vpnd in Mac OS X 10.3 client - how to configure?
 

Hello,
I noticed that Panther includes the VPN-Server vpnd from Mac OS X 10.3 Server. The new vpnd now supports L2TP.
The man page for vpnd isn't very useful. The configuration for vpnd is stored in a *.plist file, but that file is not included in Panther (client).
I tried to set up vpnd with the corresponding *.plist file from 10.3 Server that somebody e-mailed me, but i wasn't able to log in using L2TP. There is some problem with the authentication and as i don't have 10.3 Server i can't test which values should be in the .plist.

Here is all information i gathered:
In /etc/hostconfig change VPNSERVERS=-NO- to VPNSERVERS=-YES-

The configuration *.plist is:
/Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist

(it's a rather complex XML file with the configuration for pptp and l2tp) It can be copied form 10.3 server but I don't know which values should be in there.

The main problem i have is that l2tp cant get the pskey. It should be stored in a keychain (if I'm correct). So authentication with racoon doesn't work.
/private/etc/racoon/remote/anonymous.conf points to a com.apple.ppp.l2tp keychain, I don't know where it should be located and which user should create it (or what name it should have) and I don't know what entries it should have.

Maybe somebody who has 10.3 Server can fit in the missing parts. It might be helpful to create a fake vpn server with descriptive values so we could figure out how to configure vpnd with L2TP/IPSec.
I think that would be a very useful hint - if it works.

I haven't tried this yet, but here's a web site:
http://www.afp548.com/Articles/Jaguar/vpnd.html
please post results...

That site only describes setting up pptp in Jaguar server (and there is already a hint about that).
It seems that vpnd has changed in Panther and now supports L2TP (supposed to be more secure).

I'm trying to set up a L2TP/IPSec vpn server.

And from all I know the configuration method has changed - even for pptp.

Re: vpnd in Mac OS X 10.3 client - how to configure?
 

Note that IPsec uses preshared keys or certificates (located in keychain) but L2TP is used to tunnel PPP so it is very much like a PPP server. You might need to add the PPP passwords to /etc/ppp/chap-secrets, but I am not sure.

The L2TP protocol also supports authentication but Windows does not use it. And I would think Apple doesn't either. IPsec and PPP authentication should be enough.

BTW, does anyone know on what software vpnd is based? Is it Apple proprietary?

Re: Re: vpnd in Mac OS X 10.3 client - how to configure?
 

Yes, the problem is, that that key is stored some how in the system keychain.

I found out, that in the system keychain following objects are:
com.apple.net.racoon with account com.apple.ppp.l2tp
com.apple.ras with account vpn_[MACADDRESS]

But i don't know where, and how exactly the pskey is stored.

I get this error if i try to connect to my vpn-server from a remote Mac:


For all i know it's Apple proprietary. I guess that's why it's so easy to set it up in Panther server with a nice GUI but so hard to recreate that set up in Panther client - without knowing what to do ;-)

Re: Re: Re: vpnd in Mac OS X 10.3 client - how to configure?
 

What if you configure a VPN connection to the client on the server? Then the PSK you enter should be in the keychain. After all, it is a shared key so it should work both ways.

Silly question, but why don't you use sshd?

Re: Re: Re: Re: vpnd in Mac OS X 10.3 client - how to configure?
 

I use ssh. I just thought that it might be nice to find out if it's possible to run a l2tp vpn server on Panther client.
vpnd is in Panther client and it would be nice to use a vpn server for friends and family without the need to buy Panther server.

The main problem that prevents vpnd with l2tp/IPSec to run on Panther client seems to be authentication.
I don't know if Panther server uses a special way to authenticate remote users.
The user ho wants to log in through a vpn has to be a regular user on the server.

Myzel,

did you ever got this to work?
i just found vpnd on my panther, so was searching information on this..

the source is even available on apple's site (ppp-142.tar.gz).

can anyone with 10.3 Server send me /Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist (or do you have it Myzel?)

would be very interesting if we could get this to work.

That is the file I need also. Will someone please send it to me!

samsprograms@mac.com

Use the source luke!
 

using the source code I downloaded (dont you just love Apple's opensource) I was able to see what settings it checks and using that I was able to slowly build up my own config with vi :)

Here's my "simple" config to make a working vpn server for windows clients (tested on WinXP and Win2kAS).

