5 Replies Latest reply: Jul 19, 2012 2:30 AM by Mike Vos
denisefromak Level 1 (0 points)

Hi Everyone!


I have an issue that has really been a difficult one, and I would love any input or advice from other server folks.


I have a client who has a Mac mini Lion server and a Time Capsule router. The VPN was set up as L2TP (not by me) and has NEVER worked. I, with much confidence, was sure I could fix it, but it is proving to be problematic. I have run all the updates (Server 7.4, newest Server Admin, newest AirPort Utility, etc.)


It seems there is some sort of authentication issue happening.

What I have found:


Enabled PPTP, I am able to connect ONLY with the Directory Admin Account.

Cannot connect with ANY account on L2TP.

Have attempted to connect with long names, short names, domain users, local users, and it never connects. Of course, I have verified the shared secret numerous times.

When I attempted to connect with L2TP, nothing shows in the server log, as if it was blocked (internet provider is NOT blocking vpn access), no CHAP errors or the like. PPTP functions great with the directory admin account, logs all look normal.


To me, it seems like I can rule out network issues, as one account gets through, but I think it points to a Lion problem. I have allowed access for all users for the VPN in Server Admin, and have the Time Capsule allowing VPN on both L2TP and PPTP. Back to My Mac is not enabled (to prevent port issues).


I was thinking that it would be nice to verify the access list for VPN connections via the terminal, but I don't know what commands are available for that.


Any ideas are appreciated!

Mac mini, Mac OS X (10.7.4)
  • Good-heart Level 1 (35 points)

    You should be able to track the steps of the connection buildup and failure in your log files, both on the client as well as on the server.

  • Good-heart Level 1 (35 points)

    Also, you might look into this: http://support.apple.com/kb/HT4748


    You can find the shortname for the vpn user in Workgroup Manager->View System Records


    This is the solution that worked for me when using L2TP, when only the server admin could log in as a VPN user.


    In vpnd.log there should be an error about 'failing to retrieve MPPE encryption keys' for the user trying to log on. Maybe best if you check that first.

  • denisefromak Level 1 (0 points)

    To follow up for future searchers:


    Apple support article http://support.apple.com/kb/HT4748 was very helpful, but it still did not resolve the issue. What is important to mention, though, is that PPTP works with domain accounts, and L2TP with local accounts, in all cases. I believe the bug in Lion is a little more deep-seated in some cases, this one being an example. I have worked around the issue by having my client connect with PPTP and the directory admin account, but accessing the file share with her own authentication info (her Open Directory account).



  • stephen2011 Level 1 (10 points)

    I am also seeing a similar issue.


    But some background first... I had originally exported Open Directory accounts from a 10.5.x server and imported them to the 10.7.4 server. I then had passwords re-entered individually for the accounts, but couldn't get VPN to work even on site. I ended up having to delete the accounts and recreate them individually, but with the same UID, in order to get internal VPN to work.


    Now I can log in with domain accounts through PPTP from off site, but can't log in at all with L2TP from off site. I can log in with both from on site. I have disabled firewalls on the router and server - temporarily - just to make sure that wasn't any issue... and it wasn't. I have also routed everything through the router, so that shouldn't be the issue either. The only log entry of value I can find is below, after seeing similar messages saying transmit and receive were successful 4 or 5 times.


    racoon[189]: IKE Packet: receive failed. (Responder, Main-Mode Message 5).


    Any ideas or resolutions?

  • Mike Vos Level 1 (15 points)

    I had the same problem and it was resolved with the following terminal command.


    sudo vpnaddkeyagentuser /LDAPv3/


    Also deleting user ID 57 (VPN MPPE Key access User) in WGM is an option. However, this is only possible if you don't intend to use PPTP anymore.
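Putting the log symptoms from the replies above into one small triage script, as an added example that is not from any poster in this thread: it classifies vpnd/racoon log lines into the failure modes discussed (missing MPPE keys for an Open Directory user, IKE main mode never completing, plain CHAP rejection) and maps each to the check the thread points at. The log lines are constructed for the example; the message texts are the ones quoted in the replies.

```shell
#!/bin/sh
# Added example (not from the thread). Classify Lion Server VPN log lines
# into the symptoms discussed above and count them.
# SAMPLE_LOG is constructed; only the message texts come from the replies.
SAMPLE_LOG='Jul 18 10:01:02 server vpnd[201]: L2TP incoming call in progress from 203.0.113.5
Jul 18 10:01:03 server racoon[189]: IKE Packet: receive failed. (Responder, Main-Mode Message 5).
Jul 18 10:02:10 server vpnd[201]: PPP: CHAP authentication failed for user jdoe
Jul 18 10:02:11 server vpnd[201]: failing to retrieve MPPE encryption keys for user jdoe
Jul 18 10:03:00 server vpnd[201]: PPTP: connection established for user diradmin'

# classify_line LINE -> prints one symptom token
classify_line() {
  case "$1" in
    *"MPPE encryption keys"*)        echo mppe-key ;;   # OD user, PPP up, key fetch fails
    *"Main-Mode Message 5"*)         echo ike-phase1 ;; # IPsec never completes for L2TP
    *"CHAP authentication failed"*)  echo chap ;;       # credentials rejected by PPP
    *"connection established"*)      echo ok ;;
    *)                               echo other ;;
  esac
}

# suggest TOKEN -> the check the thread associates with that symptom
suggest() {
  case "$1" in
    mppe-key)   echo "see HT4748; run: sudo vpnaddkeyagentuser /LDAPv3/" ;;
    ike-phase1) echo "IKE phase 1 failing: recheck shared secret and that UDP 500/4500 reach the server" ;;
    chap)       echo "password or account record rejected; verify user in WGM System Records" ;;
    *)          echo "no action" ;;
  esac
}

# count_symptom TOKEN -> number of SAMPLE_LOG lines classified as TOKEN
count_symptom() {
  n=0
  while IFS= read -r line; do
    if [ "$(classify_line "$line")" = "$1" ]; then n=$((n + 1)); fi
  done <<EOF
$SAMPLE_LOG
EOF
  echo "$n"
}

# Summary when run directly: one line per symptom with its suggested check.
for sym in mppe-key ike-phase1 chap; do
  echo "$sym: $(count_symptom "$sym") line(s) -> $(suggest "$sym")"
done
```

On a real server the same functions can read the live file instead of SAMPLE_LOG (for example `while read` over /var/log/vpnd.log, the location the replies refer to as vpnd.log).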