Mobile IPsec VPN Apple Mac client settings
-
Hi All, I've got my Windows clients all connecting no problem to my IPsec VPN.
Now I'm trying to get some Apple Mac OSX (10.x) clients to connect.
I've followed the instructions but all I get is an authentication failure... and 11[IKE] <bypasslan|13> peer requested EAP, config inacceptable in the log. I'm trying to get it to authenticate via our RADIUS, which is all set up and working for the Windows clients... I'm googling all over the place trying to figure it out, but if anyone can save me some time that'd be great...
Kind regards.
Paul.
-
Anything in the OSX logs?
What settings are you using now in pfSense?
Still close to this?: https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/ikev2-with-eap-radius.html
Steve
-
@stephenw10 Hi, yes, exactly as per.... Windows clients work no problem. Mac native client prompts for username and password. Not checked logs on the Mac; not sure I know where to go to find them.
-
Have a look at the hangout we did on this:
https://youtu.be/iJ5GACqfIGs?t=1847
I suspect some of the default ciphers used may have been set to high levels since then in OSX but the error you're seeing seems more like an authentication issue.
Steve
-
@stephenw10 Hi, the video seems to show using the OpenVPN client.. the Macs in question have Viscosity and can connect with OpenVPN. What I'm looking to do is use an IPsec VPN client with RADIUS for the authentication.
-
The point where I linked to in the video is covering mobile IPsec IKEv2 EAP to OSX/iOS. OpenVPN was covered in the first part of the hangout.
Steve
-
@stephenw10 Ahh sorry, my apologies... so in your setup you're using SHA1 and 3DES, however I've already got this set up for my Windows clients and they're using SHA256 and AES 256, oh and DH group 14 (2048)... is there a way of forcing that on OSX that you've come across or do I need to "downgrade" it for OSX?
Thanks again for your help.
Paul.
-
It's been a while since I tried it but I think you had to deploy it as a profile to OSX to use anything but the default options there.
However since that hangout was made I also think OSX may have stepped up the encryption levels it uses by default... so maybe a bit of both in play here. I know at the time we chose those settings as the only thing that would work with everything.
Try setting it to the values in the hangout to make sure it connects and it is an encryption settings issue. If so look at deploying via a profile.
Steve
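
An added example (not posted by anyone in this thread) of the "deploy via a profile" route: a Python script that writes a .mobileconfig pinning the native IKEv2 client to the AES-256 / SHA256 / DH group 14 proposal mentioned above, with EAP username/password prompting. The key names follow Apple's configuration profile VPN payload; the hostname, identifiers and output filename are placeholders. It assumes the Mac already trusts the server certificate and that Phase 2 on the firewall uses the same algorithms.

```python
import plistlib
import uuid

# Proposal the thread says the Windows clients already use.
PROPOSAL = {
    "EncryptionAlgorithm": "AES-256",
    "IntegrityAlgorithm": "SHA2-256",
    "DiffieHellmanGroup": 14,  # 2048-bit MODP
}

def new_uuid():
    return str(uuid.uuid4()).upper()

def build_ikev2_profile(server, remote_id, local_id, org="com.example"):
    """Return XML plist bytes for an IKEv2 EAP profile (org is a placeholder)."""
    vpn = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.vpn.ikev2",
        "PayloadUUID": new_uuid(),
        "PayloadDisplayName": "IKEv2 EAP-RADIUS VPN",
        "UserDefinedName": "IKEv2 EAP-RADIUS VPN",
        "VPNType": "IKEv2",
        "IKEv2": {
            "RemoteAddress": server,
            "RemoteIdentifier": remote_id,  # must match the server's identity
            "LocalIdentifier": local_id,
            "AuthenticationMethod": "None",  # no client cert or PSK
            "ExtendedAuthEnabled": 1,        # EAP; credentials are prompted
            # Assumption: Phase 1 and Phase 2 use the same algorithms.
            "IKESecurityAssociationParameters": dict(PROPOSAL),
            "ChildSecurityAssociationParameters": dict(PROPOSAL),
        },
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.vpn.profile",
        "PayloadUUID": new_uuid(),
        "PayloadDisplayName": "Mobile IPsec VPN",
        "PayloadContent": [vpn],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)

if __name__ == "__main__":
    # Constructed placeholder values; replace with the real server name.
    data = build_ikev2_profile("vpn.example.com", "vpn.example.com", "macclient")
    with open("mobile-ipsec.mobileconfig", "wb") as fh:
        fh.write(data)
```

The proposal in the profile has to match what the server's Phase 1 and Phase 2 entries offer, otherwise negotiation fails before authentication is attempted.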