First of all make a /etc/ppp/chap-secrets file, this file contains the users+passwords for authentication using CHAP (Challenge Handshake Authentication Protocol:
So i have 1 user: "vpn" that can login with the pass "vpn", just add more users if you need to.

also make sure that file is chmodded with 600, so only root can read that file.

then run the vpn deamon anywhere with:
test is the Server config, you can add more or change the name.

run with -h swith to get the available commandline options. also it logs to /etc/ppp/vpnd.log

Important thing to change is the Address key I think, 192.168.0.7 is my powerbook's ip.
DestAddresses is an array with ip's it will assign to the clients that will connect.
Alot of keys speaks for its own. i dont understand them all either, just got into using vpn.
You can disable encryption by removing the MSCHAP's key.
There are alot of other settings, just take a peek at the source.

Cant quite get arpproxy working yet, couldnt get it working on redhat either :( (like 2 clients connect, and the clients try to ping each other)

Anyways, Apple's vpnd works alot better than PoPToP/pptpd on redhat!

please post feedback!, positive or negative, I dont care ;)

Tried it, the server actually started up this time :).
But.... The client gets stuck at "negotiating..."

ok need more info than that, is the client in the same network (so far i only tested it on my own LAN).

what client is it? windows xp? and what settings did you use.. (standard windows vpn connection works here)

Yes same LAN... Still I think it should work. It is another mac running 10.3.1. Thanks!

not sure if this is the problem but make sure you change the Addresses key:

my ip is 192.168.0.7, you should change it in yours..

if that doesnt work, i dont know, i only have 1 mac :(
so i cant really test

Should I use my external ip address, my internal ip address, or my domain name?
my internal ip address is 192.168.1.100, external is 24.*.*.*, and domain name is *.dnsalias.com (stars are actually other things)

Thanks again!!!!!

OK here's some more detailed info:
(This is where it is after it has started, no connections have been made. After this, a connection will be started from the client.)
(After this the client just says "negotiating..." for about a minute then errors out right before the following line)
Thank you again for your help!

Re: Use the source luke!
 

Thank you for that information. I almost gave it up as i never got it running. I only had the plist form a Mac OS X 10.3 Server install and Server uses the keychain to control authentication.

I will try it with the source code and if i get it running i will post a HowTo.

It depends if your mac is directly connected to the internet or not, if it is and you want to have connections from outside your LAN you need to listen on you internet ip.
You can also specify more than 1 address to listen on:

I'm not sure if the problem lies there, the debug information vpnd gives is kinda limited :(

VerboseLogging
 

enable verboselogging with:

put this in the dict of PPP, and not anywhere else or it wont work.

You will then get extra debug info in the system.log.

I just noticed, it works fine if connecting through the local IP address, but it doesn't work if connecting from the router's ip address (the external ip address). The computer seems to think that the incoming request is from the router (192.168.1.1)! I don't know how to fix this, but just being able to connect it all is a big step! Thanks for your help!

I'm not exactly sure what your situation is. But if you are behind a router and you want to allow incoming connections from outside your LAN you will need to forward the ports 1723 and 47 (not exactly sure about other ports) to your Mac that's running vpnd.

[edit]
put this under PPP to enable session debug info to the file /var/log/ppp/ppplog.
[/edit]

Yes, vpnd definitely thinks that th request is coming from the router. Here is a line from the log:
There is probably some setting in the router to fix this, I just need to find out what....

[edit]
I just found a setting called port triggering on my router. It has the following settings already set:

Application Name---------------VPN---------------VPN
Trigger port Range------------47~47-----------50~50
Incoming Port Range------1723~1723------500~500

Something tells me this is the problem.....
[/edit]

Your problem likely does not lie in your config. IPSec has problems when there are NAT devices (like firewalls) in between the client and the server. The problem is that the NAT changes the ip on the ESP packet and when it gets to it's destination, it gets thrown out because it has been modified in transit. There is something which gets around this, called NAT Traversal, or NAT-T. NAT-T encapsulates the ESP packet inside of the UDP 500 (ISAKMP) packet, and gets decapsulated on the remote side. Some vendors, like Cisco and Nortel use UDP 10000 or 10001.

In any case, you will probably not have any luck making this work through a firewall because apple's implementation of IPSec is based on KAME, which does not have NAT-T support. If you're behind a firewall, you will be stuck using PPTP for now.

Since most users are behind some sort of firewall, apple's IPSec implementation is useless to most of them. It's nice to have the functionality of basic IPSec available, but it's not usable in most real world situations. I've heard rumors that next version of OS X will support NAT-T, but it's only rumors. There's a product called VPN Tracker which I think costs $99. They had planned NAT-T support by the end of the year, but when I looked a couple of weeks ago, it still was not available.

