Vpn Options For Mac

Posted on
Vpn Options For Mac Rating: 4,5/5 504 votes

When setting up an L2TP VPN service for remote access on Windows Routing and Remote Access, we ran into an odd problem with setting options on the connecting clients. The way to provide these settings to L2TP clients in RRAS in through DHCP - an L2TP client sends a DHCPInform packet, which then applies the settings from DHCP options (option 15 for the DNS search suffix, and option 121 for split tunnel routes). In most L2TP client VPN endpoints like Cisco ASAs, the L2TP service crafts the DHCP response with the DNS and routing settings configured - but in RRAS, you use the DHCP relay built into RRAS, or a DHCP server on the local subnet - but these options must be set in DHCP, not via RADIUS attribute or RRAS setting or anything else.

Vpn Options For Mac

(for too much detail on how the DHCPInform works and why it's so necessary, follow between a couple of our Server Fault regulars) We found that no Mac (or iOS, for that matter) clients would successfully retrieve these options on our newly configured Windows Server 2016 VPN server, instead timing out on their attempts to get DHCP from the VPN server (from /var/log/ppp.log after turning on verbose logging). Fri Dec 1 12:: sent IP data Fri Dec 1 12:: sent IP data Fri Dec 1 12:: No DHCP server replied Watching the RRAS server as this happens, the DHCP Relay seems to see these packets, but oddly, reports them as discarded (the numbers in the circled columns both increment immediately when the client logs the DHCP requests being sent): After turning up the RRAS logging knobs to the max, I expected the Windows event log to shed some light on the reason for the discards (since the ), but none of these events began logging. Finally, after turning on the RRAS tracing logs, C: Windows system32 tracing IPBOOTP.LOG finally provided a hint as to why the Mac's DHCP packets were unacceptable: 9712 12:09:10: dropping REQUEST with secs-since-boot 0 on interface 42 (192.0.2.8) Why won't the RRAS DHCP Relay do its job and send these VPN clients' DHCP packets to the DHCP server? As it turns out, the defaults for the DHCP relay agent simply don't work for some L2TP clients.

Mac Vpn Setup

Mac

When you set up an interface for DHCP relaying in RRAS (on the 'Internal' interface, where VPN clients go), the default options look like this: It looks unassuming, but the cause of this entire issue is the 'Boot threshold' setting. The makes it sound so helpful! Office for mac torrent.

Vpn

The number of seconds the relay agent waits before forwarding DHCP messages. You can also click the arrows to select a new setting. The default value is 4 seconds. This option is useful when you want a local DHCP server to respond first, but if the local DHCP server does not respond, you want to forward messages to a remote DHCP server. Obviously that option sounds like it only has bearing on when you're doing actual DHCP relaying inside your network. Not even the for using the DHCP Relay for VPN options have any mention of needing to pay attention to the boot threshold setting.

But, the logs don't lie, and dropping REQUEST with secs-since-boot 0 seemed like a clear indication that the DHCP relay agent itself was at fault. That error pointed me to a from a helpful admin in Lichtenstein, which finally showed me what was going on. The 'Boot threshold' DHCP relay option isn't a delay, as the documentation implies - it's a hard packet filter, and will drop all DHCP packets under the threshold. Setting this to anything higher than 0 makes no sense when using the DHCP relay for VPN clients (on the 'Internal' interface), and will break many L2TP client implementations' ability to retrieve DHCP options, despite there being no indication of this behavior in the documentation.

After setting the boot threshold on the DHCP Relay to 0, Mac L2TP clients successfully retrieve settings from DHCP options 15 (DNS suffix) and 121 (split tunnel routes).