Old 11-03-2003, 08:38 AM   #1
myzel
Prospect
 
Join Date: Nov 2003
Posts: 13
vpnd in Mac OS X 10.3 client - how to configure?

Hello,
I noticed that Panther includes the VPN server vpnd from Mac OS X 10.3 Server. The new vpnd now supports L2TP.
The man page for vpnd isn't very useful. The configuration for vpnd is stored in a *.plist file, but that file is not included in Panther (client).
I tried to set up vpnd with the corresponding *.plist file from 10.3 Server that somebody e-mailed me, but I wasn't able to log in using L2TP. There is some problem with the authentication, and as I don't have 10.3 Server I can't test which values should be in the .plist.

Here is all the information I gathered:
In /etc/hostconfig change VPNSERVERS=-NO- to VPNSERVERS=-YES-

The configuration *.plist is:
/Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist

(It's a rather complex XML file with the configuration for PPTP and L2TP.) It can be copied from 10.3 Server, but I don't know which values should be in there.

The main problem I have is that L2TP can't get the pskey. It should be stored in a keychain (if I'm correct). So authentication with racoon doesn't work.
/private/etc/racoon/remote/anonymous.conf points to a com.apple.ppp.l2tp keychain; I don't know where it should be located, which user should create it (or what name it should have), or what entries it should have.

Maybe somebody who has 10.3 Server can fill in the missing parts. It might be helpful to create a fake VPN server with descriptive values so we could figure out how to configure vpnd with L2TP/IPSec.
I think that would be a very useful hint - if it works.
Old 11-03-2003, 10:49 AM   #2
srmc710
Triple-A Player
 
Join Date: Feb 2003
Posts: 101
I haven't tried this yet, but here's a web site:
http://www.afp548.com/Articles/Jaguar/vpnd.html
please post results...
Old 11-03-2003, 11:13 AM   #3
myzel
Prospect
 
Join Date: Nov 2003
Posts: 13
That site only describes setting up PPTP in Jaguar Server (and there is already a hint about that).
It seems that vpnd has changed in Panther and now supports L2TP (supposed to be more secure).

I'm trying to set up an L2TP/IPSec VPN server.

And from all I know the configuration method has changed - even for PPTP.
Old 11-04-2003, 05:34 PM   #4
Jacco
Prospect
 
Join Date: Nov 2003
Location: Zaandam, The Netherlands
Posts: 2
Re: vpnd in Mac OS X 10.3 client - how to configure?

Quote:
Originally posted by myzel

I noticed that Panther includes the VPN-Server vpnd from Mac OS X 10.3 Server. The new vpnd now supports L2TP.

The main problem I have is that L2TP can't get the pskey. It should be stored in a keychain (if I'm correct). So authentication with racoon doesn't work.
/private/etc/racoon/remote/anonymous.conf points to a com.apple.ppp.l2tp keychain; I don't know where it should be located, which user should create it (or what name it should have), or what entries it should have.

Note that IPsec uses preshared keys or certificates (located in keychain) but L2TP is used to tunnel PPP so it is very much like a PPP server. You might need to add the PPP passwords to /etc/ppp/chap-secrets, but I am not sure.

The L2TP protocol also supports authentication but Windows does not use it. And I would think Apple doesn't either. IPsec and PPP authentication should be enough.

BTW, does anyone know on what software vpnd is based? Is it Apple proprietary?
Old 11-04-2003, 05:51 PM   #5
myzel
Prospect
 
Join Date: Nov 2003
Posts: 13
Re: Re: vpnd in Mac OS X 10.3 client - how to configure?

Quote:
Originally posted by Jacco
Note that IPsec uses preshared keys or certificates (located in keychain) but L2TP is used to tunnel PPP so it is very much like a PPP server. You might need to add the PPP passwords to /etc/ppp/chap-secrets, but I am not sure.

Yes, the problem is that that key is stored somehow in the system keychain.

I found out that the following objects are in the system keychain:
com.apple.net.racoon with account com.apple.ppp.l2tp
com.apple.ras with account vpn_[MACADDRESS]

But I don't know where and how exactly the pskey is stored.

I get this error if I try to connect to my VPN server from a remote Mac:

Code:
localhost racoon: ERROR: localconf.c:195:getpskfromkeychain(): failed to get preshared key from system keychain (error -25308)

Quote:
Originally posted by Jacco
BTW, does anyone know on what software vpnd is based? Is it Apple proprietary?

For all I know it's Apple proprietary. I guess that's why it's so easy to set it up in Panther Server with a nice GUI but so hard to recreate that setup in Panther client - without knowing what to do ;-)
Old 11-05-2003, 02:13 AM   #6
Jacco
Prospect
 
Join Date: Nov 2003
Location: Zaandam, The Netherlands
Posts: 2
Re: Re: Re: vpnd in Mac OS X 10.3 client - how to configure?

Quote:
Originally posted by myzel
But I don't know where and how exactly the pskey is stored.

I get this error if I try to connect to my VPN server from a remote Mac:

getpskfromkeychain(): failed to get preshared key from system keychain

What if you configure a VPN connection to the client on the server? Then the PSK you enter should be in the keychain. After all, it is a shared key so it should work both ways.

Quote:
For all I know it's Apple proprietary. I guess that's why it's so easy to set it up in Panther Server with a nice GUI but so hard to recreate that setup in Panther client - without knowing what to do ;-)

Silly question, but why don't you use sshd?
Old 11-05-2003, 06:19 AM   #7
myzel
Prospect
 
Join Date: Nov 2003
Posts: 13
Re: Re: Re: Re: vpnd in Mac OS X 10.3 client - how to configure?

Quote:
Originally posted by Jacco
Silly question, but why don't you use sshd?

I use ssh. I just thought that it might be nice to find out if it's possible to run an L2TP VPN server on Panther client.
vpnd is in Panther client and it would be nice to use a VPN server for friends and family without the need to buy Panther Server.

The main problem that prevents vpnd with L2TP/IPSec from running on Panther client seems to be authentication.
I don't know if Panther Server uses a special way to authenticate remote users.
The user who wants to log in through a VPN has to be a regular user on the server.
Old 11-14-2003, 03:25 PM   #8
Guybrush
Triple-A Player
 
Join Date: May 2003
Location: homeless
Posts: 111
Myzel,

did you ever get this to work?
I just found vpnd on my Panther, so I was searching for information on this.

The source is even available on Apple's site (ppp-142.tar.gz).

Can anyone with 10.3 Server send me /Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist (or do you have it, Myzel?)

It would be very interesting if we could get this to work.
Old 11-14-2003, 03:47 PM   #9
srmc710
Triple-A Player
 
Join Date: Feb 2003
Posts: 101
That is the file I need also. Will someone please send it to me!

samsprograms@mac.com
Old 11-14-2003, 05:32 PM   #10
Guybrush
Triple-A Player
 
Join Date: May 2003
Location: homeless
Posts: 111
Use the source, Luke!

Using the source code I downloaded (don't you just love Apple's open source) I was able to see what settings it checks, and using that I was able to slowly build up my own config with vi.

Here's my "simple" config to make a working VPN server for Windows clients (tested on WinXP and Win2kAS).

Code:
[savage@powerbook ppp]$ cat /Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Servers</key>
	<dict>
		<key>test</key>
		<dict>
			<key>Interface</key>
			<dict>
				<key>Type</key>
				<string>PPP</string>
				<key>SubType</key>
				<string>PPTP</string>
			</dict>

			<key>Addresses</key>
			<array>
				<string>192.168.0.7</string>
			</array>

			<key>IPv4</key>
			<dict>
				<key>DestAddresses</key>
				<array>
					<string>192.168.0.200</string>
					<string>192.168.0.201</string>
					<string>192.168.0.202</string>
					<string>192.168.0.203</string>
				</array>
			</dict>

			<key>PPP</key>
			<dict>
				<key>CCPEnabled</key>
				<integer>1</integer>
				<key>CCPProtocols</key>
				<array>
					<string>MPPE</string>
				</array>
				<key>MPPEKeySize40</key>
				<integer>40</integer>

				<key>AuthenticatorProtocol</key>
				<array>
					<string>MSCHAP2</string>
					<string>MSCHAP</string>
				</array>
			</dict>

			<key>AuthenticatorEAPPlugins</key>
			<array>
			</array>

			<key>Server</key>
			<dict>
				<key>VerboseLogging</key>
				<integer>100</integer>
			</dict>

		</dict>

	</dict>

</dict>
</plist>
First of all make a /etc/ppp/chap-secrets file. This file contains the users and passwords for authentication using CHAP (Challenge Handshake Authentication Protocol):
Code:
[savage@powerbook ppp]$ sudo cat /etc/ppp/chap-secrets 
# Secret for authentication using CHAP
# client    server   secret        IP addresses
vpn * vpn *
So I have 1 user, "vpn", that can log in with the password "vpn"; just add more users if you need to.

Also make sure that file is chmodded 600, so only root can read it.

Then run the VPN daemon anywhere with:
Code:
vpnd -dxi test
test is the Server config; you can add more or change the name.

Run with the -h switch to get the available command line options. It also logs to /etc/ppp/vpnd.log.

The important thing to change is the Addresses key, I think; 192.168.0.7 is my PowerBook's IP.
DestAddresses is an array with the IPs it will assign to the clients that connect.
A lot of the keys speak for themselves. I don't understand them all either, I just got into using VPN.
You can disable encryption by removing the MSCHAP key.
There are a lot of other settings, just take a peek at the source.

Can't quite get arpproxy working yet, couldn't get it working on Red Hat either (like when 2 clients connect and the clients try to ping each other).

Anyways, Apple's vpnd works a lot better than PoPToP/pptpd on Red Hat!

Please post feedback, positive or negative, I don't care.
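A pre-flight check for a config of this shape, as an added Python example (not code from the thread or from Apple's vpnd). The sample plist and chap-secrets text are constructed from the post above, and the rules checked are the ones the post states: non-empty Addresses and DestAddresses, MSCHAP2 listed first (vpnd warns that only the first method is used), MPPE enabled, and chap-secrets readable only by its owner.

```python
# Added example (not from the thread or Apple's vpnd): sanity-check a
# com.apple.RemoteAccessServers.plist and chap-secrets file in the formats the
# post describes before running `vpnd -dxi test`. All sample data is constructed.
import os, plistlib, stat

# Constructed from the posted config plus the <?xml>/<plist> wrapper a real file has.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0">
<dict><key>Servers</key><dict><key>test</key><dict>
<key>Interface</key><dict><key>Type</key><string>PPP</string><key>SubType</key><string>PPTP</string></dict>
<key>Addresses</key><array><string>192.168.0.7</string></array>
<key>IPv4</key><dict><key>DestAddresses</key><array><string>192.168.0.200</string><string>192.168.0.201</string></array></dict>
<key>PPP</key><dict><key>CCPEnabled</key><integer>1</integer><key>CCPProtocols</key><array><string>MPPE</string></array>
<key>AuthenticatorProtocol</key><array><string>MSCHAP2</string><string>MSCHAP</string></array></dict>
</dict></dict></dict></plist>"""
SAMPLE_SECRETS = "# client server secret IP addresses\nvpn * vpn *\n"  # one user, as posted

def check_server(plist_bytes, name):
    """Return the problems found in server `name` (an empty list means OK)."""
    servers = plistlib.loads(plist_bytes).get("Servers", {})
    if name not in servers:
        return [f"no server named {name!r}: vpnd -i {name} has nothing to run"]
    srv, ppp, problems = servers[name], servers[name].get("PPP", {}), []
    if not srv.get("Addresses"):
        problems.append("Addresses empty: nothing to listen on")
    if not srv.get("IPv4", {}).get("DestAddresses"):
        problems.append("DestAddresses empty: no IPs to hand out to clients")
    # vpnd logs "only the first will be used", so the first entry is what counts
    if ppp.get("AuthenticatorProtocol", [])[:1] != ["MSCHAP2"]:
        problems.append("MSCHAP2 is not the first AuthenticatorProtocol")
    if ppp.get("CCPEnabled") != 1 or "MPPE" not in ppp.get("CCPProtocols", []):
        problems.append("MPPE (CCP) not enabled: the tunnel would be unencrypted")
    return problems

def parse_chap_secrets(text):
    """Parse chap-secrets lines: client server secret [addresses...]."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # strip comments and blanks
        if not fields:
            continue
        if len(fields) < 3:
            raise ValueError(f"malformed chap-secrets line: {raw!r}")
        entries.append({"client": fields[0], "server": fields[1],
                        "secret": fields[2], "addresses": fields[3:]})
    return entries

def secrets_mode_ok(path):
    """True if only the owner can read the file (chmod 600, as the post advises)."""
    return (stat.S_IMODE(os.stat(path).st_mode) & 0o077) == 0
```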
Old 11-14-2003, 06:47 PM   #11
srmc710
Triple-A Player
 
Join Date: Feb 2003
Posts: 101
Tried it, the server actually started up this time.
But... the client gets stuck at "negotiating..."
Old 11-14-2003, 06:57 PM   #12
Guybrush
Triple-A Player
 
Join Date: May 2003
Location: homeless
Posts: 111
OK, need more info than that. Is the client in the same network? (So far I only tested it on my own LAN.)

What client is it? Windows XP? And what settings did you use? (A standard Windows VPN connection works here.)
Old 11-14-2003, 07:00 PM   #13
srmc710
Triple-A Player
 
Join Date: Feb 2003
Posts: 101
Yes same LAN... Still I think it should work. It is another mac running 10.3.1. Thanks!
Old 11-14-2003, 07:15 PM   #14
Guybrush
Triple-A Player
 
Join Date: May 2003
Location: homeless
Posts: 111
Not sure if this is the problem, but make sure you change the Addresses key:

Code:
<key>Addresses</key>
<array>
   <string>192.168.0.7</string>
</array>
My IP is 192.168.0.7, you should change it in yours.

If that doesn't work, I don't know, I only have 1 Mac
so I can't really test.
Old 11-14-2003, 07:22 PM   #15
srmc710
Triple-A Player
 
Join Date: Feb 2003
Posts: 101
Should I use my external ip address, my internal ip address, or my domain name?
my internal ip address is 192.168.1.100, external is 24.*.*.*, and domain name is *.dnsalias.com (stars are actually other things)

Thanks again!!!!!
Old 11-14-2003, 08:21 PM   #16
srmc710
Triple-A Player
 
Join Date: Feb 2003
Posts: 101
OK here's some more detailed info:
Code:
Last login: Fri Nov 14 21:14:49 on ttyp2
Welcome to Darwin!
[Purple-iMac:~] sammccan% vpnd -dxi test
2003-11-14 21:15:58 EST 2 authentication methods specified - only the first will be used
2003-11-14 21:15:58 EST VPND: vpn plugin loaded
2003-11-14 21:15:58 EST VPND: Listening for connections
(This is where it is after it has started, no connections have been made. After this, a connection will be started from the client.)
Code:
2003-11-14 21:16:21 EST Incoming call... Address given to client = 192.168.1.200
(After this the client just says "negotiating..." for about a minute then errors out right before the following line)
Code:
2003-11-14 21:16:52 EST    --> Client with address = 192.168.1.200 has hungup
Thank you again for your help!
Old 11-15-2003, 05:03 AM   #17
myzel
Prospect
 
Join Date: Nov 2003
Posts: 13
Re: Use the source luke!

Quote:
Originally posted by Guybrush
Using the source code I downloaded (don't you just love Apple's open source) I was able to see what settings it checks, and using that I was able to slowly build up my own config with vi.

Thank you for that information. I almost gave up as I never got it running. I only had the plist from a Mac OS X 10.3 Server install, and Server uses the keychain to control authentication.

I will try it with the source code, and if I get it running I will post a HowTo.
Old 11-15-2003, 07:05 AM   #18
Guybrush
Triple-A Player
 
Join Date: May 2003
Location: homeless
Posts: 111
Quote:
Originally posted by srmc710
Should I use my external ip address, my internal ip address, or my domain name?
my internal ip address is 192.168.1.100, external is 24.*.*.*, and domain name is *.dnsalias.com (stars are actually other things)

Thanks again!!!!!

It depends on whether your Mac is directly connected to the internet or not; if it is and you want to have connections from outside your LAN, you need to listen on your internet IP.
You can also specify more than 1 address to listen on:

Code:
<key>Addresses</key>
<array>
  <string>127.0.0.1</string>
  <string>192.168.1.100</string>
  <string>24.1.2.3</string>
</array>
I'm not sure if the problem lies there; the debug information vpnd gives is kind of limited.
Old 11-15-2003, 08:06 AM   #19
Guybrush
Triple-A Player
 
Join Date: May 2003
Location: homeless
Posts: 111
VerboseLogging

Enable verbose logging with:

Code:
<key>VerboseLogging</key>
<integer>1</integer>
Put this in the PPP dict, and not anywhere else, or it won't work.

You will then get extra debug info in the system.log.
Old 11-15-2003, 08:41 AM   #20
srmc710
Triple-A Player
 
Join Date: Feb 2003
Posts: 101
I just noticed, it works fine if connecting through the local IP address, but it doesn't work if connecting from the router's ip address (the external ip address). The computer seems to think that the incoming request is from the router (192.168.1.1)! I don't know how to fix this, but just being able to connect it all is a big step! Thanks for your help!