MacOS Ventura and IPSec Mobile Clients

mattsowders1989 · Jan 17, 2023, 8:52 PM

cant figure out how to make Ventura connect.login-to-view

mattsowders1989 · Jan 17, 2023, 8:55 PM

the only thing i can come up with is an algorithm issue but i cant find any info. Any help would be greatly appreciated. Thanks in advance!

rcoleman-netgate · Jan 18, 2023, 1:44 PM

@mattsowders1989 I have had no issues getting my Macs to connect on V2... you're using a V1, though.

Try changing to V2 and enabling MOBIKE and see if that works

NogBadTheBad · Jan 18, 2023, 8:38 AM

@mattsowders1989 The following works for me with Monterey and IOS:-

login-to-view

Could do with tightening up a bit as I don't use any Windows clients anymore.

mattsowders1989 · Jan 18, 2023, 1:44 PM

@rcoleman-netgate I am using IKEv2 and MOBIKE enabled.login-to-view

mattsowders1989 · Jan 18, 2023, 1:47 PM

@rcoleman-netgate I have no issues with Monterey or iOS either. I do with Ventura though. No error on the Mac side, it just switches back to disconnected right after to try to connect.

jimp · Jan 18, 2023, 2:32 PM

Use a profile, don't rely on the defaults. If you have plus, use the Apple IPsec Export function to make a profile (VPN > IPsec Export: Apple Profile). If you are on CE, then download the utility from Apple to create a profile manually.

That's going to be the most reliable way to make sure it uses the appropriate configuration.

Also it's helpful to review the profile reference to make sure you're using what Apple considers a valid combination of options:

https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf

Using a profile, I have no problem getting macOS 13.1 to connect and pass traffic.

NogBadTheBad · Jan 18, 2023, 4:26 PM

@jimp I tried ages back with the profiles and it would only seem to export my self signed CA and not the certificate used in phase 1, maybe I'm just doing it wrong.

jimp · Jan 18, 2023, 4:27 PM

@nogbadthebad said in MacOS Ventura and IPSec Mobile Clients:

@jimp I tried ages back with the profiles and it would only seem to export my self signed CA and not the certificate used in phase 1, maybe I'm just doing it wrong

The CA is what gets imported to the client (so it can validate the server cert), the server certificate never gets copied to the client.

Client certificates would get copied to the client as well if it's using EAP-TLS.

NogBadTheBad · Jan 18, 2023, 4:29 PM

@jimp Ah I'm using EAP-RADIUS.

jimp · Jan 18, 2023, 4:34 PM

@nogbadthebad said in MacOS Ventura and IPSec Mobile Clients:

@jimp Ah I'm using EAP-RADIUS.

Then all you'd need is the CA that signed the server cert so the client can validate it as needed.

mattsowders1989 · Jan 18, 2023, 9:26 PM

I've tried everything to no avail. This is the first time I'm seeing this but when i try to import a vpn profile using Apple Configurator, I get an error "VPN Profile installation failed". Giving up for the day. Been a long one. Will keep digging tomorrow. Thanks everyone.

mattsowders1989 · Jan 27, 2023, 5:32 PM

Anyone ever experience a similar issue? I am still stumped.

jimp · Jan 27, 2023, 6:04 PM

Hard to say what might have happened from that error message. Apple can sometimes be a bit generic/unhelpful in that department.

I can say, though, that using our profile export tool on Plus I've generated and imported profiles for EAP-MSCHAPv2, EAP-RADIUS, and EAP-TLS using a variety of different P1/P2 configuration combinations and they all work perfectly with the latest version of the package (1.1_1).

mattsowders1989 · Mar 2, 2023, 7:48 PM

Turns out my issue was within phase 2 on the tunnel. I mistakenly unchecked "SHA384". Smh...... Just wanted to share.