vpnd in Mac OS X 10.3 client - how to configure?
Hello,
I noticed that Panther includes the VPN server vpnd from Mac OS X 10.3 Server. The new vpnd now supports L2TP. The man page for vpnd isn't very useful. The configuration for vpnd is stored in a *.plist file, but that file is not included in Panther (client). I tried to set up vpnd with the corresponding *.plist file from 10.3 Server that somebody e-mailed me, but I wasn't able to log in using L2TP. There is some problem with the authentication, and as I don't have 10.3 Server I can't test which values should be in the .plist.

Here is all the information I gathered:

In /etc/hostconfig change VPNSERVERS=-NO- to VPNSERVERS=-YES-

The configuration *.plist is: /Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist (it's a rather complex XML file with the configuration for pptp and l2tp). It can be copied from 10.3 Server but I don't know which values should be in there.

The main problem I have is that l2tp can't get the pskey. It should be stored in a keychain (if I'm correct). So authentication with racoon doesn't work. /private/etc/racoon/remote/anonymous.conf points to a com.apple.ppp.l2tp keychain. I don't know where it should be located and which user should create it (or what name it should have), and I don't know what entries it should have.

Maybe somebody who has 10.3 Server can fill in the missing parts. It might be helpful to create a fake VPN server with descriptive values so we could figure out how to configure vpnd with L2TP/IPSec. I think that would be a very useful hint - if it works.
I haven't tried this yet, but here's a web site:
http://www.afp548.com/Articles/Jaguar/vpnd.html please post results...
That site only describes setting up pptp in Jaguar server (and there is already a hint about that).
It seems that vpnd has changed in Panther and now supports L2TP (supposed to be more secure). I'm trying to set up an L2TP/IPSec VPN server. And from all I know the configuration method has changed - even for pptp.
Re: vpnd in Mac OS X 10.3 client - how to configure?
Quote:
The L2TP protocol also supports authentication but Windows does not use it. And I would think Apple doesn't either. IPsec and PPP authentication should be enough. BTW, does anyone know on what software vpnd is based? Is it Apple proprietary?
Re: Re: vpnd in Mac OS X 10.3 client - how to configure?
Quote:
I found out that in the system keychain the following objects are: com.apple.net.racoon with account com.apple.ppp.l2tp, and com.apple.ras with account vpn_[MACADDRESS]. But I don't know where, and how exactly, the pskey is stored. I get this error if I try to connect to my VPN server from a remote Mac: Code:
localhost racoon: ERROR: localconf.c:195:getpskfromkeychain(): failed to get preshared key from system keychain (error -25308)
Re: Re: Re: vpnd in Mac OS X 10.3 client - how to configure?
Re: Re: Re: Re: vpnd in Mac OS X 10.3 client - how to configure?
Quote:
vpnd is in Panther client and it would be nice to use a VPN server for friends and family without the need to buy Panther Server. The main problem that prevents vpnd with L2TP/IPSec from running on Panther client seems to be authentication. I don't know if Panther Server uses a special way to authenticate remote users. The user who wants to log in through a VPN has to be a regular user on the server.
Myzel,
did you ever get this to work? I just found vpnd on my Panther, so I was searching for information on this.. the source is even available on Apple's site (ppp-142.tar.gz). Can anyone with 10.3 Server send me /Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist (or do you have it, Myzel?) It would be very interesting if we could get this to work.
Use the source, Luke!
Using the source code I downloaded (don't you just love Apple's open source) I was able to see what settings it checks, and using that I was able to slowly build up my own config with vi :)
Here's my "simple" config to make a working VPN server for Windows clients (tested on WinXP and Win2kAS). Code:
[savage@powerbook ppp]$ cat /Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist
Code:
[savage@powerbook ppp]$ sudo cat /etc/ppp/chap-secrets
Also make sure that file is chmodded 600, so only root can read it. Then run the VPN daemon anywhere with: Code:
vpnd -dxi testrun
Use the -h switch to get the available command line options. It also logs to /etc/ppp/vpnd.log.

The important thing to change is the Address key, I think; 192.168.0.7 is my powerbook's IP. DestAddresses is an array with IPs it will assign to the clients that connect. A lot of keys speak for themselves. I don't understand them all either, I just got into using VPN. You can disable encryption by removing the MSCHAP's key. There are a lot of other settings, just take a peek at the source. Can't quite get arpproxy working yet, couldn't get it working on Red Hat either :( (like 2 clients connect, and the clients try to ping each other). Anyway, Apple's vpnd works a lot better than PoPToP/pptpd on Red Hat! Please post feedback, positive or negative, I don't care ;)
Tried it, the server actually started up this time :).
But.... The client gets stuck at "negotiating..."
OK, I need more info than that. Is the client in the same network (so far I only tested it on my own LAN)?
What client is it? Windows XP? And what settings did you use? (A standard Windows VPN connection works here.)
Yes same LAN... Still I think it should work. It is another mac running 10.3.1. Thanks!
Not sure if this is the problem, but make sure you change the Addresses key:
Code:
<key>Addresses</key>
If that doesn't work, I don't know; I only have 1 Mac :( so I can't really test.
Should I use my external ip address, my internal ip address, or my domain name?
My internal IP address is 192.168.1.100, external is 24.*.*.*, and the domain name is *.dnsalias.com (stars are actually other things). Thanks again!!!!!
OK, here's some more detailed info:
Code:
Last login: Fri Nov 14 21:14:49 on ttyp2
Code:
2003-11-14 21:16:21 EST Incoming call... Address given to client = 192.168.1.200
Code:
2003-11-14 21:16:52 EST --> Client with address = 192.168.1.200 has hungup
Re: Use the source luke!
Quote:
I will try it with the source code and if I get it running I will post a HowTo.
Quote:
You can also specify more than 1 address to listen on: Code:
<key>Addresses</key>
VerboseLogging
Enable verbose logging with:
Code:
<key>VerboseLogging</key>
You will then get extra debug info in the system.log.
I just noticed, it works fine if connecting through the local IP address, but it doesn't work if connecting from the router's IP address (the external IP address). The computer seems to think that the incoming request is from the router (192.168.1.1)! I don't know how to fix this, but just being able to connect at all is a big step! Thanks for your help!
Quote:
[edit] Put this under PPP to enable session debug info to the file /var/log/ppp/ppplog. Code:
<key>VerboseLogging</key>
Yes, vpnd definitely thinks that the request is coming from the router. Here is a line from the log:
Code:
Nov 16 19:49:15 localhost pppd[3774]: PPTP incoming call in progress from '192.168.1.1'...
[edit] I just found a setting called port triggering on my router. It has the following settings already set:

Application Name    Trigger Port Range    Incoming Port Range
VPN                 47~47                 1723~1723
VPN                 50~50                 500~500

Something tells me this is the problem..... [/edit]
Your problem likely does not lie in your config. IPSec has problems when there are NAT devices (like firewalls) in between the client and the server. The problem is that the NAT changes the IP on the ESP packet and when it gets to its destination, it gets thrown out because it has been modified in transit. There is something which gets around this, called NAT Traversal, or NAT-T. NAT-T encapsulates the ESP packet inside of the UDP 500 (ISAKMP) packet, and it gets decapsulated on the remote side. Some vendors, like Cisco and Nortel, use UDP 10000 or 10001.
In any case, you will probably not have any luck making this work through a firewall because Apple's implementation of IPSec is based on KAME, which does not have NAT-T support. If you're behind a firewall, you will be stuck using PPTP for now. Since most users are behind some sort of firewall, Apple's IPSec implementation is useless to most of them. It's nice to have the functionality of basic IPSec available, but it's not usable in most real world situations. I've heard rumors that the next version of OS X will support NAT-T, but they're only rumors. There's a product called VPN Tracker which I think costs $99. They had planned NAT-T support by the end of the year, but when I looked a couple of weeks ago, it still was not available. Keep in mind that *both* the client and the server need to support NAT-T, not just one or the other.
Quote:
Probably something to do with arp_proxy?
Guybrush, how did you get VPN to work? Do you not have a NAT router?
I have a Linksys WRT54G router, and forwarded port 1723 and 47 to my powerbook. That was all I needed to do.
Which protocols? TCP? UDP? Both?
Do you have anything set up under Port Triggering? (For me it's under the forwarding page.)
Hmmmm.... Same here. What options do you have enabled at the bottom of the Filters page?
sorry, on my router that's where the vpn passthrough, block wan request, etc. settings are. I'll keep trying, thanks for all of your help! I'm sure I will figure it out eventually ! :D
OK, a quick update on my efforts to get a VPN with L2TP to run on my Panther client.
L2TP now works. The shared secret is stored in the system keychain:

com.apple.net.racoon
account name: com.apple.net.racoon
location: com.apple.net.racoon
password: <shared secret>

Now the problem is the PPP authentication. This is stored in the keychain (system again):

com.apple.ras
account: vpn_<MACaddress>
location: com.apple.ras

Password - now there is the problem: the password seems to be encrypted, so I can't find out what password is required. Does somebody know the encryption method used here? I think it's the root password or the password of an administrator. Login should work with normal user accounts on the VPN server.
I wish to help, but first of all, what did you all do to make it work? What changes in the config etc.? And I don't seem to have that racoon file..
Quote:
This is what I did: I activated the root user. Logged in as "root" I opened "Keychain" and added a new application password:

name: com.apple.net.racoon
account: com.apple.ppp.l2tp
Password: the shared secret

I had to do this with root as I'm not able to change the password using an admin account (it should work, but it doesn't). In hostconfig I changed VPNSERVER=-YES-. I created a com.apple.RemoteAccessServer.plist. Using the PlistEditor (from the Developer Tools) creating a plist file is quite easy. My com.apple.RemoteAccessServer.plist: Code:
<?xml version="1.0" encoding="UTF-8"?>
(I erased some parts of the plist (the pptp things) - so there might be some errors.) Then I created the /etc/ppp/chap-secrets file. Now I can create a VPN using L2TP. Thanks for all the help. OS X Server seems to use a special user (vpn_<mac_address>) that handles the PPP login for users on the server. I was unable to recreate that special user - mainly because I don't know how the password is encrypted or how to get the encrypted password out of NetInfo - if I create a new user the encrypted password is hashed.
nice, im glad you got it to work :)
I've been using Apple's vpnd for a week now and have been playing Command and Conquer: Generals with friends without any problems over PPTP in Windows XP/98/2k. It would be nice if a developer created a vpnd configuring tool :) If I had the time I definitely would. BTW, does the Panther Server configuring tool for vpnd work in the client version of Panther?
Password_Server or Shadowhash authentication?
FWIW, when I was running Panther Server the only user accounts that could connect over L2TP were the ones showing up in NetInfo as using Password Server (if I remember the name right). The accounts I added after setting up the server were not using Password Server for their authentication_authority, but rather ShadowHash. The result is that only my "Administrator" account could connect, but it did work. This may be a roadblock in getting it working on a workstation.
--MM
Authenticate against user accounts?
Does anyone know how to get vpnd, when doing PPTP, to allow the clients to authenticate against normal user accounts instead of against passwords in /etc/ppp/chap-secrets?
Mac OS X Server 10.3 plist file
Here you go, that plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>ActiveServers</key>
  <array/>
  <key>Globals</key>
  <dict>
    <key>PSKeyAccount</key>
    <string>vpn_0030654e3512</string>
  </dict>
  <key>Servers</key>
  <dict>
    <key>com.apple.ppp.l2tp</key>
    <dict>
      <key>DNS</key>
      <dict>
        <key>OfferedSearchDomains</key>
        <array/>
        <key>OfferedServerAddresses</key>
        <array/>
      </dict>
      <key>DSACL</key>
      <dict>
        <key>Group</key>
        <string></string>
      </dict>
      <key>IPv4</key>
      <dict>
        <key>ConfigMethod</key>
        <string>Manual</string>
        <key>DestAddressRanges</key>
        <array/>
        <key>OfferedRouteAddresses</key>
        <array/>
        <key>OfferedRouteMasks</key>
        <array/>
        <key>OfferedRouteTypes</key>
        <array/>
      </dict>
      <key>Interface</key>
      <dict>
        <key>SubType</key>
        <string>L2TP</string>
        <key>Type</key>
        <string>PPP</string>
      </dict>
      <key>L2TP</key>
      <dict>
        <key>IPSecSharedSecret</key>
        <string></string>
        <key>IPSecSharedSecretEncryption</key>
        <string>Keychain</string>
        <key>Transport</key>
        <string>IPSec</string>
      </dict>
      <key>PPP</key>
      <dict>
        <key>ACSPEnabled</key>
        <integer>1</integer>
        <key>AuthenticatorPlugins</key>
        <array>
          <string>DSAuth</string>
        </array>
        <key>AuthenticatorProtocol</key>
        <array>
          <string>MSCHAP2</string>
        </array>
        <key>IPCPCompressionVJ</key>
        <integer>0</integer>
        <key>LCPEchoEnabled</key>
        <integer>1</integer>
        <key>LCPEchoFailure</key>
        <integer>5</integer>
        <key>LCPEchoInterval</key>
        <integer>60</integer>
        <key>Logfile</key>
        <string>/var/log/ppp/vpnd.log</string>
        <key>VerboseLogging</key>
        <integer>1</integer>
        <key>_UI_DSACLEnabled</key>
        <false/>
      </dict>
      <key>Server</key>
      <dict>
        <key>Logfile</key>
        <string>/var/log/ppp/vpnd.log</string>
        <key>MaximumSessions</key>
        <integer>128</integer>
        <key>VerboseLogging</key>
        <integer>1</integer>
      </dict>
    </dict>
    <key>com.apple.ppp.pptp</key>
    <dict>
      <key>DNS</key>
      <dict>
        <key>OfferedSearchDomains</key>
        <array/>
        <key>OfferedServerAddresses</key>
        <array/>
      </dict>
      <key>DSACL</key>
      <dict>
        <key>Group</key>
        <string></string>
      </dict>
      <key>IPv4</key>
      <dict>
        <key>ConfigMethod</key>
        <string>Manual</string>
        <key>DestAddressRanges</key>
        <array/>
        <key>OfferedRouteAddresses</key>
        <array/>
        <key>OfferedRouteMasks</key>
        <array/>
        <key>OfferedRouteTypes</key>
        <array/>
      </dict>
      <key>Interface</key>
      <dict>
        <key>SubType</key>
        <string>PPTP</string>
        <key>Type</key>
        <string>PPP</string>
      </dict>
      <key>PPP</key>
      <dict>
        <key>ACSPEnabled</key>
        <integer>1</integer>
        <key>AuthenticatorPlugins</key>
        <array>
          <string>DSAuth</string>
        </array>
        <key>AuthenticatorProtocol</key>
        <array>
          <string>MSCHAP2</string>
        </array>
        <key>CCPEnabled</key>
        <integer>1</integer>
        <key>CCPProtocols</key>
        <array>
          <string>MPPE</string>
        </array>
        <key>IPCPCompressionVJ</key>
        <integer>0</integer>
        <key>LCPEchoEnabled</key>
        <integer>1</integer>
        <key>LCPEchoFailure</key>
        <integer>5</integer>
        <key>LCPEchoInterval</key>
        <integer>60</integer>
        <key>Logfile</key>
        <string>/var/log/ppp/vpnd.log</string>
        <key>MPPEKeySize128</key>
        <integer>1</integer>
        <key>MPPEKeySize40</key>
        <integer>0</integer>
        <key>VerboseLogging</key>
        <integer>1</integer>
        <key>_UI_DSACLEnabled</key>
        <false/>
      </dict>
      <key>Server</key>
      <dict>
        <key>Logfile</key>
        <string>/var/log/ppp/vpnd.log</string>
        <key>MaximumSessions</key>
        <integer>128</integer>
        <key>VerboseLogging</key>
        <integer>1</integer>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
Hope it helps.
Need vpnd help from square 1
OK, I've read through this thread, but I can't even get out of square one.
1. I added com.apple.net.racoon to the root keychain.
2. I created a /Library/Preferences/SystemConfiguration/com.apple.RemoteAccess.plist file using myzel's post of 11-30-2003.
3. I run vpnd as root. Nothing happens: vpnd and vpnd -d do nothing and leave no logs that I can find. vpnd -di com.apple.ppp.l2tp gives the following errors:
2004-04-20 10:48:08 EDT VPND: could not get servers dictionary
2004-04-20 10:48:08 EDT VPND: error processing prefs file
The Property List Editor opens the plist file and shows everything. :confused: Any clues for this clueless administrator?
Has anybody found the right way by now? I am still struggling to be able to connect.
My server says: Code:
mac:~ root# vpnd -dxi com.apple.ppp.l2tp
I have also added the com.apple.net.racoon to the root keychain. I have also created the com.apple.RemoteAccess.plist file using myzel's post of 11-30-2003. Can anybody pleeeeeease post a clear and complete walk-through of how to set up your server? TIA a lot.
Has anybody found the right way ????
Need Help
Could someone help me please?! Same problem as posted above. I tried various plist configs, but it doesn't work.
VPND Configuration
I am a newbie. This has been a bit of a trial and error. I beg your indulgence and hope that it is useful.
My system consists of two Powerbooks. The G4 17" is connected via the Ethernet port en0 to an ADSL line using PPPoE. I have a fixed IP address from my ISP, 212.xxx.xxx.xxx. The G4 15" Powerbook shares the 17"'s connection via the Airport port en1. This strange setup has some advantages: by virtue of 'Sharing', and only whilst connected to the Internet, the 17" becomes a server running NAT and DHCP services for the 15". This allows me to serve its attached firewire disk storage over Secure (ssh) AFP, which is only available to clients connected to a Mac OS X "Server". On the 17" I set the Airport IP manually to 10.0.2.1, because it is the acting server, and it only serves DHCP addresses in the range 10.0.2.2/24.

17" Ethernet en0 IP 212.xxx.xxx.xx (set by Connection using PPPoE)
17" Airport en1 IP 10.0.2.1 (set manually)
15" Airport en1 IP 10.0.2.2 (allocated by DHCP)
15" VPN (L2TP) IP 10.0.2.100

My reason for using VPN is to have a secure WiFi connection for non-AFP traffic, such as HTTP, IMAP and POP. I would have liked to use an ssh tunnel for the WiFi but I don't know how to do it for HTTP.

Howto Mac OS X VPN

1. Get your /Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist. Change it to your requirements using the Property List Editor from the Developer Tools, or as a last resort the text editor. Myzel's earlier post has a couple of errors. CCPEnabled should be CPPEnabled. MPPEKeySize40 should have a value 1 not 40. AuthenticatorEAPPlugins should be AuthenticatorPlugins. This is my plagiarized plist, from this thread; a few notes: MPPE is disabled. The system.log said that support was not compiled into the kernel. The AuthenticatorPlugins DSACL enables the DSACL group. Login users not in the group fail authentication, if successfully authenticated by MSCHAP2. Remove MSCHAP2 and no passwords are required, other than the IPsec shared secret.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>ActiveServers</key>
  <array>
    <string>com.apple.ppp.l2tp</string>
  </array>
  <key>Servers</key>
  <dict>
    <key>com.apple.ppp.l2tp</key>
    <dict>
      <key>DNS</key>
      <dict>
        <key>OfferedSearchDomains</key>
        <array/>
        <key>OfferedServerAddresses</key>
        <array/>
      </dict>
      <key>DSACL</key>
      <dict>
        <key>Group</key>
        <string>admin</string>
      </dict>
      <key>IPv4</key>
      <dict>
        <key>ConfigMethod</key>
        <string>Manual</string>
        <key>DestAddressRanges</key>
        <array>
          <string>10.0.2.100</string>
          <string>10.0.2.105</string>
        </array>
        <key>OfferedRouteAddresses</key>
        <array/>
        <key>OfferedRouteMasks</key>
        <array/>
        <key>OfferedRouteTypes</key>
        <array/>
      </dict>
      <key>Interface</key>
      <dict>
        <key>SubType</key>
        <string>L2TP</string>
        <key>Type</key>
        <string>PPP</string>
      </dict>
      <key>L2TP</key>
      <dict>
        <key>IPSecSharedSecret</key>
        <string>com.apple.ppp.l2tp</string>
        <key>IPSecSharedSecretEncryption</key>
        <string>Keychain</string>
        <key>Transport</key>
        <string>IPSec</string>
      </dict>
      <key>PPP</key>
      <dict>
        <key>ACSPEnabled</key>
        <integer>1</integer>
        <key>AuthenticatorPlugins</key>
        <array>
          <string>DSACL</string>
        </array>
        <key>AuthenticatorProtocol</key>
        <array>
          <string>MSCHAP2</string>
        </array>
        <key>CCPEnabled</key>
        <integer>0</integer>
        <key>CCPProtocols</key>
        <array>
          <string>MPPE</string>
        </array>
        <key>IPCPCompressionVJ</key>
        <integer>0</integer>
        <key>LCPEchoEnabled</key>
        <integer>1</integer>
        <key>LCPEchoFailure</key>
        <integer>5</integer>
        <key>LCPEchoInterval</key>
        <integer>60</integer>
        <key>Logfile</key>
        <string></string>
        <key>MPPEKeySize40</key>
        <integer>1</integer>
        <key>VerboseLogging</key>
        <integer>1</integer>
        <key>_UI_DSACLEnabled</key>
        <true/>
      </dict>
      <key>Server</key>
      <dict>
        <key>Logfile</key>
        <string>/var/log/ppp/vpnd.log</string>
        <key>MaximumSessions</key>
        <integer>128</integer>
        <key>VerboseLogging</key>
        <integer>1</integer>
      </dict>
    </dict>
  </dict>
</dict>
</plist>

Save the above text file with a .plist file extension. Remove the following line to avoid CHAP authentication. You can add it back when you have a successful connection.

<string>MSCHAP2</string>

The file name is /Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist. It should be owned by system:admin with read/write:read:read privileges. Tip: create it on the Desktop and then drag it to /Library/Preferences/SystemConfiguration/ and use the option key to add it.

2. Authentication by shared pass phrase. Since for me this system is a replacement for WEP, shared keys are a straight replacement. For this you need to use the Finder to drag /Library/Keychains/System.keychain to ~/Library/Keychains/. Double click on it and it will open up. Unlock the keychain, and add a new "Password" with

Name: com.apple.net.racoon
Account: com.apple.ppp.l2tp
Password: YOUR SHARED SECRET GOES HERE <DON'T FORGET IT>

After hitting Add you will not be able to look at the password, or change the record. All changes will require your Admin or Root password and Keychain will tell you it is INVALID. Keychain will only accept your admin / root password for deletion. Now from the File menu delete the keychain "System" you have just created (you are not authorized to the real one) and select "Delete References". Quit Keychain. Drag the System.keychain back to /Library/Keychains (press option to add) and authenticate the replacement. Delete your ~/Library/Keychains/System.keychain.

3. In Terminal:

Welcome to Darwin!

Create the vpnd log file:
Moon:~ Alan$ sudo touch /var/log/ppp/vpnd.log

Create the chap-secrets file if you have not removed MSCHAP2 from the .plist:
Moon:~ Alan$ touch ~/Desktop/chaps-secrets

Open the file in an editor and add your: user, *, password, * separated by a space. I could not get CHAP to authenticate any server so I recommend an asterisk. The user name must be in lower case. The password can contain capitals. The string "vpn * vpn *" works.
The chap-secrets user and password are not related to Apple users and passwords; they are just another level of security for the network. I have linked them by specifying the DSACL plugin and DSACL group admin. Only "admin" users as defined by NetInfo may authenticate. The chap-secrets file is called /private/etc/ppp/chap-secrets and should be owned by system:wheel with read/write:read:read privileges.

Launch Console and monitor the system.log. Launch the daemon:

Moon:~ Alan$ vpnd
Sep 28 22:50:30 localhost vpnd: VPND: launched vpnd process id '540' for server id 'com.apple.ppp.l2tp'
Sep 28 22:50:30 localhost vpnd: VPND: vpn plugin loaded
Sep 28 22:50:30 localhost vpnd: VPND: Listening for connections
Sep 28 22:50:30 localhost vpnd: VPND L2TP plugin: start racoon...
Sep 28 22:50:34 localhost kernel: L2TP command (0x1dfa804): get flags = 0x22
Sep 28 22:50:34 localhost kernel: L2TP command (0x1dfa804): set flags = 0x26
Sep 28 22:50:34 localhost kernel: L2TP command (0x1dfa804): set our IP address = 0.0.0.0, port 1701
Sep 28 22:50:34 localhost kernel: L2TP command (0x1dfa804): get our IP address = 0.0.0.0, port 1701

If you cannot get this far look at the Console messages. The com.apple.RemoteAccessServers.plist has an error in it. The console will give you a clue.

4. The VPN client (on my 15"). Get a WiFi connection with the server. Launch the Internet Connect application. Select VPN, select L2TP over IPSec, and Continue. Configuration: Edit Configuration. Change the description if you want.

Server Address: 10.0.2.1
Shared Secret: YOUR SHARED SECRET GOES HERE <DON'T FORGET IT> (same as the system.keychain entry)

Click OK. Account name = chap user, else blank. Password = chap password, else blank. Click Connect.

THE SERVER (the 17") asks: Confirm Access to Keychain - racoon wants permission to use the "com.apple.net.racoon" item from your keychain. Do you want to allow this? Select Always Allow. The chances are your VPN client has timed out; connect again, and you should be there. If the client system log shows packets being sent but there is nothing on the server, check / redo the shared secret. Other errors are reported in the system.log.

Firewalls: the Apple GUI does not block UDP so there is no need to open any ports for IPSec to work. I run "sudo ipfw add 3000 allow tcp from 10.0.2.0/24 recv ppp1" on the 17" server, which is the transport to my external IP.

Problems:
- Racoon, when it accesses the System keychain, alters the System.keychain access to 'no access' except for system. This must be changed back to read access for admin and others, otherwise Mail and Safari cannot make a secure connection to .Mac.
- Whilst connected via VPN the iDisk is available but not its utilization via .Mac preferences (no mount point).
- McAfee Virex claims it is not able to connect to the Internet.
- I can't use the VPNSERVER=-YES- option of ifconfig. When the system boots it gets a network and starts VPN, but before my ISP has allocated my static IP. I can then only connect to 10.64.64.64 until I kill vpnd and racoon and restart them manually.
- Racoon leaves 1 of the 2 setkey -D entries on each disconnect.
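An added checker (not code from this thread) for the two files the how-to above and the earlier 10.3 Server plist rely on. It parses com.apple.RemoteAccessServers.plist with plistlib and reports the structural gaps that stop vpnd from starting (no Servers dictionary, an empty ActiveServers array, an active server with no definition, an L2TP server whose Keychain-encrypted secret names no keychain account), and it checks that chap-secrets is root-only and well formed. The sample plist and the chap-secrets lines are constructed; the file paths are the ones the thread uses.

```python
import os
import plistlib
import stat
from typing import List, Tuple

# Constructed test plist, modelled on the L2TP server dictionaries posted in
# this thread. ActiveServers is left empty on purpose so the check fires.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>ActiveServers</key>
  <array/>
  <key>Servers</key>
  <dict>
    <key>com.apple.ppp.l2tp</key>
    <dict>
      <key>Interface</key>
      <dict>
        <key>SubType</key><string>L2TP</string>
        <key>Type</key><string>PPP</string>
      </dict>
      <key>L2TP</key>
      <dict>
        <key>IPSecSharedSecret</key><string></string>
        <key>IPSecSharedSecretEncryption</key><string>Keychain</string>
        <key>Transport</key><string>IPSec</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""
# Constructed plist with no Servers dictionary at all.
NO_SERVERS_PLIST = b'<plist version="1.0"><dict><key>ActiveServers</key><array/></dict></plist>'


def check_remote_access_plist(data: bytes) -> List[str]:
    """Return the structural problems found in a com.apple.RemoteAccessServers.plist."""
    root = plistlib.loads(data)
    servers = root.get("Servers")
    if not isinstance(servers, dict):
        # vpnd logs this case as "could not get servers dictionary".
        return ["no 'Servers' dictionary at the top level"]
    problems = []
    active = root.get("ActiveServers") or []
    if not active:
        problems.append("'ActiveServers' is empty: nothing is started unless vpnd is given -i <server id>")
    for name in active:
        if name not in servers:
            problems.append(f"active server '{name}' has no entry under 'Servers'")
    pskey_account = (root.get("Globals") or {}).get("PSKeyAccount")
    for name, srv in servers.items():
        iface = srv.get("Interface", {})
        if iface.get("Type") != "PPP" or iface.get("SubType") not in ("L2TP", "PPTP"):
            problems.append(f"{name}: Interface must be Type PPP with SubType L2TP or PPTP")
        if iface.get("SubType") == "L2TP":
            l2tp = srv.get("L2TP", {})
            secret = l2tp.get("IPSecSharedSecret", "")
            if l2tp.get("IPSecSharedSecretEncryption") == "Keychain":
                # The thread's working configs name the keychain account here
                # or in Globals/PSKeyAccount; with neither, racoon has no key to fetch.
                if not secret and not pskey_account:
                    problems.append(f"{name}: Keychain encryption but neither IPSecSharedSecret "
                                    "nor Globals/PSKeyAccount names the keychain account")
            elif secret:
                problems.append(f"{name}: IPSecSharedSecret is stored in clear text in the plist")
    return problems


def parse_chap_secrets(text: str) -> List[Tuple[str, ...]]:
    """Parse pppd chap-secrets lines: client server secret [ip]; '#' starts a comment."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = tuple(line.split())
        if len(fields) < 3:
            raise ValueError(f"malformed chap-secrets line: {line!r}")
        entries.append(fields)
    return entries


def check_chap_secrets_mode(mode: int) -> List[str]:
    """The file holds plaintext passwords; any group/other permission bit is a finding."""
    perm = stat.S_IMODE(mode)
    if perm & 0o077:
        return [f"chap-secrets mode {perm:04o} is readable by other users; use chmod 600"]
    return []


if __name__ == "__main__":
    # Real paths from the thread; the constructed sample is used when they are absent.
    plist_path = "/Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist"
    secrets_path = "/etc/ppp/chap-secrets"
    data = open(plist_path, "rb").read() if os.path.exists(plist_path) else SAMPLE_PLIST
    for msg in check_remote_access_plist(data):
        print("plist:", msg)
    if os.path.exists(secrets_path):
        for msg in check_chap_secrets_mode(os.stat(secrets_path).st_mode):
            print("chap-secrets:", msg)
        print("chap-secrets entries:", len(parse_chap_secrets(open(secrets_path).read())))
```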
WOW! Thanks for those elaborate instructions. Will try that once I have the time.
and for pptp?
I'm trying to set up a VPN PPTP server so I can access my home network from university, via multiple routers/firewalls...
So I figure L2TP won't work... I've managed to set up VPN (using PPTP) on my eMac at home, and it works when connecting from the LAN. However, when I connect from the WAN (via a router), the connection gets stuck at the "negotiating..." stage.... (just like other people posted here). Does anyone know a solution to this? Is it possible to use L2TP and connect from the WAN if there's a router?
You need to forward at least port 1701 through your router for L2TP. Perhaps other ports to satisfy your VPN. Use this reference from Apple as a guide.
I am on Tiger client (10.4.2). I followed Smokin Jake's directions and was able to get vpnd to launch racoon, and a listener for L2TP. Notably, racoon did not mess with the system keychain permissions.
But I only get half of the logged output that he got, and no ports are opened to listen for incoming connections. This is what my log looks like:
If anything, vpnd on Tiger is easier. An admin account can add / delete System keychain passwords, and as Hunk of Cheese mentioned, Racoon no longer corrupts the system keychain permissions.

I am writing this post using an L2TP VPN connection. I set up my initial connections at home, with one Mac connected to the Internet (called "Server"), sharing its connection (ppp0 or en0) to another Mac via (Airport or FireWire) (called "Client").

For "Client" to access the Internet, "Server" must open the firewall to allow TCP requests from "Client" (Internet sharing - Personal Web Sharing for HTTP port 80). Tiger also allows blocking of UDP ports. If these are blocked, create a port sharing description called IPsec to open UDP ports "67, 500, 1701, 4500" in the firewall.

I added a new Password item to the "Server" system keychain: Name = "com.apple.net.racoon", Account = "MyNetwork", Password = "My secret password" on "Server".

On Server: my L2TP dictionary item of com.apple.RemoteAccessServers.plist reads:

IPSecSharedSecret String MyNetwork
IPSecSharedSecretEncryption String Keychain
Transport String IPSec

On "Server", to start the VPN daemon server com.apple.ppp.l2tp run:

$ vpnd
vpnd[650]: Server 'com.apple.ppp.l2tp' starting...
vpnd[650]: Loading plugin /System/Library/Extensions/L2TP.ppp
vpnd[651]: Server 'com.apple.ppp.l2tp' moved to background
vpnd[651]: Listening for connections...

Check the IPsec transport:

$ sudo setkey -DP
0.0.0.0/0[any] 0.0.0.0/0[1701] udp
	in ipsec
	esp/transport//require
	spid=4 seq=1 pid=654
	refcnt=1
0.0.0.0/0[1701] 0.0.0.0/0[any] udp
	out ipsec
	esp/transport//require
	spid=3 seq=0 pid=654
	refcnt=1
$ sudo setkey -D
No SAD entries.

On "Client": application Internet Connect. Select the VPN tab, and choose L2TP over IPsec. Edit Configuration: Server Address - IP address of "Server"; Account Name - chap-secrets username (helpful if this user belongs to the DSACL group); Password - chap-secrets password; Machine Authentication Shared Secret - "My secret password". Select OK and Connect.

On the first connection Racoon will request keychain access to the System keychains on "Client" and "Server". Enter your password and select Always. Log on "Server":

pppd[657]: pppd 2.4.2 (Apple version 229) started by alan, uid 0
pppd[657]: L2TP incoming call in progress
pppd[657]: L2TP connection established.
pppd[657]: Connect: ppp0 <--> socket[34:18]
pppd[657]: DSAccessControl plugin: User 'xxxxx' authorized for access
pppd[657]: Unsupported protocol 0x8057 received
pppd[657]: local IP address xx.xxx.xx.xxx
pppd[657]: remote IP address 10.0.2.100

$ sudo setkey -D
Password:
8x.xx7.xx.xx6 8x.x5.xx.x3
	esp mode=transport spi=73100055(0x045b6b17) reqid=0(0x00000000)
	E: rijndael-cbc b4c84d62 5a6a6781 ac99a129 5504ea0b
	A: hmac-sha1 99e67b4f 6fbcca6c afa131a1 12f99246 35a59cbf
	replay=4 flags=0x00000002 state=mature seq=1 pid=658
	created: Jul 29 19:12:50 2005 current: Jul 29 19:24:12 2005
	diff: 682(s) hard: 3600(s) soft: 2880(s)
	last: Jul 29 19:24:11 2005 hard: 0(s) soft: 0(s)
	current: 6560(bytes) hard: 0(bytes) soft: 0(bytes)
	allocated: 62 hard: 0 soft: 0
	refcnt=2
8x.x5.xx.x3 8x.xx7.xx.xx6
	esp mode=transport spi=139970116(0x0857c644) reqid=0(0x00000000)
	E: rijndael-cbc 0291dc80 186dc066 d689e9e1 0db3c5f9
	A: hmac-sha1 e49213d5 c07cfb86 976906ce 0013c088 c7e31817
	replay=4 flags=0x00000002 state=mature seq=0 pid=658
	created: Jul 29 19:12:50 2005 current: Jul 29 19:24:12 2005
	diff: 682(s) hard: 3600(s) soft: 2880(s)
	last: Jul 29 19:24:11 2005 hard: 0(s) soft: 0(s)
	current: 3330(bytes) hard: 0(bytes) soft: 0(bytes)
	allocated: 62 hard: 0 soft: 0
	refcnt=1

Firewalls are a major pain in trying to get a useful connection. Once the connection has been established, the "Server" needs to open some ports for the "Client". I use:

sudo ipfw add 3000 allow ip from 10.0.2.100/30 to any rcvd ppp0
sudo ipfw add 3000 allow udp from any 53 to 10.0.2.100/30 via en0

However, if the "Server" connection to the Internet is via PPPoE, ppp0 may already be allocated, in which case the VPN connection will create a ppp1.
vpnd source
Hello all,
With the help of Guybrush's posting #10 I was able to set up the vpnd server in Tiger instantly (thank you). I would now like to read the source code but cannot find it at developer.apple.com. I'd highly appreciate it if someone could post a link. Thanks.
Hi all. I am new here and have gotten everything working successfully except for staying connected. I get the same error in my System Log as srmc710. I connect, but then get disconnected right away. Here is the message in the System Log that I get: "PPTP didn't get start_control_connection_request (got message : 256)"
Any help would be great. Thanks!
Okay. I think my problem has something to do with PPPD when it is called or however that works.....
Nevermind. I have no clue on getting it to work. If anyone can help please do, or email me......
I have been able to get vpnd running and authenticating (well, basic chap) both mac and windows clients.
But, once connected, there is NO connectivity! The IP address is issued... and both the vpnd Mac and the PPTP client (Mac or Win) lose connectivity to each other, to the world, etc. Strange! Any ideas?
Quote:
I picked up a plist from my buddy's OS X Server and modified it - same situation. Code:
<plist version="1.0">
The configuration seems to check out. The next step I would take is to verify the IP configuration of the vpnd server, and the IP configurations of connected clients. Check things like:
- The IP address assigned to the ppp0 device as it is listed in the output of ifconfig on the server, and the IP address assigned to the ppp0 device as it is listed in the output of ifconfig or ipconfig on the client (Mac or Windows).
- The state of IP forwarding on the server as reported by the command sysctl net.inet.ip.forwarding.
- Any firewall rules on the server that might interfere with traffic entering and exiting the interface that PPTP clients are connecting through. Use sudo ipfw show all to dump the rules.
- The state of the routing table on the server and on Mac clients. Use netstat -r to dump the routing table. On Windows clients, use route print.
- The ability of connected clients to ping the vpnd server via the IP address reported by the ifconfig command above, and the ability of the vpnd server to ping connected clients.
- The ability of connected clients to ping IP addresses on the private network behind the vpnd server.
- The ability of connected clients to perform host resolution when connected.
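As an added example (not code from this thread), a script that applies the interface, forwarding and routing checks from the list above to saved command output: it parses ifconfig for each pppN point-to-point pair and the LAN subnets, sysctl for net.inet.ip.forwarding, and netstat -rn for the host route to each client, then states what each gap breaks. The sample outputs are constructed in the format of the BSD tools on Mac OS X; run it with --live on the vpnd host to use the real commands.

```python
import ipaddress
import re
import subprocess
import sys
from typing import Dict, List, Tuple

# Constructed sample outputs in the format of the BSD tools named in the
# checklist above; they are not captures from the thread's machines.
SAMPLE_IFCONFIG = """\
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tinet 192.168.1.100 netmask 0xffffff00 broadcast 192.168.1.255
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
\tinet 192.168.1.100 --> 192.168.1.200 netmask 0xffffff00
"""
SAMPLE_SYSCTL = "net.inet.ip.forwarding: 0\n"
SAMPLE_NETSTAT = """\
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.1.1        UGSc       12        0    en0
127                127.0.0.1          UCS         0        0    lo0
192.168.1          link#4             UCS         3        0    en0
192.168.1.200      192.168.1.100      UH          0        0   ppp0
"""

INET_PTP_RE = re.compile(r"^\s+inet (\S+) --> (\S+)")
INET_RE = re.compile(r"^\s+inet (\S+) netmask (0x[0-9a-fA-F]+)")


def parse_ifconfig(text: str) -> Tuple[Dict[str, Tuple[str, str]], Dict[str, ipaddress.IPv4Network]]:
    """Return ({pppN: (local, remote)}, {lan_if: subnet}) from ifconfig output."""
    ppp, lans, current = {}, {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():
            current = line.split(":", 1)[0]   # start of an interface block
            continue
        m = INET_PTP_RE.match(line)
        if m and current and current.startswith("ppp"):
            ppp[current] = (m.group(1), m.group(2))
            continue
        m = INET_RE.match(line)
        if m and current and not current.startswith("ppp"):
            mask = str(ipaddress.IPv4Address(int(m.group(2), 16)))
            lans[current] = ipaddress.IPv4Network(f"{m.group(1)}/{mask}", strict=False)
    return ppp, lans


def parse_forwarding(text: str) -> bool:
    """Accept both 'name: value' and 'name = value' sysctl output styles."""
    m = re.search(r"net\.inet\.ip\.forwarding\s*[:=]\s*(\d)", text)
    if not m:
        raise ValueError("net.inet.ip.forwarding not present in sysctl output")
    return m.group(1) == "1"


def parse_routes(text: str) -> List[Tuple[str, str, str]]:
    """Return (destination, gateway, netif) for each row of the Internet table."""
    routes, in_inet = [], False
    for line in text.splitlines():
        if line.startswith("Internet:"):
            in_inet = True
            continue
        if line.startswith("Internet6:"):
            break
        if not in_inet or not line.strip() or line.startswith("Destination"):
            continue
        f = line.split()
        if len(f) >= 6:
            routes.append((f[0], f[1], f[5]))
    return routes


def diagnose(ifconfig_text: str, sysctl_text: str, netstat_text: str) -> List[str]:
    """Apply the checklist to the three command outputs and explain each gap."""
    ppp, lans = parse_ifconfig(ifconfig_text)
    if not ppp:
        return ["no pppN interface is up: IPCP never completed, read the pppd/vpnd log first"]
    findings = []
    if not parse_forwarding(sysctl_text):
        findings.append("net.inet.ip.forwarding=0: clients reach the server itself but nothing behind it")
    routes = parse_routes(netstat_text)
    for ifname, (_local, remote) in ppp.items():
        if not any(dest == remote and netif == ifname for dest, _gw, netif in routes):
            findings.append(f"{ifname}: no host route to client {remote}, so pings from the server fail")
        client = ipaddress.IPv4Address(remote)
        for lan, net in lans.items():
            if client in net:   # address pool overlaps the LAN: needs proxy ARP on that interface
                findings.append(f"{ifname}: client {remote} is inside {lan}'s subnet {net}; "
                                f"LAN hosts reach it only if proxy ARP answers for it on {lan}")
    return findings


def live_report() -> List[str]:
    """Run the three commands on this host (Mac OS X / BSD) and diagnose their output."""
    out = lambda cmd: subprocess.run(cmd, capture_output=True, text=True).stdout
    return diagnose(out(["ifconfig"]), out(["sysctl", "net.inet.ip.forwarding"]), out(["netstat", "-rn"]))


if __name__ == "__main__":
    report = live_report() if "--live" in sys.argv else diagnose(SAMPLE_IFCONFIG, SAMPLE_SYSCTL, SAMPLE_NETSTAT)
    print("\n".join(report) or "no problems found")
```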