Before you start doing this, make sure the following ports are not blocked by your router or ISP.
UDP 500 for ISAKMP/IKE
UDP 1701 for L2TP
UDP 4500 for IPsec NAT Traversal
Usually, you should be able to configure your router to enable these ports for designated IP address. Therefore, you would probably need to assign static IP address for your to-be-server machine first, based on the physical address, and then open up the ports necessary.
Now, let us dive into the setup. First, create /Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist file with the following content
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>ActiveServers</key>
<array>
<string>com.apple.ppp.l2tp</string>
</array>
<key>Servers</key>
<dict>
<key>com.apple.ppp.l2tp</key>
<dict>
<key>DNS</key>
<dict>
<key>OfferedSearchDomains</key>
<array/>
<key>OfferedServerAddresses</key>
<array>
<string>168.126.63.1</string>
<string>8.8.4.4</string>
</array>
</dict>
<key>IPv4</key>
<dict>
<key>ConfigMethod</key>
<string>Manual</string>
<key>DestAddressRanges</key>
<array>
<string>192.168.0.201</string>
<string>192.168.0.255</string>
</array>
</dict>
<key>Interface</key>
<dict>
<key>SubType</key>
<string>L2TP</string>
<key>Type</key>
<string>PPP</string>
</dict>
<key>L2TP</key>
<dict>
<key>IPSecSharedSecret</key>
<string>com.apple.ppp.l2tp</string>
<key>IPSecSharedSecretEncryption</key>
<string>Keychain</string>
<key>Transport</key>
<string>IPSec</string>
</dict>
<key>PPP</key>
<dict>
<key>AuthenticatorACLPlugins</key>
<array>
<string>DSACL</string>
</array>
<key>AuthenticatorPlugins</key>
<array>
<string>DSAuth</string>
</array>
<key>AuthenticatorProtocol</key>
<array>
<string>PAP</string>
</array>
<key>LCPEchoEnabled</key>
<integer>1</integer>
<key>LCPEchoFailure</key>
<integer>5</integer>
<key>LCPEchoInterval</key>
<integer>60</integer>
<key>Logfile</key>
<string>/var/log/ppp/vpnd.log</string>
<key>VerboseLogging</key>
<integer>1</integer>
</dict>
<key>Server</key>
<dict>
<key>Logfile</key>
<string>/var/log/ppp/vpnd.log</string>
<key>MaximumSessions</key>
<integer>128</integer>
<key>VerboseLogging</key>
<integer>1</integer>
</dict>
</dict>
</dict>
</dict>
</plist>
Make modifications in line 19-20 and 29-30. Lines 19-20 will be your DNS addresses whereas lines 29-30 will be the start and end client addresses to be assigned by the server. Make sure that these addresses do not overlap with your router's assignment.
Next, change the owner of the file by
$ sudo chown root:wheel /Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist
and change the access control by
$ sudo chmod 644 /Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist
Now you will need to provide the L2TP secret phrase. Run the following command where you replace SHARED-SECRET-PHRASE with your own.
$ sudo security add-generic-password -a com.apple.ppp.l2tp -s com.apple.net.racoon -T /usr/sbin/racoon -p "SHARED-SECRET-PHRASE" /Library/Keychains/System.keychain
Create /Library/LaunchDaemons/com.apple.ppp.l2tp.plist with the following content
<?xml version=”1.0″ encoding=”UTF-8″?>
<!DOCTYPE plist PUBLIC “-//Apple//DTD PLIST 1.0//EN”
“http://www.apple.com/DTDs/PropertyList-1.0.dtd“>
<plist version=”1.0″>
<dict>
<key>Label</key>
<string>com.apple.ppp.l2tp</string>
<key>ProgramArguments</key>
<array>
<string>/usr/sbin/vpnd</string>
<string>-x</string>
<string>-i</string>
<string>com.apple.ppp.l2tp</string>
</array>
<key>OnDemand</key>
<false/>
</dict>
</plist>
Finally, you need to load the launchd config and start the daemon after reboot:
$ sudo launchctl load -w /Library/LaunchDaemons/com.apple.ppp.l2tp.plist
If you want to disable VPN service and not start the daemon after reboot, run
$ sudo launchctl unload -w /Library/LaunchDaemons/com.apple.ppp.l2tp.plist
Now, you should be able to connect to your VPN server! To login, use your Mac OS X's username and password.
brah! thanks a million
ReplyDelete