Keep in mind that *both* the client and the server need to support NAT-T, not just one or the other.

Seems like you have more expierence with VPN, I have a problem that when a client connects to my vpn server he cant ping other computers in my LAN, but my computers in the LAN can ping to the client's ip that he got from the VPN server.

Probably something todo with arp_proxy?

Guybrush, how did you get VPN to work? Do you not have a NAT router?

i have a Linksys WRT54G router, and forwarded port 1723 and 47 to my powerbook. that was all i needed to do.

Which Protocols? TCP? UDP? Both?
Do you have anthing set up under Port Triggering? (for me it's under the forwarding page)

both TCP and UDP but I think only TCP is needed.. no port triggering at all.

Hmmmm.... Same here. What options do you have enabled at the bottom of the Filters page?

nothing, all disabled. (its getting a bit offtopic now tho :) )

sorry, on my router that's where the vpn passthrough, block wan request, etc. settings are. I'll keep trying, thanks for all of your help! I'm sure I will figure it out eventually ! :D

OK, a quick update on my efforts to get a VPN with L2TP to run on my Panther client.

L2TP now works. The shared secret is stored in the system keychain.

com.apple.net.racoon
account name: com.apple.net.racoon
location: com.apple.net.racoon
password: <shared secret>

Now the problem is the ppp authentication.

this is stored in the keychain (system again)
com.apple.ras
account: vpn_<MACaddress>
location: com.apple.ras

Password - now there is the Problem:
the password seems to be encrypted, so i can't find out what password is required.
Does somebody know the encryption method used here?
I think it's the root password or the password of an administrator.

Login should work with normal User accounts on the VPN server.

i wish to help, but first of all, what did you all do to make it work? what changes in the config etc, and i dont seem to have that racoon file..

I got it working. I gave up my attempt to use the same ppp authentication as in Mac OS X Server and used the same ppp authentication as you. Now everything works.

This is what i did:

I activated the root user.
Logged in as "root" i opened "keychain" and added a new application password

name: com.apple.net.racoon
account: com.apple.ppp.l2tp
Password: the shared secret

I had to do this with root as I'm not able to change the password using an admin account (it should work, but it doesn't work)

In hostconfig I changed
VPNSERVER=-YES-

I created a com.apple.RemoteAccessServer.plist
Using the PlistEditor (from the Developertools) creating a plist file is quite easy.

My com.apple.RemoteAccessServer.plist:

Notice that the ppp part is a bit different than the one you use - with your ppp part it wouldn't work on my Mac.
(I erased some parts of the plist (the ppptp things) - so there might be some errors)

Then i created the /etc/ppp/cap-secrets file.

Now i can create a VPN using L2TP. Thanks for all the help.

OS X server seems to use a special user (vpn_<mac_address>) that handles the ppp login for users on the server. I was unable to recreate that special user - mainly because I how the password is encrypted or how to get the encrypted password out of NetInfo - if i create a new user the encrypted password is hashed.

nice, im glad you got it to work :)

I've been using apple's vpnd for a week now and have been playing Command and Conquer: Generals with firends without any problems over pptp in windows xp/98/2k.

Would be nice if a developer creates a vpnd configuring tool :) if I had the time I definatly would.

btw, does Panther server configuring tool for vpnd work in the client version of Panther?

No, it doen't work.

Password_Server or Shadowhash authentication?
 

FWIW, when I was running Panther server the only user accounts that could connect over L2TP were the ones showing up in Netinfo as using Password Server (if I remember the name right). The accounts I added after setting up server were not using Pasword Server for their authentication_authority, but rather Shadowhash. The result is that only my "Administrator" account could connect, but it did work. This may be a roadblock in getting it working on workstaation.

--MM

Authenticate against user accounts?
 

Does anyone know how to get vpnd, when doing pptp, to
allow the clients to autheticate against normal user
accounts instead of against passwords in /etc/ppp/chap-secrets?

