I am working with a 10.5.1 client and a 10.5.1 server on a LAN and
I want to test the possibility to make a VPN connection.
So, I set up VPN service. I have enabled L2TP over IPsec, have PPP
authentication set to Directory Service using MS-CHAPv2 and I want
to use a self-signed certificate. But on the client, when I ask for
a certificate it says there is no usable certificate in my keychain
and I am unable to get one in. When I try to trust the certificate
I got in I get
Dec 21 22:50:31 hermione-e /usr/sbin/ocspd[1752]: starting
Dec 21 22:50:40 hermione-e Keychain Access[1685]: Couldn't register
server "com.apple.KeychainProxyServer" on this host.
Dec 21 22:50:40 hermione-e Keychain Access[1685]: Exception raised
during start of kcproxy: Couldn't register server
"com.apple.KeychainProxyServer" on this host.
I have no idea what this means.
So I decided to try a shared secret first. But this also does not
work. I get on the client the message that IPsec has failed
(foo.example.com is in reality my server system):
Dec 21 22:46:55 hermione-e pppd[1740]: pppd 2.4.2 (Apple version
314) started by root, uid 501
Dec 21 22:46:55 hermione-e pppd[1740]: L2TP connecting to server
'foo.example.com' (192.168.2.66)...
Dec 21 22:46:58 hermione-e pppd[1740]: IPSec connection started
Dec 21 22:47:08 hermione-e pppd[1740]: IPSec connection failed
Is there a recipe somewhere to get VPN working between a leopard
client and a leopard server?
Adding to this: I can make a PPTP VPN connection connect. But it
could as well not be there. The menu bar shows I have a working VPN
connection, but when I ssh to another machine on the network it says
I come from my non-VPN IP-address and not from the one I got from
PPTP. So, I have a connection but it is not used.
PPTP connect gave me IP 192.168.2.41. I can ping from my VPN server
to 192.168.2.41 after connecting and that works.
I do not have a DHCP running.
Clearly I do not understand well enough what is happening.

Most likely L2TP is failing b/c you are not passing the proper IP
protocols in addition to TCP. What stands between the two machines?
I'll guess you're traversing firewalls, perhaps even involving NAT.
You can get the PPTP running b/c it doesn't require very much in the
way of additional protocols aside from TCP.
As for checking to see if your PPTP connection is up and running, what
does ifconfig tell you? It should list something like:
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1444
inet 192.168.1.97 --> 192.168.1.25 netmask 0xffffff00
But w/o explaining more about your network architecture it's going to
be hard to tell you more. For instance you say that you get an IP
address of 192.168.2.41 yet don't tell us if that's on your target
subnet or if it's different or the same from your true local subnet.
Likewise you don't explain how or why you believe that the ssh
connection is coming from an unexpected IP address. And what does
netstat have to say?
Lastly, have you read the Land Crab book to develop an understanding of
IP and TCP networking? There's also "Troubleshooting Virtual Private
Networks" by Mark Lewis which has a very nice chapter on
Troubleshooting IPSec VPNs. Without a good understanding of the
fundamentals troubleshooting VPNs is almost impossible.
That said, PPTP is much easier to set up and get working through
foreign networks. While certainly not as secure as IPSec or L2TP it
does function more often through difficult networks (as do ssh and ssl
tunnels.) Is there a reason you need L2TP? Are you sure it's even
possible given your networks?
-dhan
------------------------------------------------------------------------
Dan Shoop
Computer Scientist
iWiring / U.S. Technical Services
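The ifconfig and netstat checks the reply asks for, turned into a small script, as an added example that is not from either poster. It parses `ifconfig` output for the ppp interface and `netstat -rn` output for the routing table, then does a longest-prefix lookup to say whether traffic to a given host would actually leave through the tunnel or through the normal LAN interface (the "connected but not used" symptom in the first message). The sample outputs are constructed: the PPTP address 192.168.2.41 and server 192.168.2.66 come from the thread, while the client LAN 10.0.0.0/24 and the interface name ppp0 are assumptions.

```python
"""Check whether a PPP VPN link is up and whether traffic to a given host
would actually be routed through it, from ifconfig and netstat -rn output."""
import ipaddress
import re

# Constructed sample output (not from the thread), modelled on the OP's
# situation: PPTP assigned 192.168.2.41, the VPN server is 192.168.2.66,
# and the client's own LAN is assumed to be 10.0.0.0/24.
SAMPLE_IFCONFIG = """\
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    inet 127.0.0.1 netmask 0xff000000
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 10.0.0.5 netmask 0xffffff00 broadcast 10.0.0.255
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1444
    inet 192.168.2.41 --> 192.168.2.66 netmask 0xffffff00
"""

# Constructed routing table holding only the point-to-point host route for
# the peer: everything else still leaves via en0, which is the OP's symptom.
NETSTAT_PEER_ROUTE_ONLY = """\
Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            10.0.0.1           UGSc           12        0     en0
10.0.0/24          link#4             UCS             2        0     en0
127                127.0.0.1          UCS             0        0     lo0
192.168.2.66       192.168.2.41       UH              0        0    ppp0
"""

# The same table plus a route for the remote subnet through the tunnel.
NETSTAT_WITH_SUBNET_ROUTE = NETSTAT_PEER_ROUTE_ONLY + \
    "192.168.2          192.168.2.41       UGSc            0        0    ppp0\n"

IFACE_RE = re.compile(r"^(\S+): flags=\d+<([^>]*)>")
INET_RE = re.compile(r"^\s+inet (\S+)(?: --> (\S+))?")


def parse_ifconfig(text):
    """Return {iface: {"flags": set, "inet": addr, "peer": addr or None}}."""
    ifaces, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            ifaces[current] = {"flags": set(m.group(2).split(",")),
                               "inet": None, "peer": None}
            continue
        m = INET_RE.match(line)
        if m and current:
            ifaces[current]["inet"] = m.group(1)
            ifaces[current]["peer"] = m.group(2)  # set only for point-to-point links
    return ifaces


def _dest_network(dest):
    """Turn a BSD netstat destination ('default', '10.0.0/24', '192.168.2',
    '192.168.2.66') into an ipaddress network object."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    if "/" in dest:
        addr, prefix = dest.split("/")
        prefix = int(prefix)
    else:
        addr, prefix = dest, None
    octets = addr.split(".")
    if prefix is None:
        prefix = 8 * len(octets)  # classful shorthand: '192.168.2' means /24
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(f"{'.'.join(octets)}/{prefix}", strict=False)


def parse_routes(text):
    """Return a list of (network, gateway, flags, netif) from netstat -rn."""
    routes, in_v4 = [], False
    for line in text.splitlines():
        if line.startswith("Internet:"):
            in_v4 = True
            continue
        if line.startswith("Internet6:"):
            break
        fields = line.split()
        if not in_v4 or len(fields) < 6 or fields[0] == "Destination":
            continue
        routes.append((_dest_network(fields[0]), fields[1], fields[2], fields[5]))
    return routes


def route_for(target, routes):
    """Longest-prefix match: which routing entry carries traffic to target?"""
    ip = ipaddress.ip_address(target)
    best = None
    for net, gw, flags, netif in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, flags, netif)
    return best


def vpn_status(ifconfig_text, netstat_text, target, ppp_iface="ppp0"):
    """Report whether the PPP link is up and whether `target` is reached via it."""
    ifaces = parse_ifconfig(ifconfig_text)
    ppp = ifaces.get(ppp_iface)
    ppp_up = bool(ppp) and {"UP", "RUNNING"} <= ppp["flags"] and ppp["inet"] is not None
    route = route_for(target, parse_routes(netstat_text))
    netif = route[3] if route else None
    return {
        "ppp_up": ppp_up,
        "local_addr": ppp["inet"] if ppp else None,
        "peer": ppp["peer"] if ppp else None,
        "route_iface": netif,
        "used": ppp_up and netif == ppp_iface,
    }


if __name__ == "__main__":
    for label, table in (("peer route only", NETSTAT_PEER_ROUTE_ONLY),
                         ("with subnet route", NETSTAT_WITH_SUBNET_ROUTE)):
        print(label, vpn_status(SAMPLE_IFCONFIG, table, "192.168.2.40"))
```

With only the host route for the peer, a packet to another LAN host such as 192.168.2.40 matches the default route and leaves via en0, so the far side sees the non-VPN address even though ppp0 is UP and RUNNING; once a route for 192.168.2.0/24 points at ppp0 the same lookup reports the tunnel as the outgoing interface. On a live system feed it the real output of `ifconfig` and `netstat -rn` instead of the constructed samples.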