You would think that, VPN being a vital part of network security, Apple would have given you a ton of options and unlimited control over its settings. But no, in Lion Server this is not the case. The PPTP protocol has been axed from Server App, and the L2TP settings are a shadow of their former selves.
[Screenshot: Lion VPN settings]
Now compare this to the VPN settings in 10.6 server.
[Screenshots: Snow Leopard VPN settings]
As you can see, the Lion VPN configuration options are, for lack of a better term, slim to none. Now, as Dave mentioned in his post Changing VPN and DNS in Lion Server, the auto setup has its problems, but it does get the job done, for better or worse. And if need be, some of the settings, like the "Client Configuration" setting, can be handled by editing com.apple.RemoteAccessServers.plist. Other L2TP settings are handled elsewhere in Server App, for example by the SSL Certificates service. But what about PPTP? Maybe you have some older Macs and Windows clients. Do you need to set up a different server or router for those clients? The good news is, no; no you don't. As fate would have it, Apple hasn't removed the PPTP server from the OS, just from the GUI.
You now need to use the command-line serveradmin tool to set up PPTP. The commands are below, as well as a link to the online Admin Guide page where I found the settings. And before you ask, yes, I set this up on Lion Server and was able to connect with Windows 7, Windows XP and Ubuntu 11. You have to read the logs in Terminal or Console, but at least the service works, right?
Terminal Setup.
- Type the following into Terminal:
$ sudo serveradmin settings
Authenticate if requested.
Enter the following:
vpn:Servers:com.apple.ppp.pptp:enabled = yes
vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:0 = value
vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:1 = value
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorProtocol:_array_index:0 = value
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorPlugins:_array_index:0 = value
vpn:Servers:com.apple.ppp.pptp:Radius:Server:_array_index:0:Address = value
vpn:Servers:com.apple.ppp.pptp:Radius:Server:_array_index:0:SharedSecret = value
vpn:Servers:com.apple.ppp.pptp:Radius:Server:_array_index:1:Address = value
vpn:Servers:com.apple.ppp.pptp:Radius:Server:_array_index:1:SharedSecret = value
vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeysize40 = value
vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeysize128 = value
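Once the settings above are in place, the only way to confirm what the server actually ended up with is to read them back with `sudo serveradmin settings vpn`. The following shell script is an added example (not from the original post or from Apple) that audits such a dump: it checks that PPTP is enabled, that a client address pool is defined, that the authenticator is MSCHAP2 (MPPE session keys are only derived from an MS-CHAP exchange, so any other authenticator leaves the "MPPE required" failure mode the comments mention), and that only the 128-bit MPPE key size is allowed. The key names are the serveradmin keys quoted in the post; the two sample dumps and their values are constructed for offline use and are not real server output.

```shell
#!/bin/sh
# Audit helper for Lion Server PPTP settings (added example, not the post's own code).
# Real use on a server:   sudo serveradmin settings vpn > vpn.txt; audit_pptp "$(cat vpn.txt)"
# The two dumps below are CONSTRUCTED samples; only the key names come from the post.

SAMPLE_GOOD='vpn:Servers:com.apple.ppp.pptp:enabled = yes
vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:0 = "192.0.2.200"
vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:1 = "192.0.2.220"
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorProtocol:_array_index:0 = "MSCHAP2"
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorPlugins:_array_index:0 = "DSAuth"
vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeysize40 = no
vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeysize128 = yes'

# A weak configuration: no address pool, PAP authenticator, 40-bit MPPE allowed.
SAMPLE_WEAK='vpn:Servers:com.apple.ppp.pptp:enabled = yes
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorProtocol:_array_index:0 = "PAP"
vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeysize40 = yes
vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeysize128 = yes'

# pptp_setting <dump> <key suffix>: print the value of one PPTP key, quotes stripped.
# serveradmin prints "key = value", so awk sees key in $1 and value in $3.
pptp_setting() {
    printf '%s\n' "$1" \
      | awk -v k="vpn:Servers:com.apple.ppp.pptp:$2" '
          $1 == k { v = $3; gsub(/"/, "", v); print v }'
}

# audit_pptp <dump>: print one finding per line; return 0 when clean, 1 otherwise.
audit_pptp() {
    dump="$1"; rc=0
    if [ "$(pptp_setting "$dump" enabled)" != "yes" ]; then
        echo "INFO: PPTP service is not enabled"; return 0
    fi
    if [ -z "$(pptp_setting "$dump" 'IPv4:DestAddressRanges:_array_index:0')" ]; then
        echo "FAIL: no client address pool (DestAddressRanges) defined"; rc=1
    fi
    if [ "$(pptp_setting "$dump" 'PPP:AuthenticatorProtocol:_array_index:0')" != "MSCHAP2" ]; then
        echo "FAIL: authenticator is not MSCHAP2, so MPPE keys cannot be derived"; rc=1
    fi
    if [ "$(pptp_setting "$dump" 'PPP:MPPEKeysize40')" = "yes" ]; then
        echo "FAIL: 40-bit MPPE is enabled"; rc=1
    fi
    if [ "$(pptp_setting "$dump" 'PPP:MPPEKeysize128')" != "yes" ]; then
        echo "FAIL: 128-bit MPPE is not enabled"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: PPTP enabled with MSCHAP2 and 128-bit MPPE only"
    fi
    return "$rc"
}

# Stand-alone demonstration on the constructed samples.
audit_pptp "$SAMPLE_GOOD"
audit_pptp "$SAMPLE_WEAK"
```

Because serveradmin quotes string values but not booleans, the helper strips the quotes before comparing; the script never changes anything on the server, it only reads a dump, so it is safe to run on a production box after every settings change.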
a) there's a typo: there should NOT be a space in "AuthenticatorProtocol:_array_ index:0"
b) even without the typo it just does not work even though Apple says it does. Apple's 10.7 Server vpn server can't find its MPPE keys.
Hi Ernst,
You know, that doesn't surprise me; Lion Server has proven to be unpredictable and temperamental. Not sure what your server configuration is, but the Mac Mini I set this up on was built in a style that would be more appropriate for 10.6. It has a USB to Ethernet adapter that allows the server to be on the internet, while the built-in Ethernet does LAN duty. The users were built with Workgroup Manager and not Server App, and the other services running at the time of VPN config were AFP, Firewall, OD and DNS. Not sure if any of that will help. Our time with Lion Server has been frustrating at best, and let's just say it has lots of room for improvement. That said, it did work for me, so don't throw in the towel.
And thanks for the heads-up on the typo.
Today, Apple has finally fixed the typo in HT4748 (the erroneous space is no longer there).
http://support.apple.com/kb/HT4748
Even so, when following the instructions mentioned in HT4748 we have not been able to get PPTP to work, even on a vanilla Lion server.
Apple wants us to use the safer L2TP/IPSec solution, which would be great if Apple had actually implemented the UDP port 4500 NAT Traversal fallback properly so that it would be possible for NATted users in the same subnet to simultaneously use VPN (instead of being kicked out when someone else logs in, as is what happens now).
Very frustrated with Lion server…
Hi Ernst,
Again not a surprise; we have several 10.7 Lion Servers in the field and they all react differently to the same setup. Not sure what the deal is, but the only server that the PPTP setup worked on was the test server we built. Hopefully Apple will take the same path with Lion Server as they have with Final Cut X.
The referenced KB article http://support.apple.com/kb/HT4748 no longer exists. It's gone gone gone. We can only hope that this means a solution is imminent?
Wow, you're right, but I noticed that the page is still in the Admin Guide. I have been using iVPN to get the PPTP to work. Have had 99% success, and it's not too expensive. But I agree, let's hope we see a GUI update in the OS.
Thanks for this. I've been banging my head trying to figure out why the PPTP connection wasn't working. Still having "MPPE required" errors when using Authentication but that's another story. Also wanted to point out that you copied the L2TP version of the terminal commands not the PPTP version.
Hi hford,
Glad we could be of some help. As for the link, I have fixed it like five times now and it keeps switching back on me. But thanks for the heads-up. I'll fix it again.
Good news, 10.7.3 Server brings PPTP back to the GUI. One caveat, for servers upgraded from 10.7.2 some extra handling is required as stated in (the new version of) http://support.apple.com/kb/HT4748 and PPTP is only available for Open Directory users, not local users (which is not an issue of course).
Basically it's just a matter of setting the correct policy for the vpn keyagent user (which might work with 10.7.2 as well).
Hi Ernst,
Thanks for the return visit. The re-emergence of PPTP is a great sign. We spent all last week at an advanced training camp held by Apple, and all I can say (we are bound by an NDA) is that Apple is aware that 10.7 Server is light on functionality. How long it takes them to change that is unknown, but the addition of PPTP and some other missing tools that were reintroduced in the last update are a good start.