Mac OS X Server 10.3 plist file
 

here u got that plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>ActiveServers</key>
<array/>
<key>Globals</key>
<dict>
<key>PSKeyAccount</key>
<string>vpn_0030654e3512</string>
</dict>
<key>Servers</key>
<dict>
<key>com.apple.ppp.l2tp</key>
<dict>
<key>DNS</key>
<dict>
<key>OfferedSearchDomains</key>
<array/>
<key>OfferedServerAddresses</key>
<array/>
</dict>
<key>DSACL</key>
<dict>
<key>Group</key>
<string></string>
</dict>
<key>IPv4</key>
<dict>
<key>ConfigMethod</key>
<string>Manual</string>
<key>DestAddressRanges</key>
<array/>
<key>OfferedRouteAddresses</key>
<array/>
<key>OfferedRouteMasks</key>
<array/>
<key>OfferedRouteTypes</key>
<array/>
</dict>
<key>Interface</key>
<dict>
<key>SubType</key>
<string>L2TP</string>
<key>Type</key>
<string>PPP</string>
</dict>
<key>L2TP</key>
<dict>
<key>IPSecSharedSecret</key>
<string></string>
<key>IPSecSharedSecretEncryption</key>
<string>Keychain</string>
<key>Transport</key>
<string>IPSec</string>
</dict>
<key>PPP</key>
<dict>
<key>ACSPEnabled</key>
<integer>1</integer>
<key>AuthenticatorPlugins</key>
<array>
<string>DSAuth</string>
</array>
<key>AuthenticatorProtocol</key>
<array>
<string>MSCHAP2</string>
</array>
<key>IPCPCompressionVJ</key>
<integer>0</integer>
<key>LCPEchoEnabled</key>
<integer>1</integer>
<key>LCPEchoFailure</key>
<integer>5</integer>
<key>LCPEchoInterval</key>
<integer>60</integer>
<key>Logfile</key>
<string>/var/log/ppp/vpnd.log</string>
<key>VerboseLogging</key>
<integer>1</integer>
<key>_UI_DSACLEnabled</key>
<false/>
</dict>
<key>Server</key>
<dict>
<key>Logfile</key>
<string>/var/log/ppp/vpnd.log</string>
<key>MaximumSessions</key>
<integer>128</integer>
<key>VerboseLogging</key>
<integer>1</integer>
</dict>
</dict>
<key>com.apple.ppp.pptp</key>
<dict>
<key>DNS</key>
<dict>
<key>OfferedSearchDomains</key>
<array/>
<key>OfferedServerAddresses</key>
<array/>
</dict>
<key>DSACL</key>
<dict>
<key>Group</key>
<string></string>
</dict>
<key>IPv4</key>
<dict>
<key>ConfigMethod</key>
<string>Manual</string>
<key>DestAddressRanges</key>
<array/>
<key>OfferedRouteAddresses</key>
<array/>
<key>OfferedRouteMasks</key>
<array/>
<key>OfferedRouteTypes</key>
<array/>
</dict>
<key>Interface</key>
<dict>
<key>SubType</key>
<string>PPTP</string>
<key>Type</key>
<string>PPP</string>
</dict>
<key>PPP</key>
<dict>
<key>ACSPEnabled</key>
<integer>1</integer>
<key>AuthenticatorPlugins</key>
<array>
<string>DSAuth</string>
</array>
<key>AuthenticatorProtocol</key>
<array>
<string>MSCHAP2</string>
</array>
<key>CCPEnabled</key>
<integer>1</integer>
<key>CCPProtocols</key>
<array>
<string>MPPE</string>
</array>
<key>IPCPCompressionVJ</key>
<integer>0</integer>
<key>LCPEchoEnabled</key>
<integer>1</integer>
<key>LCPEchoFailure</key>
<integer>5</integer>
<key>LCPEchoInterval</key>
<integer>60</integer>
<key>Logfile</key>
<string>/var/log/ppp/vpnd.log</string>
<key>MPPEKeySize128</key>
<integer>1</integer>
<key>MPPEKeySize40</key>
<integer>0</integer>
<key>VerboseLogging</key>
<integer>1</integer>
<key>_UI_DSACLEnabled</key>
<false/>
</dict>
<key>Server</key>
<dict>
<key>Logfile</key>
<string>/var/log/ppp/vpnd.log</string>
<key>MaximumSessions</key>
<integer>128</integer>
<key>VerboseLogging</key>
<integer>1</integer>
</dict>
</dict>
</dict>
</dict>
</plist>


hope it helps

Need vpnd help from square 1
 

OK, I've read through this thread, but I can't even get out of square one.

1. I added com.apple.net.racoon to the root keychain.
2. I created a /Library/Preferences/SystemConfiguration/com.apple.RemoteAccess.plist file using myzel's post of 11-30-2003
3. I run vpnd as root. - nothing happens:
vpnd and vpnd -d do nothing and leave no logs that I can find.
vpnd -di com.apple.ppp.l2tp gives the following errors:
2004-04-20 10:48:08 EDT VPND: could not get servers dictionary
2004-04-20 10:48:08 EDT VPND: error processing prefs file

The Properties List Editor opens the plist file and shows everything.

