Server VPN not forwarding traffic after upgrade to Sierra

Question

Level 1

8 points

Server VPN not forwarding traffic after upgrade to Sierra

I recently updated to Sierra and now my VPN is no longer forwarding client traffic to the Internet. I am using L2TP and the clients connect with no issue, but are unable to access any websites. I had to add the customNATRules to the /etc/pf.anchors/com.apple file and everyhting else seems to be correct.

nat-anchor "100.customNATRules/*"

rdr-anchor "100.customNATRules/*"

load anchor "100.customNATRules" from "/etc/pf.anchors/customNATRules"

And the customNATRules:

nat on en0 from 10.0.0.0/24 to any -> (en0)

pass from {lo0, 10.0.0.0/24} to any keep state

What do I look at next?

Posted on Sep 24, 2016 10:17 PM

Reply

Answer 1

Sep 24, 2016 11:37 PM in response to dmfromca

Hi dmfromca,

On the client, use verbose logging: SysPrefs-> Network->VPN(L2TP) -> Advanced

Check for clues with Console, search term process ->racoon and process -> pppd.

hth, cheers, dwbrecovery

Reply

Answer 2

dmfromca Author

Level 1

8 points

Sep 26, 2016 9:35 PM in response to dwbrecovery

I don't find any logs for process -> pppd. Searching racoon I find successful connections. In the server logs, I don't see anything that stands out...

Mon Sep 26 21:28:41 2016 : sent [IPCP ConfReq id=0x1 <addr 199.19.xxx.xxx>]

Mon Sep 26 21:28:41 2016 : sent [ACSCP ConfReq id=0x1]

Mon Sep 26 21:28:41 2016 : rcvd [IPCP ConfReq id=0x1 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns3 0.0.0.0>]

Mon Sep 26 21:28:41 2016 : ipcp: returning Configure-NAK

Mon Sep 26 21:28:41 2016 : sent [IPCP ConfNak id=0x1 <addr 10.0.0.151> <ms-dns1 10.0.0.1> <ms-dns3 10.0.0.1>]

Mon Sep 26 21:28:41 2016 : rcvd [LCP ProtRej id=0x2 82 35 01 01 00 04]

Mon Sep 26 21:28:41 2016 : rcvd [IPV6CP ConfReq id=0x1 <addr fe80::6aa8:6dff:fe00:06b6>]

Mon Sep 26 21:28:41 2016 : Unsupported protocol 0x8057 received

Mon Sep 26 21:28:41 2016 : sent [LCP ProtRej id=0x2 80 57 01 01 00 0e 01 0a 6a a8 6d ff fe 00 06 b6]

Mon Sep 26 21:28:41 2016 : rcvd [IPCP ConfAck id=0x1 <addr 199.19.xxx.xxx>]

Mon Sep 26 21:28:41 2016 : rcvd [IPCP ConfReq id=0x2 <addr 10.0.0.151> <ms-dns1 10.0.0.1> <ms-dns3 10.0.0.1>]

Mon Sep 26 21:28:41 2016 : ipcp: returning Configure-ACK

Mon Sep 26 21:28:41 2016 : sent [IPCP ConfAck id=0x2 <addr 10.0.0.151> <ms-dns1 10.0.0.1> <ms-dns3 10.0.0.1>]

Mon Sep 26 21:28:41 2016 : ipcp: up

Mon Sep 26 21:28:41 2016 : found interface vlan0 for proxy arp

Mon Sep 26 21:28:41 2016 : local IP address 199.19.xxx.xxx

Mon Sep 26 21:28:41 2016 : remote IP address 10.0.0.151

Mon Sep 26 21:28:41 2016 : Received protocol dictionaries

Mon Sep 26 21:28:41 2016 : Received acsp/dhcp dictionaries

Mon Sep 26 21:28:41 2016 : Committed PPP store

Mon Sep 26 21:28:41 2016 : Received acsp/dhcp dictionaries

Mon Sep 26 21:28:41 2016 : Committed PPP store

Mon Sep 26 21:28:41 2016 : l2tp_wait_input: Address added. previous interface setting (name: en0, address: 199.19.xxx.xxx), current interface setting (name: ppp0, family: PPP, address: 199.19.xxx.xxx, subnet: 255.255.255.0, destination: 10.0.0.151).

Mon Sep 26 21:29:33 2016 : rcvd [LCP TermReq id=0x3 "User request"]

Mon Sep 26 21:29:33 2016 : LCP terminated by peer (User request)

Mon Sep 26 21:29:33 2016 : ipcp: down

Mon Sep 26 21:29:33 2016 : sent [LCP TermAck id=0x3]

Mon Sep 26 21:29:33 2016 : l2tp_wait_input: Address deleted. previous interface setting (name: en0, address: 199.19.xxx.xxx), deleted interface setting (name: ppp0, family: PPP, address: 199.19.xxx.xxx, subnet: 255.255.255.0, destination: 10.0.0.151).

Mon Sep 26 21:29:33 2016 : L2TP received CDN

Mon Sep 26 21:29:33 2016 : Connection terminated.

Mon Sep 26 21:29:33 2016 : Connect time 0.9 minutes.

Mon Sep 26 21:29:33 2016 : Sent 10433 bytes, received 57601 bytes.

Mon Sep 26 21:29:33 2016 : L2TP disconnecting...

Mon Sep 26 21:29:33 2016 : L2TP disconnected

2016-09-26 21:29:33 PDT --> Client with address = 10.0.0.151 has hungup

Reply

Answer 3

Sep 26, 2016 10:09 PM in response to dmfromca

Agree, only thoughts;

- The dns server assigned to the client, check that it has forwarding servers setup and the server itself can access websites.

- Does the issue still exist without the custom NAT rules.

hth

Reply

Answer 4

dmfromca Author

Level 1

8 points

Sep 27, 2016 3:57 PM in response to dwbrecovery

The server can access websites. I will comment out the custom NAT rules this evening and see if the problem still exists. I will post results later. Thanks for the assistance.

Reply

Answer 5

dmfromca Author

Level 1

8 points

Sep 28, 2016 9:03 PM in response to dmfromca

No luck. I have removed the custom rules and still cannot get client traffic to pass through. I am starting from scratch to see if the problem still exists.

Reply

Answer 6

miho20

Level 1

4 points

Sep 30, 2016 9:16 AM in response to dmfromca

I have the same problem 😟 Any update on the issue?

Reply

Answer 7

dmfromca Author

Level 1

8 points

Sep 30, 2016 1:33 PM in response to miho20

It did not help. I have removed/recreated each file, even following the instructions I used to originally set it up (https://macminicolo.net/blog/files/Setup-a-VPN-server-with-El-Capitan-server%20. html) and it is still not working. I guess the I'm going to try a VM that does not have the VPN server configured and see if it works from scratch.

Reply

Answer 8

miho20

Level 1

4 points

Sep 30, 2016 2:10 PM in response to dmfromca

Okay, this is very strange. I followed the same instructions directly after doing a clean Sierra installation and installing the server app. VPN works. But forwarding traffic does not work.

Reply

Answer 9

Oct 7, 2016 1:00 AM in response to dmfromca

- Also, perform at test of the VPN service but setup without using the VLAN, ( a standard Server.app setup ) so it will assign on the same subset as the server itself.

The setup will confirm that VPN service is running , then pursue your ultimate setup using the VLAN.

cheers, dwbrecovery

Reply