Quote:
[edit] put this under PPP to enable session debug info to the file /var/log/ppp/ppplog. Code:
<key>VerboseLogging</key>
Yes, vpnd definitely thinks that the request is coming from the router. Here is a line from the log:
Code:
Nov 16 19:49:15 localhost pppd[3774]: PPTP incoming call in progress from '192.168.1.1'...
[edit] I just found a setting called port triggering on my router. It has the following settings already set:
Application Name       VPN          VPN
Trigger Port Range     47~47        50~50
Incoming Port Range    1723~1723    500~500
Something tells me this is the problem..... [/edit]
Your problem likely does not lie in your config. IPSec has problems when there are NAT devices (like firewalls) in between the client and the server. The problem is that the NAT changes the IP on the ESP packet and when it gets to its destination, it gets thrown out because it has been modified in transit. There is something which gets around this, called NAT Traversal, or NAT-T. NAT-T encapsulates the ESP packet inside of the UDP 500 (ISAKMP) packet, and it gets decapsulated on the remote side. Some vendors, like Cisco and Nortel, use UDP 10000 or 10001.
In any case, you will probably not have any luck making this work through a firewall because Apple's implementation of IPSec is based on KAME, which does not have NAT-T support. If you're behind a firewall, you will be stuck using PPTP for now. Since most users are behind some sort of firewall, Apple's IPSec implementation is useless to most of them. It's nice to have the functionality of basic IPSec available, but it's not usable in most real world situations. I've heard rumors that the next version of OS X will support NAT-T, but they're only rumors. There's a product called VPN Tracker which I think costs $99. They had planned NAT-T support by the end of the year, but when I looked a couple of weeks ago, it still was not available. Keep in mind that *both* the client and the server need to support NAT-T, not just one or the other.
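An added illustration of the NAT-T framing the reply above describes; this is example code, not from the thread, from Apple's or KAME's IPSec, or from VPN Tracker. It follows the IETF scheme (RFC 3948), where a NAT-T peer carries both IKE and ESP on one UDP port (4500) and tells them apart by a four-byte zero "non-ESP marker" in front of IKE messages; the port numbers named in the post (500, 10000, 10001) are vendor-specific, so the port here is an assumption of the example. When diagnosing a tunnel that negotiates but never passes data through a NAT, classifying a capture this way shows whether ESP ever arrived in UDP form. The sample datagrams are constructed inline.

```python
import struct

# Added example (not from the thread). It follows RFC 3948 UDP encapsulation, where
# IKE and ESP share one UDP port and are told apart by the first bytes of the payload.
NATT_PORT = 4500                        # assumption: the RFC 3948 port, not the ports named in the post
NON_ESP_MARKER = b"\x00\x00\x00\x00"    # prefixed to IKE messages on the NAT-T port
NAT_KEEPALIVE = b"\xff"                 # one-byte keepalive that holds the NAT mapping open

# IKE header: initiator SPI, responder SPI, next payload, version, exchange type,
# flags, message id, total length (28 bytes, network byte order).
IKE_HEADER = struct.Struct("!QQBBBBII")


def build_ike(ispi: int, rspi: int, exchange: int, body: bytes, major: int = 1) -> bytes:
    """Constructed IKE message as carried on the NAT-T port (marker + header + body)."""
    header = IKE_HEADER.pack(ispi, rspi, 0, major << 4, exchange, 0, 0,
                             IKE_HEADER.size + len(body))
    return NON_ESP_MARKER + header + body


def build_udp_esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """Constructed UDP-encapsulated ESP: the ESP header (SPI, sequence) starts the payload."""
    return struct.pack("!II", spi, seq) + ciphertext


def classify_natt_payload(payload: bytes) -> dict:
    """Classify one UDP payload received on the NAT-T port by its RFC 3948 framing."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if payload[:4] == NON_ESP_MARKER:
        if len(payload) < 4 + IKE_HEADER.size:
            return {"kind": "ike", "truncated": True}
        ispi, _rspi, _np, version, exchange, _flags, _msgid, length = \
            IKE_HEADER.unpack_from(payload, 4)
        return {
            "kind": "ike",
            "major": version >> 4,
            "exchange": exchange,
            "ispi": ispi,
            # the IKE length field covers header + body, not the marker
            "length_ok": length == len(payload) - 4,
        }
    if len(payload) >= 8:
        # SPI 0 is reserved in ESP, which is why a zero marker cannot be mistaken for ESP.
        spi, seq = struct.unpack_from("!II", payload, 0)
        return {"kind": "esp", "spi": spi, "seq": seq, "payload_len": len(payload) - 8}
    return {"kind": "unknown"}


def summarize(payloads: list) -> dict:
    """Count message kinds in a flow. IKE traffic with no ESP at all is the usual
    picture of a tunnel that negotiated but whose data packets never made it through."""
    counts = {}
    for p in payloads:
        kind = classify_natt_payload(p)["kind"]
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed samples: an IKEv2 IKE_SA_INIT (exchange type 34), one ESP packet, one keepalive.
SAMPLE_IKE = build_ike(0x1122334455667788, 0, 34, b"\x00" * 16, major=2)
SAMPLE_ESP = build_udp_esp(0xC0FFEE01, 7, b"\x5a" * 32)
SAMPLE_FLOW = [SAMPLE_IKE, SAMPLE_IKE, NAT_KEEPALIVE, SAMPLE_ESP]

if __name__ == "__main__":
    for p in SAMPLE_FLOW:
        print(classify_natt_payload(p))
    print(summarize(SAMPLE_FLOW))
```

Plain ESP (IP protocol 50) has no port numbers for a NAT to rewrite, which is the practical reason it needs this UDP wrapper; the classifier only looks at UDP payloads and assumes the port has already been matched.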
Quote:
Probably something to do with arp_proxy?
Guybrush, how did you get VPN to work? Do you not have a NAT router?
i have a Linksys WRT54G router, and forwarded port 1723 and 47 to my powerbook. that was all i needed to do.
Which protocols? TCP? UDP? Both?
Do you have anything set up under Port Triggering? (For me it's under the forwarding page.)
Hmmmm.... Same here. What options do you have enabled at the bottom of the Filters page?
Sorry, on my router that's where the VPN passthrough, block WAN request, etc. settings are. I'll keep trying, thanks for all of your help! I'm sure I will figure it out eventually! :D
OK, a quick update on my efforts to get a VPN with L2TP to run on my Panther client.
L2TP now works. The shared secret is stored in the system keychain:
  com.apple.net.racoon
    account name: com.apple.net.racoon
    location: com.apple.net.racoon
    password: <shared secret>
Now the problem is the PPP authentication. This is stored in the keychain (system again):
  com.apple.ras
    account: vpn_<MACaddress>
    location: com.apple.ras
    password: now there is the problem. The password seems to be encrypted, so I can't find out what password is required.
Does somebody know the encryption method used here? I think it's the root password or the password of an administrator. Login should work with normal user accounts on the VPN server.
I wish to help, but first of all, what did you all do to make it work? What changes in the config etc.? And I don't seem to have that racoon file...
Quote:
This is what I did: I activated the root user. Logged in as "root" I opened "Keychain" and added a new application password:
  name: com.apple.net.racoon
  account: com.apple.ppp.l2tp
  password: the shared secret
I had to do this as root as I'm not able to change the password using an admin account (it should work, but it doesn't). In hostconfig I changed VPNSERVER=-YES-. I created a com.apple.RemoteAccessServer.plist. Using the PlistEditor (from the Developer Tools) creating a plist file is quite easy. My com.apple.RemoteAccessServer.plist: Code:
<?xml version="1.0" encoding="UTF-8"?>
(I erased some parts of the plist (the pptp things), so there might be some errors.) Then I created the /etc/ppp/cap-secrets file. Now I can create a VPN using L2TP. Thanks for all the help. OS X Server seems to use a special user (vpn_<mac_address>) that handles the PPP login for users on the server. I was unable to recreate that special user, mainly because I don't know how the password is encrypted or how to get the encrypted password out of NetInfo; if I create a new user the encrypted password is hashed.
Nice, I'm glad you got it to work :)
I've been using Apple's vpnd for a week now and have been playing Command and Conquer: Generals with friends without any problems over PPTP in Windows XP/98/2k. Would be nice if a developer creates a vpnd configuring tool :) If I had the time I definitely would. BTW, does the Panther Server configuring tool for vpnd work in the client version of Panther?
Password_Server or Shadowhash authentication?
FWIW, when I was running Panther Server the only user accounts that could connect over L2TP were the ones showing up in NetInfo as using Password Server (if I remember the name right). The accounts I added after setting up server were not using Password Server for their authentication_authority, but rather Shadowhash. The result is that only my "Administrator" account could connect, but it did work. This may be a roadblock in getting it working on workstation.
--MM
Authenticate against user accounts?
Does anyone know how to get vpnd, when doing PPTP, to allow the clients to authenticate against normal user accounts instead of against passwords in /etc/ppp/chap-secrets?
Mac OS X Server 10.3 plist file
Here you got that plist: Code:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>ActiveServers</key>
    <array/>
    <key>Globals</key>
    <dict>
        <key>PSKeyAccount</key>
        <string>vpn_0030654e3512</string>
    </dict>
    <key>Servers</key>
    <dict>
        <key>com.apple.ppp.l2tp</key>
        <dict>
            <key>DNS</key>
            <dict>
                <key>OfferedSearchDomains</key>
                <array/>
                <key>OfferedServerAddresses</key>
                <array/>
            </dict>
            <key>DSACL</key>
            <dict>
                <key>Group</key>
                <string></string>
            </dict>
            <key>IPv4</key>
            <dict>
                <key>ConfigMethod</key>
                <string>Manual</string>
                <key>DestAddressRanges</key>
                <array/>
                <key>OfferedRouteAddresses</key>
                <array/>
                <key>OfferedRouteMasks</key>
                <array/>
                <key>OfferedRouteTypes</key>
                <array/>
            </dict>
            <key>Interface</key>
            <dict>
                <key>SubType</key>
                <string>L2TP</string>
                <key>Type</key>
                <string>PPP</string>
            </dict>
            <key>L2TP</key>
            <dict>
                <key>IPSecSharedSecret</key>
                <string></string>
                <key>IPSecSharedSecretEncryption</key>
                <string>Keychain</string>
                <key>Transport</key>
                <string>IPSec</string>
            </dict>
            <key>PPP</key>
            <dict>
                <key>ACSPEnabled</key>
                <integer>1</integer>
                <key>AuthenticatorPlugins</key>
                <array>
                    <string>DSAuth</string>
                </array>
                <key>AuthenticatorProtocol</key>
                <array>
                    <string>MSCHAP2</string>
                </array>
                <key>IPCPCompressionVJ</key>
                <integer>0</integer>
                <key>LCPEchoEnabled</key>
                <integer>1</integer>
                <key>LCPEchoFailure</key>
                <integer>5</integer>
                <key>LCPEchoInterval</key>
                <integer>60</integer>
                <key>Logfile</key>
                <string>/var/log/ppp/vpnd.log</string>
                <key>VerboseLogging</key>
                <integer>1</integer>
                <key>_UI_DSACLEnabled</key>
                <false/>
            </dict>
            <key>Server</key>
            <dict>
                <key>Logfile</key>
                <string>/var/log/ppp/vpnd.log</string>
                <key>MaximumSessions</key>
                <integer>128</integer>
                <key>VerboseLogging</key>
                <integer>1</integer>
            </dict>
        </dict>
        <key>com.apple.ppp.pptp</key>
        <dict>
            <key>DNS</key>
            <dict>
                <key>OfferedSearchDomains</key>
                <array/>
                <key>OfferedServerAddresses</key>
                <array/>
            </dict>
            <key>DSACL</key>
            <dict>
                <key>Group</key>
                <string></string>
            </dict>
            <key>IPv4</key>
            <dict>
                <key>ConfigMethod</key>
                <string>Manual</string>
                <key>DestAddressRanges</key>
                <array/>
                <key>OfferedRouteAddresses</key>
                <array/>
                <key>OfferedRouteMasks</key>
                <array/>
                <key>OfferedRouteTypes</key>
                <array/>
            </dict>
            <key>Interface</key>
            <dict>
                <key>SubType</key>
                <string>PPTP</string>
                <key>Type</key>
                <string>PPP</string>
            </dict>
            <key>PPP</key>
            <dict>
                <key>ACSPEnabled</key>
                <integer>1</integer>
                <key>AuthenticatorPlugins</key>
                <array>
                    <string>DSAuth</string>
                </array>
                <key>AuthenticatorProtocol</key>
                <array>
                    <string>MSCHAP2</string>
                </array>
                <key>CCPEnabled</key>
                <integer>1</integer>
                <key>CCPProtocols</key>
                <array>
                    <string>MPPE</string>
                </array>
                <key>IPCPCompressionVJ</key>
                <integer>0</integer>
                <key>LCPEchoEnabled</key>
                <integer>1</integer>
                <key>LCPEchoFailure</key>
                <integer>5</integer>
                <key>LCPEchoInterval</key>
                <integer>60</integer>
                <key>Logfile</key>
                <string>/var/log/ppp/vpnd.log</string>
                <key>MPPEKeySize128</key>
                <integer>1</integer>
                <key>MPPEKeySize40</key>
                <integer>0</integer>
                <key>VerboseLogging</key>
                <integer>1</integer>
                <key>_UI_DSACLEnabled</key>
                <false/>
            </dict>
            <key>Server</key>
            <dict>
                <key>Logfile</key>
                <string>/var/log/ppp/vpnd.log</string>
                <key>MaximumSessions</key>
                <integer>128</integer>
                <key>VerboseLogging</key>
                <integer>1</integer>
            </dict>
        </dict>
    </dict>
</dict>
</plist>
Hope it helps.
Need vpnd help from square 1
OK, I've read through this thread, but I can't even get out of square one.
1. I added com.apple.net.racoon to the root keychain.
2. I created a /Library/Preferences/SystemConfiguration/com.apple.RemoteAccess.plist file using myzel's post of 11-30-2003.
3. I run vpnd as root.
- nothing happens: vpnd and vpnd -d do nothing and leave no logs that I can find. vpnd -di com.apple.ppp.l2tp gives the following errors:
2004-04-20 10:48:08 EDT VPND: could not get servers dictionary
2004-04-20 10:48:08 EDT VPND: error processing prefs file
The Property List Editor opens the plist file and shows everything. :confused: Any clues for this clueless administrator?
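An added pre-flight check that serves both the plist posted earlier in the thread and the "could not get servers dictionary" errors in this post; it is example code written here, not part of the thread and not Apple's vpnd. It parses a RemoteAccessServer plist with Python's plistlib and reports what an administrator would want to know before starting the daemon: whether the Servers dictionary is present at all, whether ActiveServers is empty (in which case a server id has to be passed with -i, as in the post above), and the settings that matter for security in each server entry (PPP authentication protocol, MPPE enabled with 40-bit keys off for PPTP, the IPSec shared secret held in the keychain rather than as plaintext in the file). The expected path is the one named earlier in the thread and is taken as an assumption; the sample plist is a constructed, trimmed copy of the posted one with 40-bit MPPE deliberately left on so that one finding fires.

```python
import plistlib
import posixpath

# Assumption: the file name and location the earlier post in this thread used for vpnd.
EXPECTED_PATH = "/Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServer.plist"

# Constructed sample: a trimmed copy of the structure posted above, with MPPEKeySize40
# set to 1 on the PPTP server so the audit has something to report.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>ActiveServers</key><array/>
  <key>Servers</key>
  <dict>
    <key>com.apple.ppp.l2tp</key>
    <dict>
      <key>Interface</key><dict><key>SubType</key><string>L2TP</string><key>Type</key><string>PPP</string></dict>
      <key>L2TP</key><dict><key>IPSecSharedSecret</key><string></string><key>IPSecSharedSecretEncryption</key><string>Keychain</string><key>Transport</key><string>IPSec</string></dict>
      <key>PPP</key><dict><key>AuthenticatorProtocol</key><array><string>MSCHAP2</string></array><key>Logfile</key><string>/var/log/ppp/vpnd.log</string></dict>
    </dict>
    <key>com.apple.ppp.pptp</key>
    <dict>
      <key>Interface</key><dict><key>SubType</key><string>PPTP</string><key>Type</key><string>PPP</string></dict>
      <key>PPP</key><dict><key>AuthenticatorProtocol</key><array><string>MSCHAP2</string></array><key>CCPEnabled</key><integer>1</integer><key>CCPProtocols</key><array><string>MPPE</string></array><key>Logfile</key><string>/var/log/ppp/vpnd.log</string><key>MPPEKeySize128</key><integer>1</integer><key>MPPEKeySize40</key><integer>1</integer></dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Constructed sample with no Servers dictionary at all (the condition behind the error above).
MISSING_SERVERS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>ActiveServers</key><array/></dict></plist>
"""

NO_SERVERS_FINDING = ("*", "no Servers dictionary: vpnd will report 'could not get servers dictionary'")
NO_ACTIVE_FINDING = ("*", "ActiveServers is empty: start a server explicitly with vpnd -i <id>")


def check_config_path(path: str) -> bool:
    """True if the file sits where, and under the name, the earlier post says vpnd reads it."""
    return posixpath.normpath(path) == EXPECTED_PATH


def audit(plist_bytes: bytes) -> list:
    """Parse a RemoteAccessServer plist and return (server_id, finding) tuples; empty means clean."""
    findings = []
    root = plistlib.loads(plist_bytes)
    servers = root.get("Servers")
    if not isinstance(servers, dict):
        findings.append(NO_SERVERS_FINDING)
        return findings
    if not root.get("ActiveServers"):
        findings.append(NO_ACTIVE_FINDING)
    for sid, srv in servers.items():
        iface = srv.get("Interface", {})
        if iface.get("Type") != "PPP":
            findings.append((sid, "Interface.Type is not PPP"))
        ppp = srv.get("PPP", {})
        protos = ppp.get("AuthenticatorProtocol", [])
        others = [p for p in protos if p != "MSCHAP2"]
        if not protos:
            findings.append((sid, "no AuthenticatorProtocol set"))
        elif others:
            # The posted config allows MSCHAP2 only; anything else widens what a client may negotiate.
            findings.append((sid, "auth protocols other than MSCHAP2 allowed: " + ", ".join(others)))
        if not ppp.get("Logfile"):
            findings.append((sid, "no PPP Logfile: session debug output has nowhere to go"))
        subtype = iface.get("SubType")
        if subtype == "L2TP":
            l2tp = srv.get("L2TP", {})
            if l2tp.get("Transport") != "IPSec":
                findings.append((sid, "L2TP without IPSec transport"))
            if l2tp.get("IPSecSharedSecretEncryption") != "Keychain" or l2tp.get("IPSecSharedSecret"):
                findings.append((sid, "IPSec shared secret not held in the keychain (plaintext in plist)"))
        elif subtype == "PPTP":
            if ppp.get("CCPEnabled") != 1 or "MPPE" not in ppp.get("CCPProtocols", []):
                findings.append((sid, "MPPE encryption not enabled for PPTP"))
            if ppp.get("MPPEKeySize40") == 1:
                findings.append((sid, "MPPEKeySize40 enabled: clients may negotiate 40-bit MPPE"))
            if ppp.get("MPPEKeySize128") != 1:
                findings.append((sid, "MPPEKeySize128 not enabled"))
    return findings


if __name__ == "__main__":
    print("path ok:", check_config_path(EXPECTED_PATH))
    for sid, msg in audit(SAMPLE_PLIST):
        print(f"{sid}: {msg}")
```

To run it against a real file, replace SAMPLE_PLIST with the bytes read from the path and check the path with check_config_path first; a file that parses in Property List Editor but lacks the Servers dictionary is exactly the case the first finding covers.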