:confused: Any clues for this clueless administrator?

Has anybody found the right way by now? I am still struggeling to be able to connect.
My server says:
The ports are open, but my iBook cannot connect using Apple's Tool "Internet Connect".
I have also added the com.apple.net.racoon to the root keychain.
I have also created the com.apple.RemoteAccess.plist file using myzel's post of 11-30-2003.
Can anybody pleeeeeease post a clear and complete walk-through of how to setup your server? TIA a lot.

Has anybody found the right way ????

can you try setting it up without L2TP?

Need Help
 

Could someone help me please?! Same problem as posted above. I tried various plist-configs, but it doesn't work.

VPND Configuration
 

I am a newby. This has been a bit of a trial and error. I beg your indulgence and hope that it is useful.

My system consists of two Powerbooks
The G4 17'" is connected via the Ethernet port en0 to an ADSL line using PPPOE.

I have a Fixed IP address from my ISP 212.xxx.xxx.xxx

The G4 15" Powerbook shares the 17's connection via the Airport port en1.

This strange setup has some advantages;
By virtual of 'Sharing' , and only whilst connected to the Internet, the 17" becomes a server running NAT and DHCP services for the 15". This allows me to serve its attached firewire disk storage over Secure (ssh) APF, which is only available to clients connected to a Mac OS X "Server".

On the 17" I set the Airport IP manually to 10.0.2.1, because it is the acting server and It only serves DHCP addresses in the range 10.0.2.2/24.

17" Ethernet En0 IP 212.xxx.xxx.xx (set by Connection using PPPoE)
17" Airport En1 IP 10.0.2.1 (set manually)
15" Airport En1 IP 10.0.2.2 (allocated by DHCP)
15" VPN (L2PT) IP 10.0.2.100

My reason for using VPN is to have a secure WIFI connection for non AFP traffic, such as HTTP, IMAP and POP. I would have liked to use a ssh tunnel for the Wifi but I don't know how to do it for HTTP,

Howto Mac OSX VPN

1. Get your /Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist. Change it to your requirements using the property list editor from the Developer Tools, or as a last resort the Text editor..

Myzel's earlier post has a couple of errors.

CCPEnabled should be CPPEnabled.
MPPEKeySize40 should have a value 1 not 40.
AuthenticatorEAPPlugins should be AuthenticatorPlugins.

This is my plagiarized plist, from this thread, a few notes MPPE is disabled. The system.log said that support was not compiled into the kernel. The AuthenticatorPlugins DSACL, enables the DSACL group. Login users not in the group fail authentication, if successfully authenticated by MSCHAP2.

Remove MSCHAP2 and no passwords are required, other than the IPsec shared secret.


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>ActiveServers</key>
<array>
<string>com.apple.ppp.l2tp</string>
</array>
<key>Servers</key>
<dict>
<key>com.apple.ppp.l2tp</key>
<dict>
<key>DNS</key>
<dict>
<key>OfferedSearchDomains</key>
<array/>
<key>OfferedServerAddresses</key>
<array/>
</dict>
<key>DSACL</key>
<dict>
<key>Group</key>
<string>admin</string>
</dict>
<key>IPv4</key>
<dict>
<key>ConfigMethod</key>
<string>Manual</string>
<key>DestAddressRanges</key>
<array>
<string>10.0.2.100</string>
<string>10.0.2.105</string>
</array>
<key>OfferedRouteAddresses</key>
<array/>
<key>OfferedRouteMasks</key>
<array/>
<key>OfferedRouteTypes</key>
<array/>
</dict>
<key>Interface</key>
<dict>
<key>SubType</key>
<string>L2TP</string>
<key>Type</key>
<string>PPP</string>
</dict>
<key>L2TP</key>
<dict>
<key>IPSecSharedSecret</key>
<string>com.apple.ppp.l2tp</string>
<key>IPSecSharedSecretEncryption</key>
<string>Keychain</string>
<key>Transport</key>
<string>IPSec</string>
</dict>
<key>PPP</key>
<dict>
<key>ACSPEnabled</key>
<integer>1</integer>
<key>AuthenticatorPlugins</key>
<array>
<string>DSACL</string>
</array>
<key>AuthenticatorProtocol</key>
<array>
<string>MSCHAP2</string>
</array>
<key>CCPEnabled</key>
<integer>0</integer>
<key>CCPProtocols</key>
<array>
<string>MPPE</string>
</array>
<key>IPCPCompressionVJ</key>
<integer>0</integer>
<key>LCPEchoEnabled</key>
<integer>1</integer>
<key>LCPEchoFailure</key>
<integer>5</integer>
<key>LCPEchoInterval</key>
<integer>60</integer>
<key>Logfile</key>
<string></string>
<key>MPPEKeySize40</key>
<integer>1</integer>
<key>VerboseLogging</key>
<integer>1</integer>
<key>_UI_DSACLEnabled</key>
<true/>
</dict>
<key>Server</key>
<dict>
<key>Logfile</key>
<string>/var/log/ppp/vpnd.log</string>
<key>MaximumSessions</key>
<integer>128</integer>
<key>VerboseLogging</key>
<integer>1</integer>
</dict>
</dict>
</dict>
</dict>
</plist>

