Cannot connect to Server VPN

Question

Cannot connect to Server VPN

Hi,

I am running macOS Sierra, iOS 10, and MacOS Server 5.2 (on a Mac mini). (Everything current as of 21 September 2016)

Since PPTP is no longer supported, I am trying to set up L2TP. Unfortunately, when I try to connect to the server, I get the error, "The VPN server did not respond. Verify the server address and try reconnecting."

I do not believe this is a networking issue: Back to my Mac is not enabled, proper ports are forwarding (UDP 500, 1701, 4500), and Server says the service is reachable.

When I check the server's logs after an attempted connection, I find:

9/21/16 21:08:09.994 racoon[75993]: couldn't find configuration.

9/21/16 21:08:13.285 racoon[75993]: couldn't find configuration.

9/21/16 21:08:16.578 racoon[75993]: couldn't find configuration.

9/21/16 21:08:19.884 racoon[75993]: couldn't find configuration.

Any suggestions?

Does anyone know where the configuration file is supposed to be on the server so I can look at it?

Thanks for your help!

Posted on Sep 21, 2016 9:22 PM

Reply

Answer 1

Sep 23, 2016 9:40 AM in response to Rick Giarrusso

Hi Rick,

- Check that /etc/racoon folder exists and the folder contains psk.txt and racoon.conf.

- Installed with the OS.

cheers, dwbrecovery

Reply

Answer 2

Sep 23, 2016 6:30 AM in response to dwbrecovery

In my case they do exist. However, connecting a sierra desktop to an el capitan server (two different ones, in fact) no longer successfully works, with the somewhat useless error "The L2TP-VPN server did not respond. Try reconnecting. If the problem continues, verify your settings and contact your Administrator." In fact I can see the server getting the connection, but logging "not acceptable Identity Protection mode". No clue.

Reply

Answer 3

Sep 23, 2016 7:53 AM in response to Robb Allan

Hi Robb,

Are you using VPN of type "L2TP over IPSec ?

hth, cheers

Reply

Answer 4

Sep 23, 2016 7:55 AM in response to dwbrecovery

yes

Reply

Answer 5

Sep 23, 2016 8:23 AM in response to Robb Allan

Hi,

- increase logging on the client: System. Preferencess. ->Network -> VPN(L2TP) -> Advanced -> tick "Use verbose logging".

- Use Console app and Search on process racoon. Any clues?

- Has there been a config change ( plist modification) to the client into an aggressive mode?

cheers

Reply

Answer 6

Sep 23, 2016 8:28 AM in response to dwbrecovery

Did that. Wish it was more helpful:

default	11:27:58.520396 -0400	racoon	accepted connection on vpn control socket.
default	11:27:58.520450 -0400	racoon	accepted connection on vpn control socket.

default	11:27:58.521929 -0400	racoon	Connecting.
default	11:27:58.522371 -0400	racoon	IPSec Phase 1 started (Initiated by me).
default	11:27:58.522406 -0400	racoon	IPSec Phase 1 started (Initiated by me).

default	11:27:58.522946 -0400	racoon	IKE Packet: transmit success. (Initiator, Main-Mode message 1).
default	11:27:58.522998 -0400	racoon	>>>>> phase change status = Phase 1 started by us
default	11:27:58.523033 -0400	racoon	>>>>> phase change status = Phase 1 started by us
default	11:28:01.805060 -0400	racoon	IKE Packet: transmit success. (Phase 1 Retransmit).
default	11:28:04.961024 -0400	racoon	IKE Packet: transmit success. (Phase 1 Retransmit).
default	11:28:08.212889 -0400	racoon	IKE Packet: transmit success. (Phase 1 Retransmit).
default	11:28:08.525763 -0400	racoon	IPSec disconnecting from server x.x.x.x
default	11:28:08.525803 -0400	racoon	IPSec disconnecting from server x.x.x.x

Reply

Answer 7

Sep 23, 2016 8:34 AM in response to dwbrecovery

"Has there been a config change ( plist modification) to the client into an aggressive mode?"

The El Capitan server and Sierra desktop default to "aggressive, main" and changing both to "main, aggressive" does not fix the issue.

Reply

Answer 8

Sep 23, 2016 9:41 AM in response to Rick Giarrusso

Presumably it is /etc/racoon/racoon.conf

Reply

Answer 9

Sep 23, 2016 9:05 AM in response to Robb Allan

- Check on the Server app -> VPN Service ->Permissions-> Account Access and Network Access.

- The posted log suggest the client does not get any response from the Server side.

- Log was similar when i had the VPN service off. So, port UDP 500, 1701 or 4500 may be blocked.

Reply

Answer 10

Sep 23, 2016 9:49 AM in response to dwbrecovery

Thanks, dwbrecovery!

They are there. I restarted the server app and shut down and restarted the VPN service a couple of times, and it started working properly.

Not sure what happened, but all seems to be working fine now.

Reply

Answer 11

Sep 23, 2016 10:00 AM in response to Rick Giarrusso

You are welcome!

Reply

Answer 12

Sep 23, 2016 8:30 PM in response to dwbrecovery

None of those are the issue. tcpdump shows connections on all those ports. However, there is one clue (the last two lines):

23:24:08.220831 IP x.x.x.x.5900 > 192.168.1.115.52635: Flags [P.], seq 2191013886:2191013920, ack 1176925939, win 4096, options [nop,nop,TS val 663935627 ecr 698770130], length 34

23:24:08.220883 IP 192.168.1.115.52635 > x.x.x.x.5900: Flags [.], ack 34, win 12119, options [nop,nop,TS val 698775113 ecr 663935627], length 0

23:24:09.920296 IP 192.168.1.115.500 > x.x.x.x.500: isakmp: phase 1 I ident

23:24:09.956941 IP x.x.x.x.500 > 192.168.1.115.500: isakmp: phase 1 R ident

23:24:09.971975 IP 192.168.1.115.500 > x.x.x.x.500: isakmp: phase 1 I ident

23:24:10.043495 IP x.x.x.x.500 > 192.168.1.115.500: isakmp: phase 1 R ident

23:24:10.061466 IP 192.168.1.115.4500 > x.x.x.x.4500: NONESP-encap: isakmp: phase 1 I ident[E]

23:24:13.062475 IP x.x.x.x > 192.168.1.115: ICMP host x.x.x.x unreachable, length 132

23:24:13.183493 IP 192.168.1.115.4500 > x.x.x.x.4500: NONESP-encap: isakmp: phase 1 I ident[E]

23:24:13.245710 IP x.x.x.x.5900 > 192.168.1.115.52635: Flags [P.], seq 34:68, ack 1, win 4096, options [nop,nop,TS val 663940655 ecr 698775113], length 34

23:24:13.245758 IP 192.168.1.115.52635 > x.x.x.x.5900: Flags [.], ack 68, win 12119, options [nop,nop,TS val 698780068 ecr 663940655], length 0

23:24:13.246824 IP x.x.x.x.500 > 192.168.1.115.500: isakmp: phase 1 R ident

23:24:13.247058 IP 192.168.1.115.4500 > x.x.x.x.4500: NONESP-encap: isakmp: phase 1 I ident[E]

23:24:16.184529 IP x.x.x.x > 192.168.1.115: ICMP host x.x.x.x unreachable, length 132

23:24:16.184561 IP x.x.x.x > 192.168.1.115: ICMP host x.x.x.x unreachable, length 132

Reply