Mac can't connect to VPN with IKEv2 with EAP-MSCHAPv2
-
Hello folks,
I have a problem with my pfsense firewall regarding Mac clients who want to connect to the firewall via VPN. I installed VPN via IKEv2 with EAP-MSCHAPv2 by doing everything this tutorial mentioned:
https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2#OS_X_10.11.2B_Setup
For Windows, everything works fine. The users can connect and work with the VPN. But our Mac just can't connect to it. It doesn't even get an error message. The Mac tries to connect for about 1 second and then nothing else. Are there some known problems regarding Macs? Or do I have to change certain settings to enable both Windows and Mac to work with the VPN?
On some Windows machines I had to disable the EKU check via the registry, so I was wondering if there is something similar for the Mac?
-
If you had to disable the EKU check then you didn't make the server cert properly, which may also explain the Mac failing.
Redo the server cert making sure to follow this part exactly: https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2#Create_a_Server_Certificate
-
Thanks jimp. This answer helped me resolve our issues with Macs not being able to connect (and also Windows clients needing to disable the EKU check).
When I created the Server Certificate initially I had used one address in the Common Name and a different one in the Subject Alternative Name. I created a new key with the Common Name and SAN matching (in System > Cert. Manager > Certificates) and then changed the certificate being used in the Mobile IPsec Phase 1 entry (VPN > IPsec > Tunnels > Edit the Mobile IPsec Phase 1 entry > My Certificate).
Everything now works perfectly for both Mac and Windows (without the registry setting change).
Much appreciated.
Perhaps it's worthwhile providing some more info in the documentation about why the IKE auth error occurs as well as providing the EKU Check registry hack to get around it.
Thanks again, we can now move from PPTP over to a secure VPN technology. :)
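Added example, not part of the thread and not pfSense's own tooling: a POSIX shell check, built on openssl, that reports whether an exported IKEv2 server certificate has the two properties the answer and the follow-up describe, namely the hostname in the Common Name also appearing in the Subject Alternative Name, and the Server Authentication EKU whose absence is what the Windows registry workaround papers over. The helper that builds throwaway certificates exists only to produce constructed test data; the file names and the hostname vpn.example.com are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): check an IKEv2 server certificate the way
# a strict client does. Assumes: openssl on PATH, cert exported from pfSense as PEM.

# make_test_cert <out.pem> <cn> <san-list> [eku]
# Constructed test data only: a one-day self-signed cert with the given fields.
make_test_cert() {
    out="$1"; cn="$2"; san="$3"; eku="$4"
    cfg=$(mktemp)
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $cn
[ext]
subjectAltName = $san
EOF
    if [ -n "$eku" ]; then
        printf 'extendedKeyUsage = %s\n' "$eku" >> "$cfg"
    fi
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$out.key" -out "$out" \
        -days 1 -config "$cfg" >/dev/null 2>&1
    rm -f "$cfg" "$out.key"
}

# check_ikev2_cert <cert.pem> <vpn-hostname>
# Prints one line per finding; returns 0 only when every check passes.
check_ikev2_cert() {
    cert="$1"; host="$2"; fail=0
    text=$(openssl x509 -in "$cert" -noout -text) || return 1
    # Subject CN (handles both "CN = x" and "CN=x" output styles)
    cn=$(printf '%s\n' "$text" | sed -n 's/.*Subject:.*CN *= *\([^,/]*\).*/\1/p' | head -n 1)
    # SAN and EKU values sit on the line after their extension header
    san=$(printf '%s\n' "$text" | awk '/Subject Alternative Name/{getline; print}' | tr -d ' ')
    eku=$(printf '%s\n' "$text" | awk '/Extended Key Usage/{getline; print}')

    if [ "$cn" = "$host" ]; then
        echo "ok:   CN is $host"
    else
        echo "FAIL: CN is '$cn', expected '$host'"; fail=1
    fi
    # macOS matches the remote ID against the SAN, so the CN name must be there too
    case ",$san," in
        *",DNS:$host,"*|*",IPAddress:$host,"*) echo "ok:   SAN contains $host" ;;
        *) echo "FAIL: SAN '$san' does not contain $host"; fail=1 ;;
    esac
    # Windows refuses the cert without this EKU unless the registry check is disabled
    case "$eku" in
        *"TLS Web Server Authentication"*) echo "ok:   EKU includes Server Authentication" ;;
        *) echo "FAIL: EKU missing Server Authentication (found: '$eku')"; fail=1 ;;
    esac
    return $fail
}

# Usage: sh check_ikev2_cert.sh /path/to/server-cert.pem vpn.example.com
if [ $# -eq 2 ]; then
    check_ikev2_cert "$1" "$2"
fi
```

Run it against the certificate exported from System > Cert. Manager before pointing the Mobile IPsec Phase 1 entry at it; a FAIL on the SAN or EKU line is exactly the condition that produced the silent Mac disconnect and the Windows registry workaround in the thread.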