OSX Server VPN L2TP secure?

I am using OSX Server v2.21 (169) and the L2TP VPN with shared key to connect my iPhone to my home server and browse through my home internet connection.
I have read numerous articles on the internet, and some here on the Apple Support Communities, that say L2TP VPN on OSX Server is not secure.
Is that really the case?
thanks

There is no perfect security. Ever. A sufficiently determined attacker can and will succeed against anything you can do, given that sooner or later somebody involved will make an opsec mistake somewhere. Or the existing attacks against MD5, RC4 and SSL/TLS security — attacks including BEAST, CRIME, Lucky 13, etc. — will continue to be "weaponized".
Firewalls and VPNs only get you so far, and it's common for attackers to use a variety of attacks to try to breach those; to bypass the network security.  So-called "spearphishing" tries to get somebody on the network to breach security for the attacker.  The best VPN and the best firewall are worth nothing if you have Java lit in your web browser and the Java JVM sandbox gets breached (again), or if you receive and open a document that contains malware, for instance. 
Facebook and other entities were recently breached using what was known as a watering hole attack, and that was only spotted based on detecting "odd" out-bound network traffic.  The attack got around the firewalls and the VPNs and the rest of the security, and was active on the organizations' internal networks.
If you're securing nuclear secrets or large sums of money or exceedingly embarrassing or sensitive data, then you definitely and certainly do need to focus on this stuff, and you're going to be spending time and effort and money on making your organization harder (emphasis on harder) to attack. But attacks will continue.
If you're dealing with a home network or a typical small business network, then you just don't want to be the lowest of the low-hanging fruit around, and you want to avoid opsec mistakes such as open ports or weak passwords, and you don't want to give the good folks of the Internet reasons to attack you. You want to be not worth attacking, or not as "fun" and not as valuable to attack.
Even if your security is not attacked, a DDoS can still ruin your day.
As I've mentioned elsewhere, I much prefer using a VPN server in a gateway-firewall-router device — as VPNs and NAT don't mix very well — and I do use private certificate authority chains.    But in terms of attacks?  Keep your software and your security current, review your logs and your rules, DMZ any services you provide to "outside", maintain and verify backups — those backups can be your recovery path from a breach — and start looking at "odd" or "unexpected" outbound traffic, too.  VPNs are just part of avoiding the mess of a cleanup.

Similar Messages

  • Mac OSX Server VPN Not Working

    Here's how my setup is: I have an ATT DHCP server/router that assigns my public IP.
    I have an Apple AirPort Extreme in Bridge Mode Which hosts the main wifi connection.
    I have my Mac OSX Server connected to the AirPort Extreme
    On my ATT Router DHCP Server's Firewall I have my computer set to DMZ Plus mode which forwards all ports on the network to my mac.
    I am trying to connect to the VPN network via my MacBook Pro and iPhone 5 and I cannot. However, I can connect to the online wiki page on my server by going to server.djswirkmke.com if you would like to see it. My host name is server.local on the network, but on the internet it is server.djswirkmke.com. I also have a mail domain set up as mail.djswirkmke.com. My problem is I am not able to connect to the VPN on the client computers; can you please help?

    In a moment of random frustration, I tried listing the DNS server in VPN settings three times, and it somehow fixed the problem. Even though it is the same IP all three times, it works when it is listed three times but not when it is listed just once.
    In other words, in VPN > Settings > Client Information > DNS Servers, I have:
    192.168.100.64
    192.168.100.64
    192.168.100.64
    Hope this helps someone having the same problem.

  • Leopard Server VPN L2TP Not receiving connections, PPTP works fine??

    All,
    Setting up a new OSX Snow Leopard server. The server is NOT running the firewall service. I created an L2TP VPN, with PPTP. PPTP works fine... however I am unable to connect to the L2TP.
    I receive the error: The L2TP-VPN server did not respond. Try reconnecting, if the problem continues, verify your settings.
    The server is behind an Apple AirPort N router. I've tried connecting from both inside and outside (outside I mapped ports UDP 1701, 4500, and 500) with no luck. I even tried creating a VPN connection from the actual server to itself, and get the same error.
    The logs show nothing - The extension is loaded, listening for connections, and nothing at all after that even after a connection try is made. PPTP works fine, and lots of logs there.
    Appreciate any help!!

    I too, since yesterday, am having the same issue. It's as if the L2TP tunnel is not making it through the Airport N DualWireless to the MacMini server. It was running just fine up until yesterday when I installed Security Update 2010-001 v1.0. I can use PPTP outside my network all day long, and I can even use L2TP from inside my network just fine, so I know the server is responding to local requests. I have tried from a cell modem, a client T1 and client cable internet with no joy. I have rebooted the AEBS and server with no results. When trying L2TP from outside the LAN and watching the log in real time, it does not even show it's trying. I had this issue once before when I had MobileMe "Back to My Mac" turned on and it was causing an issue, but it's off and hasn't been on in some time. I suspect the update. Did you install that update?

  • 10.5 Server VPN L2TP racoon cannot connect to socket

    So there is another thread that didn't specify a fix and I'm hoping we can get this thing resolved.
    OS X 10.5.8 Server with ports forwarded through firewall and landing on this box was working perfectly. It randomly has stopped and the vpnd.log is reporting...
    Unable to connect racoon control socket (errno = 61)
    This error happens about every second or so if VPN is enabled.
    I have tried changing the subnet, disabling and re-enabling L2TP, but nothing is working. I believe there is a stuck process that cannot die.
    I'm assuming a reboot would resolve this, but this is a production system hosting other critical services and rebooting is not an easy process.
    Thoughts?

    This is also happening to me, but on 10.6.2. I have restarted, changed the subnet range, changed the shared secret, but I continue to get the EDT Unable to connect racoon control socket (errno = 61). I have had the same experience as Grant, but everything I try does not work. Has anyone resolved their issues with this error?

  • Connecting to OSX Server VPN

    Hello-
    I have a machine running OSX.4.9 server. When I had it connected to a Linksys router with VPN pass-through it worked flawlessly. I moved the server to a remote location and deployed an ExtremeN device as the router. I can talk to the server, but I can't authenticate. It seems like user information is not being passed. Here is what is happening when the client touches the server box.
    Jun 27 12:45:37 -Server vpnd[39]: Incoming call... Address given to client = 192.168.1.56\n
    Jun 27 12:45:37 -Server pppd[29992]: pppd 2.4.2 (Apple version 233-0-4) started by root, uid 0
    Jun 27 12:45:37 -Server pppd[29992]: PPTP incoming call in progress from '216.228.X.X'...
    Jun 27 12:45:37 -Server pppd[29992]: PPTP connection established.
    Jun 27 12:45:37 -Server pppd[29992]: Connect: ppp0 <--> socket[34:17]
    Jun 27 12:46:07 -Server pppd[29992]: LCP: timeout sending Config-Requests\n
    Jun 27 12:46:07 -Server pppd[29992]: Connection terminated.
    Jun 27 12:46:07 -Server pppd[29992]: PPTP disconnecting...\n
    Jun 27 12:46:07 -Server pppd[29992]: PPTP disconnected\n
    Jun 27 12:46:07 -Server vpnd[39]: --> Client with address = 192.168.1.56 has hungup\n
    Jun 27 12:46:43 -Server vpnd[39]: Incoming call... Address given to client = 192.168.1.57\n
    Jun 27 12:46:43 -Server pppd[157]: pppd 2.4.2 (Apple version 233-0-4) started by root, uid 0
    Jun 27 12:46:43 -Server pppd[157]: PPTP incoming call in progress from '216.228.X.X'...
    Jun 27 12:46:43 -Server pppd[157]: PPTP connection established.
    Jun 27 12:46:43 -Server pppd[157]: Connect: ppp0 <--> socket[34:17]
    Jun 27 12:47:13 -Server pppd[157]: LCP: timeout sending Config-Requests\n
    Jun 27 12:47:13 -Server pppd[157]: Connection terminated.
    Jun 27 12:47:13 -Server pppd[157]: PPTP disconnecting...\n
    Jun 27 12:47:13 -Server pppd[157]: PPTP disconnected\n
    Jun 27 12:47:13 -Server vpnd[39]: --> Client with address = 192.168.1.57 has hungup\n
    Any suggestions would be appreciated.
      Mac OS X (10.4.9)   Server
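As an added example (not from the thread), a Python parser for vpnd/pppd lines in the format shown above that groups pppd messages into sessions and reports, per remote address, how many attempts reached authentication versus died in `LCP: timeout sending Config-Requests`. The log lines are a constructed sample modelled on the excerpt (addresses are made up); the `authorized for access` message is taken from the 10.4.10 log further down this page.

```python
import re
from collections import defaultdict

# Constructed sample in the syslog form vpnd/pppd use on OS X Server 10.4.
# Some messages carry a literal "\n" at the end, as in the excerpt above.
SAMPLE_LOG = """\
Jun 27 12:45:37 -Server vpnd[39]: Incoming call... Address given to client = 192.168.1.56\\n
Jun 27 12:45:37 -Server pppd[29992]: pppd 2.4.2 (Apple version 233-0-4) started by root, uid 0
Jun 27 12:45:37 -Server pppd[29992]: PPTP incoming call in progress from '203.0.113.7'...
Jun 27 12:45:37 -Server pppd[29992]: PPTP connection established.
Jun 27 12:46:07 -Server pppd[29992]: LCP: timeout sending Config-Requests\\n
Jun 27 12:46:07 -Server pppd[29992]: Connection terminated.
Jun 27 12:46:07 -Server vpnd[39]: --> Client with address = 192.168.1.56 has hungup\\n
Jun 27 12:46:43 -Server vpnd[39]: Incoming call... Address given to client = 192.168.1.57\\n
Jun 27 12:46:43 -Server pppd[157]: PPTP incoming call in progress from '203.0.113.7'...
Jun 27 12:46:43 -Server pppd[157]: PPTP connection established.
Jun 27 12:47:13 -Server pppd[157]: LCP: timeout sending Config-Requests\\n
Jun 27 12:47:13 -Server pppd[157]: Connection terminated.
Jun 27 13:02:10 -Server pppd[301]: PPTP incoming call in progress from '198.51.100.9'...
Jun 27 13:02:10 -Server pppd[301]: PPTP connection established.
Jun 27 13:02:11 -Server pppd[301]: DSAccessControl plugin: User 'vpnuser' authorized for access
Jun 27 13:02:11 -Server pppd[301]: MPPE 128-bit stateless compression enabled
"""

# "Mon DD HH:MM:SS host proc[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ "
    r"(?P<proc>vpnd|pppd)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
REMOTE_RE = re.compile(r"incoming call in progress from '([^']+)'")


def parse_sessions(log_text):
    """Group pppd messages by process id; each pppd process is one VPN session."""
    sessions = {}
    for raw in log_text.splitlines():
        line = raw[:-2] if raw.endswith("\\n") else raw  # drop the literal "\n"
        m = LINE_RE.match(line)
        if not m or m.group("proc") != "pppd":
            continue  # vpnd lines only echo the pool address; not needed here
        pid, msg = m.group("pid"), m.group("msg")
        s = sessions.setdefault(pid, {
            "pid": pid, "remote": None, "started": m.group("ts"),
            "established": False, "authorized": False,
            "lcp_timeout": False, "terminated": False,
        })
        r = REMOTE_RE.search(msg)
        if r:
            s["remote"] = r.group(1)
        elif "connection established" in msg:
            s["established"] = True
        elif "authorized for access" in msg:
            s["authorized"] = True
        elif msg.startswith("LCP: timeout sending Config-Requests"):
            s["lcp_timeout"] = True  # tunnel came up, PPP negotiation never did
        elif msg.startswith("Connection terminated"):
            s["terminated"] = True
    return sessions


def summarize_by_remote(sessions):
    """Per remote address: attempts, sessions that authenticated, LCP timeouts."""
    summary = defaultdict(lambda: {"attempts": 0, "authorized": 0, "lcp_timeouts": 0})
    for s in sessions.values():
        c = summary[s["remote"] or "unknown"]
        c["attempts"] += 1
        c["authorized"] += int(s["authorized"])
        c["lcp_timeouts"] += int(s["lcp_timeout"])
    return dict(summary)


def flag_remotes(summary, min_failures=2):
    """Remotes that repeatedly reached the server but never authenticated.
    For a single known client this is a path/NAT problem, as in the post above;
    the same pattern across many unknown remotes is what a log review should surface."""
    return sorted(
        r for r, c in summary.items()
        if c["authorized"] == 0 and c["attempts"] >= min_failures
    )


if __name__ == "__main__":
    by_remote = summarize_by_remote(parse_sessions(SAMPLE_LOG))
    for remote, counts in sorted(by_remote.items()):
        print(remote, counts)
    print("never authenticated:", flag_remotes(by_remote))
```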

    I am trying to figure this out also. I've had no luck.

  • OSX Server VPN timeout issue

    I've setup the VPN server in OS X server, and have a new Apple Airport Extreme base station as my wireless router, and it is properly configured for OSX VPN. I can usually connect to the VPN on my iPhone over the cellular network (on the first or second try). However after a few minutes of inactivity, the VPN connection goes away.
    Other VPNs I have configured on my phone (for work) don't time out after periods of inactivity, and I was wondering if there were any settings I could change for the OSX VPN server so it doesn't drop the VPN connection after a few minutes of idle time.

    Sorry, I didn't catch the phone part. That was for client. You can set the OS X Server's VPN timeout via the serveradmin command. Run the following to see all the settings...
    serveradmin settings vpn
    In particular, look at...
    vpn:Servers:com.apple.ppp.pptp:PPP:DisconnectOnIdle
    vpn:Servers:com.apple.ppp.pptp:PPP:DisconnectOnIdleTimer
    The caveat here is that the longer the timeout (or the lack of one), the less secure it is.
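An added example, not from the original thread: a small Python audit that parses `serveradmin settings vpn` output in its `key = value` form and flags the idle-disconnect settings the caveat above refers to. The PPTP keys are the ones quoted in the reply; the matching L2TP keys, the `enabled` keys, the `serveradmin settings key = value` form used for remediation and all sample values are assumptions, and the output is a constructed sample rather than a real capture.

```python
# Constructed sample of `serveradmin settings vpn` output ("key = value" lines).
# The two pptp PPP keys are from the reply above; the rest are assumed names.
SAMPLE_SETTINGS = """\
vpn:Servers:com.apple.ppp.l2tp:enabled = yes
vpn:Servers:com.apple.ppp.l2tp:PPP:DisconnectOnIdle = 1
vpn:Servers:com.apple.ppp.l2tp:PPP:DisconnectOnIdleTimer = 600
vpn:Servers:com.apple.ppp.pptp:enabled = yes
vpn:Servers:com.apple.ppp.pptp:PPP:DisconnectOnIdle = 0
vpn:Servers:com.apple.ppp.pptp:PPP:DisconnectOnIdleTimer = 14400
"""

PROTOCOLS = ("l2tp", "pptp")


def parse_settings(text):
    """Turn "key = value" lines into a dict; values are kept as strings."""
    settings = {}
    for line in text.splitlines():
        if " = " not in line:
            continue
        key, value = line.split(" = ", 1)
        settings[key.strip()] = value.strip().strip('"')
    return settings


def audit_idle_timeouts(settings, max_idle_seconds=1800):
    """Return (protocol, key, message) findings for each enabled protocol whose
    idle disconnect is off or whose idle timer is unset or above max_idle_seconds."""
    findings = []
    for proto in PROTOCOLS:
        base = f"vpn:Servers:com.apple.ppp.{proto}"
        if settings.get(f"{base}:enabled", "no") != "yes":
            continue  # a disabled protocol keeps no sessions open
        idle_key = f"{base}:PPP:DisconnectOnIdle"
        timer_key = f"{base}:PPP:DisconnectOnIdleTimer"
        if settings.get(idle_key, "0") != "1":
            findings.append((proto, idle_key,
                             "idle disconnect is off; idle sessions stay up indefinitely"))
            continue
        timer = int(settings.get(timer_key, "0") or 0)
        if timer == 0 or timer > max_idle_seconds:
            findings.append((proto, timer_key,
                             f"idle timer {timer}s is unset or exceeds {max_idle_seconds}s"))
    return findings


def remediation_commands(findings, idle_seconds=1800):
    """Command lines that would apply a bounded idle timeout for each flagged
    protocol (assumes serveradmin accepts `settings key = value`, as in Apple's docs)."""
    cmds = []
    for proto, _key, _msg in findings:
        base = f"vpn:Servers:com.apple.ppp.{proto}:PPP"
        cmds.append(f"sudo serveradmin settings {base}:DisconnectOnIdle = 1")
        cmds.append(f"sudo serveradmin settings {base}:DisconnectOnIdleTimer = {idle_seconds}")
    return cmds


if __name__ == "__main__":
    found = audit_idle_timeouts(parse_settings(SAMPLE_SETTINGS))
    for proto, key, msg in found:
        print(f"[{proto}] {key}: {msg}")
    print("\n".join(remediation_commands(found)))
```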

  • OSX Server / VPN / Windows Software Question

    Ok -
    Here shortly our company is looking to purchase accounting software that is Windows only. It's construction-specific accounting & project management software that is a great solution for a small company. The software is called Foundation for Windows. I wish there were options for a Mac program, but alas...
    But...
    Being we run a Mac Mini Server, I am having some issues conceptually figuring out how to set this up. And on top of it all, we need guys in the field to be able to VPN in and run the software from the server to input daily reports and write purchase orders for on-site work.
    At this time, we are running the following, and would need to use these machines to access the software as well.
    Mac Mini Server (which will have Mavericks/Server 3.0 at time of software) 2.3 GHz Intel Core i7 (where the software would live)
    Time Capsule
    15" MBPs 2.0 GHz w the flash hard drives (the most recent release) & Mavericks
    13 MBP 2.4 GHz w the flash hard drive & Mavericks
    The MBPs are already slated to be Bootcamp-ed with Windows 7.
    From a cost standpoint, we would probably get Windows laptops for the field guys. Dust dirt and grime are no way for a Mac to live.
    So, I humbly ask the community to assist me on getting this all set up. At this point I know that this is over my head.

    To run a public VPN server, you need to do the following:
    1. Give the gateway either a static external address or a dynamic DNS name. The latter must be a DNS record on a public DNS registrar, not on the server itself. Also in the latter case, you must run a background process to keep the DNS record up to date when your IP address changes.
    2. Give the VPN server a static address on the local network, and a hostname that is not in the top-level domain "local" (which is reserved for Bonjour).
    3. Forward external UDP ports 500, 1701, and 4500 (for L2TP) and TCP port 1723 (for PPTP) to the corresponding ports on the VPN server.
    4. Configure any firewall in use to pass this traffic.
    One other important point is that an L2TP VPN usually won't work in the current release of Mavericks, due to a bug. Unofficially, you can work around the bug by replacing the file /usr/sbin/racoon with a copy from a 10.8 installation.
    All that done, you should be able to connect to any service on the network via the built-in VPN client.

  • OSX Server VPN NAT Help

    Hello
    Configured ML VPN server using the following article.
    http://macminicolo.net/mountainlionvpn
    Everything works fine and vpn client can go out to inet. So far so good. Now what I want to do is use StrongVPN on server and allow my vpn clients to go out my connection to strong VPN. So far everything I have tried doesn't work. :-(
    Want it to look like this
    MYLOCALVPNCLIENT->OSXMLVPNSERVER->SERVEROPEN VPN CLIENT to STRONGVPN
    Playing with cusomNATRules:
    nat on en0 from 192.168.3.0/24 to any -> (en0)
    pass from {lo0, 192.168.3.0/24} to any keep state
    Tried changing it from en0 to ppp0 and no go. Did different combinations and still nada. The connection on the server to STRONGVPN is configured to route all traffic through STRONGVPN.
    I'd appreciate any help you can give. I'm sure I'm missing something simple.
    Thanks!


  • How can I connect a pptp client TO my mac osx server vpn?

    On my client it requires the following information:
    IP address of server: done
    Remote subnet: __________
    Remote subnet mask:__________
    MPPE encryption:___________
    MTU:______
    MRU:______
    NAT:______
    User: done
    Pass: done
    I've looked it up, but I can only find info for the Mac as the client; in my case a DD-WRT router is the client.
    What belongs in the empty fields, or where can I find that info?

    What kind of DVD?
    Unlikely that the file size would be suitable for email. How long is the DVD?

  • OSX Server 2.21 L2TP VPN - security recommendations

    hi  folks,
    I am running OSX Server 2.2.1 hosting mail and L2TP VPN, which work great.
    I port forward port 25
    and UDP 500, 1701, 4500 for the VPN, from my router gateway to my Mac mini.
    Are there any security concerns in relation to having open access to the UDP ports 500, 1701, 4500 on my Mac mini?
    I had tried to put a firewall rule on my gateway to only allow access from the public IP of my iPhone over 3G, but that didn't seem to work, as I still could connect over a different public network, so it appears that the firewall rule was ignored as the traffic was automatically being NATed by the gateway.
    My main question really is: should I be worried, leaving UDP ports open publicly to my Mac mini server?
    thanks

    I ran through those processes, and for the last one got file not found:
    /System/Library/LaunchDaemons/com.apple.pfctl: file does not exist or is not readable or is not a regular file
    is there a way to verify that the adaptive firewall is running?
    thanks

  • OSX Server 10.4 + VPN Tracker

    I am having problems setting up a VPN connection. I have VPN Tracker, but the machine I want to get to on my LAN (behind the router, which is another set of problems!) is running OSX Server. Do I ignore the VPN settings since they are references to IPSec/L2TP, or do I have to switch off the server firewall? I find this very unclear. Also, is there an alternative to using Tracker? Can't I simply use the built-in VPN capability of OSX?

    I am having problems setting up a vpn connection.
    VPN is a screaming bag of cats. What one vendor calls VPN
    may not be what another vendor calls it.
    I have VPN Tracker but the machine I want to get to on
    my LAN (behind the router - which is another set of
    problems!) is running OSX Server.
    If you are trying to connect from a Mac to OS X server,
    VPN Tracker is not needed to establish a VPN tunnel. The
    existing software that comes with the system can be used.
    In the Finder's Help menu ("Mac Help"), open the Help Viewer
    and search for VPN. Look at the entry entitled "Setting up
    a connection to a Virtual Private Network".
    The main reason to use VPN Tracker is if you have a
    perimeter hardware firewall / VPN appliance. For example,
    our users connect to our SonicWALL using VPN Tracker, and it
    works great. We terminate the tunnel on the LAN side of the
    SonicWALL so that the remote client computers sit through
    the tunnel on the LAN. The advantage that Equinux brings is
    that they keep it up to date as Apple and SonicWALL (and
    other VPN firewall vendors) make changes, and they provide
    good setup guides. For the interoperability list, see
    http://equinux.com/us/products/vpntracker/interoperability.html
    Do I ignore the vpn settings since they are references
    to IPSec/L2TP, or do I have to switch off the server
    firewall?
    Well, you will have to open up appropriate ports depending
    on the flavor of VPN you choose. Again, it's a screaming
    bag of cats. Of course, you will have to configure VPN
    on the Xserve.
    I find this very unclear.
    Yep. It's a screaming bag of cats.
    Also, is there an alternative to using Tracker? Can't I
    simply use the built-in vpn capability of OSX?
    To connect to an Xserve, yes. See the Help viewer article
    above. You don't mention the router you are using or whether
    it is using NAT. You may have NAT traversal issues.
    Hope this helps,
    Russ
    Xserve G5 2.0 GHz 2 GB RAM   Mac OS X (10.4.8)   Apple Hardware RAID, ATTO UL4D, Exabyte VXA-2 1x10 1u

  • VPN on OSX server

    I want to configure VPN on OSX server so I can access my server remotely. I understand I have to open up the VPN ports on my router. I have contacted BT about this (it is a BT router) and they need to know the port numbers used by VPN to unlock them. Can

    To run a public VPN server, you need to do the following:
    1. Give the gateway either a static external address or a dynamic DNS name. In the latter case, you must run a background process to keep the DNS record up to date when your IP address changes.
    2. Give the VPN server a static address on the local network.
    3. Forward external UDP ports 500, 1701, and 4500 (for L2TP) and TCP port 1723 (for PPTP) to the corresponding ports on the VPN server.
    4. Configure any firewall in use to pass this traffic.

  • L2tp Server VPN Stopped working

    Hi all. My L2TP VPN has stopped working; despite starting and stopping the service, it doesn't seem to be accepting/responding to any connection attempts. It was working up until recently. My theory is that something got messed up when I was setting up a site-to-site VPN; however, I have since removed all the servers from s2svpnadmin. Also, this is not a firewall issue, as I have turned it off for testing. I can see the vpnd service running; however, when I port scan the machine it does not appear to have any L2TP services listening. I am wondering if there is a list of preferences that I can trash to revert the service to an original state so I can reconfigure it, or any other steps I should take. OSX Server 10.4.10.
    Any Advice you could give me would be greatly appreciated.
    Message was edited by: Tim Meade

    I have been having the EXACT same problem with OS X Server 10.4.10 (on a Mac Pro). Interestingly enough I have had the VPN service running on 2 other servers, an Xserve G4 and G5 for over a year with absolutely no problems. I will try re-entering the shared secret and see if that helps but I also have begun to have the problem with PPTP as well as L2TP. Here is an excerpt from the log if this helps anyone. It just keeps going on and on, if someone wants to see the rest I can post it.
    2007-09-14 19:38:24 PDT Incoming call... Address given to client = 192.168.1.145
    Fri Sep 14 19:38:24 2007 : Directory Services Authentication plugin initialized
    Fri Sep 14 19:38:24 2007 : Directory Services Authorization plugin initialized
    Fri Sep 14 19:38:24 2007 : PPTP incoming call in progress from '76.103.147.238'...
    Fri Sep 14 19:38:24 2007 : PPTP connection established.
    Fri Sep 14 19:38:24 2007 : using link 0
    Fri Sep 14 19:38:24 2007 : Using interface ppp0
    Fri Sep 14 19:38:24 2007 : Connect: ppp0 <--> socket[34:17]
    Fri Sep 14 19:38:24 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x1847216a> <pcomp> <accomp>]
    Fri Sep 14 19:38:24 2007 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x945bad3c> <pcomp> <accomp>]
    Fri Sep 14 19:38:24 2007 : lcp_reqci: returning CONFACK.
    Fri Sep 14 19:38:24 2007 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x945bad3c> <pcomp> <accomp>]
    Fri Sep 14 19:38:24 2007 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x1847216a> <pcomp> <accomp>]
    Fri Sep 14 19:38:24 2007 : sent [LCP EchoReq id=0x0 magic=0x1847216a]
    Fri Sep 14 19:38:24 2007 : sent [CHAP Challenge id=0xd4 <e063e715c666e5a577124c41dd2a97b2>, name = "Server1"]
    Fri Sep 14 19:38:24 2007 : rcvd [LCP EchoReq id=0x0 magic=0x945bad3c]
    Fri Sep 14 19:38:24 2007 : sent [LCP EchoRep id=0x0 magic=0x1847216a]
    Fri Sep 14 19:38:24 2007 : rcvd [LCP EchoRep id=0x0 magic=0x945bad3c]
    Fri Sep 14 19:38:24 2007 : rcvd [CHAP Response id=0xd4 <1fa8586ac5da9c4ac36c26437c76db5c000000000000000022a4e675c1009b94b2a4e43359305a 8815263d16931a16cf00>, name = "vpnuser"]
    Fri Sep 14 19:38:24 2007 : sent [CHAP Success id=0xd4 "S=3AB3C51AC6E1E0D520D2A03C7DCF33B0A1C6E3AF M=Access granted"]
    Fri Sep 14 19:38:24 2007 : DSAccessControl plugin: User 'vpnuser' authorized for access
    Fri Sep 14 19:38:24 2007 : sent [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
    Fri Sep 14 19:38:25 2007 : rcvd [CCP ConfReq id=0x1 <mppe +H -M +S +L -D -C>]
    Fri Sep 14 19:38:25 2007 : sent [CCP ConfNak id=0x1 <mppe +H -M +S -L -D -C>]
    Fri Sep 14 19:38:25 2007 : rcvd [CCP ConfAck id=0x1 <mppe +H -M +S -L -D -C>]
    Fri Sep 14 19:38:25 2007 : rcvd [CCP ConfReq id=0x2 <mppe +H -M +S -L -D -C>]
    Fri Sep 14 19:38:25 2007 : sent [CCP ConfAck id=0x2 <mppe +H -M +S -L -D -C>]
    Fri Sep 14 19:38:25 2007 : MPPE 128-bit stateless compression enabled
    Fri Sep 14 19:38:25 2007 : sent [IPCP ConfReq id=0x1 <addr 0.0.0.0>]
    Fri Sep 14 19:38:25 2007 : sent [ACSCP] 01 01 00 04
    Fri Sep 14 19:38:25 2007 : rcvd [IPCP ConfReq id=0x1 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns3 0.0.0.0>]
    Fri Sep 14 19:38:25 2007 : ipcp: returning Configure-NAK
    Fri Sep 14 19:38:25 2007 : sent [IPCP ConfNak id=0x1 <addr 192.168.1.145> <ms-dns1 64.81.79.2> <ms-dns3 206.231.31.12>]
    Fri Sep 14 19:38:25 2007 : rcvd [IPV6CP ConfReq id=0x1 <addr fe80::021b:63ff:fe1d:09f1>]
    Fri Sep 14 19:38:25 2007 : Unsupported protocol 0x8057 received
    Fri Sep 14 19:38:25 2007 : sent [LCP ProtRej id=0x2 80 57 01 01 00 0e 01 0a 02 1b 63 ff fe 1d 09 f1]
    Fri Sep 14 19:38:25 2007 : rcvd [ACSCP] 01 01 00 10 01 06 00 00 00 01 02 06 00 00 00 01
    Fri Sep 14 19:38:25 2007 : sent [ACSCP] 04 01 00 0a 02 06 00 00 00 01
    Fri Sep 14 19:38:25 2007 : rcvd [IPCP ConfRej id=0x1 <addr 0.0.0.0>]
    Fri Sep 14 19:38:25 2007 : sent [IPCP ConfReq id=0x2 <addrs 0.0.0.0 192.168.1.145>]
    Fri Sep 14 19:38:25 2007 : rcvd [ACSCP] 02 01 00 04
    Fri Sep 14 19:38:25 2007 : rcvd [IPCP ConfReq id=0x2 <addr 192.168.1.145> <ms-dns1 64.81.79.2> <ms-dns3 206.231.31.12>]
    Fri Sep 14 19:38:25 2007 : ipcp: returning Configure-ACK
    Fri Sep 14 19:38:25 2007 : sent [IPCP ConfAck id=0x2 <addr 192.168.1.145> <ms-dns1 64.81.79.2> <ms-dns3 206.231.31.12>]
    Fri Sep 14 19:38:25 2007 : rcvd [ACSCP] 01 02 00 0a 01 06 00 00 00 01
    Fri Sep 14 19:38:25 2007 : sent [ACSCP] 02 02 00 0a 01 06 00 00 00 01
    Fri Sep 14 19:38:25 2007 : sent [ACSP data]
    01 00 00 14 00 0b 00 00 c0 a8 01 00 ff ff ff 00 '................'
    00 01 00 00 '....'
    Fri Sep 14 19:38:25 2007 : rcvd [IPCP ConfRej id=0x2 <addrs 0.0.0.0 192.168.1.145>]
    Fri Sep 14 19:38:25 2007 : sent [IPCP ConfReq id=0x3 <addrs 0.0.0.0 192.168.1.145>]
    Fri Sep 14 19:38:25 2007 : rcvd [ACSP data]
    01 00 00 08 00 04 00 00 '........'
    Fri Sep 14 19:38:25 2007 : rcvd [IPCP ConfRej id=0x3 <addrs 0.0.0.0 192.168.1.145>]
    Fri Sep 14 19:38:25 2007 : sent [IPCP ConfReq id=0x4 <addrs 0.0.0.0 192.168.1.145>]
    Fri Sep 14 19:38:25 2007 : rcvd [IPCP ConfRej id=0x4 <addrs 0.0.0.0 192.168.1.145>]
    Fri Sep 14 19:38:25 2007 : sent [IPCP ConfReq id=0x5 <addrs 0.0.0.0 192.168.1.145>]
    Fri Sep 14 19:38:25 2007 : rcvd [IPCP ConfRej id=0x5 <addrs 0.0.0.0 192.168.1.145>]
    Fri Sep 14 19:38:25 2007 : sent [IPCP ConfReq id=0x6 <addrs 0.0.0.0 192.168.1.145>]
    Fri Sep 14 19:38:25 2007 : rcvd [IPCP ConfRej id=0x6 <addrs 0.0.0.0 192.168.1.145>]

  • Unable to access gateway and DNS via VPN (L2TP) with Snow Leopard Server

    Summary:
    After rebooting my VPN server, I am able to establish a VPN (L2TP) connection from outside my private network. I am able to connect to (ping, SSH, …) the gateway only until the first client disconnects. Then I can perfectly access all the other computers of the private network, but I cannot access the private IP address of the gateway.
    Additionally, during my first VPN connection, my DNS server, which is on the same server, is not working properly with VPN. I can access it with the public IP address of my gateway. I can access it from inside my private network. A port scan indicates to me that port 53 is open, but a dig returns a timeout.
    Configuration:
    Cluster of 19 Xserve3.1 - Snow Leopard Server 10.6.2
    Private network 192.168.1.0/255.255.255.0 -> domain name: cluster
    -> 1 controller, which act as a gateway for the cluster private network, with the following services activated:
    DHCP, DNS, firewall (allowing all incoming traffic for each groups for test purposes), NAT, VPN, OpenDirectory, web, software update, AFP, NFS and Xgrid controller.
    en0: fixed public IP address -> controller.example.com
    en1: 192.168.1.254 -> controller.cluster
    -> 18 agents with AFP and Xgrid agent activated:
    en1: 192.168.1.x -> nodex.cluster with x between 1 and 18
    VPN (L2TP) server distributes IP addresses between 192.168.1.201 and 192.168.1.210 (-> vpn1.cluster to vpn10.cluster). Client information contains the private network DNS server information (192.168.1.254, search domain: cluster).
    Detailed problem description:
    After rebooting the Xserve, my VPN server works fine except for the DNS. My client receives the correct information:
    Configure IPv4: Using PPP
    IPv4 address: 192.168.1.201
    Subnet Mask:
    Router: 192.168.1.254
    DNS: 192.168.1.254
    Search domain: cluster
    From my VPN client, I can ping all the Xserves of my cluster (192.168.1.1 to 18 and 192.168.1.254). If I have a look in Server Admin > Settings > Network, I have three interfaces listed: en0, en1 and ppp0 of family IPv4 with address 192.168.1.254 and DNS name controller.cluster.
    The DNS server returns timeouts when I try to do a dig from my VPN client, even though I am able to access it directly from a computer inside or outside my private network.
    After I disconnect, I can see in Server Admin that the IP address of my ppp0 interface has switched to my public IP address.
    Then I can always establish a VPN (L2TP) connection, but the client receives the following information:
    Configure IPv4: Using PPP
    IPv4 address: 192.168.1.202
    Subnet Mask:
    Router: (Public IP address of my VPN server)
    DNS: 192.168.1.254
    Search domain: cluster
    From my VPN client, I can access all the other computers of my network (192.168.1.1 to 192.168.1.18), but when I ping my gateway (192.168.1.254), it returns timeouts.
    I have two "lazy" solutions to this problem: 1) Configure the VPN and DNS servers on two different Xserves, 2) Put the public IP address of my gateway as the DNS server address, but neither of these solutions is acceptable for me…
    Any help is welcome!!!

    I would suggest taking a look at:
    server admin:vpn:settings:client information:network route definitions.
    as I understand your setup it should be something like
    192.168.1.0 255.255.255.0 private.
    at least as a start. I just got done troubleshooting a similar issue but via two subnets:
    http://discussions.apple.com/thread.jspa?threadID=2292827&tstart=0

  • How can I configure Lion server to accept inbound VPN (L2TP) connections while connected as client to another vpn service?

    I have what I believe to be a unique need;
    I have a MacPro (1,1) running Lion with Server app.
    I require that this particular machine be connected as a client to a VPN server, while at the same time acting as a VPN server for my network.
    The PPTP connection configuration is such that "Send all traffic over VPN connection" is checked.
    If PPTP client is NOT connected, I can connect to Lion as VPN server. As soon as I make the connection from Lion as a client, I can no longer
    connect to Lion VPN server.
    I understand this is because I am forcing all traffic out the virtual interface (tun0) and eth0 is no longer listening on the local network.
    1. Is it possible to bind the VPN client (on Lion Server) to a particular interface? If I could tell the PPTP client to only use eth1 as the interface of choice, my assumption would be that eth0 would then be free to accept incoming connections.
    2. Is it possible to bind the VPN service (on Lion Server) to a particular interface? If I could tell the VPN service to only listen on eth1, and in turn tell the PPTP client to NOT communicate on eth1 but only eth0, then perhaps I could separate the communications?
    In my head, it seems as though both of the above options would be required in order to use Lion as both a VPN server and VPN client
    Any and all help appreciated.

    This is a standard facet of most VPNs - the problem lies in your NAT router since both clients appear to come from the same IP address as far as the VPN server is concerned, and the router can't separate out the traffic.
    There are a couple of solutions.
    First, the built-in VPN server supports L2TP and PPTP protocols. You should be able to connect one system under each protocol, so that gets your two machines connected.
    Second, you can replace your NAT router with one that supports multiple VPN clients (often termed 'VPN passthrough').
    Third, set up a site-to-site tunnel so that your entire LAN is connected to the VPN (this saves you from having to run a separate VPN client on each machine, but is typically only worth it when you have more machines).
