
techbri

macrumors newbie
Nov 13, 2007
8
2
Workaround

I, too, have not been able to get the VPN working in Mavericks Server. I purchased iVPN (latest version from their website, not from the App Store) and installed it on my Mini. I configured the VPN in the app and set it initially to use the directory for authentication. Watching the log, I saw the same failures. I then switched iVPN to use a standalone account and made sure to use a different user name than my directory account, which worked fine. It seems that the VPN issue with Mavericks is related to directory authentication. At least I have a good workaround for now and it only cost me $15.
 

Voch

macrumors member
Jan 27, 2006
54
0
Workaround from ML...

As per that same Apple discussion forum thread, I just got L2TP VPN working by replacing the /usr/sbin/racoon file with the one from ML. I had to do it using sudo and had to reboot first as the file was "in use" when the Mac was up-and-running (probably by the VPN server). It's a workaround for now but it seems to work with my MBP and iPhone clients.
 

jmstacey

macrumors newbie
Jul 15, 2009
3
0
Colorado
I can confirm:
Replacing /usr/sbin/racoon with a backup from Mountain Lion fixes the problem for me. Changing kern.ipc.maxsockbuf does not fix the problem, at least for me.

My setup: iOS 7 -> OS X Mavericks

Please also file a bug report along with me so that this gets more attention from Apple: http://bugreport.apple.com
 

Idgit

macrumors 6502a
Mar 14, 2004
561
185
LOL. How did this ever get past beta testing? Did anyone at Apple or anyone who had access to the dev version even try setting up a VPN server? It seems to me that would be one of the first things to set up and test. Pathetic and shameful QA on their part.

Spoke to Apple Enterprise Support this morning and they are aware of the issue now. We spent about 2 hours troubleshooting and trying everything the tech could think of; in the end he gathered logs from my server. At this point they are leaning towards an issue with NAT and Mavericks Server. They're working on it; it will most likely be addressed in an update to the Server app. Just wanted to share.
 

mvmanolov

macrumors 6502a
Original poster
Aug 27, 2013
858
5
I can confirm:
Replacing /usr/sbin/racoon with a backup from Mountain Lion fixes the problem for me. Changing kern.ipc.maxsockbuf does not fix the problem, at least for me.

My setup: iOS 7 -> OS X Mavericks

Please also file a bug report along with me so that this gets more attention from Apple: http://bugreport.apple.com

Can you please describe your OS X setup? Was it a clean install? What is your HW configuration? What is your network setup? (Are you using an Apple router - AE/TC?) If you are, is your AE/TC providing DHCP services or not? Do you have the Server app manage the AE/TC?

Also can you please post a description of the steps to change the racoon?


Lastly, can other people with MAV installed try this and confirm that it works?


Thanks in advance
 

Voch

macrumors member
Jan 27, 2006
54
0
My Mavericks install was an upgrade from Mountain Lion, but the Mountain Lion install was a recently-cleaned installation (I added an SSD the two weeks before and did a clean installation of ML to make a Fusion drive).

Server is a mid-2011 Mac mini dual-core 2.3GHz w/ 16GB RAM and 120GB SSD + 500GB stock hard drive.

Network setup is wired Ethernet to a "2009" third-generation Airport Extreme Base Station that provides DHCP services with consistent IP addresses based on my hardware's MAC addresses. I allowed the Server.app to configure the VPN ports on my AEBS.

My VPN clients are an iPhone 4S (via WiFi and/or 3G...VPN works on both now) and 2011 MacBook Pro 15" (never leaves home, but was able to VPN in using my DynamicDNS "outside" name).

The VPN configuration I'm using is Password + Shared Secret...I never got around to figuring out the Certificate-based auth yet. If I need to I can SSH to my VPN server and enable/disable the VPN service out of paranoia ("sudo serveradmin stop vpn").

To make the change to racoon (this is from memory...I'll fix the instructions if memory fails):

  • Make a zip of the older version from a Mountain Lion machine (doesn't need to be OS X Server necessarily) to your home's Downloads folder:
    Code:
    cd /usr/sbin
    zip -u ~/Downloads/racoon-ml.zip racoon
  • Copy the zip to the Mavericks-equipped Mac into, say, your home's Downloads folder
  • On the Mavericks-equipped Mac, back up the current version of racoon to a zip file in your home's Downloads folder:
    Code:
    cd /usr/sbin
    zip -u ~/Downloads/racoon-mavericks.zip racoon
  • On the Mavericks-equipped Mac, unzip the ML-version of racoon over the Mavericks one (this assumes your Mac user is an Administrator)
    Code:
    sudo unzip -o ~/Downloads/racoon-ml.zip -d /usr/sbin
    (the "-o" option overwrites the existing racoon file without confirmation)


I had to reboot before that last step was possible (the racoon file was "in use"...presumably by the VPN service).

The instructions are a little more complicated if your Mavericks user is not an Administrator (chances are your user *is* an Administrator); you'll have to sudo as an Administrator user and put the racoon-ml.zip where the Administrator user can get at it to run that last "sudo unzip..." command.
 

mvmanolov

macrumors 6502a
Original poster
Aug 27, 2013
858
5
My Mavericks install ...

Thank you Voch for the details, and the instructions, and congrats on getting yours to do what it's supposed to.

Can you confirm that now the VPN works without any problems both on iOS as well as OS X devices from outside of your home network? (Could you do a file transfer from the server to the VPN client?)


Also, can anyone else that already has MAV installed try this fix and confirm?

Thank you all again for your help.

I need to do a clean install but don't want to start the process before I can be sure that this works… :)

Cheers,
 

Voch

macrumors member
Jan 27, 2006
54
0
Can you confirm that now the VPN works without any problems both on iOS as well as OS X devices from outside of your home network? (Could you do a file transfer from the server to the VPN client?)

I confirmed that my iPhone 4S can connect to my VPN from outside the network by switching it from WiFi to Verizon's 3G (that's outside, right? :)). I did that last night from home and confirmed it from work today.

I confirmed the VPN connection by doing a remote desktop VNC connection to the Mac mini by its LAN IP address from my iPhone using the iSSH client.

EDIT: I also just VPNed in from my iPhone over 3G, added an item to my iPhone's calendar, and it synced to the CalDAV server I have running on the mini (confirmed by running Calendar on the mini and "subscribing" locally). So cool.... :)
 

mvmanolov

macrumors 6502a
Original poster
Aug 27, 2013
858
5
I confirmed that my iPhone 4S can connect to my VPN from outside the network by switching it from WiFi to Verizon's 3G (that's outside, right? :)). I did that last night from home and confirmed it from work today.

I confirmed the VPN connection by doing a remote desktop VNC connection to the Mac mini by its LAN IP address from my iPhone using the iSSH client.

EDIT: I also just VPNed in from my iPhone over 3G, added an item to my iPhone's calendar, and it synced to the CalDAV server I have running on the mini (confirmed by running Calendar on the mini and "subscribing" locally). So cool.... :)

Sorry, Voch, I did not mean to be rude/ungrateful.

What about an OS X client and the file transfer? These are the most important for me. That is also why I asked if others have been able to do those things :)
 

Voch

macrumors member
Jan 27, 2006
54
0
Sorry, Voch, I did not mean to be rude/ungrateful.

What about an OS X client and the file transfer? These are the most important for me. That is also why I asked if others have been able to do those things :)

No problem...you made me think to make sure I really *did* connect from the "outside" via 3G (I was physically in my apartment at the time). :)

For file transfer...you mean connecting Mac-to-Mac via an AFP or SMB file share over the VPN? That should work fine. I'd have to take my MBP to Starbucks or other free WiFi to try it for myself though.
 

mvmanolov

macrumors 6502a
Original poster
Aug 27, 2013
858
5
No problem...you made me think to make sure I really *did* connect from the "outside" via 3G (I was physically in my apartment at the time). :)

For file transfer...you mean connecting Mac-to-Mac via an AFP or SMB file share over the VPN? That should work fine. I'd have to take my MBP to Starbucks or other free WiFi to try it for myself though.

I think over 3G is about as outside as you being physically outside.

And yes, AFP share over VPN, Mac to Mac; also, if you have File Browser installed on iOS, it has similar capabilities over SMB, though.

EDIT: Also, are you logging into the VPN from a local user account or a services-only account? Some in the Apple discussion boards have been saying that a services-only account crashes MAV.
 

Voch

macrumors member
Jan 27, 2006
54
0
Also, are you logging into the VPN from a local user account or a services-only account? Some in the Apple discussion boards have been saying that a services-only account crashes MAV.

I'm using my local user account and that user's password. I'm hoping that plus the Shared Secret is at least secure-ish.
 

grumpyguybill

macrumors newbie
Jul 10, 2012
19
0
California
Mavericks Server

I suspect Mavericks Server will not work on internet connections without signed certificates and registered domains.

I'm a newbie to OS X Server and all the literature I've read led me to believe that VPNs could operate with unsigned certificates and unregistered private domains.

I've been pulling my hair out for days trying to get this up and running.

Should I try a clean install of Mountain Lion and Mountain Lion Server?
 

Voch

macrumors member
Jan 27, 2006
54
0
SMB confirmation...

After enabling "Send all traffic over VPN connection" in the client setup, I VPNed in with my MBP from inside my LAN to my outside address (going out and coming in again). The VPN connection was assigned an IP address of 10.0.1.YYY...the first number of the "Starting at:" in the VPN's Client Addresses setup.

I then connected via SMB to the inside-the-LAN Mac mini (Go->Network, and entered smb://10.0.1.XXX/ShareName) and it connected to the share.

Then on the Mac mini I ran this command to see what IP addresses were using SMB port 445 (scrubbed with XXX and YYY for my internal network privacy):

Code:
MachineName:~ user$ netstat -f inet -n | grep '.445'
tcp4       0      0  10.0.1.XXX.445          10.0.1.YYY.61493       ESTABLISHED

The XXX IP is the Mac mini, the YYY IP is the VPN connection, so this should confirm that the SMB connection was done over the VPN.

Also, SSHing into the Mac mini, exiting, and then SSHing in again shows my last connection was made from 10.0.1.YYY.
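An added example, not part of Voch's post: a stricter version of the same check. `grep '.445'` treats the dot as a wildcard, so it also matches a local port such as 14459 or an outbound connection to a remote port 445; the filter below keeps only established connections whose local port is exactly 445 and labels each peer by whether it falls in the VPN client address pool. The function names, the addresses and the pool size are constructed, and the pool is assumed to stay inside one /24.

```shell
#!/bin/sh
# Added example. Addresses below are constructed; the post scrubs the real ones.

# smb_peers: read macOS-style `netstat -f inet -n` output on stdin and print the
# remote IP of every ESTABLISHED TCP connection whose LOCAL port is exactly 445.
smb_peers() {
    awk '$1 ~ /^tcp/ && $6 == "ESTABLISHED" {
        n = split($4, l, "."); if (l[n] != "445") next   # local addr.port
        m = split($5, r, "."); if (m != 5) next          # remote a.b.c.d.port
        print r[1] "." r[2] "." r[3] "." r[4]
    }'
}

# in_vpn_pool IP START COUNT: succeed if IP is one of COUNT addresses counted
# from START, the "Starting at:" value in the VPN's Client Addresses setup.
in_vpn_pool() {
    ip=$1; start=$2; count=$3
    [ "${ip%.*}" = "${start%.*}" ] || return 1
    last=${ip##*.}; first=${start##*.}
    [ "$last" -ge "$first" ] && [ "$last" -lt $((first + count)) ]
}

# classify_smb_peers START COUNT: label each SMB peer read from stdin.
classify_smb_peers() {
    smb_peers | while read -r peer; do
        if in_vpn_pool "$peer" "$1" "$2"; then echo "$peer vpn"
        else echo "$peer not-vpn"; fi
    done
}

# Constructed sample: server 10.0.1.20, VPN pool of 10 starting at 10.0.1.200.
SAMPLE='tcp4 0 0 10.0.1.20.445 10.0.1.200.61493 ESTABLISHED
tcp4 0 0 10.0.1.20.14459 10.0.1.7.50000 ESTABLISHED
tcp4 0 0 10.0.1.20.52011 10.0.1.9.445 ESTABLISHED
tcp4 0 0 10.0.1.20.445 10.0.1.7.61000 ESTABLISHED
tcp4 0 0 *.445 *.* LISTEN'

# On the server itself: netstat -f inet -n | classify_smb_peers 10.0.1.200 10
```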
 

Voch

macrumors member
Jan 27, 2006
54
0
Server 3.0.1 is out...

Server 3.0.1 is out. I upgraded and my VPN still works, but I did the /usr/sbin/racoon hack. Anybody up for upgrading and seeing if their VPN is happier?
 

mvmanolov

macrumors 6502a
Original poster
Aug 27, 2013
858
5
Server 3.0.1 is out. I upgraded and my VPN still works, but I did the /usr/sbin/racoon hack. Anybody up for upgrading and seeing if their VPN is happier?

I need the machine for some work over the next month but I'll do the upgrade after and test :D
 

mvmanolov

macrumors 6502a
Original poster
Aug 27, 2013
858
5
Updated to Server 3.0.1, tried L2TP from my iPad using 3G; did not work.

That has been the general consensus on the Apple forums. I don't really want to mess with the racoon file as I'll have to do another clean install after they release a fix, so…… waiting it is still :(
 

jbeck22

macrumors newbie
Nov 20, 2013
6
0
I'm having the same issue as everyone else.

Here is my setup:
MacBook Air with Mavericks installed and Server installed (don't judge me)

I went from ML to Mavericks to Server 3.0.1...no server when I was on ML.

I restored a copy of the racoon file from backup and rebooted, but it still didn't fix my issue.

Anything else I should try?

Thank you
 

thevidness

macrumors member
Nov 1, 2013
60
35
Berlin, Germany
I had high hopes for the 10.9.1 update; sadly it did not fix the issue.

But I took the plunge and used Voch's method of overwriting racoon with the Mountain Lion version as outlined in his post https://forums.macrumors.com/posts/18284153/

Followed by an additional reboot, that worked flawlessly. I encourage everybody on a small, personal setup to try that. It's easily reverted, too.
 

Voch

macrumors member
Jan 27, 2006
54
0
Same here. In fact, the 10.9.1 update stomped on /usr/sbin/racoon (the file is dated yesterday when I applied the update) so I'll have to reapply the hack again.
 