
Unable to connect to El Capitan server VPN from outside the network

Hi.


I am having problems connecting to my VPN from outside of my network. When testing internally, connections succeed and I am able to use the VPN. However, from outside of the network, using an external Wi-Fi network or over 3G / 4G, the connection fails every time. I have tested this using two Android devices, a Windows PC and a MacBook. I have included the server log file as it demonstrates the point of failure. Can anyone advise?


DNS Resolves to my static home IP fine but then fails at the point shown below.


My system spec is:


Mac Mini - mid 2010

El Capitan 10.11

OSX Server 5.0.4(15S2259)


I am using an Apple AirPort as my router, which is handling DHCP and NAT. All required ports are open and automatically handled via Server.



Thanks



Barry.


#Start-Date: 2015-10-10 10:41:47 BST
#Fields: date time s-comment
2015-10-10 10:41:47 BST Loading plugin /System/Library/Extensions/L2TP.ppp
2015-10-10 10:41:47 BST Listening for connections...
2015-10-10 10:43:26 BST Incoming call... Address given to client = 10.0.1.224
Sat Oct 10 10:43:26 2015 : Directory Services Authentication plugin initialized
Sat Oct 10 10:43:26 2015 : Directory Services Authorization plugin initialized
Sat Oct 10 10:43:26 2015 : publish_entry SCDSet() failed: Success!
Sat Oct 10 10:43:26 2015 : publish_entry SCDSet() failed: Success!
Sat Oct 10 10:43:26 2015 : publish_entry SCDSet() failed: Success!
Sat Oct 10 10:43:26 2015 : L2TP incoming call in progress from '<device_external_ip_address_is_displayed_here>'...
Sat Oct 10 10:43:26 2015 : L2TP received SCCRQ
Sat Oct 10 10:43:26 2015 : L2TP sent SCCRP
2015-10-10 10:43:46 BST   --> Client with address = 10.0.1.224 has hungup

OSX Server-OTHER, OS X El Capitan (10.11), OSX Server 5.0.4 (15S2259)

Posted on Oct 10, 2015 3:01 AM

29 replies
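The server log above shows the same shape each time: the server accepts the incoming call, receives the client's SCCRQ, answers with SCCRP, and then nothing further happens until the client hangs up about 20 seconds later. When many attempts are being compared, it helps to parse the log rather than read it by eye. The following script is an added example, not code from the original post or from OS X Server: it splits the vpnd log into sessions, keeps the L2TP control messages seen in each, and reports where each session stopped. The line formats are taken from the post; the second session and its "received SCCCN" line are constructed to show what a completed control-connection handshake looks like against the same parser, and the external addresses are documentation addresses.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

# Constructed sample input: the server-side vpnd log from the post (external address
# replaced by a documentation address), followed by a constructed second session in
# which the client does send SCCCN, so the L2TP control connection comes up.
SAMPLE_LOG = """\
2015-10-10 10:41:47 BST Loading plugin /System/Library/Extensions/L2TP.ppp
2015-10-10 10:41:47 BST Listening for connections...
2015-10-10 10:43:26 BST Incoming call... Address given to client = 10.0.1.224
Sat Oct 10 10:43:26 2015 : Directory Services Authentication plugin initialized
Sat Oct 10 10:43:26 2015 : publish_entry SCDSet() failed: Success!
Sat Oct 10 10:43:26 2015 : L2TP incoming call in progress from '203.0.113.5'...
Sat Oct 10 10:43:26 2015 : L2TP received SCCRQ
Sat Oct 10 10:43:26 2015 : L2TP sent SCCRP
2015-10-10 10:43:46 BST   --> Client with address = 10.0.1.224 has hungup
2015-10-10 10:50:00 BST Incoming call... Address given to client = 10.0.1.225
Sat Oct 10 10:50:00 2015 : L2TP incoming call in progress from '198.51.100.7'...
Sat Oct 10 10:50:00 2015 : L2TP received SCCRQ
Sat Oct 10 10:50:00 2015 : L2TP sent SCCRP
Sat Oct 10 10:50:01 2015 : L2TP received SCCCN
2015-10-10 11:05:00 BST   --> Client with address = 10.0.1.225 has hungup
"""

TS = r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
SESSION_START = re.compile(TS + r" \S+ Incoming call\.\.\. Address given to client = (\S+)")
SESSION_END = re.compile(TS + r" \S+\s+--> Client with address = (\S+) has hungup")
L2TP_CONTROL = re.compile(r" : L2TP (received|sent) ([A-Z]+)\b")
TS_FORMAT = "%Y-%m-%d %H:%M:%S"


@dataclass
class Session:
    client_addr: str
    start: datetime
    end: Optional[datetime] = None
    control_msgs: List[str] = field(default_factory=list)

    @property
    def seconds(self) -> Optional[float]:
        """Lifetime of the session, or None if no hangup line was seen."""
        return (self.end - self.start).total_seconds() if self.end else None


def parse_sessions(text: str) -> List[Session]:
    """Group vpnd log lines into sessions delimited by 'Incoming call' / 'has hungup'."""
    sessions: List[Session] = []
    current: Optional[Session] = None
    for line in text.splitlines():
        m = SESSION_START.match(line)
        if m:
            current = Session(m.group(2), datetime.strptime(m.group(1), TS_FORMAT))
            sessions.append(current)
            continue
        m = SESSION_END.match(line)
        if m and current is not None and current.client_addr == m.group(2):
            current.end = datetime.strptime(m.group(1), TS_FORMAT)
            current = None
            continue
        m = L2TP_CONTROL.search(line)
        if m and current is not None:
            current.control_msgs.append(f"{m.group(1)} {m.group(2)}")
    return sessions


def diagnose(session: Session) -> str:
    """Describe where the L2TP control-connection handshake got to."""
    msgs = session.control_msgs
    if not msgs:
        return "no L2TP control traffic seen"
    if msgs[-1] == "sent SCCRP":
        # The server answered the client's SCCRQ but nothing came back before the
        # hangup: either the reply (UDP 1701 inside the IPsec SA) never reached the
        # client, or the client's SCCCN never reached the server.
        return "stalled after SCCRP"
    if "received SCCCN" in msgs:
        return "control connection established"
    return "ended at " + msgs[-1]


def summarize(text: str):
    """One (client address, lifetime in seconds, verdict) tuple per session."""
    return [(s.client_addr, s.seconds, diagnose(s)) for s in parse_sessions(text)]


if __name__ == "__main__":
    for addr, secs, verdict in summarize(SAMPLE_LOG):
        print(f"{addr}: {secs}s, {verdict}")
```

A session that ends with "sent SCCRP" and nothing after it points at the return path: the server's reply leaves on UDP 1701 inside the IPsec SA, so a NAT or firewall that passes the inbound packets but mishandles the outbound ones, or a client network that rewrites them, produces exactly this pattern while a PPTP session on TCP 1723 still works.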

Oct 10, 2015 6:44 AM in response to barrrrrrrrrry

Hi,


Does your Shared Secret for L2TP contain any characters like this one: "

I have seen connections fail due to that " in the shared secret.

Generate a new shared secret that hasn't got a " in it.


So in your router or the Airport port TCP 1723 for PPTP is open and PPTP works, great!

Are UDP 500, 1701 and 4500 open as well?

Check if your Airport in the settings for network, network options anything active there?


Which user did you use? Is that user allowed access, same user for PPTP and L2TP?

Goodluck


Jeffrey

Oct 10, 2015 7:15 AM in response to jepping

Hi Jeffrey


The shared secret does not have any special characters in it. It used to, but I read a post stating the same, so removed them. For test purposes I am just using upper and lower case numbers and letters.


Open ports on the Airport are as follows:


Public UDP Ports: 500, 1701, 4500

Public TCP Ports: 1723

Private UDP Ports: 500, 1701, 4500

Private TCP Ports: 1723


In Network > Network Options:


An IPv4 IP range is set and Allow incoming IPSec Authentication is ticked. All other options are un-ticked. Enable Port Mapping Protocol used to be ticked but made no difference.


Within Server the IP range for VPN connected devices is outside of the range mentioned above. I can connect locally within my home network, just not from outside using L2TP.


Thanks.

Oct 10, 2015 11:27 PM in response to barrrrrrrrrry

Barr....y,

This may or may not be related to your VPN access issue. Were you having any Keychain problems during the initial upgrade to 10.11?


I was having a pile of them. My company uses Juniper's JUNOS Pulse for VPN, and it would connect only once. Subsequent attempts to connect would hang not only Pulse, but the entire communications pathways on the machine. Nothing in, nothing out on any path. A force-quit, reboot, uninstall Pulse, re-install Pulse would get me connected, again, just once. After banging on it for a few days, I stumbled on the "Save Login Data" in the login screen, and unchecked it. It's worked fine ever since, and I just rationalize that having to enter my password each time is just second-level security.

Oct 11, 2015 1:53 AM in response to barrrrrrrrrry

Hi Schifrin


I had no issues during the upgrade. It was remarkably smooth sailing, to be honest. I have tried rebooting, enabling and disabling VPN, resetting all VPN settings and starting again. But the issue persists. VPN access works locally within the same network, which is a bit pointless, and only PPTP works from outside the network. Using L2TP gets so far and then fails after sending out a SCCRP.


Thanks


Barry.

Oct 11, 2015 8:57 AM in response to barrrrrrrrrry

To run a public VPN server behind a NAT gateway, you need to do the following:

1. Give the gateway either a static external address or a dynamic DNS name. The latter must be a DNS record on a public DNS registrar, not on the server itself. Also in the latter case, you must run a background process to keep the DNS record up to date when your IP address changes.

2. Give the VPN server a static address on the local network, and a hostname that is not in the top-level domain "local" (which is reserved for Bonjour.)

3. Forward external UDP ports 500, 1701, and 4500 (for L2TP) and TCP port 1723 (for PPTP) to the corresponding ports on the VPN server. The Server app can set this up for you if you have an Apple router.

If your router is an Apple device, select the Network tab in AirPort Utility and click Network Options. In the sheet that opens, check the box marked

Allow incoming IPSec authentication

if it's not already checked, and save the change.

There may be a similar setting on a third-party router.

4. Configure any firewall in use to pass this traffic.

If you've taken all the above steps, the Server app should show that the VPN service is accessible from the Internet at your external IP address. Otherwise, something in the network is blocking some of the required traffic. Some residential ISPs block incoming UDP packets statefully. If yours is doing that, you won't be able to set up a VPN.

5. Each client must have an address on a netblock that doesn't overlap the one assigned by the VPN endpoint. For example, if the endpoint assigns addresses in the 10.0.0.0/24 range, and the client has an address on a local network in the 10.0.1.0/24 range, that's OK, but if the local network is 10.0.1.0/16, there will be a conflict. To lessen the chance of such conflicts, it's best to assign addresses in a random sub-block of 10.0.0.0/0 with a 24-bit netmask.

6. "Back to My Mac" is incompatible with the VPN service. It must be disabled both on the server and on an AirPort router, if applicable.

7. Bonjour will not work over an L2TP or PPTP VPN. To make services accessible through the tunnel, you need a working DNS service.

Where applicable, services such as Mail must be configured to listen on the netblock assigned to VPN clients.

8. If the server is directly connected to the Internet, rather than being behind NAT, see this blog post.
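Step 5 of the list above is the one most easily checked in code, because an overlap between the pool the VPN hands out and the network the client is sitting on silently breaks routing even though the tunnel itself comes up. The script below is an added example, not code from the post or from OS X Server: it tests a candidate pool against one or more client-side networks using the two cases from the list (10.0.1.0/24 is fine next to a 10.0.0.0/24 pool, 10.0.1.0/16 is not), and picks a random /24 that avoids a list of known client networks. It assumes the pool is drawn from 10.0.0.0/8 rather than the whole address space; the 192.168.43.0/24 network in the checks is the tethering network that the MacBook log later in this thread reports, alongside the 255.0.0.0 subnet mask that log shows on ppp0.

```python
import ipaddress
import secrets
from typing import Iterable, List

# Networks the client is likely to be on while connecting (constructed sample).
KNOWN_CLIENT_LANS = ["10.0.1.0/24", "192.168.0.0/16", "192.168.43.0/24"]


def pool_conflicts(vpn_pool: str, client_lan: str) -> bool:
    """True if the VPN client pool and the client's local netblock overlap.

    strict=False lets a human-written value like 10.0.1.0/16 through by masking
    the host bits, which is what a router configuration screen would do too.
    """
    pool = ipaddress.ip_network(vpn_pool, strict=False)
    lan = ipaddress.ip_network(client_lan, strict=False)
    return pool.overlaps(lan)


def conflicting_clients(vpn_pool: str, client_lans: Iterable[str]) -> List[str]:
    """The subset of client networks that would collide with the pool."""
    return [lan for lan in client_lans if pool_conflicts(vpn_pool, lan)]


def is_usable_pool(candidate: ipaddress.IPv4Network, parent: str = "10.0.0.0/8",
                   avoid: Iterable[str] = ()) -> bool:
    """A pool is usable if it lies inside the parent range and avoids every listed LAN."""
    parent_net = ipaddress.ip_network(parent)
    if not candidate.subnet_of(parent_net):
        return False
    return not any(candidate.overlaps(ipaddress.ip_network(a, strict=False)) for a in avoid)


def random_pool(parent: str = "10.0.0.0/8", prefixlen: int = 24,
                avoid: Iterable[str] = ()) -> ipaddress.IPv4Network:
    """Pick a random /prefixlen block inside parent that overlaps none of `avoid`."""
    parent_net = ipaddress.ip_network(parent)
    if prefixlen <= parent_net.prefixlen:
        raise ValueError("prefixlen must be longer than the parent prefix")
    avoid = list(avoid)
    block_size = 1 << (parent_net.max_prefixlen - prefixlen)
    choices = parent_net.num_addresses // block_size
    for _ in range(1000):
        # secrets.randbelow gives an unpredictable choice; random.randrange would do
        # for collision avoidance, but there is no reason to use a weaker source.
        base = int(parent_net.network_address) + secrets.randbelow(choices) * block_size
        candidate = ipaddress.ip_network(f"{ipaddress.ip_address(base)}/{prefixlen}")
        if is_usable_pool(candidate, parent, avoid):
            return candidate
    raise RuntimeError("could not find a non-overlapping block; avoid list too broad")


if __name__ == "__main__":
    for pool in ("10.0.0.0/24", "10.0.1.0/24", "10.0.0.0/8"):
        print(pool, "conflicts with", conflicting_clients(pool, KNOWN_CLIENT_LANS))
    print("suggested pool:", random_pool(avoid=KNOWN_CLIENT_LANS))
```

Run the check for every network a client connects from, not just the home LAN: a phone on a carrier network or a laptop on a hotel network has an address assigned by someone else, and a pool chosen from an unusual /24 inside 10.0.0.0/8 is far less likely to collide with those than 10.0.0.0/24 or 10.0.1.0/24, which are the defaults on many routers.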

Oct 11, 2015 9:30 AM in response to Linc Davis

Hi.


Thanks for the information. All points checked and are correct. I have just run another test with the following results:


Attempting to connect with an Android phone using L2TP fails here - but connects if using PPTP:


2015-10-11 17:12:39 BST --> Client with address = 10.0.1.204 has hungup
2015-10-11 17:19:54 BST Incoming call... Address given to client = 10.0.1.205
Sun Oct 11 17:19:54 2015 : Directory Services Authentication plugin initialized
Sun Oct 11 17:19:54 2015 : Directory Services Authorization plugin initialized
Sun Oct 11 17:19:54 2015 : publish_entry SCDSet() failed: Success!
Sun Oct 11 17:19:54 2015 : publish_entry SCDSet() failed: Success!
Sun Oct 11 17:19:54 2015 : publish_entry SCDSet() failed: Success!
Sun Oct 11 17:19:54 2015 : L2TP incoming call in progress from '<external-ip>'...
Sun Oct 11 17:19:54 2015 : L2TP received SCCRQ
Sun Oct 11 17:19:54 2015 : L2TP sent SCCRP
2015-10-11 17:20:14 BST --> Client with address = 10.0.1.205 has hungup



Using my MacBook with L2TP and tethering to my Android phone connecting over 4G - Works!!!


Marker - 11 Oct 2015, 17:12:02
Sun Oct 11 17:12:05 2015 : publish_entry SCDSet() failed: Success!
Sun Oct 11 17:12:05 2015 : publish_entry SCDSet() failed: Success!
Sun Oct 11 17:12:05 2015 : l2tp_get_router_address
Sun Oct 11 17:12:05 2015 : l2tp_get_router_address 192.168.43.1 from dict 1
Sun Oct 11 17:12:05 2015 : L2TP connecting to server '<server-name-and-ip>...
Sun Oct 11 17:12:05 2015 : IPSec connection started
Sun Oct 11 17:12:06 2015 : IPSec connection established
Sun Oct 11 17:12:08 2015 : L2TP connection established.
Sun Oct 11 17:12:08 2015 : L2TP set port-mapping for en1, interface: 5, protocol: 0, privatePort: 0
Sun Oct 11 17:12:08 2015 : Using interface ppp0
Sun Oct 11 17:12:08 2015 : Connect: ppp0 <--> socket[34:18]
Sun Oct 11 17:12:12 2015 : local IP address 10.0.1.204
Sun Oct 11 17:12:12 2015 : remote IP address 10.0.1.10
Sun Oct 11 17:12:12 2015 : primary DNS address 10.0.1.10
Sun Oct 11 17:12:12 2015 : secondary DNS address 192.168.0.1
Sun Oct 11 17:12:12 2015 : l2tp_wait_input: Address added. previous interface setting (name: en1, address: 192.168.43.67), current interface setting (name: ppp0, family: PPP, address: 10.0.1.204, subnet: 255.0.0.0, destination: 10.0.1.10).
Sun Oct 11 17:12:12 2015 : Committed PPP store on install command
Sun Oct 11 17:12:15 2015 : L2TP port-mapping update for en1 ignored: VPN is the Primary interface. Public Address: 0, Protocol: None, Private Port: 0, Public Port: 0
Sun Oct 11 17:12:15 2015 : L2TP clearing port-mapping for en1
Sun Oct 11 17:12:39 2015 : [TERMINATE]
Sun Oct 11 17:12:39 2015 : Terminating on signal 15.
Sun Oct 11 17:12:39 2015 : Connection terminated.
Sun Oct 11 17:12:39 2015 : Connect time 0.6 minutes.
Sun Oct 11 17:12:39 2015 : Sent 89932 bytes, received 249902 bytes.
Sun Oct 11 17:12:39 2015 : L2TP disconnecting...
Sun Oct 11 17:12:39 2015 : L2TP clearing port-mapping for en1
Sun Oct 11 17:12:39 2015 : L2TP disconnected


Connecting with my Android phone whilst on the same local network as the server connects fine, as is the case when connecting with my MacBook on the same network.


So it appears that I am unable to connect to the VPN from outside the network using my Android phone and L2TP - I can't work out why!
