Apple Mac OS X Server Network Card User Manual


 
244 Chapter 14 Working with Network Services
• The form of IPSec security to use (certificate or shared secret). Before choosing certificate-based authentication, ensure that at least one certificate is currently installed on the server; s2svpnadmin will display a list of currently installed certificates and prompt you to choose one of them. Certificates can be created, self-signed, and installed using the Server Admin application. If a shared secret is desired, ensure that the same shared secret is configured on the VPN server at the other site.
• One or more policies, each consisting of local and remote subnet addresses. A policy is made of a local network and a remote network. A network is specified by a network address and the number of prefix bits that must be masked in an IPv4 address to determine the network address it corresponds to. Ensure that a compatible policy is configured on both VPN servers.
If an invalid entry is made, s2svpnadmin will force you to start all over again.
Note: s2svpnadmin will ask whether the server should be enabled. By default, it is enabled. Currently, s2svpnadmin does not support editing a configuration, so if the server is not enabled, the configuration will need to be deleted, then recreated and enabled later; alternatively, you can edit the configuration file directly. The configuration file is a plist located at /Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist.
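The policy prompt above is the easiest place to make a mistake that only shows up when the tunnel fails to come up: a network entered with host bits set, or a policy whose mirror image was not configured on the other site. The following script is an added example, not part of the manual or of s2svpnadmin; it assumes you have written both sites' policies down as (local address, local prefix bits, remote address, remote prefix bits) tuples (constructed sample data below) and checks them before you type them in.

```python
import ipaddress


def normalize_network(addr: str, prefix_bits: int) -> ipaddress.IPv4Network:
    """Mask addr with prefix_bits and return the network it belongs to.
    strict=False clears host bits instead of raising, so
    ('10.0.1.37', 24) -> 10.0.1.0/24."""
    return ipaddress.IPv4Network((addr, prefix_bits), strict=False)


def has_host_bits(addr: str, prefix_bits: int) -> bool:
    """True when addr is not a proper network address for the given prefix,
    i.e. the operator typed a host address instead of the subnet."""
    network = normalize_network(addr, prefix_bits)
    return ipaddress.IPv4Address(addr) != network.network_address


def policies_compatible(site_a: list, site_b: list) -> list:
    """Each policy is (local_addr, local_prefix, remote_addr, remote_prefix).
    For the two VPN servers to agree, every policy on site A must appear on
    site B with local and remote swapped, and vice versa.
    Returns a list of problem descriptions; an empty list means compatible."""

    def as_pairs(policies):
        return {(normalize_network(la, lp), normalize_network(ra, rp))
                for la, lp, ra, rp in policies}

    a_pairs, b_pairs = as_pairs(site_a), as_pairs(site_b)
    problems = []
    for local, remote in sorted(a_pairs):
        if (remote, local) not in b_pairs:
            problems.append(f"site A policy {local} <-> {remote} has no mirror on site B")
    for local, remote in sorted(b_pairs):
        if (remote, local) not in a_pairs:
            problems.append(f"site B policy {local} <-> {remote} has no mirror on site A")
    return problems


# Constructed sample policies for two sites (hypothetical addresses).
SITE_A = [("192.168.10.0", 24, "192.168.20.0", 24)]
SITE_B = [("192.168.20.0", 24, "192.168.10.0", 24)]        # correct mirror
SITE_B_BAD = [("192.168.20.0", 24, "192.168.10.0", 25)]    # wrong prefix on remote side

if __name__ == "__main__":
    print(policies_compatible(SITE_A, SITE_B))      # [] -> compatible
    for problem in policies_compatible(SITE_A, SITE_B_BAD):
        print(problem)
```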
Adding a VPN Keyagent User
To enable the PPTP protocol in your VPN server, you must add a keyagent user in the
LDAP folder that hosts your users. If you have more than one folder with VPN users, you
must add a keyagent in each of the folders.
The vpnaddkeyagentuser tool lets you add the required VPN PPTP keyagent user to a folder. The tool will prompt you for the administrator user name and password of the folder, and will then set up the keyagent user. This step is required before you can configure the VPN PPTP server.
Note: You must run the vpnaddkeyagentuser command on the computer running the
VPN service.
To add the keyagent user to the OpenLDAP master on your local computer:
$ sudo vpnaddkeyagentuser /LDAPv3/127.0.0.1
If your OpenLDAP master is not running on the local computer, replace 127.0.0.1 with the IP address of the OpenLDAP master. vpnaddkeyagentuser must be run as root. If no argument is specified, the keyagent user is added to the local NetInfo directory domain.