Save the above text file with a .plist file extention

remove the following line to avoid CHAP authentication. You can add it back when you have a successful connection.

<string>MSCHAP2</string>

The file name is /Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist it should be owned by system:admin with read/write:read:read privileges. Tip is to create it on the Desktop and then drag to /Library/Preferences/SystemConfiguration/ and use the option key to add it.

2 Authentication by Shared Pass phrase
Since for me this system is a replacement WEP. Shared keys are a straight replacement

For this you need use finder to drag
/Library/Keychains/System.keychain to ~/Library/Keychains/
double click on the and it will open up. Unlock the keychain, and add a new "Password" with Name: com.apple.net.racoon Account : com.apple.ppp.l2tp
Password : YOUR SHARED SECRET GOES HERE<DONT FORGET IT>

After hitting ADD you will not be able to Look at the Password, or change the record. All changes will require your Admin or Root Password and Keychain will tell you it is INVALID. Keychain will only accept your admin / Root password for deletion.

Now from the file menu Delete the keychain "System" you have just created (you are not authorized to the real one) and select "Delete References" quit keychain

Drag the System.keychain back to /Library/Keychains (press option to add) and authenticate the replacement. Delete your ~/Library/Keychains/System.keychain


3.In terminal
Welcome to Darwin!

Create the VPND Log files
Moon:~ Alan$ sudo touch /var/log/ppp/vpnd.log

Create the chaps-secrets file if you have not removed MSCHAP2 from the .plist
Moon:~ Alan$ touch ~/Desktop/chaps-secrets

Open the file in editor and add your: user, *, password,* separated by a space. I could not get CHAPS to authenticate any Server so I recommend an asterisk. The User name must be in lower case. The password can contain capitals. the string "vpn * vpn *' works. The chaps-secret user and password are not related to Apple Users and passwords, they are just another level of security for the network. I have linked them by specifying the DSACL plugin and DSACL group - admin . Only "admin'' users as defined by netinfo may authenticate.

The chaps-secrets file is called /private/etc/ppp/chap-secrets and should be owned by system:wheel with read/write:read:read privileges

Launch Console and monitor the System.Log


Launch the daemon
Moon:~ Alan$ vpnd

Sep 28 22:50:30 localhost vpnd: VPND: launched vpnd process id '540' for server id 'com.apple.ppp.l2tp'
Sep 28 22:50:30 localhost vpnd: VPND: vpn plugin loaded
Sep 28 22:50:30 localhost vpnd: VPND: Listening for connections
Sep 28 22:50:30 localhost vpnd: VPND L2TP plugin: start racoon...
Sep 28 22:50:34 localhost kernel: L2TP command (0x1dfa804): get flags = 0x22
Sep 28 22:50:34 localhost kernel: L2TP command (0x1dfa804): set flags = 0x26
Sep 28 22:50:34 localhost kernel: L2TP command (0x1dfa804): set our IP address = 0.0.0.0, port 1701
Sep 28 22:50:34 localhost kernel: L2TP command (0x1dfa804): get our IP address = 0.0.0.0, port 1701


If you cannot get this far look at the Console messages. The com.apple.RemoteAccessServers.plist has an error in it. The console will give you a clue.



4. The VPN Client. (on my 15")

Get a wifi connection with the Server

Launch Internet Connect application. Select VPN, select L2TP over IPSec. and Continue.
Configuration: Edit Configuration - Change the Discription if you want;
Server Address: 10.0.2.1
Shared Secret: YOUR SHARED SECRET GOES HERE<DONT FORGET IT> same as the system.keychain entry. click OK.
Account name = chaps user else blank
Password = chaps password else blank
click connect.

