
Can't connect to L2TP VPN Server from internet, but can connect locally

I'm running 10.6.8 Server on a Mac Mini. The VPN server used to work reliably, but for months now I haven't been able to connect to it. PPTP is completely busted ("MPPE required, but keys are not available. Possible plugin problem?" error) and I've given up on it.


However, L2TP works partly. I can connect to it on my local network, but if I try to connect to it from an external connection (3G on my iPhone or café WiFi on my MacBook Pro), I can't connect. The VPN server doesn't even receive the incoming connection request. There are no errors in the log, nor even entries about attempted connections. I'm using MSChapv2 with a shared secret and the VPN IP address range is outside that of the server and the router's DHCP addresses.


I have an Airport Extreme Base Station. The correct L2TP ports are open but for whatever reason, the VPN clients on my other devices can't establish a connection with the server.


Any ideas?

Posted on Apr 3, 2014 2:33 PM


Apr 5, 2014 3:29 PM in response to Gunny Sack

Just to add some more info. I put the OS X 10.6.8 server IP into DMZ mode on the Airport Extreme and that didn't help. The server's VPN logs don't even record attempted connections. It's almost as if Snow Leopard's L2TP server is not looking for connections coming from outside the local network. At least with external PPTP connections, the server sees and logs the connection attempts.


I also wondered if my iPhone 4 or iOS 6/7 were blocking L2TP but that doesn't seem to be the case since I can connect to 3rd-party VPN services like IPVanish.


I'm completely baffled by this.

Apr 6, 2014 7:18 PM in response to iToaster

I use a DNS address from www.no-ip.com to point to my server. I also tested the VPN with the actual IP address. My server's internal address is 192.168.2.100 and the range for the VPN server is 192.168.2.200 - 192.168.2.220.


As I said, it used to work reliably for several years and then sometime early last year, it just stopped working. I wonder if an Apple security update broke something.


If I try to connect to the PPTP VPN server, the log shows the connection attempts, but with the L2TP server, the logs show nothing.

Apr 12, 2014 9:02 PM in response to iToaster

Try connecting to your VPN via a smartphone with VPN connection setup on it

You'll be able to watch the server logs in real time as you're connecting


Forgot to mention in my previous post, if you want to clean things up

Remove the VPN user key from OD before generating the new VPN user

You can do this from the OD user admin, if you'd rather not delete the old VPN user key

You can generate a new one see if it fixes VPN problem. Then delete all the VPN user keys

And generate a new one, this is only if you want to keep things clean and not have multiple VPN user keys in the OD


Shut down VPN while you're doing this

Apr 14, 2014 3:12 PM in response to iToaster

iToaster,


Thank you. The "vpnaddkeyagentuser /LDAPv3/127.0.0.1" command fixed my PPTP VPN server problem. I can now connect via PPTP from my laptop and iPhone.


However, L2TP still only works on the LAN. If I try to connect from the WAN when outside my home, I can't connect. VPN logs show nothing, not even connection attempts. For some reason the L2TP is ignoring incoming connection requests or my Airport Extreme is blocking the L2TP ports even though I have them open and forwarded.

Apr 17, 2014 3:46 PM in response to iToaster

I've got UDP ports 500, 1701, and 4500 open. Those are the only ones mentioned by Apple as being necessary for L2TP. Is there another port I need to open?


I have seen some sites mention something called protocol 50 (ESP). But I don't know how to open "protocol 50" on an Airport Extreme. I assume that this is something that is only accessible on 3rd party routers and that the Apple Airport Extreme has it opened by default.


Hmm, I just put the server IP as DMZ host and the incoming L2TP connection request still isn't received.
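The posts above keep circling the same open question: the server's VPN log shows nothing, so is the router dropping the traffic or is the server ignoring it? The check that settles that is a packet capture on the server's own interface (on 10.6 something like `tcpdump -ni en0 'udp port 500 or udp port 4500 or udp port 1701 or ip proto 50'`; the interface name is an assumption), because that shows whether UDP 500/4500 ever arrive from outside the LAN regardless of what the VPN service logs. The following is an added example, not code from this thread or from Apple: it decodes constructed IPv4/UDP and ESP packets of the kind such a capture would contain, buckets them by L2TP/IPsec component and LAN/WAN origin, and returns a verdict. The server address is the one given in the thread; the client addresses, the `lan_prefix` heuristic and the verdict wording are my own. One caveat the example encodes: a client behind NAT (3G, café WiFi) negotiates NAT-T and carries ESP inside UDP 4500, so raw protocol 50 is not needed in that case.

```python
import struct
from collections import Counter

# Ports the thread identifies for L2TP/IPsec (all UDP) and raw ESP (IP protocol 50).
IKE_PORT = 500      # IKE / ISAKMP
NAT_T_PORT = 4500   # IKE and ESP encapsulated in UDP once NAT is detected
L2TP_PORT = 1701    # L2TP itself; only visible in cleartext when IPsec is not used
ESP_PROTO = 50      # raw ESP; not required when the client uses NAT-T on UDP 4500
UDP_PROTO = 17

def ip_to_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))

def bytes_to_ip(raw):
    return ".".join(str(octet) for octet in raw)

def build_udp_packet(src, dst, sport, dport, data=b""):
    """Construct a minimal IPv4+UDP packet (no options, zero checksums) as a sample."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                     UDP_PROTO, 0, ip_to_bytes(src), ip_to_bytes(dst))
    return ip + udp

def build_esp_packet(src, dst, spi=1, seq=1):
    """Construct a sample IPv4 packet carrying raw ESP (protocol 50): SPI + sequence only."""
    esp = struct.pack("!II", spi, seq)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(esp), 0, 0, 64,
                     ESP_PROTO, 0, ip_to_bytes(src), ip_to_bytes(dst))
    return ip + esp

def parse_packet(raw):
    """Decode the IPv4 header and, for UDP, the destination port."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    info = {"src": bytes_to_ip(src), "dst": bytes_to_ip(dst), "proto": proto, "dport": None}
    if proto == UDP_PROTO:
        if len(raw) < ihl + 8:
            raise ValueError("truncated UDP header")
        _, dport, _, _ = struct.unpack("!HHHH", raw[ihl:ihl + 8])
        info["dport"] = dport
    return info

def classify(info):
    """Map a decoded packet onto the L2TP/IPsec component it belongs to, or None."""
    if info["proto"] == ESP_PROTO:
        return "esp"
    if info["proto"] != UDP_PROTO:
        return None
    return {IKE_PORT: "ike", NAT_T_PORT: "nat-t", L2TP_PORT: "l2tp"}.get(info["dport"])

VERDICTS = {
    "not-forwarded": "no IKE traffic from outside the LAN reached the server: UDP 500/4500 "
                     "are not being forwarded (or something on the NAT device is consuming them)",
    "nat-t-missing": "IKE on UDP 500 arrives from outside but nothing on UDP 4500: clients "
                     "behind NAT switch to 4500 after NAT detection, so forward that port too",
    "reaching-server": "IKE from outside the LAN is arriving, so the router is not the problem: "
                       "check the server's IPsec (racoon) and L2TP logs instead",
}

def diagnose(packets, server_ip, lan_prefix="192.168."):
    """Count which VPN components reached server_ip, split by LAN vs WAN origin
    (lan_prefix is a crude assumption for the example), and return (counts, code)."""
    counts = Counter()
    for raw in packets:
        info = parse_packet(raw)
        if info["dst"] != server_ip:
            continue
        kind = classify(info)
        if kind is None:
            continue
        origin = "lan" if info["src"].startswith(lan_prefix) else "wan"
        counts[(origin, kind)] += 1
    if counts[("wan", "ike")] == 0 and counts[("wan", "nat-t")] == 0:
        code = "not-forwarded"
    elif counts[("wan", "nat-t")] == 0:
        code = "nat-t-missing"
    else:
        code = "reaching-server"
    return counts, code

# Constructed samples: the server address is the one given in the thread,
# the client addresses are invented (203.0.113.0/24 is documentation space).
SERVER = "192.168.2.100"
LAN_ONLY = [
    build_udp_packet("192.168.2.50", SERVER, 500, IKE_PORT),
    build_udp_packet("192.168.2.50", SERVER, 4500, NAT_T_PORT),
]
WAN_OK = LAN_ONLY + [
    build_udp_packet("203.0.113.7", SERVER, 500, IKE_PORT),
    build_udp_packet("203.0.113.7", SERVER, 4500, NAT_T_PORT),
    build_esp_packet("203.0.113.7", SERVER),
]

if __name__ == "__main__":
    for name, sample in (("LAN only", LAN_ONLY), ("WAN reaching server", WAN_OK)):
        counts, code = diagnose(sample, SERVER)
        print(f"{name}: {dict(counts)} -> {VERDICTS[code]}")
```

Run as-is, the LAN-only sample (the situation described in this thread: local clients fine, nothing from outside) yields `not-forwarded`, while the second sample yields `reaching-server`. In practice the raw bytes would come from the capture rather than the constructed samples, and a `not-forwarded` verdict means the next place to look is the NAT device's configuration, not the VPN service.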

Apr 17, 2014 4:29 PM in response to Gunny Sack

Success!


iToaster, you got me on the right track thinking that the problem was with port forwarding. I tried to find an up-to-date Apple document about which ports their services use. Before, I had been relying on OS X 10.6 manuals and documentation and some web searches.


I found this Apple document and looked at the entries for ports 500, 1701, and 4500. Under UDP port 500, it mentions that this port is also used by Back to My Mac. But under UDP port 4500, there was the following entry:

OS X Server VPN service, Back to My Mac. Note: Configuring Back to My Mac on an AirPort Base Station or Time Capsule in NAT mode will impede connectivity to an OS X Server VPN service behind that NAT.


I checked my Airport Extreme and noticed that my Apple ID was entered in the Back to My Mac section of the Base Station. I deleted that, rebooted the router, and tried to connect to the L2TP VPN server. This time it worked.


For some baffling reason, Apple has decided that Back to My Mac should use the same ports as L2TP VPN servers. I don't understand why they would do this. Surely there must be other ports they can use for Back to My Mac.


Well, at least the mystery is solved.
