: DeviceConnect: calling lineMakeCall with size 96 and offset 193

[9168] 10-11 14:13:04:437: DeviceConnect: calling lineMakeCall for VPN0-1, address=[--deleted--]

[9168] 10-11 14:13:04:438: DeviceConnect: Changing state for VPN0-1 from 1 -> 4

[8492] 10-11 14:13:04:438: RasTapicallback: msg=12 , param1=65601l , param2=0l

[8492] 10-11 14:13:04:438: LINE_REPLY. param1=0x10041

[8492] 10-11 14:13:04:438: RasTapicallback: msg=2 , param1=512l , param2=0l

[8492] 10-11 14:13:04:438: RasTapicallback: linecallstate=0x200

[8492] 10-11 14:13:25:449: RasTapicallback: msg=2 , param1=16384l , param2=2147952451l

[8492] 10-11 14:13:25:449: RasTapicallback: linecallstate=0x4000

[8492] 10-11 14:13:25:449: RasTapiCallback: LINECALLSTATE_DISCONNECTED for port VPN0-1. AsyncErr = -2147014845, param2=0x80072743

[7724] 10-11 14:13:25:449: DeviceWork: VPN0-1. State = 4

[8492] 10-11 14:13:25:449: RasTapicallback: msg=2 , param1=1l , param2=0l

[8492] 10-11 14:13:25:449: RasTapicallback: linecallstate=0x1

[9708] 10-11 14:13:25:452: PortDisconnect: VPN0-1

[9708] 10-11 14:13:25:452: InitiatePortDisconnection: VPN0-1

[9708] 10-11 14:13:25:452: InitiatePortDisconnection: Changing state for VPN0-1 from 4 -> 5, id=0x10275

[9708] 10-11 14:13:25:452:

[9708] 10-11 14:13:25:452:

[8492] 10-11 14:13:25:452: RasTapicallback: msg=12 , param1=66165l , param2=0l

[8492] 10-11 14:13:25:452: LINE_REPLY. param1=0x10275

[8492] 10-11 14:13:25:452: RasTapiCallback: lineDropped. port VPN0-1, id=0xffffffff

[8492] 10-11 14:13:25:452: RasTapiCallback: Idle Received for port VPN0-1

[8492] 10-11 14:13:25:452: RasTapiCallback: changing state of VPN0-1. 5 -> 1

[8492] 10-11 14:13:25:452: RasTapiCallback: lineDeallocateCall for VPN0-1,hcall = 0x1001e

[7724] 10-11 14:13:25:453: PortTestSignalState: DeviceState = 0

[9708] 10-11 14:13:25:453: PortClose: VPN0-1

[9708] 10-11 14:13:25:453: No more ports opened for dialout on this line

[9708] 10-11 14:13:25:453: Closing line

[9708] 10-11 14:13:25:454: PortClose: Changing state for VPN0-1 from 1 -> 0

[9708] 10-11 14:13:25:454:



[4828] 10-11 15:00:32:034: PortOpen: VPN3-1

[4828] 10-11 15:00:32:034: Opening line in monitor mode

[4828] 10-11 15:00:32:034: PortOpen: successfully opened VPN3-1

[4828] 10-11 15:00:32:034:

[7232] 10-11 15:00:32:159: DeviceConnect: DevSpecificInfo of 16 bytes available. Allocating new memory...

[7232] 10-11 15:00:32:159: DeviceConnect: calling lineMakeCall with size 16 and offset 193

[7232] 10-11 15:00:32:159: DeviceConnect: calling lineMakeCall for VPN3-1, address=[--deleted--]

