I am working with a 10.5.1 client and a 10.5.1 server on a LAN
and I want to test the possibility to make a VPN connection.
So, I set up VPN service. I have enabled L2TP over IPsec, have
PPP authentication set to Directory Service using MS-CHAPv2 and
I want to use a self-signed certificate. But on the client, when
I ask for a certificate it says there is no usable certificate
in my keychain and I am unable to get one in. When I try to
trust the certificate I got in I get
Dec 21 22:50:31 hermione-e /usr/sbin/ocspd[1752]: starting
Dec 21 22:50:40 hermione-e Keychain Access[1685]: Couldn't
register server "com.apple.KeychainProxyServer" on this host.
Dec 21 22:50:40 hermione-e Keychain Access[1685]: Exception
raised during start of kcproxy: Couldn't register server
"com.apple.KeychainProxyServer" on this host.
I have no idea what this means.
So I decided to try a shared secret first. But this also does
not work. I get on the client the message that IPsec has failed
(foo.example.com is in reality my server system):
Dec 21 22:46:55 hermione-e pppd[1740]: pppd 2.4.2 (Apple version
314) started by root, uid 501
Dec 21 22:46:55 hermione-e pppd[1740]: L2TP connecting to server
'foo.example.com' (192.168.2.66)...
Dec 21 22:46:58 hermione-e pppd[1740]: IPSec connection started
Dec 21 22:47:08 hermione-e pppd[1740]: IPSec connection failed
Is there a recipe somewhere to get VPN working between a leopard
client and a leopard server?
Adding to this: I can make a PPTP VPN connection connect. But it
could as well not be there. The menu bar shows I have a working
VPN connection, but when I ssh to another machine on the network
it says I come from my non-VPN IP-address and not from the one I
got from PPTP. So, I have a connection but it is not used.
PPTP connect gave me IP 192.168.2.41. I can ping form my VPN
server to 192.168.2.41 after connecting and that works.
I do not have a DHCP running.
Clearly I do not understand well enough what is happening.
Most likely L2TP is failing b/c you are not passing the proper IP
protocols in addition to TCP. What stands between the two
machines? I'll guess you're traversing firewalls, perhaps even
involving NAT.
Well, as I was experimenting before doing anything serious, I had
VPN on my local LAN only and my server firewall set to accept
everything on the local subnet. It is the simplest setup I could
imagine to experiment with setting up the service.
Define "everything"? No, seriously. You see if you open up all TCP
ports, and even all UDP ports, that's not enough since L2TP and
IPSec require other IP protocols than TCP. In fact some so-called
"routers" won't even let you open anything other than TCP or UDP
ports -- so they won't work.
Everything = "all" in Firewall settings of Server Admin. Another way
to get Everything is to turn the firewall off altogether. As these are
on the same ethernet switch and talk directly there are no other
components involved afaik.
You can get the PPTP running b/c it doesn't require very much in
the way of additional protocols aside from TCP.
As for checking to see if your PPTP connection is up and running,
what does ifconfig tell you? It should list something like:
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1444
inet 192.168.1.97 --> 192.168.1.25 netmask 0xffffff00
Looks good with PPTP:
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1444
inet 192.168.2.41 --> 192.168.2.66 netmask 0xffffff00
This sounds good if 192.168.2.66 is the VPN host and 192.168.2.41 is
an IP address on the remote subnet.
Yes. In this case, remote subnet = local subnet.
But w/o explaining more about your network architecture it's going
to be hard to tell you more. For instance you say that you get an
IP address of 192.168.2.41 yet don't tell us if that's on your
target subnet or if it's different or the same from your true
local subnet. Likewise you don't explain how or why you believe
that the ssh connection is coming from an unexpected IP address.
And what does netstat have to say?
I wanted just to get this working in the simplest of circumstances.
Well there's nothing "simple" about VPNs. They involve very
complicated concepts of networking that all must work properly
together.
Both machines on my 192.168.2 local subnet, firewall turned off
(for the duration of the experiment). Basically, because I
understand that L2TP is more secure than PPTP, I would like to use
it.
Can be more secure, not is always more secure. PPTP can be used to
establish secure connections.
I want to set it up in my local subnet first between my laptop and
my server. I want all traffic to go via the VPN.
You can't set things up inside a local subnet properly. You need two
distinct networks that each machine is on.
Why? If my VPN server hands out 192.168.2.40-49 and my client is using
192.168.2.87 it can establish a VPN connection to my server
(192.168.2.66), can't it? Actually, this works fine using PPTP.
As far as "all traffic going to the VPN", there really is no such
thing, it's not a real network, it's a virtual construct an
If the default route of my client says everything is going to my VPN
server, isn't all my IP traffic (except VPN itself) part of that?
Lastly, have you read the Land Crab book to develop an
understanding of IP and TCP networking? There's also
"Troubleshooting Virtual Private Networks" by Mark Lewis which has
a very nice chapter on Troubleshooting IPSec VPNs. Without a good
understanding of the fundamentals troubleshooting VPNs is almost
impossible.
I get the feeling that this is the case. Apple's documentation is
in any case not good enough for me.
That said, PPTP is much easier to set up and get working through
foreign networks. While certainly not as secure as IPSec or L2TP
it does function more often through difficult networks (as do ssh
and ssl tunnels.) Is there a reason you need L2TP? Are you sure
it's even possible given your networks?
On my local subnet for my experiment it should be possible.
Yes, but in order to do so on a local subnet it's much more complicated
than trying to get it to work on two discrete networks.
I do not even get that working.
Not unexpected.
Maybe I should stick to PPTP. I would like to know however why this
does not work.
The reasons could be legion, and the troubleshooting complex; but in
any case you haven't provided enough information and this type of
issue is hardly conducive for troubleshooting over email on a list.
However we could suffice to say that if you're trying to do this
inside a single subnet then it's just woolly thinking from the
beginning and leave it at that as your problem.
Friendly. In the spirit of the season and all that.
Let's just say I am not a VPN expert nor a networking guru. That is
why I go to the list if the documentation does not help me out. If you
have a problem with non-perfect people addressing the list and your
idea is that all should be gurus in the first place, what is the
reason a) of there being a list in the first place and b) you
answering questions on that list (unless you just enjoy telling people
that they are not perfect)?
G
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Macos-x-server mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/macos-x-server/email@hidden
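The thread leaves two questions hanging: why a PPTP tunnel that ifconfig shows as up is still not "used" by ssh, and what a TCP/UDP-only firewall really lets through for PPTP and L2TP/IPsec. The script below is an added example, not code from the list, from either poster, or from Apple. It parses the `ifconfig` and `netstat -rn` output shapes quoted in the thread and does a longest-prefix route lookup, so the "connected but unused" state can be told apart from "default route via the VPN". All sample interface and routing-table text is constructed (the addresses mirror the thread's .41 client and .66 server); the function and constant names are this example's own.

```python
"""Added diagnostic example; not code from the thread, the list, or Apple.
Two points from the thread, made checkable on constructed output:
  1. a tunnel that ifconfig shows as up is only *used* for destinations the
     routing table sends to it, so "VPN connected" and "ssh still arrives
     from my LAN address" can both be true at once on a single subnet;
  2. a policy that opens only TCP/UDP ports never passes GRE (PPTP) or
     ESP (L2TP/IPsec), however many ports it opens.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

GRE = 47  # IP protocol carrying PPTP's PPP frames
ESP = 50  # IP protocol carrying IPsec's encrypted payload
# ("tcp"|"udp", port) or ("ip", protocol number) each VPN needs end to end.
REQUIRED = {
    "pptp": {("tcp", 1723), ("ip", GRE)},
    "l2tp-ipsec": {("udp", 500), ("udp", 4500), ("udp", 1701), ("ip", ESP)},
}

def missing_for(vpn: str, allows) -> List[Tuple[str, int]]:
    """Requirements of `vpn` that the policy predicate allows(kind, value) rejects."""
    return sorted(r for r in REQUIRED[vpn] if not allows(*r))

def tcp_udp_only(kind: str, value: int) -> bool:
    """A router that can forward every TCP and UDP port but no other IP protocol."""
    return kind in ("tcp", "udp")

@dataclass
class Tunnel:
    name: str
    flags: List[str]
    local: str
    peer: str

    @property
    def up(self) -> bool:
        return "UP" in self.flags and "RUNNING" in self.flags

# A pppN block in ifconfig: the flags line, then the point-to-point inet line.
IFCONFIG_RE = re.compile(
    r"^(?P<name>ppp\d+): flags=\d+<(?P<flags>[^>]*)>[^\n]*\n"
    r"\s*inet (?P<local>[\d.]+) --> (?P<peer>[\d.]+)", re.MULTILINE)
NETIF_RE = re.compile(r"[a-z]+\d+")              # en0, ppp0, lo0 ...
DEST_RE = re.compile(r"\d+(\.\d+){0,3}(/\d+)?")  # BSD netstat IPv4 destination

def parse_tunnels(ifconfig_text: str) -> List[Tunnel]:
    return [Tunnel(m["name"], m["flags"].split(","), m["local"], m["peer"])
            for m in IFCONFIG_RE.finditer(ifconfig_text)]

def _parse_dest(dest: str) -> Tuple[int, int]:
    """BSD shorthand -> (network, prefix length): '192.168.2' is /24, '127'
    is /8, 'default' is 0.0.0.0/0 and 'a.b.c.d/n' is explicit."""
    if dest == "default":
        return 0, 0
    addr, _, plen = dest.partition("/")
    net = 0
    for o in (addr.split(".") + ["0"] * 3)[:4]:
        net = (net << 8) | int(o)
    return net, int(plen) if plen else 8 * len(addr.split("."))

def route_for(dest_ip: str, netstat_rn_text: str) -> Optional[str]:
    """Longest-prefix match over the IPv4 rows of `netstat -rn`: the interface
    the kernel would pick for dest_ip ("0.0.0.0" yields the default route)."""
    target, _ = _parse_dest(dest_ip)
    best = None  # (prefix length, interface)
    for line in netstat_rn_text.splitlines():
        f = line.split()
        if not f or not (f[0] == "default" or DEST_RE.fullmatch(f[0])):
            continue  # header, blank, or non-IPv4 row
        net, plen = _parse_dest(f[0])
        mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
        netif = next((x for x in reversed(f) if NETIF_RE.fullmatch(x)), None)
        if netif and (target & mask) == (net & mask) and (best is None or plen > best[0]):
            best = (plen, netif)
    return best[1] if best else None

def diagnose(ifconfig_text: str, netstat_rn_text: str) -> str:
    """'no-tunnel', 'tunnel-up-but-unused' (the PPTP symptom in the thread)
    or 'default-via-vpn'."""
    up = {t.name for t in parse_tunnels(ifconfig_text) if t.up}
    if not up:
        return "no-tunnel"
    via = route_for("0.0.0.0", netstat_rn_text)
    return "default-via-vpn" if via in up else "tunnel-up-but-unused"

# Constructed samples mirroring the thread's addresses (client .41, server .66).
SAMPLE_IFCONFIG = """\
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tinet 192.168.2.87 netmask 0xffffff00 broadcast 192.168.2.255
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1444
\tinet 192.168.2.41 --> 192.168.2.66 netmask 0xffffff00
"""
NETSTAT_DIRECT = """\
Destination        Gateway            Flags        Netif Expire
default            192.168.2.1        UGSc           en0
127                127.0.0.1          UCS            lo0
192.168.2          link#4             UCS            en0
192.168.2.66       192.168.2.41       UH             ppp0
"""
# Same table after "send all traffic over VPN": only the default row changes.
NETSTAT_VIA_VPN = re.sub(r"^default.*$", "default            192.168.2.66       UGSc           ppp0",
                         NETSTAT_DIRECT, flags=re.MULTILINE)
```

Run against the constructed tables, `diagnose` reports `tunnel-up-but-unused` for the first routing table and `default-via-vpn` for the second. Even in the second case `route_for("192.168.2.100", NETSTAT_VIA_VPN)` returns `en0`: the on-link `192.168.2/24` row is more specific than the default route, so traffic to any host on the same subnet never enters the tunnel, which is consistent with ssh seeing the LAN address when both ends share one subnet. `missing_for("l2tp-ipsec", tcp_udp_only)` returns only `[("ip", 50)]`, the ESP protocol that no number of opened TCP/UDP ports supplies.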