THE SERVER (the 17") Asks Confirm Access to Keychain - raccon wants permission to use the "com.apple.net.racoon" item from your keychain. Do you want to allow this? Select Always Allow

The chances are your VPN client has timed out

Connect again. and you should be there.

If the Client System log shows packets being sent but there is nothing on the Server check / redo the shared secret. Other errors are reported in the system.log.

Firewalls - the Apple Gui does not block UDP so there is no need to open any ports for IPSec to work.
I sudo ipfw add 3000 allow tcp from 10.0.2.0/24 recv ppp1 on the 17" server which in the transport to my external IP

Problems:

Racoon when it access the System keychain it alters the System.keychain access, to 'no access' except for system. This must be changed back to read access for admin and others, otherwise Mail and Safari cannot make a secure connection to .Mac

Whilst connected via VPN the IDISK is available but not its utilization via .Mac preferences (no Mount Point)
McAfee Virex claims it is not able to connect to the Internet.

I can't use the VPNSERVER=-YES- option of ifconfig. When the system boots it gets a network and starts VPN but before my ISP has allocated my static IP. I can then only connect to 10.64.64.64 until I kill vpnd and racoon and restart it manually.

Racoon on leaves 1 of the 2 setkey -D entries on each disconnect,

WOW! Thanks for those ellaborate instructions. Will try that once I have the time.

and for pptp?
 

i'm trying to set up a vpn pptp server so i can access my home network from university, via multiple routers/firewalls...

so i figure L2TP won't work...

i've managed to set up VPN (using PPTP) on my eMac at home, and it works when connecting from the LAN.
however, when i connect from the WAN (via a router), the connection gets stuck at the "negotiating..." stage.... (just like other people posted here)

does anyone know a solution to this?
is it possible to use L2TP and connect from the WAN if there's a router?

You need to forward at least port 1701 through your router for L2TP. Perhaps other ports for to satisfy your VPN. Use this reference from Apple as a guide.

I am on tiger client (10.4.2). I followed Smokin Jake's directions and was able to get vpnd to launch racoon, and a listener for l2tp. Notably, racoon did not mess with the system keychain permissions.

But, I only get half of the logged output that he got, and no ports are opened to listen for incoming connections. This is what my log looks like:
Is this a tiger issue, or is there something else I'm doing wrong?

If anything VPND on Tiger is easier. An Admin account can add / delete System keychain passwords, and as Hunk of Cheese mentioned Racoon no longer corrupts the system keychain permissions.

I am writing this post using a L2TP VPN connection.

I set up my initial connections at home, with one Mac connected to the internet (called "Server"), sharing its connection (ppp0 or en0) to another mac via (airport or firewire) (called "Client")

For "Client" to access the internet, "Server" must open the firewall to allow TCP requests from "Client". (Internet sharing - Personal Web Sharing for Http port 80). Tiger also allows blocking of UDP ports. If these are blocked create a Port sharing description called IPsec to open UDP ports "67, 500, 1701, 4500" in the firewall.

I added a New Password item to the "Server" system keychain, Name = "com.apple.net.racoon", Account "MyNetwork", Password - "My secret password" on "Server".

On Server:
My L2TP Dictionary item of com.apple.RemoteAccessServers.plist reads:
IPSecSharedSecret String MyNetwork
IPSecSharedSecretEncryption String Keychain
Transport String IPSec


On "Server" to start VPN Daemon server com.apple.ppp.l2tp run
$ VPND

vpnd[650]: Server 'com.apple.ppp.l2tp' starting...
vpnd[650]: Loading plugin /System/Library/Extensions/L2TP.ppp
vpnd[651]: Server 'com.apple.ppp.l2tp' moved to background
vpnd[651]: Listening for connections...

Check IPsec transport

$ sudo setkey -DP

0.0.0.0/0[any] 0.0.0.0/0[1701] udp
in ipsec
esp/transport//require
spid=4 seq=1 pid=654
refcnt=1
0.0.0.0/0[1701] 0.0.0.0/0[any] udp
out ipsec
esp/transport//require
spid=3 seq=0 pid=654
refcnt=1

$ sudo setkey -D

No SAD entries.


On "Client" Application Internet connect

Select VPN Tab, and choose L2TP over IPsec.
Edit Configuration,
Server Address - IP address of "Server"
Account Name - chaps-secret username (helpful if this user belongs to the DSACL group)
Password - chaps-secret password
Machine Authentication Shared Secret "My secret password"
Select OK and Connect.

