5 Replies Latest reply: Oct 29, 2013 9:14 AM by pmlst097
pmlst097 Level 1 Level 1

I have setup VPN L2TP on my macbook pro,  I can access the VPN on my iPad locally just fine.  When I try to access it through the internet, externally, I receive the message ( on my iPad) "The L2TP-VPN server did not respond.  Try reconnecting.  If the problem continues, verify your settings and contact your administrator".  I suspect this is due to my router ( apple time capsule ) and its built in firewall. I should be able to put in a rule to allow the ports through.  which ports are necessary?

MacBook Air (13-inch Mid 2013), OS X Mavericks (10.9)
  • MrHoffman Level 6 Level 6
    Mac OS X

    On Time Capsule and AirPort Extreme, shut off the Back To My Mac and enable VPN Passthrough.  That'll have the proper ports enabled for you. 


    As for your question:


    Depending on the exact set-up of the network, L2TP requires UDP ports 500, 1701 and 4500 and the IP-ESP protocol, which is IP protocol 50; ESP.


    Other than ESP (which is protocol 50 and not port 50), these are UDP ports, and not TCP.


    It is common for L2TP passthrough to fail when more than one connection is active.


    As compared with L2TP, PPTP is usually easier to get going when there's NAT around, though PPTP is less secure than L2TP.


    Use of an external firewall-gateway with an embedded VPN server is recommended.  (NAT passthrough is something best avoided.)


    Also ensure your ISP is not blocking VPN connections.  There are ISPs that block server-oriented ports on the residential service tier.  (If you're on a business-class tier, ignore this.)

  • danmcq Level 1 Level 1

    If the VPN server you're trying to connect to is running Mavericks, L2TP is currently broken, without a fix. See here:



  • pmlst097 Level 1 Level 1

    I was able to get it to work a few days ago, externally through the internet, then it stopped working.  when I look at the log in osx server I can see the ipad client communicating with the osx server.  Interesting too is that osx server alters the settings in my timecapsule to allow the necessary ports through.  I suspect there is a trace or diagnostic that can be activated to show what is wrong

  • pmlst097 Level 1 Level 1

    I recreated the error and the log on the server side is as below


    racoon[324]: Connecting.

    racoon[324]: IPSec Phase 1 started (Initiated by peer).

    racoon[324]: IKE Packet: receive success. (Responder, Main-Mode message 1).

    racoon[324]: >>>>> phase change status = Phase 1 started by us

    racoon[324]: IKE Packet: transmit success. (Responder, Main-Mode message 2).

    racoon[324]: IKE Packet: receive success. (Responder, Main-Mode message 3).

    racoon[324]: IKE Packet: transmit success. (Responder, Main-Mode message 4).

    racoon[324]: Connecting.

    racoon[324]: IKE Packet: transmit success. (Phase 1 Retransmit).

    --- last message repeated 3 times ---

    kernel[0]: Sandbox: xcscredd(138) deny file-read-metadata /Users

    --- last message repeated 16 times ---

    sandboxd[115] ([138]): xcscredd(138) deny file-read-metadata /Users