VPN mysteries OS X server 10.5.0

Hi all
I have a perplexing issue and I'm sure that to a certain degree it is due to a lack of knowledge and experience with DNS, VPN, etc., but bear with me as I'm learning fast.
Situation is I've configured VPN on a Mac Pro running OS X server 10.5.0 (yet to apply updates, but as far as I can see, 10.5.1 and 10.5.2 don't change the VPN picture much).
On the netgear router, the following ports are being forwarded to the IP of the server:
UDP: 4500, 500, 1701
TCP: 1723
So with L2TP set to authenticate via PPP, directory service selected, and MS-CHAPv2 for authentication, I can get a VPN connection from a nearby wireless network.
I've left the Network Routing Definitions blank so all traffic should be routed through the VPN (as I understand it). DNS server - at server end of course - is set to the server's IP, and this shows up in the DNS settings on the client end (after a successful connection).
Forward and reverse DNS lookups seem to be working fine at the server, and on the client (10.5.1).
There is a workstation (192.168.1.51) and printer (192.168.1.60) on the LAN (netgear gigabit switch) the server is connected to. However, I cannot ping anything on the network, nor can I connect via browser (for example to the printer, which has a web interface for configuration). Anyway, the DNS resolves fine, but no access.
I can ping the server at 192.168.1.50 no problem.
What I'd like to be able to do is access other workstations, etc. via IP, on the remote LAN via the VPN connection.
I can't see any firewall problems at either client or server end.
If anybody has any thoughts or ideas of how I could resolve this, I'd be really happy to hear from you!
Thanks!

Hej Leif ...
Leif Carlsson wrote:
"As I understand it, this means all traffic will be routed through the VPN connection for reasons of security and clarity."
That is what people usually report, yes (default route through VPN - check with netstat -rn on the client when connected to the VPN).
I'll check this out and post the results. Never used netstat so there you go!
If you add the server (LAN) subnet to routing def. you should get a split tunnel like you describe.
Sometimes people also add a public route 0.0.0.0/0.0.0.0 (not sure if this is necessary).
OK.
I think you should look at the subnet used for the server LAN.
Can you give me some more clues here?
Stay away from using 192.168.1.0/24 as most NAT-routers have that as the default.
And don't use 192.168.0.0/24 either.
If you try to connect from a subnet using the same numbering as the server LAN you won't succeed.
OK, so if I'm on a subnet where the addressing overlaps with the remote (server-side) LAN, that's an issue?
Otherwise, if the server is the gateway doing NAT, you probably need to look at the firewall settings (allowing traffic in from ppp0 - VPN).
Firewall on the server? I turned it off totally when testing.
If the server is behind NAT and you wish to go through it using the VPN - and then go to Internet - you need ipforwarding "on" in the server (NAT-config: "ipforwarding only" -at least in Tiger server).
NAT on the server box isn't even turned on - the LAN gets its addresses via DHCP from an ADSL modem-router (Netgear DG834) with LAN definition 192.168.1.1/255.255.255.0 and DHCP from 192.168.1.2-25.
I could give the airport base-station a fixed IP, leave DHCP just to wireless (none of the devices that have fixed IPs are wireless) and use the server for NAT? There would be a few physical wiring challenges but it could be done.
Thanks!

Similar Messages

  • Setup VPN on Mac Mini Server running OSX through a BT Hub Router

    Hello everyone,
    I know this question has been posted several times and I have looked at the suggested solutions, trying each of them. I think this is really down to my lack of knowledge hence hoping someone out there could point me to the right direction for more resources / information, please.
    I am trying to set up a Mac Mini Server with VPN access. My server sits behind a BT Hub router. These are the steps that I have been through:
    1. I am using the server app and after registering a free account with no-ip, I got myself a host name <myname>.ddns.net.
    2. Then I set up the server using a domain name
    3. I configured the DNS by first setting up a primary zone - zone: ddns.net. Then added a machine record host name: <myname> pointing to my server, which I have configured my router to assign a static IP address to at 192.168.x.x
    4. Then, I configured the VPN, set it up for L2TP and PPTP, set up the shared secret, and changed the IP address range to match that of the DHCP range on my router. My router by default has a DHCP range between 64 - 253.
    5. Then, I also configured my router to port forward 500, 1701, 1723, and 4500 to my server at 192.168.x.x (I selected both TCP and UDP).
    6. Finally, set up a user account with account name test and password abcd12345
    7. Went on my "client" machine, which is basically my Samsung S4 handphone, selected VPN -> PPTP -> server address: <myname>.ddns.net -> entered account name test and password abcd12345.
    This didn't work.
    Then, I read some posts about manually configuring DHCP in the Server app. Went into the Server app, turned on DHCP and set up a network named TestDHCP. Assigned an IP address range between that of the default DHCP range on my BT Hub router.
    This does not work either.
    Could someone please kindly help me with it? I am completely lost.
    Thank you in advance.

    To run a public VPN server behind an NAT gateway, you need to do the following:
    1. Give the gateway either a static external address or a dynamic DNS name. The latter must be a DNS record on a public DNS registrar, not on the server itself. Also in the latter case, you must run a background process to keep the DNS record up to date when your IP address changes.
    2. Give the VPN server a static address on the local network, and a hostname that is not in the top-level domain "local" (which is reserved for Bonjour.)
    3. Forward external UDP ports 500, 1701, and 4500 (for L2TP) and TCP port 1723 (for PPTP) to the corresponding ports on the VPN server.
    If your router is an Apple device, select the Network tab in AirPort Utility and click Network Options. In the sheet that opens, check the box marked
              Allow incoming IPSec authentication
    if it's not already checked, and save the change.
    With a third-party router, there may be a similar setting.
    4. Configure any firewall in use to pass this traffic.
    5. Each client must have an address on a netblock that doesn't overlap the one assigned by the VPN endpoint. For example, if the endpoint assigns addresses in the 10.0.0.0/24 range, and the client has an address on a local network in the 10.0.1.0/24 range, that's OK, but if the local network is 10.0.1.0/16, there will be a conflict. To lessen the chance of such conflicts, it's best to assign addresses in a random sub-block of 10.0.0.0/0 with a 24-bit netmask.
    6. "Back to My Mac" is incompatible with the VPN service. It must be disabled both on the server and on an AirPort router, if applicable.
    If the server is directly connected to the Internet, see this blog post.
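    The overlap rule in step 5, and the warning in the first thread about server LANs that sit on a home router's default 192.168.1.0/24, can both be checked mechanically. The following is an added example (not code from either thread) using Python's standard ipaddress module; every subnet in it is constructed for illustration.

```python
"""Check a VPN client's local subnet against the server-side prefixes (VPN
address pool and server LAN), and pick a random /24 inside 10.0.0.0/8 as the
answer above recommends for the pool.  Added example; subnets are constructed."""
import ipaddress
import secrets

# Subnets that most consumer NAT routers hand out by default.  The first thread
# warns that a server LAN on one of these collides with many remote clients.
COMMON_ROUTER_DEFAULTS = ("192.168.0.0/24", "192.168.1.0/24")


def conflicts(server_side, client_lan):
    """Return every server-side prefix that overlaps the client's local subnet.

    Any overlap is a problem: the client ends up with two routes covering the
    same addresses, so packets meant for the remote LAN may go to the local one
    (or the VPN route shadows the client's own gateway).
    """
    client = ipaddress.ip_network(client_lan, strict=False)
    return [net for net in server_side
            if ipaddress.ip_network(net, strict=False).overlaps(client)]


def uses_router_default(lan):
    """True if the LAN sits on a subnet that NAT routers commonly use out of the box."""
    return bool(conflicts(COMMON_ROUTER_DEFAULTS, lan))


def random_private_24():
    """A random /24 inside 10.0.0.0/8 (the answer's 'random sub-block with a
    24-bit netmask'), drawn from a CSPRNG so two sites rarely pick the same one."""
    second, third = secrets.randbelow(256), secrets.randbelow(256)
    return ipaddress.ip_network(f"10.{second}.{third}.0/24")


if __name__ == "__main__":
    # Constructed scenarios mirroring step 5 of the answer.
    pool = "10.0.0.0/24"
    print(conflicts([pool], "10.0.1.0/24"))        # [] -> no conflict
    print(conflicts([pool], "10.0.1.0/16"))        # ['10.0.0.0/24'] -> conflict
    # The first thread's layout: server LAN on 192.168.1.0/24.
    print(uses_router_default("192.168.1.0/24"))   # True
    print(random_private_24())
```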

  • Issues with VPN on 10.3 Server

    I have no problems using the VPN with 10.4 Server. I manage several of these, and the VPN works fine.
    However, with 10.3 Server it doesn't seem to work. I have two 10.3.9 servers at different offices, and with each I can connect to the VPN, I get an IP address, but I cannot access any resources through the VPN. Does anyone have any ideas about this?

    Thanks for your reply.
    I'm using PPTP. I've got it set up the same way as with 10.4 server.
    The servers are behind NAT routers, with TCP port 1723 forwarded to them.
    In each case the private IP subnet on the server is different from the one I'm connecting from.
    I'm connecting just fine to the VPN, but once I'm connected I can't connect to anything on the network.
    One thing I see in the system log when I try to make a connection is this: "Protocol-Reject for unsupported protocol."
    What do you think?

  • Using VPN to access Windows server at work - Possible?

    I have an iMac 2.6ghz, running 10.5.7. I have set up a PPTP VPN connection into my server at work, and it says 'connected'. How can I actually 'see' anything on this server? Also, can I see my mail on this server (mail.xxxxxx.com.au/exchange)?

    Hi Anthony, and a warm welcome to the forums!
    Is the Server a Mac or PC? What OS? What Sharing is enabled on the other end?

  • Why can I connect OK w/VPN, but cannot see Server?

    Finally got my VPN service running on 10.8.3 Server. Am able to connect from outside fine, but after connecting I cannot see my Server in my Sidebar, cannot access my Share Points, nor can I access the Server thru Screen Sharing.
    When I return to my office and connect to the LAN, I am able to see the Server, access my Shared folders, and start Screen Sharing without any problems.
    Any ideas why this is not working?
    Thank you !

    When you connect via VPN, you'll be joined to the network, but won't be automatically logged into the server. That's a separate step. In Finder, Go menu, select "Connect to Server...". You might see your server there, maybe not. Either way, you should be able to type in your server's internal IP address and connect to it.
    Also, check how you've configured the VPN settings on your server. You'd want VPN to tell your clients what DNS server to use while they are connected. If you want them to see internal resources like your server, you'd want to put your server's internal IP address in here as the DNS server to point the clients to.
    In my screenshot below, I've put in my router's address. You'd want your server listed here, or you'd want your router configured to be using your server for its DNS lookups. I think either one should work.

  • Certificate error connecting to VPN, can not validate server

    Used the configuration utility to configure a profile for VPN using certificate as authentication.  Keep getting error, can not validate server.  When I export the cert to my desktop, I see the CRL information in it.  When I view the details of the cert after installing on the iPad, I don't see any CRL information.  I'm guessing this may be the problem only not sure how to resolve it. 

    Solved the problem by adding an additional attribute in the certificate request for the VPN server (Cisco router), after first enabling SubjectAltName on the CA server.
    In CA server:
    certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
    certutil -setreg policy\SubjectAltName enabled
    certutil -setreg policy\SubjectAltName2 enabled
    net stop certsvc
    net start certsvc
    In certificate request for VPN server:
    In the Attributes box, type the desired SAN attributes. SAN attributes take the following form:
    san:dns=dns.name[&dns=dns.name]/san:ipaddress=x.x.x.x
    (external dns/ip)
    http://support.microsoft.com/kb/931351

  • Can't authenticate Mac VPN client from RADIUS server

    Hello,
    I'm a real noob here so please bear with me.
    I have been able to configure my PIX 515E to allow VPN connections onto my network, but what I need to do is set up some sort of user authentication to control access at a user level. From what I've read here and in the Configuration Guide I should be able to do this authentication with a RADIUS server. I'm running a Corriente Networks Elektron Security server which has RADIUS server capabilities. It is running on my (inside) interface at IP 192.168.10.26.
    I thought that I had everything configured properly but it never seems to authenticate. I connect, the XAUTH window pops up, I add my username and password as it's configured on my RADIUS server, but when I click OK it just cycles the progress bar at the bottom and eventually times out. The client log doesn't show me anything and the log on the RADIUS server shows me nothing. Any ideas? This seems like it should be simple because I can connect until I attempt to authenticate to the RADIUS server.
    TIA for any direction you can provide me.
    Christine

    If it helps, here is my config with some of the non-related bits deleted:
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 DMZ security50
    enable password ********* encrypted
    passwd ******* encrypted
    hostname pixfirewall
    domain-name acme.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol http 82
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    access-list inside_outbound_nat0_acl permit ip any 192.168.10.0 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip host 192.168.10.26 192.168.10.192 255.255.255.224
    access-list inside_outbound_nat0_acl permit ip host 192.168.10.69 192.168.10.192 255.255.255.224
    access-list outside_cryptomap_dyn_20 permit ip any 192.168.10.0 255.255.255.0
    access-list outside_cryptomap_dyn_40 permit ip any 192.168.10.192 255.255.255.224
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    ip address outside 207.XXX.XXX.130 255.255.255.0
    ip address inside 192.168.10.1 255.255.255.0
    ip address DMZ 192.168.100.1 255.255.255.0
    multicast interface inside
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool CBI_VPN_Pool 192.168.10.201-192.168.10.220
    pdm location 192.168.10.50 255.255.255.255 inside
    pdm group CBI_Servers inside
    pdm logging warnings 100
    pdm history enable
    arp timeout 14400
    global (outside) 200 interface
    global (DMZ) 200 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 200 192.168.10.0 255.255.255.0 0 0
    static (inside,outside) 207.XXX.XXX.150 192.168.10.27 netmask 255.255.255.255 0 0
    static (inside,outside) 207.XXX.XXX.132 192.168.10.26 dns netmask 255.255.255.255 0 0
    access-group 100 in interface outside
    route outside 0.0.0.0 0.0.0.0 207.XXX.XXX.129 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server radius-authport 1812
    aaa-server radius-acctport 1812
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server RADIUS (inside) host 192.168.10.26 ************* timeout 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.10.3 255.255.255.255 inside
    no floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
    crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map client authentication RADIUS
    crypto map outside_map interface outside
    crypto map inside_map interface inside
    isakmp enable outside
    isakmp nat-traversal 3600
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup Test_VPN address-pool CBI_VPN_Pool
    vpngroup Test_VPN dns-server 142.77.2.101 142.77.2.36
    vpngroup Test_VPN default-domain acme.com
    vpngroup Test_VPN idle-time 1800
    vpngroup Test_VPN authentication-server RADIUS
    vpngroup Test_VPN user-authentication
    vpngroup Test_VPN user-idle-timeout 1200
    vpngroup Test_VPN password ********
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.10.100-192.168.10.254 inside
    dhcpd dns 142.77.2.101 142.77.2.36
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside

  • VPN Client and Terminal Server

    We have several clients that allow us to VPN into their systems and it has come to the point that we are getting software incompatibilities. What I am trying to do is set up "compatible" connections on a Terminal Server box and let our people access this from their workstations. The problem is when the actual connection through the VPN client is made they lose connection to the terminal server. I have tried putting 2 NICs into the terminal server and am able to allocate one for the terminal server but cannot find a way to allocate the other to the VPN client. Is this possible or is there another way to accomplish this?
    Thanks

    Close,
    What I have is one machine with 2 NICs
    NIC #1 = Terminal Server Access (local LAN only) Locked in via registry settings to use ONLY this NIC
    NIC #2 = I would like to "LOCK" the client software to use ONLY this NIC (has a dynamic IP for the local LAN and access to the Internet via a router).
    Problem: When you connect to the T-Server all is fine UNTIL you start up the client software to access our clients' systems via the web; the connection to the T-Server on the local side stops and gives the appearance of a frozen screen.
    Manually disconnect the person from the T-Server and kill the Cisco client software, then you can re-connect to the T-Server (and it all starts over again).
    The Cisco software actually makes the connection to our client's system but we cannot tell because it wants BOTH the NICs for itself and stops access via NIC #1 to the T-Server.

  • SSL VPN Failed to validate server certificate (cannot access https)

    Hi all,
    I have the next problem.
    I've configured in an UC520 a SSL VPN.
    I can access properly and I can see the labels, but I can only access URLs which are http, not https:
    I can access the default IP of the UC520 (192.168.1.10) but
    when I try to get access to a secure URL I get the message: Failed to validate server certificate
    I'm trying to access a Cisco Digital Media Manager, whose URL is https://pc.sumkio.local:8080
    Do the certificates of both devices have to be the same?
    How can I add an https URL?
    Here is the config of the router:
    webvpn gateway SDM_WEBVPN_GATEWAY_1
    ip address 192.168.1.254 port 443 
    ssl trustpoint TP-self-signed-2977472073
    inservice
    webvpn context SDM_WEBVPN_CONTEXT_1
    secondary-color white
    title-color #CCCC66
    text-color black
    ssl authenticate verify all
    url-list "Intranet"
       heading "Corporate Intranet"
       url-text "DMM Sumkio" url-value "http://pc.sumkio.local:8080"
       url-text "Impresora" url-value "http://192.168.10.100"
       url-text "DMM" url-value "https://pc.sumkio.local:8443"
       url-text "DMM 1" url-value "http://192.168.10.10:8080"
       url-text "UC520" url-value "http://192.168.10.1"
    policy group SDM_WEBVPN_POLICY_1
       url-list "Intranet"
       mask-urls
       svc dns-server primary 192.168.10.250
       svc dns-server secondary 8.8.8.8
    default-group-policy SDM_WEBVPN_POLICY_1
    aaa authentication list sdm_vpn_xauth_ml_1
    gateway SDM_WEBVPN_GATEWAY_1
    max-users 10
    inservice
    Any help would be appreciated.
    Thank you

    Hi, thanks for your advice.
    I'm trying to copy the certificate via cut and paste, but I'm getting a
    % Error in saving certificate: status = FAIL
    I don't know if I'm doing this right.
    I open the https page from the DMM with Mozilla Firefox, and in options I export the certificate in PEM format.
    I get a file which, if I open it with Notepad, is like
    -----BEGIN CERTIFICATE-----
    MIICOzCCAaSgAwIBAgIET7EwyzANBgkqhkiG9w0BAQUFADBhMQswCQYDVQQGEwJV
    KoZIhvcNAQEFBQADgYEAdk7n+tJi0igrTD2o7RD9ty8MLTyHN4uk8km+7DbpEy0g
    mxLY0UZswYvbj15kPdd8QbeGEdDR6SXOYePsfIRJzL0mqMON4oiUhsqAK5y2yC6R
    nqy4wWQ2fGVEYAeLpb1jGKdZWpuag/CO90NMHcMiobfBh+4eTqm7kRPTEyma6V0=
    -----END CERTIFICATE-----
    If I try to authenticate the trustpoint, I get that error.
    How can I export the certificate from the DMM?
    I think that this file is not the right file.
    And then, do I have to make some changes in
    webvpn gateway SDM_WEBVPN_GATEWAY_1?
    Should I choose the new trustpoint?
    I understand that the old trustpoint is for the outside connection, not for the LAN connection.
    Don't worry about me, answer when you can, but I really need to fix this.
    Thank you so much
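    A quick way to tell whether a pasted PEM blob is a whole certificate: an X.509 certificate is one DER SEQUENCE whose header states its own length, so the declared length must match the decoded byte count. The checker below is an added example (not IOS or DMM code); it is run on the lines exactly as pasted in the reply above, so it reports that paste as incomplete.

```python
"""Sanity-check a pasted PEM certificate: decode the base64 body and compare
the length the outer DER SEQUENCE declares with the bytes actually present.
Added example; PASTED_PEM is copied from the reply above, the short test
certificate in the test is constructed and is not a real certificate."""
import base64
import binascii
import re

PASTED_PEM = """\
-----BEGIN CERTIFICATE-----
MIICOzCCAaSgAwIBAgIET7EwyzANBgkqhkiG9w0BAQUFADBhMQswCQYDVQQGEwJV
KoZIhvcNAQEFBQADgYEAdk7n+tJi0igrTD2o7RD9ty8MLTyHN4uk8km+7DbpEy0g
mxLY0UZswYvbj15kPdd8QbeGEdDR6SXOYePsfIRJzL0mqMON4oiUhsqAK5y2yC6R
nqy4wWQ2fGVEYAeLpb1jGKdZWpuag/CO90NMHcMiobfBh+4eTqm7kRPTEyma6V0=
-----END CERTIFICATE-----
"""

PEM_BODY = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem):
    """DER bytes of the first CERTIFICATE block, or None if the block is
    missing or its body is not valid base64."""
    m = PEM_BODY.search(pem)
    if not m:
        return None
    body = "".join(m.group(1).split())
    try:
        return base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return None


def der_sequence_total_length(der):
    """Length the outer DER SEQUENCE claims for itself (tag + length octets +
    body), or None if the data does not start with a SEQUENCE tag (0x30)."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                 # short form: a single length octet
        return 2 + first
    n = first & 0x7F                 # long form: n further length octets follow
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_certificate_pem(pem):
    """Decide whether a PEM text holds one complete certificate.

    A shorter paste than declared is truncated (a common reason a router
    rejects a pasted certificate); a longer one has trailing junk appended.
    """
    der = pem_to_der(pem)
    if der is None:
        return {"complete": False, "reason": "no CERTIFICATE block or invalid base64"}
    declared = der_sequence_total_length(der)
    if declared is None:
        return {"complete": False, "reason": "decoded data is not a DER SEQUENCE"}
    result = {"declared_length": declared, "actual_length": len(der)}
    if declared == len(der):
        result.update(complete=True, reason="declared and actual length match")
    elif declared > len(der):
        result.update(complete=False,
                      reason=f"truncated: {declared - len(der)} bytes missing")
    else:
        result.update(complete=False, reason="trailing data after the certificate")
    return result


if __name__ == "__main__":
    print(check_certificate_pem(PASTED_PEM))
```

For the pasted text the checker reports a declared length of 575 bytes against 191 decoded, i.e. the lines shown are only part of the certificate.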

  • How to enable traffic between VPN clients in Windows Server 2012 R2?

    Hello, 
    I installed Remote Access role with VPN.
    IPv4 Router is enabled: http://snag.gy/UAMY2.jpg
    VPN clients should use static ip pool: http://snag.gy/REjkB.jpg
    One VPN user is configured to have static ip: http://snag.gy/TWwq0.jpg
    VPN server uses Windows Authentication and Windows Accounting.
    With this setup, VPN clients can connect to server, get ip addresses and can see server via server's vpn ip. Server can connect to VPN clients too (Using client's vpn ips). But VPN clients can't communicate with each other.
    For example, VPN server has ip 192.168.99.5
    VPN Client 1 - 192.168.99.6
    VPN Client 2 - 192.168.99.7
    I am able to ping 192.168.99.5 from both clients, and able to ping 192.168.99.6 and 192.168.99.7 from the server via remote desktop. But I am not able to ping 192.168.99.7 from client 1 or 192.168.99.6 from client 2.
    If I trace route from 192.168.99.6 to 192.168.99.7, I can see that the packets go to the server (192.168.99.5) and the next hop - request timeout.
    What else should I configure to allow network traffic between VPN clients?

    Hi,
    To better analyze this issue, would you please post the routing tables on the two VPN clients? You can run "route print" at the command prompt to get the routing table.
    Best regards,
    Susie

  • Exchange Server 2013 and Remote Access VPN on a single server running Windows Server 2012?

    Just by way of background, I have been installing and administering network servers, e-mail systems, VPN servers, and the like for many years. However, my involvement with Exchange and Windows Server has been mostly on the forensics and data recovery level, or as a (sophisticated) user. I have never tried to deploy either from scratch before. My deployment experiences have been mostly with Linux in recent years, and with small private or personal "servers" running such cutting edge software as Windows XP back when it was new. And even NetWare once.
    When a client asked me if I could set up a server for his business, running Exchange Server (since they really want Outlook with all of its bells and whistles to work, particularly calendars) and providing VPN access for a shared file store, I figured it could not be too difficult given that it's a small business, with only a few users, and nothing sophisticated in the way of requirements. For reasons that don't bear explaining here, he was not willing to use a vendor hosting Exchange services or cloud storage. There is no internal network behind the server; it is intended to be a stand-alone server, hanging off a static IP address on the Internet, providing the entirely mobile work-force of about 10 people with Exchange-hosted e-mail for their computers and phones, a secure file store, and not much else. If Exchange didn't need it, I would not need to install Active Directory, for example. We have no direct need for its services.
    So I did the research and it appears, more by implication than outright assertion, that I should be able to run Windows Server 2012 with Exchange Server 2013 on a server that also hosts Remote Access (VPN only) and does nothing else. And it appears I ought to be able to do it without virtualizing any of it. However, I have spent the last three or four days fighting one mysterious issue after another. I had Remote Access VPN working and fairly stable very quickly (although it takes a very long time to become available after the server boots), and it has mostly remained reliable throughout although at times while installing Exchange it seems to have dropped out on me. But I've always been able to get it back after scrounging through the logs to find out what is bothering it. I have occasionally, for a few minutes at a time, had Exchange Server willing to do everything it should do (although not always everything at the same time). At one point I even received a number of e-mails on my BlackBerry that had been sent to my test account on the Exchange Server, and was able to send an e-mail from my BlackBerry to an outside account.
    But then Exchange Server just stopped. There are messages stuck in the queues, among other issues, but the Exchange Administration Center refuses now to display anything (after I enter my Administrator password, I just get a blank screen, whether on the server or remotely).
    So, I am trying to avoid bothering all of you any more than I have to, but let me just begin with the basic question posed in the title: Can I run Exchange Server (and therefore Active Directory and all of its components) and Remote Access (VPN only) on a single Windows Server 2012 server? And if so, do I have to run virtual machines (which will require adding more memory to the server, since I did not plan for it when I purchased it)? If it can be done, can anyone provide any pointers on what the pitfalls are that may be causing my problems? I am happy to provide whatever additional information anyone might like to help figure it out.
    Thanks!

    An old thread, but I ran into this issue and thought I'd share my solution. Configuring VPN removes the HTTPS 443 binding on the Default Site in IIS for some strange reason; just go and edit the bindings, add HTTPS and things should be back to normal.

  • VPN to Mountain Lion Server issues

    Hi,
    I checked a lot of VPN threads here today, but I wasn't able to find a solution for my problem just now. I try to connect by VPN to my Mountain Lion Server, but I get an error message that the VPN server is not responding. I get this message from iPhone and Mac. The Mountain Lion Server is a new installation, no upgrade from an older server.
    Some information on my setup:
    I installed the server with a hostname like myserver.mycompany.com and option 3 (internet access), as I want to use it for email at a later stage. All services are working fine (except VPN). DNS is active, but basically it only contains the address myserver.mycompany.com and forwards everything else to our router.
    I changed the DNS settings of our domain (hosted by an ISP - so not in the local DNS!). I created a subdomain vpn.mycompany.com which points to the static IP of our router.
    In the router I opened the UDP ports 500, 1701 and 4500, and for 1701 I did the same for TCP (I found this in a forum, but I think this is not necessary?); the ports are pointing to the IP of the OS X server.
    In OS X Server I started VPN for L2TP using the vpn.mycompany.com hostname, and a shared secret.
    When I try to connect with a client from outside, I connect using L2TP via vpn.mycompany.com with the shared secret and user-id and password. The user-id is created in OS X Mountain Lion Server and is configured to use the VPN service. When trying to connect I get the error message "L2TP-VPN server is not responding...".
    In the log file of the server I see some entries for each connect:
    Oct 10 20:21:45 myserver.mycompany.com racoon[13873]: Connecting.
    Oct 10 20:21:45 myserver.mycompany.com racoon[13873]: IPSec Phase1 started (Initiated by peer).
    Oct 10 20:21:45 myserver.mycompany.com racoon[13873]: IKE Packet: receive success. (Responder, Main-Mode message 1).
    Oct 10 20:21:45 myserver.mycompany.com racoon[13873]: IKE Packet: transmit success. (Responder, Main-Mode message 2).
    Oct 10 20:21:45 myserver.mycompany.com racoon[13873]: IKE Packet: receive success. (Responder, Main-Mode message 3).
    Oct 10 20:21:45 myserver.mycompany.com racoon[13873]: IKE Packet: transmit success. (Responder, Main-Mode message 4).
    Oct 10 20:21:48 myserver.mycompany.com racoon[13873]: IKE Packet: transmit success. (Phase1 Retransmit).
    Oct 10 20:22:06 --- last message repeated 2 times ---
    Oct 10 20:22:06 myserver.mycompany.com com.apple.SecurityServer[17]: Succeeded authorizing right 'system.privilege.admin' by client '/Applications/Server.app/Contents/ServerRoot/usr/libexec/ServerEventAgent' [2967] for authorization created by '/Applications/Server.app/Contents/ServerRoot/usr/libexec/ServerEventAgent' [2967] (2,0)
    Oct 10 20:22:06 myserver.mycompany.com com.apple.SecurityServer[17]: Succeeded authorizing right 'system.privilege.admin' by client '/Library/PrivilegedHelperTools/com.apple.serverd' [1716] for authorization created by '/Applications/Server.app/Contents/ServerRoot/usr/libexec/ServerEventAgent' [2967] (100000,0)
    Oct 10 20:22:06 myserver.mycompany.com racoon[13873]: IKE Packet: transmit success. (Phase1 Retransmit).
    No more entries in the log file now. Anyone any ideas what's going wrong? Might there be a problem as I use a different server name outside than inside (vpn... instead of myserver...)?
    Thanks!
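    The racoon lines above already say where the handshake dies: the server answers Main-Mode messages 1 and 3, sends message 4, and then only retransmits it, so message 5 from the client never arrives. The script below is an added example (not Apple's or racoon's code) that pulls that diagnosis out of the log automatically; it uses the lines exactly as posted, and the "IPSec Phase1 established" success marker it looks for is an assumption about racoon's wording.

```python
"""Summarise an IKEv1 Main-Mode exchange from racoon log lines as seen on the
responder (the server), and say where it stalled.  Added example; SAMPLE_LOG is
copied from the post above with the unrelated SecurityServer lines dropped."""
import re

SAMPLE_LOG = """\
Oct 10 20:21:45 myserver.mycompany.com racoon[13873]: Connecting.
Oct 10 20:21:45 myserver.mycompany.com racoon[13873]: IPSec Phase1 started (Initiated by peer).
Oct 10 20:21:45 myserver.mycompany.com racoon[13873]: IKE Packet: receive success. (Responder, Main-Mode message 1).
Oct 10 20:21:45 myserver.mycompany.com racoon[13873]: IKE Packet: transmit success. (Responder, Main-Mode message 2).
Oct 10 20:21:45 myserver.mycompany.com racoon[13873]: IKE Packet: receive success. (Responder, Main-Mode message 3).
Oct 10 20:21:45 myserver.mycompany.com racoon[13873]: IKE Packet: transmit success. (Responder, Main-Mode message 4).
Oct 10 20:21:48 myserver.mycompany.com racoon[13873]: IKE Packet: transmit success. (Phase1 Retransmit).
Oct 10 20:22:06 --- last message repeated 2 times ---
Oct 10 20:22:06 myserver.mycompany.com racoon[13873]: IKE Packet: transmit success. (Phase1 Retransmit).
"""

MAIN_MODE = re.compile(
    r"IKE Packet: (receive|transmit) success\. \(Responder, Main-Mode message (\d)\)")
PHASE1_RETRANSMIT = re.compile(r"\(Phase1 Retransmit\)")
SYSLOG_REPEAT = re.compile(r"last message repeated (\d+) times")
# Assumed success marker: the line racoon logs once Phase 1 completes.
PHASE1_DONE = re.compile(r"IPSec Phase1 established")


def analyze_phase1(log):
    """Return the highest Main-Mode message received and sent, the number of
    retransmissions of the last message (syslog 'repeated N times' lines are
    folded in), whether Phase 1 completed, and a one-line verdict."""
    received = sent = retransmits = 0
    established = False
    last_was_retransmit = False
    for line in log.splitlines():
        m = MAIN_MODE.search(line)
        if m:
            n = int(m.group(2))
            if m.group(1) == "receive":
                received = max(received, n)
            else:
                sent = max(sent, n)
            last_was_retransmit = False
        elif PHASE1_RETRANSMIT.search(line):
            retransmits += 1
            last_was_retransmit = True
        else:
            r = SYSLOG_REPEAT.search(line)
            if r and last_was_retransmit:
                retransmits += int(r.group(1))   # syslog folded repeats
            elif PHASE1_DONE.search(line):
                established = True
                last_was_retransmit = False
    if established:
        verdict = "Phase 1 completed"
    elif retransmits and sent > received:
        verdict = (f"Phase 1 stalled: the server sent Main-Mode message {sent} and "
                   f"retransmitted it {retransmits} times, so message {sent + 1} from "
                   "the client never arrived; look at the router/firewall path between "
                   "the peers rather than at the server's VPN settings")
    elif received == 0:
        verdict = "nothing received: IKE traffic (UDP 500) is probably not reaching the server"
    else:
        verdict = "incomplete exchange without retransmits; check for later log lines"
    return {"received": received, "sent": sent, "retransmits": retransmits,
            "established": established, "verdict": verdict}


if __name__ == "__main__":
    print(analyze_phase1(SAMPLE_LOG)["verdict"])
```

This agrees with the poster's own test: the tunnel came up when reached locally via /etc/hosts, so the server was fine and the block was on the path in front of it.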

    Solved, first of all we tested to establish the VPN connection locally by adding the ip address of the server to /etc/hosts for vpn.mycompany.com. The VPN connected without problems then, so it was clear that it is a firewall/router problem, and not a server problem.
    After that we studied some more documentation and found that we don't have to open port 50, but IP protocol 50 (ESP) on the firewall. After that was done, the connection was working from the internet as well.

  • Need help sorting a 'self-populating' plist file (vpn on mac leopard server - 10.6.8)

    I recently configured my Mac Snow Leopard Server using Terminal and had it successfully working.
    I could VPN internally and externally to my server at its location.
    I one day started getting the message
         "The connection has failed. Please verify your settings and try again"
    I did as the message said and everything remained the same;
    - server IP
    - shared secret
    - username and password
    - public IP address
    - com.apple.ppp.l2tp.plist still configured correctly
    On a mission, I thought I'd configure it the normal way by entering the data into the Server Admin panel and tried flicking the VPN service on, and it wouldn't work; I was also getting an error saying it could not launch the com.apple.ppp.l2tp plist.
    Upon investigation I found out that I had installed (but was not running) iVPN... so I uninstalled this...
    Still I could not get a VPN connection, so I checked com.apple.RemoteAccessServers.plist and noticed it had doubled in size (originally 4kb and now 8kb).
    I thought this was a mistake and deleted it, knowing it would create a fresh plist file.... HOWEVER it constantly populates the info twice as shown below:
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>ActiveServers</key>
        <array>
            <string>com.apple.ppp.l2tp</string>
        </array>
        <key>Globals</key>
        <dict>
            <key>PSKeyAccount</key>
            <string>vpn_0649d87c2f06</string>
        </dict>
        <key>Servers</key>
        <dict>
            <key>com.apple.ppp.l2tp</key>
            <dict>
                <key>DNS</key>
                <dict>
                    <key>OfferedSearchDomains</key>
                    <array>
                        <string>8.8.8.8</string>
                        <string>8.8.4.4</string>
                    </array>
                    <key>OfferedServerAddresses</key>
                    <array>
                        <string>192.168.0.248</string>
                    </array>
                </dict>
                <key>EAP</key>
                <dict>
                    <key>KerberosServicePrincipalName</key>
                    <string>vpn/[email protected]</string>
                </dict>
                <key>IPSec</key>
                <dict>
                    <key>AuthenticationMethod</key>
                    <string>SharedSecret</string>
                    <key>IdentifierVerification</key>
                    <string>None</string>
                    <key>LocalCertificate</key>
                    <data>
                    </data>
                    <key>LocalIdentifier</key>
                    <string></string>
                    <key>RemoteIdentifier</key>
                    <string></string>
                    <key>SharedSecret</key>
                    <string>com.apple.ppp.l2tp</string>
                    <key>SharedSecretEncryption</key>
                    <string>Keychain</string>
                </dict>
                <key>IPv4</key>
                <dict>
                    <key>ConfigMethod</key>
                    <string>Manual</string>
                    <key>DestAddressRanges</key>
                    <array>
                        <string>192.168.0.230</string>
                        <string>192.168.0.240</string>
                    </array>
                    <key>OfferedRouteAddresses</key>
                    <array/>
                    <key>OfferedRouteMasks</key>
                    <array/>
                    <key>OfferedRouteTypes</key>
                    <array/>
                </dict>
                <key>Interface</key>
                <dict>
                    <key>SubType</key>
                    <string>L2TP</string>
                    <key>Type</key>
                    <string>PPP</string>
                </dict>
                <key>L2TP</key>
                <dict>
                    <key>Transport</key>
                    <string>IPSec</string>
                </dict>
                <key>PPP</key>
                <dict>
                    <key>ACSPEnabled</key>
                    <integer>1</integer>
                    <key>AuthenticatorACLPlugins</key>
                    <array>
                        <string>DSACL</string>
                    </array>
                    <key>AuthenticatorEAPPlugins</key>
                    <array>
                        <string>EAP-KRB</string>
                    </array>
                    <key>AuthenticatorPlugins</key>
                    <array>
                        <string>DSAuth</string>
                    </array>
                    <key>AuthenticatorProtocol</key>
                    <array>
                        <string>MSCHAP2</string>
                    </array>
                    <key>DisconnectOnIdle</key>
                    <integer>1</integer>
                    <key>DisconnectOnIdleTimer</key>
                    <integer>7200</integer>
                    <key>IPCPCompressionVJ</key>
                    <integer>0</integer>
                    <key>LCPEchoEnabled</key>
                    <integer>1</integer>
                    <key>LCPEchoFailure</key>
                    <integer>5</integer>
                    <key>LCPEchoInterval</key>
                    <integer>60</integer>
                    <key>Logfile</key>
                    <string>/var/log/ppp/vpnd.log</string>
                    <key>VerboseLogging</key>
                    <integer>1</integer>
                </dict>
                <key>Radius</key>
                <dict>
                    <key>Servers</key>
                    <array>
                        <dict>
                            <key>Address</key>
                            <string>1.1.1.1</string>
                            <key>SharedSecret</key>
                            <string>1</string>
                        </dict>
                        <dict>
                            <key>Address</key>
                            <string>2.2.2.2</string>
                            <key>SharedSecret</key>
                            <string>2</string>
                        </dict>
                    </array>
                </dict>
                <key>Server</key>
                <dict>
                    <key>LoadBalancingAddress</key>
                    <string>1.2.3.4</string>
                    <key>LoadBalancingEnabled</key>
                    <integer>0</integer>
                    <key>Logfile</key>
                    <string>/var/log/ppp/vpnd.log</string>
                    <key>MaximumSessions</key>
                    <integer>128</integer>
                    <key>VerboseLogging</key>
                    <integer>1</integer>
                </dict>
            </dict>
            <key>com.apple.ppp.pptp</key>
            <dict>
                <key>DNS</key>
                <dict>
                    <key>OfferedSearchDomains</key>
                    <array>
                        <string>8.8.8.8</string>
                        <string>8.8.4.4</string>
                    </array>
                    <key>OfferedServerAddresses</key>
                    <array>
                        <string>192.168.0.248</string>
                    </array>
                </dict>
                <key>EAP</key>
                <dict>
                    <key>KerberosServicePrincipalName</key>
                    <string>vpn/[email protected]</string>
                </dict>
                <key>IPv4</key>
                <dict>
                    <key>ConfigMethod</key>
                    <string>Manual</string>
                    <key>DestAddressRanges</key>
                    <array/>
                    <key>OfferedRouteAddresses</key>
                    <array/>
                    <key>OfferedRouteMasks</key>
                    <array/>
                    <key>OfferedRouteTypes</key>
                    <array/>
                </dict>
                <key>Interface</key>
                <dict>
                    <key>SubType</key>
                    <string>PPTP</string>
                    <key>Type</key>
                    <string>PPP</string>
                </dict>
                <key>PPP</key>
                <dict>
                    <key>ACSPEnabled</key>
                    <integer>1</integer>
                    <key>AuthenticatorACLPlugins</key>
                    <array>
                        <string>DSACL</string>
                    </array>
                    <key>AuthenticatorEAPPlugins</key>
                    <array>
                        <string>EAP-RSA</string>
                    </array>
                    <key>AuthenticatorPlugins</key>
                    <array>
                        <string>DSAuth</string>
                    </array>
                    <key>AuthenticatorProtocol</key>
                    <array>
                        <string>MSCHAP2</string>
                    </array>
                    <key>CCPEnabled</key>
                    <integer>1</integer>
                    <key>CCPProtocols</key>
                    <array>
                        <string>MPPE</string>
                    </array>
                    <key>DisconnectOnIdle</key>
                    <integer>1</integer>
                    <key>DisconnectOnIdleTimer</key>
                    <integer>7200</integer>
                    <key>IPCPCompressionVJ</key>
                    <integer>0</integer>
                    <key>LCPEchoEnabled</key>
                    <integer>1</integer>
                    <key>LCPEchoFailure</key>
                    <integer>5</integer>
                    <key>LCPEchoInterval</key>
                    <integer>60</integer>
                    <key>Logfile</key>
                    <string>/var/log/ppp/vpnd.log</string>
                    <key>MPPEKeySize128</key>
                    <integer>1</integer>
                    <key>MPPEKeySize40</key>
                    <integer>0</integer>
                    <key>VerboseLogging</key>
                    <integer>1</integer>
                </dict>
                <key>Radius</key>
                <dict>
                    <key>Servers</key>
                    <array>
                        <dict>
                            <key>Address</key>
                            <string>1.1.1.1</string>
                            <key>SharedSecret</key>
                            <string>1</string>
                        </dict>
                        <dict>
                            <key>Address</key>
                            <string>2.2.2.2</string>
                            <key>SharedSecret</key>
                            <string>2</string>
                        </dict>
                    </array>
                </dict>
                <key>Server</key>
                <dict>
                    <key>Logfile</key>
                    <string>/var/log/ppp/vpnd.log</string>
                    <key>MaximumSessions</key>
                    <integer>128</integer>
                    <key>VerboseLogging</key>
                    <integer>1</integer>
                </dict>
            </dict>
        </dict>
    </dict>
    </plist>
    Thinking I was half clever, I thought I'd do a restore to when I first set the server up... not successful.
    Secondly, I wiped the drive with zero data and did a fresh install... still not successful.
    There must be a way to fix this BS error!
    My source for the original setup was here: http://dreaming-artemis.com/2011/07/18/setting-up-vpn-on-the-imac-osx-snow-leopard-10-6-8/
    Thanks in advance
    TMC
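    Whatever is regenerating the file, the plist the poster pasted is worth reading for its own sake, because several of its values are wrong or weak independently of the launch error. The following is an added example, not code from the original thread or from Apple: it loads a trimmed copy of the posted com.apple.RemoteAccessServers.plist with the standard plistlib module and reports the settings a reviewer would flag. The 16-character RADIUS secret threshold and the "PPTP active" finding are this example's own policy choices; the sample plist below is the poster's data reduced to the keys the checks look at.

```python
"""Lint a com.apple.RemoteAccessServers.plist for misconfigurations and weak settings.

Added example; SAMPLE_PLIST is a trimmed copy of the plist posted in the thread
(values unchanged, keys not needed by the checks dropped).
"""
import plistlib
import re

SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>ActiveServers</key><array><string>com.apple.ppp.l2tp</string></array>
  <key>Servers</key>
  <dict>
    <key>com.apple.ppp.l2tp</key>
    <dict>
      <key>DNS</key>
      <dict>
        <key>OfferedSearchDomains</key><array><string>8.8.8.8</string><string>8.8.4.4</string></array>
        <key>OfferedServerAddresses</key><array><string>192.168.0.248</string></array>
      </dict>
      <key>IPSec</key>
      <dict>
        <key>AuthenticationMethod</key><string>SharedSecret</string>
        <key>SharedSecret</key><string>com.apple.ppp.l2tp</string>
        <key>SharedSecretEncryption</key><string>Keychain</string>
      </dict>
      <key>IPv4</key>
      <dict>
        <key>DestAddressRanges</key><array><string>192.168.0.230</string><string>192.168.0.240</string></array>
      </dict>
      <key>Radius</key>
      <dict>
        <key>Servers</key>
        <array>
          <dict><key>Address</key><string>1.1.1.1</string><key>SharedSecret</key><string>1</string></dict>
          <dict><key>Address</key><string>2.2.2.2</string><key>SharedSecret</key><string>2</string></dict>
        </array>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
MIN_RADIUS_SECRET = 16  # policy choice for this example, not an Apple requirement


def load_vpn_config(xml_bytes):
    return plistlib.loads(xml_bytes)


def lint(config):
    """Return a list of human-readable findings for the active VPN servers."""
    findings = []
    active = config.get("ActiveServers", [])
    if "com.apple.ppp.pptp" in active:
        findings.append("pptp: PPTP is active; prefer L2TP/IPsec, PPTP's MS-CHAPv2/MPPE protection is weak")
    for name in active:
        srv = config.get("Servers", {}).get(name)
        short = name.rsplit(".", 1)[-1]
        if srv is None:
            findings.append(f"{short}: listed in ActiveServers but has no Servers entry")
            continue
        # Search domains are DNS suffixes; IP addresses here are a misplaced resolver list.
        for d in srv.get("DNS", {}).get("OfferedSearchDomains", []):
            if IPV4_RE.match(d):
                findings.append(f"{short}: search domain {d!r} is an IP address; it belongs in OfferedServerAddresses")
        ipsec = srv.get("IPSec", {})
        if ipsec.get("AuthenticationMethod") == "SharedSecret" and ipsec.get("SharedSecretEncryption") != "Keychain":
            findings.append(f"{short}: IPsec shared secret is not keychain-backed; the SharedSecret value is the literal secret")
        if not srv.get("IPv4", {}).get("DestAddressRanges"):
            findings.append(f"{short}: no DestAddressRanges, clients cannot be assigned an address")
        for r in srv.get("Radius", {}).get("Servers", []):
            if len(r.get("SharedSecret", "")) < MIN_RADIUS_SECRET:
                findings.append(f"{short}: RADIUS secret for {r.get('Address')} is shorter than {MIN_RADIUS_SECRET} characters (placeholder?)")
        if srv.get("PPP", {}).get("MPPEKeySize40") == 1:
            findings.append(f"{short}: 40-bit MPPE is enabled")
    return findings


if __name__ == "__main__":
    for f in lint(load_vpn_config(SAMPLE_PLIST)):
        print(f)
```

    On the posted data this reports the two Google resolver addresses sitting in OfferedSearchDomains and the two one-character RADIUS secrets; to run it on a live server, replace SAMPLE_PLIST with the bytes of /Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist.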

    I would think you could copy them over using rsync, which is part of the OS X server package.  If you're not familiar with rsync there is a tutorial here:
    http://everythinglinux.org/rsync/
    Skip the stuff about installing and configuring rsync and just go to the part about using it to copy files between servers.

  • Error 720 when establishing VPN connection to RRAS server in Windows 8.1

    Hi,
    I am unable to establish a VPN connection to my Windows Server 2008 R2 RRAS server. I have tried all protocols, but always getting the same error: "Error 720: A connection to the remote computer could not be established. You might need to change
    the network settings for this connection".
    I am able to connect using another Windows 7 computer, on the same network and with exactly the same VPN parameters. So this is clearly not a problem with RRAS, the remote router or firewall and/or the local router.
    Strangely, the connection works by unchecking IPv4 and checking IPv6 in the connection properties. But I need IPv4 to work. All IPv4 settings are blank, nothing statically configured here.
    Note: This is a clean install of Windows 8.1, not an upgrade from a previous version.
    Thank you for helping me out!

    Hi,
    This behavior can occur if your computer and the RAS server don't have a protocol in common, or if RAS is not configured correctly. Error code 720 indicates that no PPP control protocols are configured.
    Assuming the RRAS server is using PPTP, we need to make sure the Windows client is running PPTP too. To do this, follow these steps:
    1. Right-click the VPN connection, and then click Properties.
    2. In the VPN Connection Properties dialog box, click the Networking tab, and make sure you have a protocol that the RAS server is running.
    If you don't have a protocol that the RAS server is running, add the needed protocol:
    1. Click Install, click Protocol, and then click Add.
    2. Click the protocol that you need to install, and then click OK.
    3. Click Close in the VPN Connection Properties dialog box.
    Karen Hu
    TechNet Community Support

  • Need help setting up VPN with OS X Server 2.2

    I just bought OS X Server in the hopes that it would be a simpler way to set up VPN for use with my iPhone.  I've tried a couple third party VPN configuration tools before with older versions of OSX but was never able to get it working.  Now I'm running 10.8.2 and Server 2.2.  I've made some progress, but I'm not quite there yet.
    Here's what I have set up in the VPN window:
    And the user I created:
    The User services show that VPN is selected:
    I let the Server app configure my Airport Extreme, and it looks like it set up the port mapping:
    Here are my iPhone settings
    -Server is set to my iMac's public IP address assigned by my ISP
    -Password is the password I gave the user account
    When I turn the VPN on in the iPhone I get:
    "Connecting..."
    "Starting..."
    "Authenticating..."
    then an error:
    "VPN Connection
    Authentification failed."
    What am I missing?
    Thanks,
    Sean

    Hi,
    Port  Protocol  Name  Service  Used by
    1701  UDP       L2TP  l2f      Mac OS X Server VPN service
    1723  TCP       PPTP  pptp     Mac OS X Server VPN service
    Try L2TP
