Thursday, July 21, 2011

Lion Server, VPN and Time Capsule as Router Issue

Well, today I upgraded all my machines to Lion and the experience overall was pleasant. Since I had 4 machines to upgrade, rather than downloading the installer 4 times I saved it to a flash drive and installed from that on the other machines. This only works if you copy the installer right after the App Store download completes and before you run it (the app shows up in the Applications folder).

Anyway, getting down to the point. Once I was done, I purchased and downloaded Lion Server for my Mac mini so I could enable the VPN service. This should really be an easy 1-2-3 click process, but the VPN would fail from outside the network (which is exactly where we needed it to work).

The admin tool set up my Time Capsule (AirPort Extreme) base station appropriately as far as which ports to open. For 2 hours I was beating my head against a wall trying to figure out why external requests would not pass through to the server. I tried many different things, from opening other ports to setting a default host. But the issue lies in the latest firmware for the base stations (7.5.2). I finally found that information in the Apple support forums. So I went ahead and downgraded my station to firmware 7.4.2 and everything worked fine. You can easily do this by following these steps:
  1. Launch AirPort Utility, found in Applications > Utilities > AirPort Utility
  2. Click on the base station you want to downgrade in the sidebar (left column of the window)
  3. In the menu bar select 'Base Station'
  4. Select 'Upload Firmware...'
  5. Select '7.4.2'
  6. Select 'OK'
Do that, then try your VPN connection, and voilà, it works! Thank you, Apple, for wasting 2+ hours of my day.


For this to work on 7.4.2 and later, make sure you do not have any account configured in the Back to My Mac settings on the base station!
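As an added example (not part of the original post or its comments), here is a small POSIX shell helper for the step that ate the two hours above: rather than guessing at router rules, capture on the Lion Server host while a remote client tries to connect and check which of the VPN ports actually received packets through the base station's NAT. It assumes the standard L2TP/IPsec ports (UDP 500 for IKE, UDP 4500 for IPsec NAT-T, UDP 1701 for L2TP, plus bare ESP), the default `tcpdump -n` line layout, and `en0` as the server's LAN interface; none of these come from the page.

```shell
#!/bin/sh
# Added example, not from the original post. Checks on the Lion Server host
# whether the L2TP/IPsec ports forwarded by the base station actually receive
# traffic from a remote client, using tcpdump output as the evidence.
#
# Assumptions (not stated on the page): the standard L2TP/IPsec ports
# UDP 500 (IKE), UDP 4500 (IPsec NAT-T) and UDP 1701 (L2TP), the default
# "tcpdump -n" line layout, and "en0" as the server's LAN interface.

VPN_PORTS="500 4500 1701"

# Capture filter covering everything a remote L2TP/IPsec client sends.
# ESP (IP protocol 50) is included for clients that are not behind NAT;
# behind NAT the IPsec traffic arrives inside UDP 4500 instead.
vpn_capture_filter() {
    printf 'udp port 500 or udp port 4500 or udp port 1701 or esp'
}

# Read "tcpdump -n" lines on stdin and print, on one line, which of the VPN
# ports appeared as a destination port. A typical input line looks like:
#   12:00:01.000000 IP 203.0.113.5.500 > 192.168.1.10.500: isakmp: phase 1 I ident
# Field 5 is "dst-ip.dst-port:"; the last dot-separated component is the port.
ports_seen() {
    awk '
    BEGIN { order[1] = "500"; order[2] = "4500"; order[3] = "1701" }
    $2 == "IP" {
        dst = $5
        sub(/:$/, "", dst)
        n = split(dst, part, ".")
        port = part[n]
        if (port == "500" || port == "4500" || port == "1701") seen[port] = 1
    }
    END {
        out = ""
        for (i = 1; i <= 3; i++)
            if (order[i] in seen) out = out (out == "" ? "" : " ") order[i]
        print out
    }'
}

# Print the VPN ports that never showed up in the capture. An empty result
# means the base station is passing all three; anything listed is a port the
# router is still not forwarding, whatever its rule table claims.
missing_ports() {
    seen=" $(ports_seen) "
    missing=""
    for p in $VPN_PORTS; do
        case "$seen" in
            *" $p "*) ;;
            *) missing="$missing $p" ;;
        esac
    done
    echo "${missing# }"
}

# Usage on the server while a remote client attempts to connect:
#   sudo tcpdump -n -l -i en0 "$(vpn_capture_filter)" | tee vpn-capture.log
# then, after the attempt:
#   missing_ports < vpn-capture.log
```

If IKE on UDP 500 shows up but nothing ever arrives on UDP 4500, the router is forwarding the first rule and dropping the NAT-T one, which is exactly the half-working state that looks like a server problem from the outside.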


  1. You are an absolute life saver my friend, I've been banging my head against the desk for hours trying to figure this crap out. Your fix was perfect and everything is working fine now. Thank you so much. You really would think Apple would be on top of the ball but I guess not.

  2. I am having trouble locating 7.4.2. Apple no longer has it on their site, it now just takes you to an article. Any ideas where I might find it?

  3. Problem solved! Thank you so much for the troubleshooting, I was tearing my hair out trying to figure it out!

  4. I'm suffering the same problems not being able to use Lion Server VPN on firmware 7.5.2.

    Does anyone have a link to 7.4.2? Where can I get it to downgrade since it's not an option in my AirPort Utility?

  5. I had this issue, but this fixed it for me on 7.5.2:

    - Create 3 NAT rules, one for each port (500, 1701, 4500)
    - Forward both TCP and UDP for each one

    It seems like the rule automatically applied by the Lion Server admin tool, though it appears totally correct (UDP only, everything in one rule), was not forwarding packets - I confirmed this with tcpdump on the server machine.

  6. Negative dom, that still does not work if you have firmware 7.5.2 installed.

  7. It worked for me with 7.5.2, verified with tcpdump. I have full connectivity through my TC (version 3) with the above settings.

    I've not been able to downgrade to 7.4.2, due to not having a 7.4.2 image about - 7.5 was the oldest I had. I'm not even sure 7.4.2 is compatible with the latest TC's that just came out...

  8. I can confirm that this method doesn't work on 7.5.2. I have three TC's at the various offices. Only one VPN is working - 7.4.2

  9. Check this out, may be the answer. Apparently you can't use special characters in the shared secret...

    I removed the special character and can connect right away from iPad using 7.5.2 on the TC firmware.

  10. Anonymous, 2:02 AM

    Thank you for creating a tutorial on VPNs, it worked perfectly like you said.

  11. Well, today I upgraded to firmware version 1.6 and I still had the issue. But just for kicks I decided to reconfigure the AirPort station from my Mac server, and this time it stated that VPN can interfere with the Back to My Mac option on the device.

    Believe it or not, that was the issue!!!!!

    Remove your .me account from the back to my mac preference of the router and then everything works again.

  12. It's really running like a time capsule. Thanks for posting how to update the firmware on my Mac.