11 Replies Latest reply: Apr 21, 2014 5:45 AM by iToaster
Gunny Sack Level 1 (40 points)

I'm running 10.6.8 Server on a Mac Mini. The VPN server used to work reliably, but for months now I haven't been able to connect to it. PPTP is completely busted ("MPPE required, but keys are not available. Possible plugin problem?" error) and I've given up on it.


However, L2TP works partly. I can connect to it on my local network, but if I try to connect to it from an external connection (3G on my iPhone or café WiFi on my MacBook Pro), I can't connect. The VPN server doesn't even receive the incoming connection request. There are no errors in the log, nor even entries about attempted connections. I'm using MSChapv2 with a shared secret and the VPN IP address range is outside that of the server and the router's DHCP addresses.


I have an Airport Extreme Base Station. The correct L2TP ports are open but for whatever reason, the VPN clients on my other devices can't establish a connection with the server.


Any ideas?

  • Gunny Sack Level 1 (40 points)

    Just to add some more info. I put the OS X 10.6.8 server IP into DMZ mode on the Airport Extreme and that didn't help. The server's VPN logs don't even record attempted connections. It's almost as if Snow Leopard's L2TP server is not looking for connections coming from outside the local network. At least with external PPTP connections, the server sees and logs the connection attempts.


    I also wondered if my iPhone 4 or iOS 6/7 were blocking L2TP but that doesn't seem to be the case since I can connect to 3rd-party VPN services like IPVanish.


    I'm completely baffled by this.

  • iToaster Level 3 (735 points)

    Since it was working, if you're not using a domain name to connect to your VPN, perhaps your IP address has changed.

    Or your ISP could be blocking VPN connections.

    Make sure the network that is connecting to your VPN is in a different IP range.

  • Gunny Sack Level 1 (40 points)

    I use a DNS address from www.no-ip.com to point to my server. I also tested the VPN with the actual IP address. My server's internal address is 192.168.2.100 and the range for the VPN server is 192.168.2.200 - 192.168.2.220.


    As I said, it used to work reliably for several years and then sometime early last year, it just stopped working. I wonder if an Apple security update broke something.


    If I try to connect to the PPTP VPN server, the log shows the connection attempts, but with the L2TP server, the logs show nothing.

  • Gunny Sack Level 1 (40 points)

    Anything else I can try before I give up on this?

  • iToaster Level 3 (735 points)

    If your server is an OD master, try the following from Terminal:


    vpnaddkeyagentuser /LDAPv3/127.0.0.1


    This will add a new VPN user key and should fix your missing MPPE key error message.

  • iToaster Level 3 (735 points)

    Try connecting to your VPN via a smartphone with a VPN connection set up on it.

    You'll be able to watch the server logs in real time as you're connecting.


    Forgot to mention in my previous post: if you want to clean things up,

    remove the VPN user key from OD before generating the new VPN user.

    You can do this from the OD user admin. If you'd rather not delete the old VPN user key,

    you can generate a new one and see if it fixes the VPN problem. Then delete all the VPN user keys

    and generate a new one. This is only if you want to keep things clean and not have multiple VPN user keys in the OD.


    Shut down VPN while you're doing this.

  • Gunny Sack Level 1 (40 points)

    iToaster,


    Thank you. The "vpnaddkeyagentuser /LDAPv3/127.0.0.1" command fixed my PPTP VPN server problem. I can now connect via PPTP from my laptop and iPhone.


    However, L2TP still only works on the LAN. If I try to connect from the WAN when outside my home, I can't connect. VPN logs show nothing, not even connection attempts. For some reason the L2TP is ignoring incoming connection requests or my Airport Extreme is blocking the L2TP ports even though I have them open and forwarded.

  • iToaster Level 3 (735 points)

    You're welcome.

    I'd say you may be missing one of the L2TP ports if there are no connection attempts in the server logs and L2TP works on the LAN.

  • Gunny Sack Level 1 (40 points)

    I've got UDP ports 500, 1701, and 4500 open. Those are the only ones mentioned by Apple as being necessary for L2TP. Is there another port I need to open?


    I have seen some sites mention something called protocol 50 (ESP). But I don't know how to open "protocol 50" on an Airport Extreme. I assume that this is something that is only accessible on 3rd party routers and that the Apple Airport Extreme has it opened by default.


    Hmm, I just put the server IP as DMZ host and the incoming L2TP connection request still isn't received.

  • Gunny Sack Level 1 (40 points)

    Success!


    iToaster, you got me on the right track thinking that the problem was with port forwarding. I tried to find an up-to-date Apple document about which ports their services use. Before, I had been relying on OS X 10.6 manuals and documentation and some web searches.


    I found this Apple document and looked at the entries for ports 500, 1701, and 4500. Under UDP port 500, it mentions that this port is also used by Back to My Mac. But under UDP port 4500, there was the following entry:

    OS X Server VPN service, Back to My Mac. Note: Configuring Back to My Mac on an AirPort Base Station or Time Capsule in NAT mode will impede connectivity to an OS X Server VPN service behind that NAT.


    I checked my Airport Extreme and noticed that my Apple ID was entered in the Back to My Mac section of the Base Station. I deleted that, rebooted the router, and tried to connect to the L2TP VPN server. This time it worked.


    For some baffling reason, Apple has decided that Back to My Mac should use the same ports as L2TP VPN servers. I don't understand why they would do this. Surely there must be other ports they can use for Back to My Mac.


    Well, at least the mystery is solved.
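An added diagnostic for the question that ran through this whole thread (does the connection request reach the server at all, or does the server see it and stay silent?); it is not code from the thread or from Apple. It reads `tcpdump -n` lines captured on the server's own interface during a connection attempt and reports which side of the NAT the fault sits on, which is what distinguishes a router feature holding UDP 500/4500 (the Back to My Mac case above) from a broken VPN service. The server address, the `en0` interface name and the capture lines it is tested with are assumptions and constructed samples.

```python
import re
from collections import Counter

# UDP ports an L2TP/IPsec server must receive (the three named in the thread) and their roles.
# Plain UDP 1701 normally travels inside ESP, so it only shows up here if IPsec is bypassed.
ROLES = {500: "IKE", 4500: "NAT-T", 1701: "L2TP"}

# Patterns for `tcpdump -n` output; the lines this is exercised with are constructed, not real captures.
IP4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
UDP_RE = re.compile(rf"IP {IP4}\.(\d+) > {IP4}\.(\d+):")
ESP_RE = re.compile(rf"IP {IP4} > {IP4}: ESP\(")  # raw ESP (IP protocol 50) carries no port

def classify(line, server_ip):
    """Map one capture line to (direction, role); None if it is not VPN traffic for server_ip."""
    m = UDP_RE.search(line)
    if m:
        src, sport, dst, dport = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
        if dst == server_ip and dport in ROLES:
            return ("in", ROLES[dport])
        if src == server_ip and sport in ROLES:
            return ("out", ROLES[sport])
        return None
    m = ESP_RE.search(line)
    if m and server_ip in m.groups():
        return ("in" if m.group(2) == server_ip else "out", "ESP")
    return None

def diagnose(lines, server_ip):
    """Locate the fault from what the server's own interface saw during one connection attempt."""
    seen = Counter(c for c in (classify(l, server_ip) for l in lines) if c)
    if not any(d == "in" for d, _ in seen):
        # Nothing arrived: NAT forwarding, a router feature holding UDP 500/4500, or the ISP.
        return "upstream"
    if ("in", "IKE") in seen and ("out", "IKE") not in seen:
        # IKE reached the server but the VPN service never replied: the problem is on the server.
        return "server-silent"
    if any(d == "in" and role != "IKE" for d, role in seen):
        # Negotiation got past IKE phase 1; what is left is authentication or L2TP itself.
        return "tunnel-traffic"
    # Both sides spoke IKE but it never progressed: shared secret or proposal mismatch.
    return "ike-only"

def watch_command(interface="en0"):  # interface name is an assumption
    """tcpdump invocation for the server that captures exactly what classify() understands."""
    return f"tcpdump -ni {interface} 'udp port 500 or udp port 4500 or udp port 1701 or ip proto 50'"
```

Run the command from `watch_command()` on the server while a phone attempts to connect from outside, then feed the saved lines to `diagnose()`.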

  • iToaster Level 3 (735 points)

    Well done sorting that out!