Netgate Discussion Forum
    Mac can't connect to VPN with IKEv2 with EAP-MSCHAPv2

    3 Posts 3 Posters 4.6k Views
    Fauk:

      Hello folks,

      I have a problem with my pfSense firewall regarding Mac clients who want to connect to the firewall via VPN. I installed VPN via IKEv2 with EAP-MSCHAPv2 by doing everything this tutorial mentioned:

      https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2#OS_X_10.11.2B_Setup

      For Windows, everything works fine. The users can connect and work with the VPN. But our Mac just can't connect to it. It doesn't even get an error message. The Mac tries to connect for about 1 second and then nothing else happens. Are there some known problems regarding Macs? Or do I have to change certain settings to enable both Windows and Mac to work with the VPN?

      On some Windows machines I had to disable the EKU check via the registry, so I was wondering if there is something similar for the Mac?

      jimp (Rebel Alliance Developer, Netgate):

        If you had to disable the EKU check then you didn't make the server cert properly, which may also explain the Mac failing.

        Redo the server cert making sure to follow this part exactly: https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2#Create_a_Server_Certificate

        CloudJourneyman:

          Thanks jimp. This answer helped me resolve our issues with Macs not being able to connect (and also Windows clients needing to disable the EKU check).

          When I created the Server Certificate initially I had used one address in the Common Name and a different one in the Subject Alternate Name. I created a new key with the Common Name and SAN matching (in System > Cert. Manager > Certificates) and then changed the certificate being used in the Mobile IPSec Phase 1 entry (VPN > IPSec > Tunnels > - Edit the Mobile IPSec Phase 1 entry - My Certificate).

          Everything now works perfectly for both Mac and Windows (without the registry setting change).

          Much appreciated.

          Perhaps it's worthwhile providing some more info in the documentation about why the IKE auth error occurs as well as providing the EKU Check registry hack to get around it.

          Thanks again, we can now move from PPTP over to a secure VPN technology. :)
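          A certificate sanity check in the spirit of jimp's answer and CloudJourneyman's fix, added here as an example and not part of the thread or of pfSense: it flags a server certificate whose Common Name is not repeated in the Subject Alternative Name and one that lacks the Server Authentication EKU (the usage the Windows EKU check looks for). It assumes openssl is installed and that the certificate was exported from System > Cert. Manager as PEM; the function names and the vpn.example.com certificates are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added check (not from the thread or the pfSense docs): inspect an exported IKEv2
# server certificate for the two defects discussed above, a Common Name that is
# not repeated in the SAN and a missing Server Authentication EKU. Needs openssl.
set -u

# Helpers: CN from the subject, then the SAN and EKU value lines of the -text dump.
cert_cn()  { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'; }
cert_san() { openssl x509 -in "$1" -noout -text | awk '/Subject Alternative Name/{getline; print}' | sed 's/^ *//'; }
cert_eku() { openssl x509 -in "$1" -noout -text | awk '/Extended Key Usage/{getline; print}' | sed 's/^ *//'; }

# check_ikev2_server_cert <cert.pem>: returns 0 when the CN is listed in the SAN
# and the EKU includes Server Authentication; prints findings and returns 1 otherwise.
check_ikev2_server_cert() {
  local cert="$1" cn san eku rc=0
  cn=$(cert_cn "$cert"); san=$(cert_san "$cert"); eku=$(cert_eku "$cert")
  # SAN entries print as "DNS:vpn.example.com, IP Address:203.0.113.1"; split them
  # and drop the type prefix so a DNS name or an IP address CN can match either.
  if ! printf '%s\n' "$san" | tr ',' '\n' | sed 's/^ *//; s/^[A-Za-z ]*://' | grep -qxF -- "$cn"; then
    echo "FAIL: CN '$cn' is not listed in the SAN (${san:-no SAN extension})"; rc=1
  fi
  if ! printf '%s\n' "$eku" | grep -q 'TLS Web Server Authentication'; then
    echo "FAIL: EKU lacks Server Authentication (${eku:-no EKU extension})"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK: $cert has its CN in the SAN and a Server Authentication EKU"
  return "$rc"
}

# make_test_cert <out.pem> <cn> <san> [eku]: self-signed throwaway certificate,
# constructed only for the demonstration (the private key is discarded).
make_test_cert() {
  local cfg; cfg=$(mktemp)
  {
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ext\nprompt=no\n'
    printf '[dn]\nCN=%s\n[ext]\nsubjectAltName=%s\n' "$2" "$3"
    if [ -n "${4:-}" ]; then printf 'extendedKeyUsage=%s\n' "$4"; fi
  } > "$cfg"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$cfg.key" -out "$1" -days 1 -config "$cfg" 2>/dev/null
  rm -f "$cfg" "$cfg.key"
}

# Demonstration: one certificate with CN matching its SAN and a Server Authentication
# EKU, and one with the CN/SAN mismatch described in the post above (expected to fail).
demo=$(mktemp -d)
make_test_cert "$demo/good.pem" vpn.example.com DNS:vpn.example.com serverAuth
make_test_cert "$demo/mismatch.pem" vpn.example.com DNS:vpn.example.net serverAuth
check_ikev2_server_cert "$demo/good.pem"
check_ikev2_server_cert "$demo/mismatch.pem" || true
rm -rf "$demo"
```

Run it as `check_ikev2_server_cert exported-server-cert.pem` against the certificate selected under "My Certificate" in the Mobile IPsec Phase 1 entry; a FAIL on either line means the certificate should be recreated rather than the client check disabled.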
