Does the following VPN log look familiar?

CHAP peer authentication succeeded for charlie

DSAccessControl plugin: User ‘charlie’ authorized for access

MPPE required, but keys are not available. Possible plugin problem?

sent LCP TermReq id=0×4 \”MPPE required but not available\”

Does your WGM have a user with the UID # 57 ?

Does your WGM list a user “vpn_XXXXX” (you might need to enable: View ->”Show System Users and Groups”)

I manage two OS X leopard servers one is a Intel Harpertown XServe and the other is a iMac G4. The Xserve managed to create the vpn_XXXXX user on its own (and have a functioning VPN for 10 days). My personal machine is the PPC G4 and although the DNS – OD – VPN are configured identically between the machines the G4 never managed to create the system user vpn_XXXXX Hence VPN never connected.

After further investigation It looks like the G4 did manage to create a keychain access file for the VPN but it never got added to the OD database, I tried to just add an OD DB entry for the keychain file that the system created. This however did not solve the problem, I assume this is because I thought it smart to cross reference the UID # from the Xserve (I figured the xserve did it correctly on its own so I should use the UID # it picked) this I believe is the only reason it didn’t work.

So after abandoning UID # 57 I created yet another keychain ticket using:

“vpnaddkeyagentuser /LDAPv3/127.0.0.1” – this creates an entry in system keychain called com.apple.ras (this will require authenticating with the OD Admin credentials)

Next up is to head over to the Keychain Access.app and locate the “com.apple.ras” double click to open the info on this record, check the box for “Show password” Leave this window up!

Open the WGM authenticate as the OD admin (be sure you are editing the /LDAPv3/127.0.0.1)

Create a new user:

Copy the text from the Keychain window titled Account paste this into the Name field of the WGM (this should auto populate the Short Name field)

Copy the PW from the keychain window over to WGM.

Don’t mess with the User ID that the WGM picks….

Back to the terminal

use:mkpassdb -dump (This command will get a list of the users credentials. Find the entry corresponding to the vpn_xxxxx user we just created in WGM.)

The last step is to run: “mkpassdb -setkeyagent 0×12345″ Replacing the 12345 with the ID we found in the last command

On the Xserve all I had to do was use the “vpnaddkeyagentuser /LDAPv3/127.0.0.1” this managed to create the keychain ticket – create a OD record and mkpassdb -setkeyagent on the OD record it created. This resulted in the VPN coming right back online.

So in both cases I had to do similar things to fix the issue however as I mentioned above they were configured identically yet the both had unique failures surrounding the same problem. I guess getting the Xserve back online got me thinking about the box at home and how nice it would be for the service to work correctly.

I figured most of this by reading threads on the Apple OS X Server Forum, a really good resource for anyone running OS X server.