
VPN issues, will connect w/ PPTP not L2TP, only diradmin

Hi Everyone!


I have an issue that has really been a difficult one, and I would love any input or advice from other server folks.


I have a client who has a Mac mini Lion Server and a Time Capsule router. The VPN was set up as L2TP (not by me) and has NEVER worked. I, with much confidence, was sure I could fix it, but it is proving to be problematic. I have run all the updates (Server 7.4, newest Server Admin, newest AirPort Utility, etc.)


It seems there is some sort of authentication issue happening.

What I have found:


Enabled PPTP, I am able to connect ONLY with the Directory Admin Account.

Cannot connect with ANY account on L2TP.

Have attempted to connect with long names, short names, domain users, local users, and it never connects. Of course, I have verified the shared secret numerous times.

When I attempted to connect with L2TP, nothing shows in the server log, as if it was blocked (internet provider is NOT blocking vpn access), no CHAP errors or the like. PPTP functions great with the directory admin account, logs all look normal.


To me, it seems like I can rule out network issues, as one account gets through, but I think it points to a Lion problem. I have allowed access for all users for the VPN in Server Admin, and have the Time Capsule allowing VPN on both L2TP and PPTP. Back to My Mac is not enabled (to prevent port issues).


I was thinking that it would be nice to verify the access list for VPN connections via the terminal, but I don't know what commands are available for that.


Any ideas are appreciated!

Mac mini, Mac OS X (10.7.4)

Posted on Jun 1, 2012 12:18 PM

Question marked as Best reply

Posted on Jun 3, 2012 12:47 AM

You should be able to track the steps of the connection buildup and failure in your log files, both on the client as well as on the server.

5 replies

Jun 3, 2012 1:23 AM in response to denisefromak

Also, you might look into this: http://support.apple.com/kb/HT4748


You can find the shortname for the vpn user in Workgroup Manager->View System Records


This is the solution that worked for me when using L2TP, and only the server admin could login as VPN user.


In vpnd.log there should be an error about 'failing to retrieve MPPE encryption keys' for the user trying to logon. Maybe best if you check that first.

Jun 5, 2012 12:54 PM in response to denisefromak

To follow up for future searchers:


Apple support article: http://support.apple.com/kb/HT4748 was very helpful, but it still did not resolve the issue. What is important to mention, though, is that PPTP works with domain accounts, L2TP with local accounts in all cases. I believe the bug in Lion is a little more deep-seated in some cases, this one being an example. I have worked around the issue by having my client connect with PPTP and the directory admin account, but accessing the file share with her authentication info (her Open Directory account).


Thanks!

Jul 18, 2012 5:35 PM in response to denisefromak

I am also seeing a similar issue.


But some background first... I had originally exported Open Directory accounts from a 10.5.x server and imported them to the 10.7.4 server. I then had passwords re-entered individually for the accounts, but couldn't get VPN to work even on site. I ended up having to delete the accounts and recreate them individually, but with the same UID, in order to get internal VPN to work.


Now I can log in with domain accounts through PPTP from off site, but can't log in at all with L2TP from off site. I can log in with both from on site. I have disabled firewalls on the router and server - temporarily - just to make sure that wasn't an issue... and it wasn't. I have also routed everything through the router so that shouldn't be the issue either. The only log entry of value I can find is below, after seeing similar messages saying transmit and receive were successful 4 or 5 times.


racoon[189]: IKE Packet: receive failed. (Responder, Main-Mode Message 5).


Any ideas or resolutions?
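Picking up the two log hints in this thread (the vpnd.log 'failing to retrieve MPPE encryption keys' error in the earlier reply and the racoon 'IKE Packet: receive failed' line quoted just above), here is a small added shell script for triaging a log file for those two symptoms. It is not part of the thread and not an Apple tool. The sample log lines inside it are constructed to resemble the quoted messages; the function names, the 'for user NAME' wording on the MPPE line, and the log path /var/log/ppp/vpnd.log are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): triage a Lion Server VPN log for the two
# symptoms the replies point at: the 'MPPE encryption keys' error in vpnd.log and
# racoon's 'IKE Packet: receive failed' line. The lines below are CONSTRUCTED to
# resemble those messages. Assumption: the real log is /var/log/ppp/vpnd.log and
# racoon messages are in the same syslog-style 'date host process[pid]: text' form.

SAMPLE_FILE=$(mktemp)
cat > "$SAMPLE_FILE" <<'EOF'
Jun  5 12:01:03 server vpnd[312]: Incoming call... Address given to client = 10.0.1.200
Jun  5 12:01:04 server pppd[320]: CHAP peer authentication succeeded for jdoe
Jun  5 12:01:04 server pppd[320]: failing to retrieve MPPE encryption keys for user jdoe
Jun  5 12:05:11 server racoon[189]: IKE Packet: transmit success. (Responder, Main-Mode message 2).
Jun  5 12:05:12 server racoon[189]: IKE Packet: receive success. (Responder, Main-Mode Message 3).
Jun  5 12:05:13 server racoon[189]: IKE Packet: transmit success. (Responder, Main-Mode message 4).
Jun  5 12:05:14 server racoon[189]: IKE Packet: receive failed. (Responder, Main-Mode Message 5).
EOF

# PPP-side symptom: CHAP passed, but the server could not obtain the MS-CHAP
# hash material it needs to derive MPPE keys for that account, so the session
# is dropped right after authentication. Count how often that happened.
mppe_key_failures() {
    grep -c 'MPPE encryption keys' "$1" || true
}

# Which accounts hit the MPPE error (assumed message format '... for user NAME'),
# so you can tell one broken account from every account being broken.
mppe_failed_users() {
    grep 'MPPE encryption keys' "$1" | sed 's/.*for user //' | sort -u \
        | tr '\n' ' ' | sed 's/ *$//'
}

# IPsec-side symptom: the Main-Mode message number at which racoon first
# reported a receive failure. For L2TP this happens before any PPP session
# exists, which is why vpnd.log can stay empty while the client still fails.
ike_failed_at() {
    grep 'racoon\[' "$1" | grep 'receive failed' \
        | sed -n 's/.*Main-Mode [Mm]essage \([0-9]*\).*/\1/p' | head -n 1
}

# Map that message number to the stage of IKEv1 Main Mode that broke.
ike_hint() {
    n=$(ike_failed_at "$1")
    case "$n" in
        '')  echo "no-ike-failure" ;;
        1|2) echo "proposal-mismatch" ;;  # SA proposals: cipher, hash, DH group
        3|4) echo "key-exchange" ;;       # Diffie-Hellman values and nonces
        5|6) echo "identity-auth" ;;      # first encrypted messages: shared secret or NAT-T
        *)   echo "unknown" ;;
    esac
}

# One-screen summary for a log file.
triage() {
    echo "MPPE key failures : $(mppe_key_failures "$1") (users: $(mppe_failed_users "$1"))"
    echo "IKE receive failed: message $(ike_failed_at "$1") -> $(ike_hint "$1")"
}

triage "$SAMPLE_FILE"
```

Run it against your own log with `triage /var/log/ppp/vpnd.log` (assumed path) or against the system log where racoon writes on your build. A failure at Main-Mode message 5 or 6 is the first point where the two peers have to decrypt each other's traffic using keys derived from the shared secret, so a stall there points at the secret or at NAT traversal (UDP 500/4500, IP protocol 50) rather than at the user account; an MPPE key error with a successful CHAP line points at the account's password-server data rather than at the network.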

