#1
Prospect
Join Date: Nov 2003
Posts: 13
Hello,

I noticed that Panther includes the VPN server vpnd from Mac OS X 10.3 Server. The new vpnd now supports L2TP. The man page for vpnd isn't very useful. The configuration for vpnd is stored in a *.plist file, but that file is not included in Panther (client). I tried to set up vpnd with the corresponding *.plist file from 10.3 Server that somebody e-mailed me, but I wasn't able to log in using L2TP. There is some problem with the authentication, and as I don't have 10.3 Server I can't test which values should be in the .plist.

Here is all the information I gathered:

In /etc/hostconfig change VPNSERVERS=-NO- to VPNSERVERS=-YES-

The configuration *.plist is: /Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist (it's a rather complex XML file with the configuration for PPTP and L2TP). It can be copied from 10.3 Server, but I don't know which values should be in there.

The main problem I have is that L2TP can't get the pskey. It should be stored in a keychain (if I'm correct). So authentication with racoon doesn't work. /private/etc/racoon/remote/anonymous.conf points to a com.apple.ppp.l2tp keychain. I don't know where it should be located, which user should create it (or what name it should have), and which entries it should have.

Maybe somebody who has 10.3 Server can fill in the missing parts. It might be helpful to create a fake VPN server with descriptive values so we could figure out how to configure vpnd with L2TP/IPSec. I think that would be a very useful hint - if it works.
#2
Triple-A Player
Join Date: Feb 2003
Posts: 101
I haven't tried this yet, but here's a web site:
http://www.afp548.com/Articles/Jaguar/vpnd.html please post results...
#3
Prospect
Join Date: Nov 2003
Posts: 13
That site only describes setting up PPTP in Jaguar Server (and there is already a hint about that).

It seems that vpnd has changed in Panther and now supports L2TP (supposed to be more secure). I'm trying to set up an L2TP/IPSec VPN server. And from all I know the configuration method has changed - even for PPTP.
#4
Prospect
Join Date: Nov 2003
Location: Zaandam, The Netherlands
Posts: 2
Re: vpnd in Mac OS X 10.3 client - how to configure?

Note that IPsec uses preshared keys or certificates (located in the keychain), but L2TP is used to tunnel PPP, so it is very much like a PPP server. You might need to add the PPP passwords to /etc/ppp/chap-secrets, but I am not sure. The L2TP protocol also supports authentication, but Windows does not use it, and I would think Apple doesn't either. IPsec and PPP authentication should be enough.

BTW, does anyone know what software vpnd is based on? Is it Apple proprietary?
#5
Prospect
Join Date: Nov 2003
Posts: 13
Re: Re: vpnd in Mac OS X 10.3 client - how to configure?

Yes, the problem is that that key is stored somehow in the system keychain. I found out that the system keychain contains the following objects: com.apple.net.racoon with account com.apple.ppp.l2tp, and com.apple.ras with account vpn_[MACADDRESS]. But I don't know where, and how exactly, the pskey is stored. I get this error if I try to connect to my VPN server from a remote Mac:

Code:
localhost racoon: ERROR: localconf.c:195:getpskfromkeychain(): failed to get preshared key from system keychain (error -25308)

For all I know it's Apple proprietary. I guess that's why it's so easy to set it up in Panther Server with a nice GUI but so hard to recreate that setup in Panther client - without knowing what to do ;-)
#6
Prospect
Join Date: Nov 2003
Location: Zaandam, The Netherlands
Posts: 2
|
Re: Re: Re: vpnd in Mac OS X 10.3 client - how to configure?

What if you configure a VPN connection to the client on the server? Then the PSK you enter should be in the keychain. After all, it is a shared key, so it should work both ways.

Silly question, but why don't you use sshd?
#7
Prospect
Join Date: Nov 2003
Posts: 13
Re: Re: Re: Re: vpnd in Mac OS X 10.3 client - how to configure?

I use ssh. I just thought that it might be nice to find out if it's possible to run an L2TP VPN server on Panther client. vpnd is in Panther client, and it would be nice to use a VPN server for friends and family without the need to buy Panther Server. The main problem that prevents vpnd with L2TP/IPSec from running on Panther client seems to be authentication. I don't know if Panther Server uses a special way to authenticate remote users. The user who wants to log in through a VPN has to be a regular user on the server.
#8
Triple-A Player
Join Date: May 2003
Location: homeless
Posts: 111
Myzel,

Did you ever get this to work? I just found vpnd on my Panther, so I was searching for information on this. The source is even available on Apple's site (ppp-142.tar.gz). Can anyone with 10.3 Server send me /Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist (or do you have it, Myzel)? It would be very interesting if we could get this to work.
#9
Triple-A Player
Join Date: Feb 2003
Posts: 101
#10
Triple-A Player
Join Date: May 2003
Location: homeless
Posts: 111
Using the source code I downloaded (don't you just love Apple's open source) I was able to see what settings it checks, and using that I was able to slowly build up my own config with vi.

Here's my "simple" config to make a working VPN server for Windows clients (tested on WinXP and Win2kAS).

Code:
[savage@powerbook ppp]$ cat /Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<!-- standard plist header and wrapper added for a well-formed file; the keys below are as posted -->
<dict>
    <key>Servers</key>
    <dict>
        <!-- "test" is the server name passed to vpnd -i -->
        <key>test</key>
        <dict>
            <key>Interface</key>
            <dict>
                <key>Type</key>
                <string>PPP</string>
                <key>SubType</key>
                <string>PPTP</string>
            </dict>
            <!-- address(es) vpnd listens on -->
            <key>Addresses</key>
            <array>
                <string>192.168.0.7</string>
            </array>
            <!-- pool of addresses handed out to connecting clients -->
            <key>IPv4</key>
            <dict>
                <key>DestAddresses</key>
                <array>
                    <string>192.168.0.200</string>
                    <string>192.168.0.201</string>
                    <string>192.168.0.202</string>
                    <string>192.168.0.203</string>
                </array>
            </dict>
            <key>PPP</key>
            <dict>
                <key>CCPEnabled</key>
                <integer>1</integer>
                <key>CCPProtocols</key>
                <array>
                    <string>MPPE</string>
                </array>
                <key>MPPEKeySize40</key>
                <integer>40</integer>
                <key>AuthenticatorProtocol</key>
                <array>
                    <string>MSCHAP2</string>
                    <string>MSCHAP</string>
                </array>
            </dict>
            <key>AuthenticatorEAPPlugins</key>
            <array>
            </array>
            <key>Server</key>
            <dict>
                <key>VerboseLogging</key>
                <integer>100</integer>
            </dict>
        </dict>
    </dict>
</dict>
</plist>

Code:
[savage@powerbook ppp]$ sudo cat /etc/ppp/chap-secrets
# Secret for authentication using CHAP
# client	server	secret	IP addresses
vpn	*	vpn	*

Also make sure that file is chmodded 600, so only root can read that file. Then run the VPN daemon anywhere with:

Code:
vpnd -dxi test

Run with the -h switch to get the available command-line options. It also logs to /etc/ppp/vpnd.log.

The important thing to change is the Addresses key, I think; 192.168.0.7 is my PowerBook's IP. DestAddresses is an array with IPs it will assign to the clients that connect. A lot of keys speak for themselves. I don't understand them all either, I just got into using VPN. You can disable encryption by removing the MSCHAP keys. There are a lot of other settings, just take a peek at the source.

Can't quite get arpproxy working yet, couldn't get it working on Redhat either (like 2 clients connect, and the clients try to ping each other). Anyway, Apple's vpnd works a lot better than PoPToP/pptpd on Redhat! Please post feedback, positive or negative, I don't care.
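An added example, not code from this thread and not from Apple's ppp sources: a Python script that builds the same com.apple.RemoteAccessServers.plist structure savage posted (same keys and values) with plistlib, lints it for the pitfalls this thread runs into (vpnd's log line that only the first of several authentication methods is used, MPPE listed with no MS-CHAP authenticator to derive keys from, a client pool that overlaps the listen address), and writes /etc/ppp/chap-secrets created with mode 0600 as the post asks. The function names, the lint rules and the temp-directory round trip in demo() are my own; vpnd itself only reads the plist keys shown above.

```python
# Added example: generate and lint the posted vpnd PPTP config and write
# chap-secrets with owner-only permissions. Not Apple's code; the plist keys
# are the ones posted in the thread, everything else here is an assumption.
import os
import plistlib
import stat
import tempfile


def build_vpnd_config(server_name, listen_addrs, client_pool,
                      auth_protocols=("MSCHAP2",), verbose_logging=100):
    """Return the Servers/<name> structure using the keys from the posted plist."""
    if not listen_addrs or not client_pool:
        raise ValueError("need at least one listen address and one client address")
    server = {
        "Interface": {"Type": "PPP", "SubType": "PPTP"},
        "Addresses": list(listen_addrs),                # addresses vpnd listens on
        "IPv4": {"DestAddresses": list(client_pool)},   # pool handed to clients
        "PPP": {
            "CCPEnabled": 1,
            "CCPProtocols": ["MPPE"],
            "MPPEKeySize40": 40,
            "AuthenticatorProtocol": list(auth_protocols),
        },
        "AuthenticatorEAPPlugins": [],
        "Server": {"VerboseLogging": verbose_logging},
    }
    return {"Servers": {server_name: server}}


def lint_vpnd_config(config):
    """Flag problems a reader of this thread would hit; returns a list of messages."""
    problems = []
    for name, srv in config["Servers"].items():
        ppp = srv.get("PPP", {})
        auth = ppp.get("AuthenticatorProtocol", [])
        # The vpnd log later in the thread says only the first method is used.
        if len(auth) > 1:
            problems.append(f"{name}: {len(auth)} authentication methods listed; "
                            f"vpnd uses only the first ({auth[0]})")
        # MPPE session keys are derived from MS-CHAP/MS-CHAPv2 (RFC 3079); without
        # one of them CCP cannot bring up encryption and PPP would run in the clear.
        if "MPPE" in ppp.get("CCPProtocols", []) and not {"MSCHAP", "MSCHAP2"} & set(auth):
            problems.append(f"{name}: MPPE enabled but no MSCHAP/MSCHAP2 authenticator, "
                            "so there are no keys for encryption")
        # Handing a client the server's own listen address would collide with it.
        clash = set(srv.get("Addresses", [])) & set(srv.get("IPv4", {}).get("DestAddresses", []))
        if clash:
            problems.append(f"{name}: DestAddresses overlap Addresses: {sorted(clash)}")
    return problems


def write_plist(path, config):
    """Serialise the config as XML plist, the format the posted file uses."""
    with open(path, "wb") as fp:
        plistlib.dump(config, fp)


def write_chap_secrets(path, entries, server="*", addresses="*"):
    """Write pppd's chap-secrets (client server secret addresses), created 0600."""
    lines = ["# Secrets for authentication using CHAP",
             "# client\tserver\tsecret\tIP addresses"]
    for user, secret in entries:
        if any(c.isspace() for c in user + secret):
            raise ValueError("whitespace would split the chap-secrets columns")
        lines.append(f"{user}\t{server}\t{secret}\t{addresses}")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fp:
        fp.write("\n".join(lines) + "\n")
    os.chmod(path, 0o600)  # O_CREAT mode is umask-masked and ignored for existing files


def chap_secrets_mode_ok(path):
    """True when nobody but the owner can read the secrets file."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


def demo():
    """Round-trip the posted config through a temp dir; returns the check results."""
    config = build_vpnd_config(
        "test", ["192.168.0.7"],
        ["192.168.0.200", "192.168.0.201", "192.168.0.202", "192.168.0.203"])
    tmp = tempfile.mkdtemp()  # stand-in for /Library/Preferences/... and /etc/ppp
    plist_path = os.path.join(tmp, "com.apple.RemoteAccessServers.plist")
    secrets_path = os.path.join(tmp, "chap-secrets")
    write_plist(plist_path, config)
    write_chap_secrets(secrets_path, [("vpn", "vpn")])  # the throwaway secret from the post
    with open(plist_path, "rb") as fp:
        reloaded = plistlib.load(fp)
    return {"roundtrip_ok": reloaded == config,
            "lint": lint_vpnd_config(config),
            "secrets_mode_ok": chap_secrets_mode_ok(secrets_path)}


if __name__ == "__main__":
    print(demo())
```

The default of a single MSCHAP2 authenticator is deliberate: with savage's two-entry list vpnd only uses the first anyway, and MS-CHAPv2 is what supplies MPPE with its keys, so listing plain MSCHAP after it gains nothing.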
#11
Triple-A Player
Join Date: Feb 2003
Posts: 101
Tried it, the server actually started up this time. But.... the client gets stuck at "negotiating..."
#12
Triple-A Player
Join Date: May 2003
Location: homeless
Posts: 111
OK, I need more info than that. Is the client in the same network? (So far I only tested it on my own LAN.)
What client is it? Windows XP? And what settings did you use? (A standard Windows VPN connection works here.)
#13
Triple-A Player
Join Date: Feb 2003
Posts: 101
Yes, same LAN... Still, I think it should work. It is another Mac running 10.3.1. Thanks!
#14
Triple-A Player
Join Date: May 2003
Location: homeless
Posts: 111
Not sure if this is the problem, but make sure you change the Addresses key:

Code:
<key>Addresses</key>
<array>
    <string>192.168.0.7</string>
</array>

If that doesn't work, I don't know; I only have 1 Mac, so I can't really test.
#15
Triple-A Player
Join Date: Feb 2003
Posts: 101
Should I use my external IP address, my internal IP address, or my domain name?
My internal IP address is 192.168.1.100, external is 24.*.*.*, and domain name is *.dnsalias.com (stars are actually other things). Thanks again!!!!!
#16
Triple-A Player
Join Date: Feb 2003
Posts: 101
OK here's some more detailed info:

Code:
Last login: Fri Nov 14 21:14:49 on ttyp2
Welcome to Darwin!
[Purple-iMac:~] sammccan% vpnd -dxi test
2003-11-14 21:15:58 EST 2 authentication methods specified - only the first will be used
2003-11-14 21:15:58 EST VPND: vpn plugin loaded
2003-11-14 21:15:58 EST VPND: Listening for connections

Code:
2003-11-14 21:16:21 EST Incoming call...
Address given to client = 192.168.1.200

Code:
2003-11-14 21:16:52 EST --> Client with address = 192.168.1.200 has hungup
#17
Prospect
Join Date: Nov 2003
Posts: 13
Re: Use the source, Luke!

Thank you for that information. I almost gave up as I never got it running. I only had the plist from a Mac OS X 10.3 Server install, and Server uses the keychain to control authentication. I will try it with the source code, and if I get it running I will post a HowTo.
#18
Triple-A Player
Join Date: May 2003
Location: homeless
Posts: 111
It depends on whether your Mac is directly connected to the internet or not. If it is and you want to have connections from outside your LAN, you need to listen on your internet IP. You can also specify more than one address to listen on:

Code:
<key>Addresses</key>
<array>
    <string>127.0.0.1</string>
    <string>192.168.1.100</string>
    <string>24.1.2.3</string>
</array>
#19
Triple-A Player
Join Date: May 2003
Location: homeless
Posts: 111
VerboseLogging

Enable verbose logging with:

Code:
<key>VerboseLogging</key>
<integer>1</integer>

You will then get extra debug info in the system.log.
#20
Triple-A Player
Join Date: Feb 2003
Posts: 101
I just noticed, it works fine if connecting through the local IP address, but it doesn't work if connecting from the router's ip address (the external ip address). The computer seems to think that the incoming request is from the router (192.168.1.1)! I don't know how to fix this, but just being able to connect it all is a big step! Thanks for your help!