10.9 VPN behind Airport Extreme no longer works

I am having the same issue, my VPN worked fine on Mountain Lion earlier today and since I upgraded to Mavericks tonight. I have been racking my brain on this issue since updating, all of my other services like Messaging, Profile Manager, and my Website can be accessed either inside or outside of my network. It has to be some type of software problem with the Server.app itself, as I should not have been able to connect with my other services if it was some type of Port forwarding or blocking issue. I will continue to reasearch and try and find an answer for this major issue. Merchon have you tried to connect using your external IP address instead of your VPN host name? I have tried but it does not seem to help me but I would give it a try if you have not yet.

Also my VPN log shows that its waiting for a connection, but nothing changes when I try to connect with my iPhone or my MBP.

Very strange......

I've been seeing the same problem since the GM was released a couple weeks ago. One difference is that I do see the connection negotiation beginning in the logs, but it never completes successfully.

Same problem here. My VPN does not work now from external (LTE) network on mobile devices (iPhone 5S & iPad Mini). No problems before Mavericks and Server 3.

VPN works fine when on the same WiFi network...but that is kind of pointless.

Right now, I'm upset that I paid $19.99 for Server 3 and unwittingly joined the Mavericks beta program.

All that I got from this upgrade is a broken VPN...

It is seeming more and more that Apple is relasing Beta software as release canadates to an unespecting audience. But that does not mean that we cant find some sort of work around. I work on Mac Servers all day and I am at a loss for what to start with at VPN has been a solid rock on previous verisons of the Server app.

I'm having the exact same problem, I was fine with sever and mountain lion, vpn not working at all in Sever 3 and Mavericks

This has to be more than an isolated incidnet at this point. VPN on Server 3 must be wonky.

Same here. After the upgrade, the VPN service doesn't work.

flacojo32's log seems to indicate that there was no connection made, so perhaps there is a firewall issue or port routing issue.

For those of you seeing the problem, do your servers have public IP addresses, or are they on a private LAN behind an Airport? I'm wondering if maybe there is an issue with the Airport's port forwarding for L2TP. Do any of you see incoming connections?

I'm not using an Airport. The firewall on the network is running DD-WRT and no settings have changed since it was working with ML Server. I did test the problem with an Airport Express, though, and was able to reproduce it with that equipment as well.

My server does not have a public address. VPN traffic is forwarded from the firewall. I do see activity when the connection attempt begins, but it never succeeds.

Oct 23 00:31:47 servername racoon[14219]: accepted connection on vpn control socket.

Oct 23 00:32:02 servername racoon[14219]: Connecting.

Oct 23 00:32:02 servername racoon[14219]: IPSec Phase 1 started (Initiated by peer).

Oct 23 00:32:02 servername racoon[14219]: IKE Packet: receive success. (Responder, Main-Mode message 1).

Oct 23 00:32:02 servername racoon[14219]: >>>>> phase change status = Phase 1 started by us

Oct 23 00:32:02 servername racoon[14219]: IKE Packet: transmit success. (Responder, Main-Mode message 2).

Oct 23 00:32:03 servername racoon[14219]: IKE Packet: receive success. (Responder, Main-Mode message 3).

Oct 23 00:32:03 servername racoon[14219]: IKE Packet: transmit success. (Responder, Main-Mode message 4).

Oct 23 00:32:03 servername racoon[14219]: Connecting.

Oct 23 00:32:06 servername racoon[14219]: IKE Packet: transmit success. (Phase 1 Retransmit).

Oct 23 00:32:24 --- last message repeated 3 times ---

Oct 23 00:32:24 servername com.apple.launchd.peruser.502[4494] (com.apple.KerberosHelper.LKDCHelper[47084]): Exited with code: 1

Oct 23 00:32:41 servername racoon[14219]: IKE Packet: transmit success. (Phase 1 Retransmit).

Yep, that's all of it. No real indication of failure even.

What ports would be the issue? I have 500, 1701, 1723, and 4500 all forwarrded to my server from my Time Capsule and nothing. I do not see the clients trying to connect to my VPN server from the logs it appears the service starts and just stits listening for connections. Anyone have any ideas what to try?

I mean VPN error has the feeling of a port forwarding issue but I can still get to my website, profile manager, etc...

flacojo32 wrote:

It is seeming more and more that Apple is relasing Beta software as release canadates to an unespecting audience.

Problem being, developers use OS X previews to develop their apps, but there are not enough folks testing Server. Another problem being, you never know, is it really a bug or did you do a mistake configuring your server. 😐

The server preview was released very late compared to Mavericks proper and the GM release (which is really when a lot of developer-adjacent testers come on board) didn't come out until about a week ago.

I spent almost two weeks rebuilding this system repeatedly, checking it again and again against settings on ML servers I have that still run the VPN service. It is always possible that the problem lies with my settings, of course, but they are absolutely settings that worked under ML Server. If there are differences in server behavior, Apple needs to do a better job of providing documentation for them.

When Apple replaced a $1,000 unlimited license for SL Server with a $30 license for Lion Server, I knew the trouble we were in for. You spend a thousand bucks, Apple has to make it work. You spend $30 bucks ($20 now) Apple says "what do you expect for $30?". Still, it's great when you need to run very small networks that don't need more than it offers.

Well my config worked on Mountain Lion but a direct update to Mavericks wont work? That proves that my configuration was fine and I changed nothing during the update.

So this is not a config problem this is a Server 3.0 problem.

So my point again that its Beta software.