Post Mavericks (server) upgrade, vpn has stopped working. Any suggestions?

Just had to laugh at Crapple's solution to the L2TP problem

http://support.apple.com/kb/TS5313

Reads - "hey moronic Crapple users! Yeh like dudes l2tp like doesn't work right now, but we've got like this awesome solution for you ... are you ready?" **yup we're ready Crapple** "Ok then loser, our solution is .... don't use it ! 🙂 ... Great solution isnt it, do you like it?"

**no crapple I think it's the worst solution I've ever seen to a major bug in a piece of software!** 😠

@formerlyknownas- still working for me, try a repair of the permissions on the disk-mine complained a bunch about iBooks (an app I haven't opened on the server) and then a ton of racoon related stuff. So @kerryfung basically here's what I did- taking into account you need to back up this file and do this at your own risk!!!

I created a VM of Mountain Lion Server in VMWare Fusion, ran any updates that it wanted. Then in Finder on the VM I needed the following file /usr/sbin/racoon as suggested by JoshuaOchs. To get this in Finder hit command + shift + g and enter /usr/sbin and then hit ok. This will open the correct folder, copy the racoon file onto the desktop of the Mavericks server.

Now on the Mavericks server use the same finder command to open the /usr/sbin folder and copy the racoon file to somewhere safe (another folder).

Then copy in the racoon file from the Mountain Lion server, it will ask you put in an admin login/password. At this point reboot. After rebooting open the log in the server and you should see if complaining about IP Sec Self Repair and cannot connect to racoon. Run repair disk permissions, reboot again and you should be good to go.

I've rebooted several times no issues.

If folks need a raccon file I can post one if I get scout's honor on not trying to mess with my server.

That was one poor and embarrassing solution to a pretty major problem.

Hi kellentat

I tried running permission repair but it didn't work for me. Edit - I also tried removing the extended attributes (@) from the permissions on the copied racoon file, but had no joy ..

I'm wondering maybe if it's because my latest TM backup of ML is quite old (10.8.3 i think!).

I'm presuming from your VM it will be 10.8.5 you've copied the file from?

D

Yep- it was a fresh instance of ML and Server 2.2. Do you have a VM app? If you do you could download the ML installer and then from there follow what I did with a blank ML image and install server on top of that.

Thanks mate .. I'm running Fusion 6, I'll give your method a try when I have time

🙂

I had the same problem. Yesterday I updated to Server 3.0.1, which seems to fix this!

Upgrading to 3.0.1 has not resolved this problem here. I have updated the racoon file without a restart and it didn't work. Will restart at the end of the day and update..

The Server 3.0.1 update did fix external access to the calendar and contact services but VPN is still broken. I see these logs when trying to connect externally from my iPhone:

2013-11-14 11:16:46.943 AM racoon[447]: Connecting.

2013-11-14 11:16:46.943 AM racoon[447]: IPSec Phase 1 started (Initiated by peer).

2013-11-14 11:16:46.943 AM racoon[447]: IKE Packet: receive success. (Responder, Main-Mode message 1).

2013-11-14 11:16:46.943 AM racoon[447]: >>>>> phase change status = Phase 1 started by us

2013-11-14 11:16:46.943 AM racoon[447]: IKE Packet: transmit success. (Responder, Main-Mode message 2).

2013-11-14 11:16:47.046 AM racoon[447]: IKE Packet: receive success. (Responder, Main-Mode message 3).

2013-11-14 11:16:47.068 AM racoon[447]: IKE Packet: transmit success. (Responder, Main-Mode message 4).

2013-11-14 11:16:47.147 AM racoon[447]: Connecting.

2013-11-14 11:16:50.242 AM racoon[447]: IKE Packet: transmit success. (Phase 1 Retransmit).

… repeated multiple times …

2013-11-14 11:19:28.027 AM racoon[447]: IKEv1 Phase 1: maximum retransmits. (Phase 1 Maximum Retransmits).

2013-11-14 11:19:28.027 AM racoon[447]: Phase 1 negotiation failed due to time up. 2c03a5b1d53ee4a3:ec9effb974f18930

The iPhone eventually times out and says, "The L2TP-VPN server did not respond."

Apple has some more work to do.

same same ..

14/11/2013 20:40:38.193 racoon[198]: Connecting.

14/11/2013 20:40:38.193 racoon[198]: IPSec Phase 1 started (Initiated by peer).

14/11/2013 20:40:38.193 racoon[198]: IKE Packet: receive success. (Responder, Main-Mode message 1).

14/11/2013 20:40:38.194 racoon[198]: >>>>> phase change status = Phase 1 started by us

14/11/2013 20:40:38.194 racoon[198]: IKE Packet: transmit success. (Responder, Main-Mode message 2).

14/11/2013 20:40:38.229 racoon[198]: IKE Packet: receive success. (Responder, Main-Mode message 3).

14/11/2013 20:40:38.247 racoon[198]: IKE Packet: transmit success. (Responder, Main-Mode message 4).

14/11/2013 20:40:38.283 racoon[198]: Connecting.

