Has anybody found the right way by now? I am still struggling to be able to connect.
My server says:
Code:
mac:~ root# vpnd -dxi com.apple.ppp.l2tp
I have also added the com.apple.net.racoon to the root keychain. I have also created the com.apple.RemoteAccess.plist file using myzel's post of 11-30-2003. Can anybody pleeeeeease post a clear and complete walk-through of how to set up your server? TIA a lot.
Has anybody found the right way ????
Need Help
Could someone help me please?! Same problem as posted above. I tried various plist-configs, but it doesn't work.
VPND Configuration
I am a newbie. This has been a bit of trial and error. I beg your indulgence and hope that it is useful.

My system consists of two Powerbooks. The G4 17" is connected via the Ethernet port en0 to an ADSL line using PPPoE. I have a fixed IP address from my ISP, 212.xxx.xxx.xxx. The G4 15" Powerbook shares the 17"'s connection via the Airport port en1. This strange setup has some advantages: by virtue of 'Sharing', and only whilst connected to the Internet, the 17" becomes a server running NAT and DHCP services for the 15". This allows me to serve its attached firewire disk storage over Secure (ssh) AFP, which is only available to clients connected to a Mac OS X "Server". On the 17" I set the Airport IP manually to 10.0.2.1, because it is the acting server, and it only serves DHCP addresses in the range 10.0.2.2/24.

17" Ethernet en0 IP 212.xxx.xxx.xx (set by Connection using PPPoE)
17" Airport en1 IP 10.0.2.1 (set manually)
15" Airport en1 IP 10.0.2.2 (allocated by DHCP)
15" VPN (L2TP) IP 10.0.2.100

My reason for using VPN is to have a secure WiFi connection for non-AFP traffic, such as HTTP, IMAP and POP. I would have liked to use an ssh tunnel for the WiFi but I don't know how to do it for HTTP.

Howto Mac OS X VPN

1. Get your /Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist. Change it to your requirements using the Property List Editor from the Developer Tools, or as a last resort the text editor. Myzel's earlier post has a couple of errors: CCPEnabled should be CPPEnabled. MPPEKeySize40 should have a value 1, not 40. AuthenticatorEAPPlugins should be AuthenticatorPlugins.

This is my plagiarized plist, from this thread. A few notes: MPPE is disabled; the system.log said that support was not compiled into the kernel. The AuthenticatorPlugins DSACL enables the DSACL group: login users not in the group fail authentication, even if successfully authenticated by MSCHAP2. Remove MSCHAP2 and no passwords are required, other than the IPsec shared secret.
Code:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>ActiveServers</key>
    <array>
        <string>com.apple.ppp.l2tp</string>
    </array>
    <key>Servers</key>
    <dict>
        <key>com.apple.ppp.l2tp</key>
        <dict>
            <key>DNS</key>
            <dict>
                <key>OfferedSearchDomains</key>
                <array/>
                <key>OfferedServerAddresses</key>
                <array/>
            </dict>
            <key>DSACL</key>
            <dict>
                <key>Group</key>
                <string>admin</string>
            </dict>
            <key>IPv4</key>
            <dict>
                <key>ConfigMethod</key>
                <string>Manual</string>
                <key>DestAddressRanges</key>
                <array>
                    <string>10.0.2.100</string>
                    <string>10.0.2.105</string>
                </array>
                <key>OfferedRouteAddresses</key>
                <array/>
                <key>OfferedRouteMasks</key>
                <array/>
                <key>OfferedRouteTypes</key>
                <array/>
            </dict>
            <key>Interface</key>
            <dict>
                <key>SubType</key>
                <string>L2TP</string>
                <key>Type</key>
                <string>PPP</string>
            </dict>
            <key>L2TP</key>
            <dict>
                <key>IPSecSharedSecret</key>
                <string>com.apple.ppp.l2tp</string>
                <key>IPSecSharedSecretEncryption</key>
                <string>Keychain</string>
                <key>Transport</key>
                <string>IPSec</string>
            </dict>
            <key>PPP</key>
            <dict>
                <key>ACSPEnabled</key>
                <integer>1</integer>
                <key>AuthenticatorPlugins</key>
                <array>
                    <string>DSACL</string>
                </array>
                <key>AuthenticatorProtocol</key>
                <array>
                    <string>MSCHAP2</string>
                </array>
                <key>CCPEnabled</key>
                <integer>0</integer>
                <key>CCPProtocols</key>
                <array>
                    <string>MPPE</string>
                </array>
                <key>IPCPCompressionVJ</key>
                <integer>0</integer>
                <key>LCPEchoEnabled</key>
                <integer>1</integer>
                <key>LCPEchoFailure</key>
                <integer>5</integer>
                <key>LCPEchoInterval</key>
                <integer>60</integer>
                <key>Logfile</key>
                <string></string>
                <key>MPPEKeySize40</key>
                <integer>1</integer>
                <key>VerboseLogging</key>
                <integer>1</integer>
                <key>_UI_DSACLEnabled</key>
                <true/>
            </dict>
            <key>Server</key>
            <dict>
                <key>Logfile</key>
                <string>/var/log/ppp/vpnd.log</string>
                <key>MaximumSessions</key>
                <integer>128</integer>
                <key>VerboseLogging</key>
                <integer>1</integer>
            </dict>
        </dict>
    </dict>
</dict>
</plist>

Save the above text file with a .plist file extension. Remove the following line to avoid CHAP authentication; you can add it back when you have a successful connection.
Code:
<string>MSCHAP2</string>
The file name is /Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist. It should be owned by system:admin with read/write:read:read privileges. A tip is to create it on the Desktop and then drag it to /Library/Preferences/SystemConfiguration/, using the option key to add it.

2. Authentication by shared pass phrase

Since for me this system is a replacement for WEP, shared keys are a straight replacement. For this you need to use Finder to drag /Library/Keychains/System.keychain to ~/Library/Keychains/. Double click on it and it will open up. Unlock the keychain, and add a new "Password" with:
Name: com.apple.net.racoon
Account: com.apple.ppp.l2tp
Password: YOUR SHARED SECRET GOES HERE <DON'T FORGET IT>

After hitting ADD you will not be able to look at the password, or change the record. All changes will require your Admin or Root password and Keychain will tell you it is INVALID. Keychain will only accept your admin / root password for deletion. Now from the File menu delete the keychain "System" you have just created (you are not authorized to the real one) and select "Delete References". Quit Keychain. Drag the System.keychain back to /Library/Keychains (press option to add) and authenticate the replacement. Delete your ~/Library/Keychains/System.keychain.

3. In Terminal

Welcome to Darwin!

Create the VPND log file:
Code:
Moon:~ Alan$ sudo touch /var/log/ppp/vpnd.log
Create the chap-secrets file if you have not removed MSCHAP2 from the .plist:
Code:
Moon:~ Alan$ touch ~/Desktop/chaps-secrets
Open the file in an editor and add your user, *, password, * separated by a space. I could not get CHAP to authenticate any server so I recommend an asterisk. The user name must be in lower case. The password can contain capitals. The string "vpn * vpn *" works.

The chap-secrets user and password are not related to Apple users and passwords; they are just another level of security for the network. I have linked them by specifying the DSACL plugin and DSACL group admin. Only "admin" users as defined by NetInfo may authenticate. The chap-secrets file is called /private/etc/ppp/chap-secrets and should be owned by system:wheel with read/write:read:read privileges.

Launch Console and monitor the system.log. Launch the daemon:
Code:
Moon:~ Alan$ vpnd
Sep 28 22:50:30 localhost vpnd: VPND: launched vpnd process id '540' for server id 'com.apple.ppp.l2tp'
Sep 28 22:50:30 localhost vpnd: VPND: vpn plugin loaded
Sep 28 22:50:30 localhost vpnd: VPND: Listening for connections
Sep 28 22:50:30 localhost vpnd: VPND L2TP plugin: start racoon...
Sep 28 22:50:34 localhost kernel: L2TP command (0x1dfa804): get flags = 0x22
Sep 28 22:50:34 localhost kernel: L2TP command (0x1dfa804): set flags = 0x26
Sep 28 22:50:34 localhost kernel: L2TP command (0x1dfa804): set our IP address = 0.0.0.0, port 1701
Sep 28 22:50:34 localhost kernel: L2TP command (0x1dfa804): get our IP address = 0.0.0.0, port 1701
If you cannot get this far, look at the Console messages. The com.apple.RemoteAccessServers.plist has an error in it; the console will give you a clue.

4. The VPN client (on my 15")

Get a WiFi connection with the server. Launch the Internet Connect application. Select VPN, select L2TP over IPSec, and Continue. Configuration: Edit Configuration. Change the Description if you want.
Server Address: 10.0.2.1
Shared Secret: YOUR SHARED SECRET GOES HERE <DON'T FORGET IT> (same as the System.keychain entry)
Click OK.
Account name = chap user, else blank
Password = chap password, else blank
Click Connect.

THE SERVER (the 17") asks: Confirm Access to Keychain - racoon wants permission to use the "com.apple.net.racoon" item from your keychain. Do you want to allow this? Select Always Allow. The chances are your VPN client has timed out; connect again and you should be there.

If the client system log shows packets being sent but there is nothing on the server, check / redo the shared secret. Other errors are reported in the system.log.

Firewalls: the Apple GUI does not block UDP, so there is no need to open any ports for IPSec to work. I run
Code:
sudo ipfw add 3000 allow tcp from 10.0.2.0/24 recv ppp1
on the 17" server, which is the transport to my external IP.

Problems:
Racoon, when it accesses the System keychain, alters the System.keychain access to 'no access' except for system. This must be changed back to read access for admin and others, otherwise Mail and Safari cannot make a secure connection to .Mac.
Whilst connected via VPN the iDisk is available but not its utilization via .Mac preferences (no Mount Point).
McAfee Virex claims it is not able to connect to the Internet.
I can't use the VPNSERVER=-YES- option of ifconfig. When the system boots it gets a network and starts VPN, but before my ISP has allocated my static IP. I can then only connect to 10.64.64.64 until I kill vpnd and racoon and restart them manually.
Racoon leaves 1 of the 2 setkey -D entries on each disconnect,
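An added check, not part of the post above and not one of Apple's tools: a small Python linter for com.apple.RemoteAccessServers.plist that catches the mistakes the walkthrough lists (AuthenticatorEAPPlugins where AuthenticatorPlugins is meant, MPPEKeySize40 set to 40 instead of 1, and the CCPEnabled/CPPEnabled mix-up; the posted plist itself uses CCPEnabled, so that is the spelling the check treats as right). It also confirms that ActiveServers points at a defined server, that DestAddressRanges comes in start/end pairs, and that the IPsec shared secret is referenced through the keychain rather than written into the file. The embedded plist is a constructed, cut-down sample in the shape of the posted one with those three errors put back on purpose; the key names come from the posted configuration, everything else here is the example's own.

```python
import ipaddress
import plistlib
from typing import List

# Constructed sample: a cut-down com.apple.RemoteAccessServers.plist in the shape
# of the one posted above, with three of the thread's mistakes put back on purpose.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>ActiveServers</key>
  <array><string>com.apple.ppp.l2tp</string></array>
  <key>Servers</key>
  <dict>
    <key>com.apple.ppp.l2tp</key>
    <dict>
      <key>IPv4</key>
      <dict>
        <key>DestAddressRanges</key>
        <array><string>10.0.2.100</string><string>10.0.2.105</string></array>
      </dict>
      <key>L2TP</key>
      <dict>
        <key>IPSecSharedSecret</key><string>com.apple.ppp.l2tp</string>
        <key>IPSecSharedSecretEncryption</key><string>Keychain</string>
        <key>Transport</key><string>IPSec</string>
      </dict>
      <key>PPP</key>
      <dict>
        <key>AuthenticatorEAPPlugins</key><array><string>DSACL</string></array>
        <key>AuthenticatorProtocol</key><array><string>MSCHAP2</string></array>
        <key>CPPEnabled</key><integer>0</integer>
        <key>MPPEKeySize40</key><integer>40</integer>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Misspellings seen in the thread -> the spelling the posted configuration uses.
# vpnd ignores keys it does not know, so a misspelled key silently does nothing.
KEY_TYPOS = {
    "CPPEnabled": "CCPEnabled",
    "AuthenticatorEAPPlugins": "AuthenticatorPlugins",
}


def lint_remote_access_plist(data: bytes) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    root = plistlib.loads(data)
    active = root.get("ActiveServers", [])
    servers = root.get("Servers", {})
    if not active:
        findings.append("ActiveServers is empty: vpnd has no server to start")
    for server_id in active:
        cfg = servers.get(server_id)
        if cfg is None:
            findings.append(f"ActiveServers names {server_id!r} but Servers has no such entry")
            continue
        ppp = cfg.get("PPP", {})
        for wrong, right in KEY_TYPOS.items():
            if wrong in ppp:
                findings.append(f"{server_id}: PPP key {wrong!r} should be {right!r}")
        # MPPEKeySize40 is an on/off flag (0 or 1), not the key length in bits.
        if ppp.get("MPPEKeySize40", 0) not in (0, 1):
            findings.append(f"{server_id}: MPPEKeySize40 must be 0 or 1, not {ppp['MPPEKeySize40']}")
        if "MSCHAP2" not in ppp.get("AuthenticatorProtocol", []):
            findings.append(f"{server_id}: no MSCHAP2, so only the IPsec shared secret gates access")
        l2tp = cfg.get("L2TP", {})
        if l2tp.get("Transport") == "IPSec":
            if not l2tp.get("IPSecSharedSecret"):
                findings.append(f"{server_id}: IPSecSharedSecret is missing")
            elif l2tp.get("IPSecSharedSecretEncryption") != "Keychain":
                findings.append(f"{server_id}: shared secret is not a keychain reference; "
                                "set IPSecSharedSecretEncryption to Keychain")
        ranges = cfg.get("IPv4", {}).get("DestAddressRanges", [])
        if not ranges or len(ranges) % 2:
            findings.append(f"{server_id}: DestAddressRanges must be start/end address pairs")
        else:
            for start, end in zip(ranges[0::2], ranges[1::2]):
                if ipaddress.ip_address(start) > ipaddress.ip_address(end):
                    findings.append(f"{server_id}: address range {start}-{end} is reversed")
    return findings


def corrected_sample() -> bytes:
    """The same constructed sample with the three deliberate mistakes fixed."""
    fixed = SAMPLE_PLIST
    for wrong, right in KEY_TYPOS.items():
        fixed = fixed.replace(wrong.encode(), right.encode())
    return fixed.replace(b"<key>MPPEKeySize40</key><integer>40</integer>",
                         b"<key>MPPEKeySize40</key><integer>1</integer>")


if __name__ == "__main__":
    for line in lint_remote_access_plist(SAMPLE_PLIST):
        print("FINDING:", line)
    print("corrected sample:", lint_remote_access_plist(corrected_sample()) or "clean")
```

Run it against a real file with `lint_remote_access_plist(open(path, "rb").read())`; plistlib reads both the XML and the binary plist form, so the same check works whether the file was written by hand or by the Property List Editor.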
WOW! Thanks for those elaborate instructions. Will try that once I have the time.
and for pptp?
I'm trying to set up a VPN PPTP server so I can access my home network from university, via multiple routers/firewalls...
so I figure L2TP won't work... I've managed to set up VPN (using PPTP) on my eMac at home, and it works when connecting from the LAN. However, when I connect from the WAN (via a router), the connection gets stuck at the "negotiating..." stage.... (just like other people posted here). Does anyone know a solution to this? Is it possible to use L2TP and connect from the WAN if there's a router?
You need to forward at least port 1701 through your router for L2TP. Perhaps other ports too, to satisfy your VPN. Use this reference from Apple as a guide.
I am on Tiger client (10.4.2). I followed Smokin Jake's directions and was able to get vpnd to launch racoon, and a listener for L2TP. Notably, racoon did not mess with the system keychain permissions.
But I only get half of the logged output that he got, and no ports are opened to listen for incoming connections. This is what my log looks like:
If anything VPND on Tiger is easier. An Admin account can add / delete System keychain passwords, and as Hunk of Cheese mentioned Racoon no longer corrupts the system keychain permissions.

I am writing this post using an L2TP VPN connection. I set up my initial connections at home, with one Mac connected to the Internet (called "Server"), sharing its connection (ppp0 or en0) to another Mac via Airport or Firewire (called "Client"). For "Client" to access the Internet, "Server" must open the firewall to allow TCP requests from "Client" (Internet Sharing - Personal Web Sharing for HTTP port 80). Tiger also allows blocking of UDP ports. If these are blocked, create a port sharing description called IPsec to open UDP ports "67, 500, 1701, 4500" in the firewall.

I added a New Password item to the "Server" System keychain on "Server": Name = "com.apple.net.racoon", Account = "MyNetwork", Password = "My secret password".

On Server: my L2TP dictionary item of com.apple.RemoteAccessServers.plist reads:
Code:
IPSecSharedSecret            String  MyNetwork
IPSecSharedSecretEncryption  String  Keychain
Transport                    String  IPSec

On "Server", to start the VPN daemon server com.apple.ppp.l2tp, run:
Code:
$ vpnd
vpnd[650]: Server 'com.apple.ppp.l2tp' starting...
vpnd[650]: Loading plugin /System/Library/Extensions/L2TP.ppp
vpnd[651]: Server 'com.apple.ppp.l2tp' moved to background
vpnd[651]: Listening for connections...

Check the IPsec transport:
Code:
$ sudo setkey -DP
0.0.0.0/0[any] 0.0.0.0/0[1701] udp
    in ipsec
    esp/transport//require
    spid=4 seq=1 pid=654
    refcnt=1
0.0.0.0/0[1701] 0.0.0.0/0[any] udp
    out ipsec
    esp/transport//require
    spid=3 seq=0 pid=654
    refcnt=1
$ sudo setkey -D
No SAD entries.

On "Client": open the Internet Connect application. Select the VPN tab, and choose L2TP over IPsec. Edit Configuration:
Server Address - IP address of "Server"
Account Name - chap-secrets username (helpful if this user belongs to the DSACL group)
Password - chap-secrets password
Machine Authentication Shared Secret - "My secret password"
Select OK and Connect.

On the first connection Racoon will request keychain access to the System keychains on "Client" and "Server". Enter your password and select Always.

Log on "Server":
Code:
pppd[657]: pppd 2.4.2 (Apple version 229) started by alan, uid 0
pppd[657]: L2TP incoming call in progress
pppd[657]: L2TP connection established.
pppd[657]: Connect: ppp0 <--> socket[34:18]
pppd[657]: DSAccessControl plugin: User 'xxxxx' authorized for access
pppd[657]: Unsupported protocol 0x8057 received
pppd[657]: local IP address xx.xxx.xx.xxx
pppd[657]: remote IP address 10.0.2.100

Code:
$ sudo setkey -D
Password:
8x.xx7.xx.xx6 8x.x5.xx.x3
    esp mode=transport spi=73100055(0x045b6b17) reqid=0(0x00000000)
    E: rijndael-cbc  b4c84d62 5a6a6781 ac99a129 5504ea0b
    A: hmac-sha1  99e67b4f 6fbcca6c afa131a1 12f99246 35a59cbf
    replay=4 flags=0x00000002 state=mature seq=1 pid=658
    created: Jul 29 19:12:50 2005    current: Jul 29 19:24:12 2005
    diff: 682(s)    hard: 3600(s)    soft: 2880(s)
    last: Jul 29 19:24:11 2005    hard: 0(s)    soft: 0(s)
    current: 6560(bytes)    hard: 0(bytes)    soft: 0(bytes)
    allocated: 62    hard: 0    soft: 0
    refcnt=2
8x.x5.xx.x3 8x.xx7.xx.xx6
    esp mode=transport spi=139970116(0x0857c644) reqid=0(0x00000000)
    E: rijndael-cbc  0291dc80 186dc066 d689e9e1 0db3c5f9
    A: hmac-sha1  e49213d5 c07cfb86 976906ce 0013c088 c7e31817
    replay=4 flags=0x00000002 state=mature seq=0 pid=658
    created: Jul 29 19:12:50 2005    current: Jul 29 19:24:12 2005
    diff: 682(s)    hard: 3600(s)    soft: 2880(s)
    last: Jul 29 19:24:11 2005    hard: 0(s)    soft: 0(s)
    current: 3330(bytes)    hard: 0(bytes)    soft: 0(bytes)
    allocated: 62    hard: 0    soft: 0
    refcnt=1

Firewalls are a major pain in trying to get a useful connection. Once the connection has been established, the "Server" needs to open some ports for the "Client". I use:
Code:
sudo ipfw add 3000 allow ip from 10.0.2.100/30 to any recv ppp0
sudo ipfw add 3000 allow udp from any 53 to 10.0.2.100/30 via en0
However, if the "Server" connection to the Internet is via PPPoE, ppp0 may already be allocated, in which case the VPN connection will create a ppp1.
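An added example, not from the post above and not part of Apple's racoon or setkey: a Python parser for the `setkey -D` listing shown above, followed by the audit a defender would run on the result. It pairs every SA with its reverse direction (the leftover one-directional entries mentioned earlier in the thread show up as unpaired), flags weak ESP algorithms, and confirms transport mode, which is what L2TP/IPsec uses. The SAD text is a constructed sample laid out like the output above, with RFC 5737 documentation addresses standing in for the masked ones; the third entry is a stale one-directional SA with weak algorithms, added only to exercise the checks.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the layout `setkey -D` prints: two healthy SAs for one
# L2TP/IPsec session (one per direction) plus one stale, one-directional SA with
# weak algorithms. Addresses are from the RFC 5737 documentation ranges.
SAMPLE_SETKEY_D = """\
203.0.113.6 198.51.100.3
\tesp mode=transport spi=73100055(0x045b6b17) reqid=0(0x00000000)
\tE: rijndael-cbc  b4c84d62 5a6a6781 ac99a129 5504ea0b
\tA: hmac-sha1  99e67b4f 6fbcca6c afa131a1 12f99246 35a59cbf
\treplay=4 flags=0x00000002 state=mature seq=1 pid=658
\tcreated: Jul 29 19:12:50 2005\tcurrent: Jul 29 19:24:12 2005
\tdiff: 682(s)\thard: 3600(s)\tsoft: 2880(s)
\tlast: Jul 29 19:24:11 2005\thard: 0(s)\tsoft: 0(s)
\tcurrent: 6560(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
\tallocated: 62\thard: 0\tsoft: 0
\trefcnt=2
198.51.100.3 203.0.113.6
\tesp mode=transport spi=139970116(0x0857c644) reqid=0(0x00000000)
\tE: rijndael-cbc  0291dc80 186dc066 d689e9e1 0db3c5f9
\tA: hmac-sha1  e49213d5 c07cfb86 976906ce 0013c088 c7e31817
\treplay=4 flags=0x00000002 state=mature seq=0 pid=658
\tdiff: 682(s)\thard: 3600(s)\tsoft: 2880(s)
\trefcnt=1
192.0.2.77 203.0.113.6
\tesp mode=transport spi=4660(0x00001234) reqid=0(0x00000000)
\tE: des-cbc  0011aabb ccddeeff
\tA: hmac-md5  00112233 44556677 8899aabb ccddeeff
\treplay=4 flags=0x00000002 state=dying seq=0 pid=412
\tdiff: 3599(s)\thard: 3600(s)\tsoft: 2880(s)
\trefcnt=1
"""

# Algorithms that should not appear on a current IPsec SA.
WEAK_ENC = {"des-cbc", "null"}
WEAK_AUTH = {"hmac-md5", "keyed-md5", "null"}


@dataclass
class SecurityAssociation:
    src: str
    dst: str
    mode: str = ""
    spi: int = 0
    enc: str = ""
    auth: str = ""
    state: str = ""
    hard_lifetime_s: Optional[int] = None


def parse_setkey_d(text: str) -> List[SecurityAssociation]:
    """Parse `setkey -D` output: each SA starts with an unindented 'src dst' line
    and the indented lines that follow describe it."""
    sas: List[SecurityAssociation] = []
    current: Optional[SecurityAssociation] = None
    for line in text.splitlines():
        if not line.strip() or line.strip() == "No SAD entries.":
            continue
        if not line[0].isspace():
            src, dst = line.split()[:2]
            current = SecurityAssociation(src, dst)
            sas.append(current)
            continue
        if current is None:
            continue
        if m := re.search(r"esp mode=(\w+) spi=(\d+)", line):
            current.mode, current.spi = m.group(1), int(m.group(2))
        elif m := re.match(r"\s*E:\s+(\S+)", line):
            current.enc = m.group(1)
        elif m := re.match(r"\s*A:\s+(\S+)", line):
            current.auth = m.group(1)
        elif m := re.search(r"state=(\w+)", line):
            current.state = m.group(1)
        elif m := re.search(r"diff: \d+\(s\)\s+hard: (\d+)\(s\)", line):
            current.hard_lifetime_s = int(m.group(1))  # SA hard lifetime in seconds
    return sas


def audit_sad(sas: List[SecurityAssociation]) -> List[str]:
    """Defender-side checks over the parsed SAD."""
    findings: List[str] = []
    directions = {(sa.src, sa.dst) for sa in sas}
    for sa in sas:
        label = f"{sa.src}->{sa.dst} spi={sa.spi}"
        if (sa.dst, sa.src) not in directions:
            findings.append(f"{label}: no SA in the reverse direction (stale or half torn down)")
        if sa.enc.lower() in WEAK_ENC:
            findings.append(f"{label}: weak ESP cipher {sa.enc}")
        if sa.auth.lower() in WEAK_AUTH:
            findings.append(f"{label}: weak ESP integrity algorithm {sa.auth}")
        if sa.mode != "transport":
            findings.append(f"{label}: mode {sa.mode!r}; L2TP/IPsec uses transport mode")
    return findings


if __name__ == "__main__":
    parsed = parse_setkey_d(SAMPLE_SETKEY_D)
    print(f"{len(parsed)} SAs parsed")
    for finding in audit_sad(parsed):
        print("FINDING:", finding)
```

On a live system feed it the real listing with `audit_sad(parse_setkey_d(subprocess.check_output(["sudo", "setkey", "-D"], text=True)))`; an unpaired SA that lingers after a client disconnects is the symptom worth watching for, since each stale entry is keyed material that is still installed in the kernel.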
vpnd source
Hello everyone,
with the help of Guybrush's posting #10 I was able to set up the vpnd server in Tiger instantly (thank you). I would now like to read the source code but cannot find it at developer.apple.com. I'd highly appreciate it if someone could post a link. Thanks.
Hi all. I am new here and have gotten everything working successfully except for staying connected. I get the same error in my System Log as srmc710. I connect, but then get disconnected right away. Here is the message in System Log that I get: "PPTP didn't get start_control_connection_request (got message : 256)"
Any help would be great. Thanks!
Okay. I think my problem has something to do with PPPD when it is called or however that works.....
Nevermind. I have no clue on getting it to work. If anyone can help please do, or email me......
I have been able to get vpnd running and authenticating (well, basic chap) both mac and windows clients.
But, once connected, there is NO connectivity! The IP address is issued... and both the vpnd Mac and the PPTP client (Mac or Win) lose connectivity to each other, to the world, etc. Strange! Any ideas?
Quote:
I picked up a plist from my buddy's OS X server and modified it - same situation. Code:
<plist version="1.0">
The configuration seems to check out. The next step I would take is to verify the IP configuration of the vpnd server, and the IP configurations of connected clients. Check things like:
- The IP address assigned to the ppp0 device as it is listed in the output of ifconfig on the server, and the IP address assigned to the ppp0 device as it is listed in the output of ifconfig or ipconfig on the client (Mac or Windows).
- The state of IP forwarding on the server as reported by the command sysctl net.inet.ip.forwarding.
- Any firewall rules on the server that might interfere with traffic entering and exiting the interface that PPTP clients are connecting through. Use sudo ipfw show all to dump the rules.
- The state of the routing table on the server and on Mac clients. Use netstat -r to dump the routing table. On Windows clients, use route print.
- The ability of connected clients to ping the vpnd server via the IP address reported by the ifconfig command above, and the ability of the vpnd server to ping connected clients.
- The ability of connected clients to ping IP addresses on the private network behind the vpnd server.
- The ability of connected clients to perform host resolution when connected.
Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.
Site design © IDG Consumer & SMB; individuals retain copyright of their postings
but consent to the possible use of their material in other areas of IDG Consumer & SMB.