[7232] 10-11 15:00:32:159: DeviceConnect: Changing state for VPN3-1 from 1 -> 4

[8640] 10-11 15:00:32:174: RasTapicallback: msg=12 , param1=65785l , param2=0l

[8640] 10-11 15:00:32:174: LINE_REPLY. param1=0x100f9

[8640] 10-11 15:00:32:174: RasTapicallback: msg=2 , param1=512l , param2=0l

[8640] 10-11 15:00:32:174: RasTapicallback: linecallstate=0x200

[8640] 10-11 15:00:34:109: RasTapicallback: msg=2 , param1=256l , param2=0l

[8640] 10-11 15:00:34:109: RasTapicallback: linecallstate=0x100

[8640] 10-11 15:00:34:109: DwGetConnectInfo

[8640] 10-11 15:00:34:109: DwGetIDInformation

[8640] 10-11 15:00:34:109: DwGetIDInformation. 0

[8640] 10-11 15:00:34:109: SizeRequired for CallID=0

[8640] 10-11 15:00:34:109: CallIDSize=ConnectResponseSize=0

[8640] 10-11 15:00:34:109: DwGetConnectInfo. 0x0

[8640] 10-11 15:00:34:109: RasTapiCallback: DwGetConnectInforeturned 0x0

[8640] 10-11 15:00:34:109: RasTapiCallback: Connected on VPN3-1

[8640] 10-11 15:00:34:109: RasTapiCallback: Outgoing call

[1336] 10-11 15:00:34:109: DeviceWork: VPN3-1. State = 4

[1336] 10-11 15:00:34:109: DeviceWork: Changing state for VPN3-1 from 4 -> 3

[4828] 10-11 15:00:34:124: PortConnect: VPN3-1

[4828] 10-11 15:00:34:124:

[8640] 10-11 15:01:04:320: RasTapicallback: msg=2 , param1=16384l , param2=0l

[8640] 10-11 15:01:04:320: RasTapicallback: linecallstate=0x4000

[8640] 10-11 15:01:04:320: RasTapiCallback: lineGetCallStatus for VPN3-1 returned 0x4000

[8640] 10-11 15:01:04:320: RasTapiCallback: DisconnectReason mapped to 2

[8640] 10-11 15:01:04:320: RasTapiCallback: LINECALLSTATE - initiating Port Disconnect

[8640] 10-11 15:01:04:320: InitiatePortDisconnection: VPN3-1

[8640] 10-11 15:01:04:320: InitiatePortDisconnection: Changing state for VPN3-1 from 3 -> 5, id=0x102a5

[8640] 10-11 15:01:04:320:

[8640] 10-11 15:01:04:320: RasTapicallback: msg=2 , param1=1l , param2=0l

[8640] 10-11 15:01:04:320: RasTapicallback: linecallstate=0x1

[8640] 10-11 15:01:04:320: RasTapicallback: msg=12 , param1=66213l , param2=0l

[8640] 10-11 15:01:04:320: LINE_REPLY. param1=0x102a5

[8640] 10-11 15:01:04:320: RasTapiCallback: lineDropped. port VPN3-1, id=0xffffffff

[8640] 10-11 15:01:04:320: RasTapiCallback: Idle Received for port VPN3-1

[8640] 10-11 15:01:04:320: RasTapiCallback: changing state of VPN3-1. 5 -> 1

[8640] 10-11 15:01:04:320: RasTapiCallback: lineDeallocateCall for VPN3-1,hcall = 0x100d7

[1336] 10-11 15:01:04:320: PortTestSignalState: DisconnectReason = 2

[1336] 10-11 15:01:04:320: PortDisconnect: VPN3-1

[1336] 10-11 15:01:04:320:

Jan 21, 2015 7:12 AM in response to beejster

Thanks beejster,


This worked for me immediately.

But due to the fact that I'm only working with the L2TP protocol I don't need all those ports open on my router.


These are the only ports that need to be open when you use L2TP.


Ports:


500 (UDP)

1701 (UDP)

4500 (UDP)


With only those 3 ports open your network will be a little more secure.


Once the connection is made through VPN, it's a little more difficult than with MAC OS X to get to shared folders, but it works.


I open (windows) explorer. At the top of the screen where you see >computer>



you click on the bar on computer, erase everything and type the ip address of your server which is sharing in your network.

This has to be the internal IP address.


An example: My server has 192.168.15.108 as IP address.

So in the bar I have to type

\\192.168.15.108\



Be sure to use both backslashes in front of your IP address!




The case of VNC is again different.

With Mac OS X you can start screen sharing app or you just open safari and type: vnc://192.168.15.108 and you can remote desktop to your MAC server without 3rd party software, which I find awesome.


For VNC from Windows you're obliged to use 3rd party software.

I use Real VNC which works pretty good.



Good luck to all you VPN'ers
