How to import Lion Server VPN Configuration Profile into Profile Manager

Greetings All,
I'm working on configuring a Lion Server VPN (10.7.2) and I hit the following road block. I successfully started the VPN server and Profile Manager. In fact, if I download the built-in "everyone" profile that has the pre-configured VPN to a device such as an iPad, things work just fine. However, I'd like to create other profiles with the same VPN configuration info so I can delegate more specifically to different groups and users. I was hoping I could simply import the VPN configuration profile that I saved in the Server dashboard when I set up the VPN service into Profile Manager somehow. The reason I'm going this route is because every time I try to just re-make the VPN profile it doesn't want to work. I'm not sure why, but I figure why re-invent the wheel if I don't have to. Any suggestions?

After a lot of investigating I haven't found a way to do this; I'm assuming it cannot be done.

Similar Messages

  • Mountain Lion server VPN configuration problem

    I'm having a problem connecting to my Mountain Lion server VPN even on my home local network. The configuration is so simple but I can't figure out what I need to do to get it to connect. Trying from my iPhone and also iPad going directly to the IP address of the server and have the user account name, password and secret filled out as I have it set on the server, but the connection fails. I was at first thinking it might be a DNS issue, but then dismissed that since it's happening on the local network. It seems to be an authentication issue; however, I'm using the same settings as on the server. I have other services working such as file server, DNS and SUS, so the product itself is fine, just the VPN service.
    Any ideas?
    - Chris

    I had the same "No CHAP secret found for authenticating username" issue. I've been at this VPN thing for many many hours over many days. Desperately want OS X Server to work.
    Finally I just bought iVPN to see if that would work somehow--- AND IT TOTALLY DID.
    So, forget Mac OS X Server VPN. Just forget it. There are definitely many problems out there facing VPN access. But if you're at the point I was, where it's connecting just not authenticating, then forget Mac OS X Server.
    http://macserve.org.uk/projects/ivpn/

  • Lion Server VPN error

    I am trying to use the Lion Server VPN function and have all the firewall ports open (500, 1701, 1723, 4500) and cannot get anything to connect either inside or outside of the network. I keep getting "The L2TP-VPN server did not respond. Try reconnecting. If the problem continues, verify your settings and contact your admin". I checked the log on the server and here is what I find under system log:
    Oct 27 21:03:56 www racoon[3529]: Connecting.
    Oct 27 21:03:56 www racoon[3529]: IPSec Phase1 started (Initiated by peer).
    Oct 27 21:03:56 www racoon[3529]: IKE Packet: receive success. (Responder, Main-Mode message 1).
    Oct 27 21:03:56 www racoon[3529]: IKE Packet: transmit success. (Responder, Main-Mode message 2).
    Oct 27 21:03:56 www racoon[3529]: IKE Packet: receive success. (Responder, Main-Mode message 3).
    Oct 27 21:03:56 www racoon[3529]: IKE Packet: transmit success. (Responder, Main-Mode message 4).
    Oct 27 21:03:59 www racoon[3529]: IKE Packet: transmit success. (Phase1 Retransmit).
    Oct 27 21:04:29: --- last message repeated 3 times ---
    Oct 27 21:04:32 www racoon[3529]: IKE Packet: transmit success. (Phase1 Retransmit).
    Then I get the error on the other machine (i.e. iPhone 4S, IMac)
    I have done searches on Google for everything I can think of and cannot find an answer, or at least not one that helps me.
    Any help would be greatly appreciated
    Sodak

    If you are using iCloud "Back to my mac", then disable it.
    These services are incompatible.

  • Adding redirect path and pattern in Lion Server for configuring Software Update Server

    Adding redirect path and pattern in Lion Server for configuring Software Update Server. Any changes?

    Ok, after days of browsing on the forum I found the following hint on another discussion related to AFP access:
    "This may be a service ACL issue.
    It turns out one of the latest Apple updates turned on Service ACLs which caused AFP connections to be blocked. Once I fixed the Service ACL in Server Admin... all connections and Single Sign On worked."
    Well, after allowing access to all services to all users with Server Admin, we were finally able to log in to the server with our admin account...
    So, there must have been an update that turned on ACL's which caused even our local access, probably for OD/Kerberos, on the server to be restricted.

  • Mountain Lion Server VPN won't start

    I just upgraded a MacMini running 10.6.8 client to Mountain Lion (10.8.1) and then downloaded Server.app.
    All I need it to do is run basic file sharing and VPN, however, the VPN service never starts up.
    Every time I flip the switch in Server.app to start VPN, it immediately turns back to the "off" position and the following lines print in the system.log
    Aug 29 20:00:56 server.catsareawesome.com com.apple.SecurityServer[20]: Succeeded authorizing right 'system.privilege.admin' by client '/Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/ServerManagerDaemon.bundle' [91] for authorization created by '/Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/ServerManagerDaemon.bundle' [91] (2,0)
    Aug 29 20:00:56 server.catsareawesome.com com.apple.SecurityServer[20]: Succeeded authorizing right 'system.privilege.admin' by client '/Library/PrivilegedHelperTools/com.apple.serverd' [63] for authorization created by '/Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/ServerManagerDaemon.bundle' [91] (100000,0)
    Aug 29 20:00:56 server.catsareawesome.com com.apple.SecurityServer[20]: Succeeded authorizing right 'com.apple.ServiceManagement.daemons.modify' by client '/usr/libexec/launchdadd' [388] for authorization created by '/Library/PrivilegedHelperTools/com.apple.serverd' [63] (100002,0)
    Aug 29 20:00:56 server.catsareawesome.com com.apple.serverd[63]: ERROR: SMJobSubmit: The operation couldn’t be completed. (kSMErrorDomainLaunchd error 9 - The job dictionary specifies that it is disabled.)
    Also of note, if I try to do anything using serveradmin in terminal, I get the following error:
    server:lib temp$ serveradmin
    dyld: Library not loaded: /usr/lib/libservermgrcommon.dylib
      Referenced from: /usr/sbin/serveradmin
      Reason: image not found
    Trace/BPT trap: 5
    That libservermgrcommon.dylib file is definitely not in /usr/lib
    I would really appreciate any help.
    Thanks

    Hi Jason
    I was getting the same behavior after Apple support had me delete some plist files to get Airplay going. I was also getting the following error:
    the error occurred while processing a command of type 'writesettings' in the plug-in 'server vpn'
    I went into ~/Library/Preferences/ and /Library/Preferences/ and deleted every plist containing the word server. I had to re-set up my server (meaning walk through some initial steps) but all of my settings were still there after that and everything started working again.
    Just a thought, obviously try at your own risk but it worked for me.
    Kellen

  • How to import pictures from an external memory into iPhoto?

    How to import pictures from an external memory into iPhoto? Is there a way to open all the pictures on my computer in iPhoto?

    to import photos either use the iPhoto file menu ==> import command or drag the photos to the iPhoto icon in the dock
    LN

  • How to import photos from an album on an iPhone into a computer?

    How to import photos from an album on an iPhone into a computer?

    You can't. You can import from the Camera Roll only.
    Photos transferred from your computer to your iPhone via the iTunes sync/transfer process should remain on your computer. Photos transferred from your computer are optimized for viewing on your iPhone via the iTunes sync/transfer process - the original resolution of these photos is reduced, which is why transferring these photos in the opposite direction is not supported. These photos should remain on your computer and be included with your computer's backup.
    There are some 3rd party paid utilities that provide for transferring these photos in the opposite direction but such utilities are not supported by Apple and the original resolution of these photos will be lost.
    Here is one such utility.
    http://www.ecamm.com/mac/phoneview/

  • How to use Lion Server Profile Manager to require password after screensaver

    Our company is upgrading to Lion Server. One of our requirements for network security is to require a password to wake the computer from sleep or screensaver. In SL Server you would add a key to the com.apple.screensaver entry in Workgroup Manager.
    In Profile Manager in Lion server there is a custom setting section and I have tried adding a key there but it does not seem to work. Can anyone offer some help on how to put the require password to wake from sleep or screensaver in Profile Manager so the setting gets pushed out?

    Hi CodyCodes,
    Just discovered the same issue today as well.  Further complicating things, the screensaver timeout setting in Login Window doesn't apply to Profile Manager clients no matter what the setting.  This was reproduced and confirmed by the Apple Tech I was working with.  He's submitted the bug to their engineering staff.  I requested that he ask them why there is no setting for password on sleep or screensaver.  Hopefully this is resolved soon, as this feature is 99% of the reason we're implementing Profile Manager to begin with.
    Cheers

  • Lion Server VPN with 2 networks

    I hope someone has come across a similar problem to what I have had.
    I am having great difficulty trying to configure our OS X Lion Server (7.4) VPN service. The configuration I am trying to reach is one where we have an external IP for the server itself. A VPN configuration where we can use the external IP to get onto the VPN. When successfully on the VPN we would like to route through the internal network for all VPN traffic. We are having difficulty with the source routing, so all traffic when successfully authenticated onto the VPN goes via VLAN0.
    I have used the guide:
    http://macminicolo.net/lionservervpn
    When on the VPN all internal network services should be available. But it seems to take the gateway of the public interface for all routing. I have tried adding routing entries with no luck
    Open to suggestion on how we can get this to successfully work. Thanks in advance.

    I am having a similar if not the same problem. What happens when you log in with the VPN is that instead of giving a proper route to the VPN network, a second default route is added:
    Internet:
    Destination        Gateway            Flags        Refs      Use   Netif Expire
    default            172.16.200.1       UGSc          166        0     en0
    default            172.16.150.109     UGScI           0        0    ppp0
    69.27.134.89       172.16.200.1       UGHS            0        0     en0
    127                127.0.0.1          UCS             0        0     lo0
    127.0.0.1          127.0.0.1          UH              3       22     lo0
    169.254            link#4             UCS             0        0     en0
    172.16.150/23      ppp0               USc             1        0    ppp0
    172.16.150.109     172.16.150.5       UH              1        0    ppp0
    172.16.200/23      link#4             UCS             5        0     en0
    172.16.200.1       a0:21:b7:60:b:4e   UHLWIi        167      109     en0    845
    172.16.200.11      b8:ac:6f:ff:b6:66  UHLWIi          0      202     en0   1200
    172.16.200.20      127.0.0.1          UHS             0        0     lo0
    172.16.200.54      d8:30:62:6a:4f:4b  UHLWIi          0        0     en0    881
    172.16.201.255     ff:ff:ff:ff:ff:ff  UHLWbI          0       32     en0
    I can add a manual route using:
    route add 172.16.0.0/23 172.16.150.9 and everything works fine. But if you disconnect the VPN and reconnect you also have to re-enter the route.
    BTW.... works fine from my Win7 PC.

  • Lion Server VPN dual network cards

    I have an Xserve running Lion 10.7.3. When I connect to the VPN I can only connect to the server and nothing else on the network. How can I set it up to see the whole network?

    Simple. Configure your VPN correctly.
    Of course, you might have done that, but since you're so light on details there's no way for us to know.
    From your description, though, it sounds like you haven't configured the server to hand out the right range of VPN networks. When a client connects, the VPN server sends it a list of networks/subnets to send over the VPN tunnel - e.g. "hi, client, send me all traffic for 10.1.2.0/24".
    If you haven't set this then the client doesn't know what traffic to send over the VPN vs. sending to the public internet. That's what I assume is going on here, but I could be wrong.
    If you have got the routing correct the next issue would be DNS - have you set the right (internal) DNS server in the VPN server settings, so that the server knows to tell the clients what DNS server to use? If you haven't then the client will continue to use its normal DNS server which likely doesn't know anything about your internal network hostnames. Pinging a resource by IP address rather than hostname would be a simple check for this.
    So check your VPN configuration and report back if that's not a solution. Either way it likely comes down to a configuration error on the server.

  • How to uninstall Lion Server?

    I accidentally downloaded Lion Server on my laptop.  I need to uninstall this.  Anyone know how to uninstall?

    Well, actually it's been posted some days ago. But it's not quite enough to get rid of it.
    Yesterday I gave it a try and, once everything in the note is done, you still have to open Terminal and :
    stop the Apache server (sudo apachectl stop to stop it until next reboot or sudo launchctl unload -w /System/Library/LaunchDaemons/org.apache.httpd.plist to stop it definitely)
    more important: stop the PostgreSQL database server and the collection of information you don't need anymore:
    sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.ServerPerfLog.plist
    sudo launchctl unload -w /System/Library/LaunchDaemons/org.postgresql.postgres.plist
    To revert these commands, simply run them with 'unload -w' changed to 'load -w'.
    (I couldn't manage to find a graphical tool to do it, hence the Terminal commands)
    If you upgraded from Snow Leopard and would like to get back the original Web Server configuration (with the ~username local web sites) you have to put back the Apache configuration file stored during the Server installation. In /private/etc/apache2, you should find a httpd.conf.bak file, to rename in httpd.conf (beforehand, you should keep a copy of the current file, if ever you change your mind). Then restart Apache (sudo apachectl graceful).

  • Lion Server 802.1x WLAN System Profile

    Hello skilled guys in the community :-)
    Today I would need some kind of how-to about configuring Lion clients into a Lion Server 802.1x WLAN network. As I am currently setting everything up from scratch in my home/lab environment, here are the bits and pieces I have already successfully up and running:
    DHCP
    DNS
    Open Directory Master
    Profile Manager
    The next I've done is to activate the Radius service in the server which first of all asks me for the certificate. There was only one and this was the one created from the Open Directory wizard. As the root certificate of this certificate should be already installed in managed clients (done by joining to the Profile Manager) workstations should already trust this certificate and there should be no issue.
    Question here: Can this certificate be used and am I on the right way, or should I create my own certificate for this? If yes, how?
    After many hours of playing around with the radius server and my access point (3COM 9552) I finally got it working and I could connect to my 802.1x network by just providing OD username and password.
    Question here: When adding a new RADIUS client there are four fields in the dialog box: Name (should be clear), IP (more than clear), the shared secret (also not a problem) and the type. As this type is not a drop-down field but just a text box, I was wondering quite a while what the server expects me to put in there. I decided to write 'other' there as this was the only option I could find from googling. Is this correct?
    As next step I would like to configure a WLAN System profile using Profile Manager. So a WLAN connection which is up even though nobody is logged into the machine.
    Question here: Can anybody help me with this? I had a look into this config dialog in Profile Manager but could not get any clue of System Profile and also don't know what else I need to configure there. I also see that I need to configure a name and password but don't understand why I need this. For my understanding the client machines (especially with System Profile) should use the machine name and password (COMPUTERNAME$) there, as I created a trusted bind to OD. Or is it rather so that I need to create a dedicated account for the WLAN connection with a suitably long, non-expiring password? What kind of things do I have to configure in there as well? Trusts, Authentication?
    Thank you already for your help. I'm happy to get the Radius authentication now working. Now would be happy getting rid of the rest of the question marks.
    Cheers
    Robert

    Any ideas here??
    In Profile Manager I also saw the option to authenticate with computer credentials. I believe for this it's needed to have a trusted bind to OD like I have. But when I configure it (TTLS with computer name and password) the WLAN never gets connected.
    Any idea on this? Also, where can I see that the profile is made as a system profile? The only tick box I've found is for the login window authentication, which is far too late for me to establish any WLAN connection.
    Thanks.

  • Lion Server VPN, Can Connect Locally, Not Remotely

    I have both Lion and Lion Server installed on my Core 2 Duo iMac, mainly because I want the VPN feature of Server.
    I configured everything correctly for the VPN, and can connect to it with no problems from my iPhone and iPad when I am within my own LAN (the server and the iPhone/iPad are on the same IP range and subnet).
    I also used the automatic config within the Server app to configure my AirPort Extreme N Base Station.   Looking at the Port Mapping section of my ABS from within AirPort Utility, I do in fact see that VPN Service (L2TP) is configured with the following UDP ports: 500, 1701 and 4500.  Those ports ARE pointing to the iMac that is running the VPN server.  Firewall on that iMac is turned OFF.
    However, I am unable to connect my iPhone to the VPN Server using my Public IP address. I have tried it from within my network (out of network to the internet and back), from my Verizon MiFi or from my iPhone's 3G connection (well, in my area it is still Edge). The iPhone simply sits on "Connecting" for a few seconds, then an alert comes up stating "The L2TP-VPN server did not respond. Try reconnecting. If the problem..." yadada.
    I AM, however, able to get Web Sharing to work via my Public IP address, as well as VNC.
    I also cannot connect to the VPN via the Public IP with other devices like my iBook, PowerBook G4, Windows 7 PC, or iMac G5.  They ALL CAN connect via the local network 10.1.x.x IP address.
    Am I missing something here?  I did all of the automatic configurations, and all of the ports appear to be properly open.

    Not in my case, Per, no.
    I just did a tcpdump between various systems.
    For those that do NOT work (client iPhone, client 10.7 and server 10.7) the tcpdumps look like so:
    19:12:33.883057 IP Home.60845 > LionServer.500: isakmp: phase 1 I ident
    19:12:33.884410 IP LionServer.500 > Home.60845: isakmp: phase 1 R ident
    19:12:33.910379 IP Home.60845 > LionServer.500: isakmp: phase 1 I ident
    19:12:33.918362 IP LionServer.500 > Home.60845: isakmp: phase 1 R ident
    19:12:33.958995 IP Home.60846 > LionServer.4500: NONESP-encap: isakmp: phase 1 I ident[E]
    19:12:33.959349 IP LionServer.4500 > Home.60846: NONESP-encap: isakmp: phase 1 R ident[E]
    19:12:33.959461 IP LionServer.4500 > Home.60846: NONESP-encap: isakmp: phase 2/others R inf[E]
    19:12:34.997414 IP Home.60846 > LionServer.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
    19:12:34.998323 IP LionServer.4500 > Home.60846: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
    19:12:35.016983 IP Home.60846 > LionServer.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
    19:12:35.019173 IP Home.60846 > LionServer.4500: UDP-encap: ESP(spi=0x041b007d,seq=0x1), length 132
    19:12:35.052641 IP LionServer.500 > Home.500: isakmp: phase 1 I ident
    19:12:35.595022 IP Home.60846 > LionServer.4500: UDP-encap: ESP(spi=0x041b007d,seq=0x2), length 132
    19:12:37.597957 IP Home.60846 > LionServer.4500: UDP-encap: ESP(spi=0x041b007d,seq=0x3), length 132
    19:12:38.212127 IP LionServer.500 > Home.500: isakmp: phase 1 I ident
    19:12:41.214447 IP LionServer.500 > Home.500: isakmp: phase 1 I ident
    19:12:41.603061 IP Home.60846 > LionServer.4500: UDP-encap: ESP(spi=0x041b007d,seq=0x4), length 132
    19:12:44.216935 IP LionServer.500 > Home.500: isakmp: phase 1 I ident
    19:12:45.609900 IP Home.60846 > LionServer.4500: UDP-encap: ESP(spi=0x041b007d,seq=0x5), length 132
    19:12:49.616860 IP Home.60846 > LionServer.4500: UDP-encap: ESP(spi=0x041b007d,seq=0x6), length 132
    19:12:53.623054 IP Home.60846 > LionServer.4500: UDP-encap: ESP(spi=0x041b007d,seq=0x7), length 132
    19:12:54.965357 IP Home.60846 > LionServer.4500: isakmp-nat-keep-alive
    19:12:55.032098 IP Home.60846 > LionServer.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
    19:12:55.036420 IP Home.60846 > LionServer.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
    19:12:56.228356 IP LionServer.500 > Home.500: isakmp: phase 1 I ident
    Note: I've done this over wired and wireless as well as 3G -- the transport on the client end is NOT the issue.
    A connection that works, from iPhone ONLY (on 3G or Wireless) is:
    11:24:59.960105 IP Home.61168 > LeopardServer.500: isakmp: phase 1 I ident
    11:24:59.964119 IP LeopardServer.500 > Home.61168: isakmp: phase 1 R ident
    11:25:00.673976 IP Home.61168 > LeopardServer.500: isakmp: phase 1 I ident
    11:25:00.712858 IP LeopardServer.500 > Home.61168: isakmp: phase 1 R ident
    11:25:01.466127 IP Home.61169 > LeopardServer.4500: NONESP-encap: isakmp: phase 1 I ident[E]
    11:25:01.468180 IP LeopardServer.4500 > Home.61169: NONESP-encap: isakmp: phase 1 R ident[E]
    11:25:01.468546 IP LeopardServer.4500 > Home.61169: NONESP-encap: isakmp: phase 2/others R inf[E]
    11:25:02.954797 IP Home.61169 > LeopardServer.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
    11:25:02.978314 IP LeopardServer.4500 > Home.61169: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
    11:25:03.480886 IP Home.61169 > LeopardServer.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
    11:25:03.486763 IP Home.61169 > LeopardServer.4500: UDP-encap: ESP(spi=0x0a46a01f,seq=0x1), length 116
    11:25:04.032382 IP Home.61169 > LeopardServer.4500: UDP-encap: ESP(spi=0x0a46a01f,seq=0x2), length 116
    11:25:06.029801 IP Home.61169 > LeopardServer.4500: UDP-encap: ESP(spi=0x0a46a01f,seq=0x3), length 116
    11:25:06.517111 IP LeopardServer.4500 > Home.61169: UDP-encap: ESP(spi=0x088d7e27,seq=0x1), length 116
    11:25:06.742918 IP LeopardServer.4500 > Home.61169: UDP-encap: ESP(spi=0x088d7e27,seq=0x2), length 116
    And from there it's all normal.
    What never works:
    10.7 client to 10.7 server
    iPhone to 10.7 server
    The breakage seems to happen on 10.7 server here:
    19:12:35.019173 IP Home.60846 > LionServer.4500: UDP-encap: ESP(spi=0x041b007d,seq=0x1), length 132
    19:12:35.052641 IP LionServer.500 > Home.500: isakmp: phase 1 I ident
    After that first ESP packet, the Lion Server responds with another phase 1 ident.
    The Leopard server does not.
    It may still be something in my setup, but, there's nothing to configure on 10.7 server other than "on" and "off" and some IP addresses, which I'm nearly certain isn't the issue...but who knows.   Either the Lion Server ignores whatever is in that ESP packet, and starts over, or, iOS and OS X are sending it something it doesn't like and is forcing it to reset and start over.
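The pattern the reply above isolates (the server re-initiating IKE Phase 1 right after the client's first ESP packet) can be checked mechanically. The script below is an added example, not code from the poster; it parses tcpdump lines of the shape quoted above, counts ESP in each direction and flags every server-initiated "phase 1 I ident" that appears after the client has started sending ESP. The two embedded captures are constructed, trimmed copies of the failing (LionServer) and working (LeopardServer) traces; the hostnames are the poster's, and all function names are this example's own.

```python
import re

# Constructed sample captures, modelled on the tcpdump lines quoted in the reply above
# (hostnames Home / LionServer / LeopardServer are the poster's; traces are trimmed)
FAILING_CAPTURE = """\
19:12:33.883057 IP Home.60845 > LionServer.500: isakmp: phase 1 I ident
19:12:33.884410 IP LionServer.500 > Home.60845: isakmp: phase 1 R ident
19:12:34.997414 IP Home.60846 > LionServer.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
19:12:34.998323 IP LionServer.4500 > Home.60846: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
19:12:35.019173 IP Home.60846 > LionServer.4500: UDP-encap: ESP(spi=0x041b007d,seq=0x1), length 132
19:12:35.052641 IP LionServer.500 > Home.500: isakmp: phase 1 I ident
19:12:35.595022 IP Home.60846 > LionServer.4500: UDP-encap: ESP(spi=0x041b007d,seq=0x2), length 132
19:12:38.212127 IP LionServer.500 > Home.500: isakmp: phase 1 I ident
"""

WORKING_CAPTURE = """\
11:24:59.960105 IP Home.61168 > LeopardServer.500: isakmp: phase 1 I ident
11:24:59.964119 IP LeopardServer.500 > Home.61168: isakmp: phase 1 R ident
11:25:02.954797 IP Home.61169 > LeopardServer.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
11:25:02.978314 IP LeopardServer.4500 > Home.61169: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
11:25:03.486763 IP Home.61169 > LeopardServer.4500: UDP-encap: ESP(spi=0x0a46a01f,seq=0x1), length 116
11:25:06.517111 IP LeopardServer.4500 > Home.61169: UDP-encap: ESP(spi=0x088d7e27,seq=0x1), length 116
"""

# "<time> IP <host>.<port> > <host>.<port>: <payload>"
LINE_RE = re.compile(r"^(\S+) IP (\S+) > (\S+): (.*)$")


def split_endpoint(endpoint):
    """'LionServer.4500' -> ('LionServer', 4500); tcpdump puts the port after the last dot."""
    host, port = endpoint.rsplit(".", 1)
    return host, int(port)


def parse_capture(text):
    """Yield one dict per tcpdump line; lines that do not match the shape are ignored."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, dst, payload = m.groups()
        src_host, src_port = split_endpoint(src)
        dst_host, dst_port = split_endpoint(dst)
        yield {"ts": ts, "src": src_host, "sport": src_port,
               "dst": dst_host, "dport": dst_port, "payload": payload}


def analyse_l2tp_ipsec(text, client, server):
    """Classify a client<->server capture by what happens once ESP starts flowing.

    Returns packet counts, the timestamps at which the server opened a fresh Phase 1
    exchange after the client had already sent ESP, and a one-line verdict.
    """
    esp_from_client = 0
    esp_from_server = 0
    phase1_restarts = []
    for pkt in parse_capture(text):
        is_esp = "ESP(spi=" in pkt["payload"]
        if is_esp and pkt["src"] == client:
            esp_from_client += 1
        elif is_esp and pkt["src"] == server:
            esp_from_server += 1
        elif (pkt["src"] == server and pkt["dst"] == client
              and "phase 1 I ident" in pkt["payload"] and esp_from_client):
            # The server acting as *initiator* of Phase 1 after the client has sent
            # ESP means it discarded the SA it had just negotiated and started over.
            phase1_restarts.append(pkt["ts"])

    if esp_from_server:
        verdict = "tunnel up: server returned ESP"
    elif phase1_restarts:
        verdict = "server restarted IKE Phase 1 after receiving client ESP"
    elif esp_from_client:
        verdict = "client ESP sent, no reply from server"
    else:
        verdict = "no ESP seen; Phase 1 or Phase 2 never completed"

    return {"esp_from_client": esp_from_client, "esp_from_server": esp_from_server,
            "phase1_restarts": phase1_restarts, "verdict": verdict}


if __name__ == "__main__":
    for name, cap, srv in (("Lion", FAILING_CAPTURE, "LionServer"),
                           ("Leopard", WORKING_CAPTURE, "LeopardServer")):
        print(name, analyse_l2tp_ipsec(cap, "Home", srv)["verdict"])
```

Feed it a real capture with `tcpdump -n udp port 500 or udp port 4500` output and the two hostnames (or addresses) as they appear in that output; a healthy session ends with ESP in both directions, while the failing trace above yields two Phase 1 restarts and no server ESP.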

  • Lion Server VPN Service/Class C IPs/Bonjour

    In order to deploy Lion Server's VPN service, you obviously are required to enter an IP range to assign. We are running a standard class C network here, with systems running on 192.168.1.x. The problem is that if a user is accessing the VPN from a remote location that also uses the same IP scheme, then they won't be able to connect. Is there a simple way to deal with this? Is the only way to fix the problem to re-assign every IP address on our network a more unique address scheme? We have a large network and that would be unwieldy.
    Also, will it be possible to use Bonjour over the VPN? We want to be able to share network resources as if the user was physically connected to our LAN.
    Thanks in advance for your answers!
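Two of the threads above come down to client-side address checks: the "Lion Server VPN with 2 networks" reply shows a second default route appearing on ppp0 with the internal network still routed out en0, and the post just above asks what happens when the VPN pool collides with a remote user's own 192.168.1.x LAN. The script below is an added example, not code from either poster: it parses a `netstat -rn` table (a trimmed copy of the one quoted in the routing reply is embedded as constructed sample input), does a longest-prefix lookup the way the kernel would, reports the duplicate default route and any internal network that does not resolve to the VPN interface, and tests candidate VPN pools against LAN ranges for overlap. The function names and the candidate pools are this example's own.

```python
import ipaddress

# Constructed sample: a trimmed copy of the client-side "netstat -rn" table quoted in the
# "Lion Server VPN with 2 networks" reply (en0 = local LAN, ppp0 = the VPN link)
NETSTAT_OUTPUT = """\
Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            172.16.200.1       UGSc          166        0     en0
default            172.16.150.109     UGScI           0        0    ppp0
127                127.0.0.1          UCS             0        0     lo0
169.254            link#4             UCS             0        0     en0
172.16.150/23      ppp0               USc             1        0    ppp0
172.16.150.109     172.16.150.5       UH              1        0    ppp0
172.16.200/23      link#4             UCS             5        0     en0
172.16.200.1       a0:21:b7:60:b:4e   UHLWIi        167      109     en0    845
"""


def expand_destination(dest):
    """Turn BSD netstat shorthand into an ip_network.

    'default' -> 0.0.0.0/0, '127' -> 127.0.0.0/8, '169.254' -> 169.254.0.0/16,
    '172.16.150/23' -> 172.16.150.0/23, a full address without a prefix -> /32.
    """
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, prefix = dest.partition("/")
    octets = addr.split(".")
    if not prefix:
        prefix = str(8 * len(octets))
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + prefix, strict=False)


def parse_routes(text):
    """Return the IPv4 routes as dicts; headers and unparsable rows are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] == "Destination":
            continue
        try:
            network = expand_destination(parts[0])
        except ValueError:
            continue
        routes.append({"network": network, "gateway": parts[1],
                       "flags": parts[2], "netif": parts[5]})
    return routes


def lookup(routes, ip):
    """Longest-prefix match as the kernel does it; on a tie the first table entry wins."""
    ip = ipaddress.ip_address(ip)
    matches = [r for r in routes if ip in r["network"]]
    return max(matches, key=lambda r: r["network"].prefixlen) if matches else None


def check_vpn_routing(routes, internal_net, vpn_if="ppp0"):
    """Findings a client should act on once the VPN is up."""
    findings = []
    defaults = [r["netif"] for r in routes if r["network"].prefixlen == 0]
    if len(defaults) > 1:
        findings.append("multiple default routes (%s); traffic follows the first one"
                        % ", ".join(defaults))
    probe = ipaddress.ip_network(internal_net).network_address + 1
    hit = lookup(routes, str(probe))
    if hit is None or hit["netif"] != vpn_if:
        findings.append("%s is reached via %s, not %s; add a route for it over the VPN"
                        % (internal_net, hit["netif"] if hit else "nothing", vpn_if))
    return findings


def pool_overlaps_lan(lan, vpn_pool):
    """True when the VPN address pool and a client's local LAN collide."""
    return ipaddress.ip_network(lan).overlaps(ipaddress.ip_network(vpn_pool))


def first_non_overlapping(candidate_pools, avoid):
    """First candidate pool that collides with none of the networks in `avoid`."""
    for pool in candidate_pools:
        if not any(pool_overlaps_lan(a, pool) for a in avoid):
            return pool
    return None


if __name__ == "__main__":
    table = parse_routes(NETSTAT_OUTPUT)
    for finding in check_vpn_routing(table, "172.16.0.0/23"):
        print("routing:", finding)
    # Constructed candidate pools checked against the common home ranges
    print("pool:", first_non_overlapping(
        ["192.168.1.0/24", "10.0.0.0/24", "172.31.250.0/24"],
        ["192.168.0.0/16", "10.0.0.0/8"]))
```

Run it against the output of `netstat -rn` on a connected client: a clean split-tunnel setup gives one default route and the internal network on the VPN interface, and choosing the server's pool from a range that no common home network uses (the last line picks one from the 172.16/12 space here) avoids the collision the post asks about without renumbering the office LAN.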

    Linc Davis wrote:
    Also, will it be possible to use Bonjour over the VPN?
    Bonjour doesn't work over a routed connection. You would need to use something like this:
    Slinkware
    Thanks for this link Linc. From descriptions and reviews it sounds like exactly what I was looking for to propagate Bonjour service discovery to a remote Mac. Being a little naive I had set up an OS X Server VPN expecting Bonjour to "just work" once a remote Mac connected!
    In particular the Slinkware web site has a detailed description on how to set up certificate authentication which improves security (geeky but very well detailed).

  • Lion Server: VPN external ports to open on firewall

    With Leopard/Snow Leopard Server, opening ports back to my server @ 500, 1701 and 4500 was sufficient for L2TP VPN. I had no issues trying to connect to my VPN until I upgraded to Lion (which I'm quickly learning was a big mistake).
    Now it appears that there might be undocumented, additional ports in the new (dumbed down) VPN on Lion Server
    I've got 500, 1701 and 4500 open now... and added 1723 (PPTP) as some people suggested (found via Google search). I still cannot connect from outside my network - the client acts like the server does not exist.
    Please note that I can connect without an issue from within the network.  When I simply change the hostname to my external host, it no longer is able to connect.  (My firewall supports external reflection when trying to access my external IP - so don't worry about my firewall config, other than port redirection).
    Is there another port besides the four I've listed above that I need to open?

    Yup... all UDP.  I'll mess with getting it outside the firewall. 
    I'm thinking now that it might be a domain/certificate name issue - seeing that all the new certificate trust requirements have already broken other things for me (like web-based stuff, calendars and profile management)
    Is it required by the VPN server that the certificate hostname matches the external hostname?
