
Re: A VPN problem I do not understand




On Dec 26, 2007, at 8:26 AM, Gerben Wierda wrote:

On Dec 26, 2007, at 08:15 , Dan Shoop wrote:


On Dec 21, 2007, at 5:12 PM, Gerben Wierda wrote:

On Dec 21, 2007, at 22:53 , Gerben Wierda wrote:

I am working with a 10.5.1 client and a 10.5.1 server on a LAN and I want to test the possibility to make a VPN connection.

So, I set up VPN service. I have enabled L2TP over IPsec, have PPP authentication set to Directory Service using MS-CHAPv2 and I want to use a self-signed certificate. But on the client, when I ask for a certificate it says there is no usable certificate in my keychain and I am unable to get one in. When I try to trust the certificate I got in I get

Dec 21 22:50:31 hermione-e /usr/sbin/ocspd[1752]: starting
Dec 21 22:50:40 hermione-e Keychain Access[1685]: Couldn't register server "com.apple.KeychainProxyServer" on this host.
Dec 21 22:50:40 hermione-e Keychain Access[1685]: Exception raised during start of kcproxy: Couldn't register server "com.apple.KeychainProxyServer" on this host.


I have no idea what this means.

So I decided to try a shared secret first. But this also does not work. I get on the client the message that IPsec has failed (foo.example.com is in reality my server system):

Dec 21 22:46:55 hermione-e pppd[1740]: pppd 2.4.2 (Apple version 314) started by root, uid 501
Dec 21 22:46:55 hermione-e pppd[1740]: L2TP connecting to server 'foo.example.com' (192.168.2.66)...
Dec 21 22:46:58 hermione-e pppd[1740]: IPSec connection started
Dec 21 22:47:08 hermione-e pppd[1740]: IPSec connection failed


Is there a recipe somewhere to get VPN working between a leopard client and a leopard server?

Adding to this: I can make a PPTP VPN connection connect. But it could as well not be there. The menu bar shows I have a working VPN connection, but when I ssh to another machine on the network it says I come from my non-VPN IP-address and not from the one I got from PPTP. So, I have a connection but it is not used.


PPTP connect gave me IP 192.168.2.41. I can ping from my VPN server to 192.168.2.41 after connecting and that works.

I do not have a DHCP running.

Clearly I do not understand well enough what is happening.


Most likely L2TP is failing b/c you are not passing the proper IP protocols in addition to TCP. What stands between the two machines? I'll guess you're traversing firewalls, perhaps even involving NAT.

Well, as I was experimenting before doing anything serious, I had VPN on my local LAN only and my server firewall set to accept everything on the local subnet. It is the simplest setup I could imagine to experiment with setting up the service.

Define "everything"? No, seriously. You see if you open up all TCP ports, and even all UDP ports, that's not enough since L2TP and IPSec require other IP protocols than TCP. In fact some so-called "routers" won't even let you open anything other than TCP or UDP ports -- so they won't work.


You can get the PPTP running b/c it doesn't require very much in the way of additional protocols aside from TCP.

As for checking to see if your PPTP connection is up and running, what does ifconfig tell you? It should list something like:

ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1444
	inet 192.168.1.97 --> 192.168.1.25 netmask 0xffffff00

Looks good with PPTP:

ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1444
	inet 192.168.2.41 --> 192.168.2.66 netmask 0xffffff00

This sounds good if 192.168.2.66 is the VPN host and 192.168.2.41 is an IP address on the remote subnet.


But w/o explaining more about your network architecture it's going to be hard to tell you more. For instance you say that you get an IP address of 192.168.2.41 yet don't tell us if that's on your target subnet or if it's different from or the same as your true local subnet. Likewise you don't explain how or why you believe that the ssh connection is coming from an unexpected IP address. And what does netstat have to say?

I wanted just to get this working in the simplest of circumstances.

Well there's nothing "simple" about VPNs. They involve very complicated concepts of networking that all must work properly together.


Both machines on my 192.168.2 local subnet, firewall turned off (for the duration of the experiment). Basically, because I understand that L2TP is more secure than PPTP, I would like to use it.

Can be more secure, not is always more secure. PPTP can be used to establish secure connections.


I want to set it up in my local subnet first between my laptop and my server. I want all traffic to go via the VPN.

You can't set things up inside a local subnet properly. You need two distinct networks, one for each machine to be on.


As far as "all traffic going to the VPN", there really is no such thing, it's not a real network, it's a virtual construct an

Lastly, have you read the Land Crab book to develop an understanding of IP and TCP networking? There's also "Troubleshooting Virtual Private Networks" by Mark Lewis which has a very nice chapter on Troubleshooting IPSec VPNs. Without a good understanding of the fundamentals troubleshooting VPNs is almost impossible.

I get the feeling that this is the case. Apple's documentation is in any case not good enough for me.


That said, PPTP is much easier to set up and get working through foreign networks. While certainly not as secure as IPSec or L2TP it does function more often through difficult networks (as do ssh and ssl tunnels.) Is there a reason you need L2TP? Are you sure it's even possible given your networks?

On my local subnet for my experiment it should be possible.

Yes, but in order to do so on a local subnet it's much more complicated than trying to get it to work on two discrete networks.


I do not even get that working.

Not unexpected.

Maybe I should stick to PPTP. I would like to know however why this does not work.

The reasons could be legion, and the troubleshooting complex; but in any case you haven't provided enough information and this type of issue is hardly conducive for troubleshooting over email on a list. However we could suffice to say that if you're trying to do this inside a single subnet then it's just woolly thinking from the beginning and leave it as that as your problem.



-dhan

------------------------------------------------------------------------
Dan Shoop
Computer Scientist
iWiring / U.S. Technical Services

email@hidden
AOL IM .................... iWiring
Nextel .................... 1-714-363-1174
Operations TOC (24/7) ..... 1-866-901-USTS
USTS Offices .............. 1-714-374-6300

For immediate response for urgent matters please speak to the Duty Officer
at the USTS Tactical Operations Center (above) who can reach me by radio.
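The thread's "connected but not used" symptom is a routing question, which is why Dan asks what ifconfig and netstat say. The following is an added example, not code from the thread: it parses an `ifconfig` listing in the format quoted above together with a constructed `netstat -rn` table, and reports whether the default route actually goes out over the ppp interface the VPN created.

```python
import re

# Constructed sample output, modelled on the ifconfig lines quoted in the thread.
IFCONFIG_SAMPLE = """\
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tinet 192.168.2.40 netmask 0xffffff00 broadcast 192.168.2.255
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1444
\tinet 192.168.2.41 --> 192.168.2.66 netmask 0xffffff00
"""

# Constructed `netstat -rn` excerpt (hypothetical table): the default route
# still points at en1, so the tunnel is up but no traffic is sent through it.
NETSTAT_SAMPLE = """\
Destination        Gateway            Flags        Refs      Use  Netif
default            192.168.2.1        UGSc           12        0    en1
192.168.2/24       link#5             UCS             3        0    en1
192.168.2.66       192.168.2.41       UH              0        0   ppp0
"""

def parse_ppp_interfaces(ifconfig_text):
    """Return {ifname: (local, remote)} for point-to-point pppN interfaces."""
    result = {}
    current = None
    for line in ifconfig_text.splitlines():
        m = re.match(r"^(\w+): flags=", line)
        if m:
            current = m.group(1)
            continue
        # The '-->' form is how ifconfig prints a point-to-point peer.
        m = re.match(r"^\s+inet (\S+) --> (\S+)", line)
        if m and current and current.startswith("ppp"):
            result[current] = (m.group(1), m.group(2))
    return result

def default_route_interface(netstat_text):
    """Return the Netif column of the 'default' row, or None if absent."""
    for line in netstat_text.splitlines():
        parts = line.split()
        if parts and parts[0] == "default":
            return parts[-1]
    return None

def vpn_carries_default_route(ifconfig_text, netstat_text):
    """True only if the default route leaves via a ppp interface."""
    ppp = parse_ppp_interfaces(ifconfig_text)
    iface = default_route_interface(netstat_text)
    return iface in ppp, ppp, iface

if __name__ == "__main__":
    ok, ppp, iface = vpn_carries_default_route(IFCONFIG_SAMPLE, NETSTAT_SAMPLE)
    print("ppp interfaces:", ppp, "default via:", iface, "VPN in use:", ok)
```

On a real client, feed it the output of `ifconfig` and `netstat -rn`; a False result explains why ssh still shows the LAN address even though the menu bar says the VPN is connected.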



References: 
 >A VPN problem I do not understand (From: Gerben Wierda <email@hidden>)
 >Re: A VPN problem I do not understand (From: Gerben Wierda <email@hidden>)
 >Re: A VPN problem I do not understand (From: Dan Shoop <email@hidden>)
 >Re: A VPN problem I do not understand (From: Gerben Wierda <email@hidden>)