On the first Connection Racoon will request keychain access to the System keychains on "Client" and "Server" Enter your password and select Always

Log on "Server":

pppd[657]: pppd 2.4.2 (Apple version 229) started by alan, uid 0
pppd[657]: L2TP incoming call in progress
pppd[657]: L2TP connection established.
pppd[657]: Connect: ppp0 <--> socket[34:18]
pppd[657]: DSAccessControl plugin: User 'xxxxx' authorized for access
pppd[657]: Unsupported protocol 0x8057 received
pppd[657]: local IP address xx.xxx.xx.xxx
pppd[657]: remote IP address 10.0.2.100


$ sudo setkey -D
Password:
8x.xx7.xx.xx6 8x.x5.xx.x3
esp mode=transport spi=73100055(0x045b6b17) reqid=0(0x00000000)
E: rijndael-cbc b4c84d62 5a6a6781 ac99a129 5504ea0b
A: hmac-sha1 99e67b4f 6fbcca6c afa131a1 12f99246 35a59cbf
replay=4 flags=0x00000002 state=mature seq=1 pid=658
created: Jul 29 19:12:50 2005 current: Jul 29 19:24:12 2005
diff: 682(s) hard: 3600(s) soft: 2880(s)
last: Jul 29 19:24:11 2005 hard: 0(s) soft: 0(s)
current: 6560(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 62 hard: 0 soft: 0
refcnt=2
8x.x5.xx.x3 8x.xx7.xx.xx6
esp mode=transport spi=139970116(0x0857c644) reqid=0(0x00000000)
E: rijndael-cbc 0291dc80 186dc066 d689e9e1 0db3c5f9
A: hmac-sha1 e49213d5 c07cfb86 976906ce 0013c088 c7e31817
replay=4 flags=0x00000002 state=mature seq=0 pid=658
created: Jul 29 19:12:50 2005 current: Jul 29 19:24:12 2005
diff: 682(s) hard: 3600(s) soft: 2880(s)
last: Jul 29 19:24:11 2005 hard: 0(s) soft: 0(s)
current: 3330(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 62 hard: 0 soft: 0
refcnt=1

Firewalls are a major pain in trying to get a useful connection. Once the connection has been established. The "Server" needs to open some ports for the "Client"

I use:
sudo add 3000 allow ip from 10.0.2.100/30 to any rcvd ppp0
sudo add 3000 allow udp from any 53 to 10.0.2.100/30 via en0

However, if the "Server" connection to the Internet is via a PPPOE, ppp0 may already be allocated, in which case the VNP connection will create a ppp1

vpnd source
 

hello together,

with the help of Guybrush´s posting #10 I was able to set up the vpdn server in Tiger instantly (thank you).

I would now like to read the source code but can not find it at developer.apple.com

I´d highly appreciate if someone could post a link.

Thanks.

Hi all. I am new here and have gotten everything working successfully except for staying connected. I get the same error in my System Log as srmc710 . I connect, but then get disconnected right away. Here is the message in System Log that i get. "PPTP didn't get start_control_connection_request (got message : 256)"

Any help would be great.

Thanks!

Okay. I think my problem has something to do with PPPD when it is called or however that works.....

Nevermind. I have no clue on getting it to work. If anyone can help please do, or email me......

I have been able to get vpnd running and authenticating (well, basic chap) both mac and windows clients.

But, once connected, there is NO connectivity! The IP address is issued...and both the vpnd mac & pptp client (mac or win) lose connectivity to each other, to the world, etc.

Strange!

Any ideas?

What does your com.apple.RemoteAccessServers.plist look like?

I tried working with combinations from this forum. I got connections, but no communication.
I picked up a plist from my buddy's OS X server and modified it - same situation.

The configuration seems to check out. The next step I would take is to verify the IP configuration of the vpnd server, and the IP configurations of connected clients. Check things like:

The IP address assigned to the ppp0 device as it is listed in the output of ifconfig on the server, and the IP address assigned to the ppp0 device as it is listed in the output of ifconfig or ipconfig on the client (Mac or Windows).

The state of IP forwarding on the server as is reported by the command sysctl net.inet.ip.forwarding.

Any firewall rules on the server that might interfere with traffic entering and exiting the interface that PPTP clients are connecting through. Use sudo ipfw show all to dump the rules.

The state of the routing table on the server and on Mac clients. Use netstat -r to dump the routing table. On Windows clients, use route print.

The ability of connected clients to ping the vpnd server via the IP address reported by the ifconfig command above, and the ability of the vpnd server to ping connected clients.

The ability of connected clients to ping IP addresses on the private network behind the vpnd server.

The ability of connected clients to perform host resolution when connected.