14/11/2013 20:40:41.480 racoon[198]: IKE Packet: transmit success. (Phase 1 Retransmit).

14/11/2013 20:40:44.778 racoon[198]: IKE Packet: transmit success. (Phase 1 Retransmit).

14/11/2013 20:40:48.052 racoon[198]: IKE Packet: transmit success. (Phase 1 Retransmit).

14/11/2013 20:41:01.209 racoon[198]: IKE Packet: transmit success. (Phase 1 Retransmit).

However - If i connect the client to a 3rd party l2tp VPN first, and then connect to my OS X server l2tp VPN, it connects ..

14/11/2013 20:45:30.616 racoon[198]: Connecting.

14/11/2013 20:45:30.616 racoon[198]: IPSec Phase 1 started (Initiated by peer).

14/11/2013 20:45:30.616 racoon[198]: IKE Packet: receive success. (Responder, Main-Mode message 1).

14/11/2013 20:45:30.617 racoon[198]: >>>>> phase change status = Phase 1 started by us

14/11/2013 20:45:30.617 racoon[198]: IKE Packet: transmit success. (Responder, Main-Mode message 2).

14/11/2013 20:45:30.644 racoon[198]: IKE Packet: receive success. (Responder, Main-Mode message 3).

14/11/2013 20:45:30.661 racoon[198]: IKE Packet: transmit success. (Responder, Main-Mode message 4).

14/11/2013 20:45:30.684 racoon[198]: Ignore INITIAL-CONTACT notification, because it is only accepted after Phase 1.

14/11/2013 20:45:30.684 racoon[198]: IKEv1 Phase 1 AUTH: success. (Responder, Main-Mode Message 5).

14/11/2013 20:45:30.684 racoon[198]: IKE Packet: receive success. (Responder, Main-Mode message 5).

14/11/2013 20:45:30.684 racoon[198]: IKEv1 Phase 1 Responder: success. (Responder, Main-Mode).

14/11/2013 20:45:30.684 racoon[198]: IKE Packet: transmit success. (Responder, Main-Mode message 6).

14/11/2013 20:45:30.685 racoon[198]: IKE Packet: transmit success. (Information message).

14/11/2013 20:45:30.685 racoon[198]: IKEv1 Information-Notice: transmit success. (ISAKMP-SA).

14/11/2013 20:45:30.685 racoon[198]: IPSec Phase 1 established (Initiated by peer).

14/11/2013 20:45:31.709 racoon[198]: IPSec Phase 2 started (Initiated by peer).

14/11/2013 20:45:31.709 racoon[198]: IKE Packet: receive success. (Responder, Quick-Mode message 1).

14/11/2013 20:45:31.709 racoon[198]: >>>>> phase change status = Phase 2 started

14/11/2013 20:45:31.710 racoon[198]: IKE Packet: transmit success. (Responder, Quick-Mode message 2).

14/11/2013 20:45:31.731 racoon[198]: IKE Packet: receive success. (Responder, Quick-Mode message 3).

14/11/2013 20:45:31.731 racoon[198]: IKEv1 Phase 2 Responder: success. (Responder, Quick-Mode).

14/11/2013 20:45:31.731 racoon[198]: IPSec Phase 2 established (Initiated by peer).

14/11/2013 20:45:31.732 racoon[198]: >>>>> phase change status = Phase 2 established

Closing the 3rd party VPN tunnel, obviously, closes both tunnels!

There's clearly not a NAT or Firewall issue on the client network as the 3rd party l2tp VPN connection wouldn't work either!

And there's not a clash of subnets. The client network is 10.20.101 ... and my home network where my OS X server lives is 192.168.60 .. and the 3rd party VPN service I connect to dishes out 192.168.80 .. ..

The 3rd party VPN connection is also NAT'd ........

FKA

There is no update to the /usr/sbin/racoon file in Server 3.0.1 so if VPN was not working before 3.0.1, i doubt it's working now.

Agreed that their official support note leaves a LOT to be desired (and since when did PPTP require a directory account?), but the fact that they posted it at all means they're aware of the issue. They had a similar note up for the 13-inch Retina "loss of keyboard/trackpad" bug, and a couple weeks later it was fixed. Fingers crossed.

I took a more drastic approach to fixing this - I loaded up a Linux VM in VirtualBox and configured Racoon myself (fortunately I spent a couple weeks on Linux VPN setup a few months back, so I knew what to do). Setting it up by hand worked perfectly, although attempting to use the same config file with the built-in racoon didn't work - rather annoying. At least I have a workaround for now.

Solved enabling l2tp and pptp option on Server app, creating a NAT of 1723 tcp port. Now, my L2TP vpn work from outside using my iphone or mac.

(i don't understand why....)

I guess you use pptp. l2tp is not working with 1723 port.

Funny, I saw the same thing when I repaired the permissions on my disk, a bunch of references to iBook. I wonder what happened there. VPN in Mavericks was working for me outside and inside my network at first.

I see that I can still download ML from the Apps page, is it possible to download that file and use it to install a VM in Parallels? I can't remember if you can download it without it auto-installing or not. I'd rather not mess up Mavericks.

Lobo59