08-23-2021 11:45 AM
Hi all,
Today I spent the whole day trying to get a macOS client (built-in native VPN client) to connect to my brand-new RV260 via VPN.
The RV260 has a public IP address and is reachable over the internet. To verify this, I configured port forwarding for HTTP traffic to another macOS client behind the router. I was able to access the website running on that internal macOS client via the public IP of the RV260.
I also managed to get OpenVPN to work and connect to the same internal website, after removing the port-forwarding rule. So the RV260 is reachable from the internet side of things.
However, I have the requirement to use L2TP/IPsec or Cisco IPsec for the VPN tunnel, but here I am lost. I have tried so many different settings on the RV260, but none seem to match the settings on macOS. On macOS, there is not much to configure in the native VPN client. I desperately need to find the matching settings here.
Here is an excerpt from the log on macOS. The log on the RV260 is of little use here.
Mon Aug 23 13:05:47 2021 : L2TP connecting to server '****************.de' (2**.1**.1**.1**)...
Mon Aug 23 13:05:47 2021 : IPSec connection started
Mon Aug 23 13:05:47 2021 : IPSec phase 1 client started
Mon Aug 23 13:05:47 2021 : IPSec connection failed <IKE Error 14 (0xe) No proposal chosen>
Mon Aug 23 13:05:47 2021 : L2TP IPSec aggressive mode retry with DH group 2
Mon Aug 23 13:05:47 2021 : l2tp_get_router_address
Mon Aug 23 13:05:47 2021 : l2tp_get_router_address 1**.0**.0**.1** from dict 1
Mon Aug 23 13:05:47 2021 : L2TP connecting to server 'trainvpn.brainworks-training.de' (2**.1**.1**.1**)...
Mon Aug 23 13:05:47 2021 : IPSec connection started
Mon Aug 23 13:05:47 2021 : IPSec phase 1 client started
Mon Aug 23 13:05:47 2021 : IPSec connection failed <IKE Error 14 (0xe) No proposal chosen>
Does anyone have a VPN setup on an RV260 working for macOS clients and would not mind sharing the config?
Any help much appreciated. Thank you very much.
Regards,
Peter
08-25-2021 12:10 PM
Hi
If you want to establish Client-to-Site IKEv2 tunnels to RV34X/RV260/RV160 routers from multiple macOS/iOS/iPad clients using PSK for IKEv2 authentication, then please find below the steps/procedures and info to configure the same on RV34X/RV260/RV160 (C2S config) and on the macOS/iOS/iPad clients using IKEv2 PSK auth only (meaning there are NO usernames/passwords/user accounts required for the clients).
----------------------------------------------------------------------------
1. RV260/RV34X C2S IKEv2 VPN Server for MacOS-iOS Clients using PSK-auth only
---------------------------------------------------------------------------
- Configure the C2S server on RV34X/RV260 as below:
Step-1: In the Ipsec-Profiles, configure the below ipsec-algo-profile used by Mac-iOS clients
Name: Ikve2MaciOSClientsProfile
Version: IKEv2
Phase-1: AES128-SHA1-GROUP2; Lifetime: 28800sec
Phase-2: ESP; AES256-SHA256; pfs=no; lifetime:3600sec
- apply and do a permanent save too
Step-2: In Basic Settings tab
- add and configure a C2S vpn server as below:
Enable: Yes/Checked
Tunnel Name: Ikev2_MaciOSClients_wPSKonly
Ipsec Profile: Ikve2MaciOSClientsProfile
Interface: WAN
IKE Authentication Method
Pre-shared Key: Test$123456789
Local Identifier:
- select FQDN
- enter this server fqdn/dns-name: rv34x.servergw.local
Remote Identifier:
- select FQDN
- enter * (star/asterisk) as the wildcard value here.
- Note: This wildcard asterisk/star is required to support multiple Mac/iOS clients connecting to this VPN server using PSK auth
Extended Authentication: DISABLE/UNCHECKED
- Note: DO NOT ENABLE/SELECT EXTENDED AUTHENTICATION
Pool Range for client lan:
Start ip: 10.30.1.100
End ip: 10.30.1.150
Step-3: In the Advanced settings tab
Remote Endpoint : Dynamic IP
- It should be Dynamic IP only as multiple clients will be connecting to this server
Local Group Setup
Local IP Type: ANY
Mode Configuration
dns/wins/default-domain/etc: to be configured as per the user requirements
Step-4: Click on Apply and do a permanent save too
-----------------------------------------------
2. IKEv2 with PSK configuration on MacOS/iOS clients
-----------------------------------------------
For IKEv2 tunnel with PSK only:
Step-1: On the desktop of the Mac client, click on the Wi-Fi icon and go to “Open Network Preferences”
Step-2: Click on + to create a new service:
- select the VPN interface
- IKEv2 as VPN type, and
- give a name “ClientV2_wPSK”
Step-3: In page that is displayed, click first on “Authentication Settings”
- Select “None” only, and do not select certificate (or Use-Certificate)
- For PSK-based IKEv2 auth, select “Secret” and enter the Pre-Shared Key, e.g. Test$123456789
Step-4: Now, back to main config page
a) Enter the "Server Address" as dns-name of the RV34X/RV260 Router's wan-ipaddress - say for e.g "rv34x.servergw.local"
Note: This FQDN/dns-name should-be/MUST-be resolvable by the dns-server configured on the mac-client to the public-ipaddress of the wan-interface of RV34X/RV260
b) For "Remote-ID" enter the value "rv34x.servergw.local" (enter without the quotes)
c) For "Local-ID" keep the value empty, do not edit or enter any value here
Step-5: you are done (and save the config). If the C2S-server on RV34X/RV260 is ready, then you may click on connect on this mac-os/ipad/ios client
The above configs have been tested by me with 2 Mac clients on an RV345 router. It's a working config.
I have checked by connecting from Mac clients that are behind a NAT router too, so NAT-T also works perfectly with the above configs on the server and the clients. You can connect multiple macOS clients concurrently to this VPN server using just PSK.
Try it out and I hope it works for you too.
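As an added example, not code from the thread or from Cisco, here is a small Python model of what the "No proposal chosen" (IKE error 14) in the question means: the responder (the RV260) only accepts an initiator transform that exactly matches one it has configured, and the selection rule is the same in principle for IKEv1 and IKEv2. The router's Phase-1 set is the AES128-SHA1-GROUP2 profile from the answer above; the client transform lists and the masked log lines are constructed for illustration and are not what macOS actually offers.

```python
import re
from typing import Dict, List, Optional

# IKE notify type 14 is NO_PROPOSAL_CHOSEN (RFC 2408 for IKEv1, RFC 7296 for IKEv2).
NO_PROPOSAL_CHOSEN = 14

# Matches the failure line written by the macOS native L2TP/IPsec client.
FAIL_RE = re.compile(r"IPSec connection failed <IKE Error (\d+) \(0x[0-9a-f]+\) ([^>]+)>")

# Constructed sample: the two failing lines from the question, host and IP omitted.
SAMPLE_LOG = """\
Mon Aug 23 13:05:47 2021 : IPSec phase 1 client started
Mon Aug 23 13:05:47 2021 : IPSec connection failed <IKE Error 14 (0xe) No proposal chosen>
Mon Aug 23 13:05:47 2021 : L2TP IPSec aggressive mode retry with DH group 2
Mon Aug 23 13:05:47 2021 : IPSec connection failed <IKE Error 14 (0xe) No proposal chosen>
"""

def ike_error_codes(log: str) -> List[int]:
    """Return every IKE error code the client logged, in order of appearance."""
    return [int(m.group(1)) for m in FAIL_RE.finditer(log)]

# One Phase-1 transform: encryption, integrity/PRF hash, Diffie-Hellman group.
Transform = Dict[str, str]

# Phase-1 set from the accepted answer: AES128-SHA1-GROUP2 (DH group 2 = modp1024).
RV260_PHASE1: List[Transform] = [{"enc": "aes128", "hash": "sha1", "dh": "modp1024"}]

def choose_proposal(responder: List[Transform], initiator: List[Transform]) -> Optional[Transform]:
    """Responder-side selection: the first initiator transform that the responder
    also has configured wins; no overlap at all means NO_PROPOSAL_CHOSEN."""
    for offered in initiator:
        if offered in responder:
            return offered
    return None

def diagnose(log: str, responder: List[Transform], initiator: List[Transform]) -> str:
    """Combine the client log with both transform lists into a one-line verdict."""
    if NO_PROPOSAL_CHOSEN not in ike_error_codes(log):
        return "no NO_PROPOSAL_CHOSEN in log"
    chosen = choose_proposal(responder, initiator)
    if chosen is None:
        return "phase-1 mismatch: client offers none of the router's transforms"
    return f"phase-1 overlap exists ({chosen}); look elsewhere, e.g. identifiers or PSK"

# Constructed client offers (hypothetical): one with no overlap, one aligned with the router.
MISMATCHED_CLIENT = [{"enc": "aes256", "hash": "sha256", "dh": "modp2048"}]
ALIGNED_CLIENT = [{"enc": "aes256", "hash": "sha256", "dh": "modp2048"},
                  {"enc": "aes128", "hash": "sha1", "dh": "modp1024"}]
```

Running `diagnose(SAMPLE_LOG, RV260_PHASE1, MISMATCHED_CLIENT)` reproduces the question's failure, while the aligned list shows that error 14 disappears once a single common transform exists.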
08-24-2021 12:27 AM
- Check if this document can help:
M.
08-24-2021 06:22 PM
Hi
With the L2TP-with-IPsec server enabled/configured on the RV260/RV34X, you should note that:
1. If your L2TP/IPsec clients are using CHAP for user authentication, then you will need to configure a RADIUS server in the LAN network of your RV260, offloading the user authentication (for CHAP).
a) So if you don't have a RADIUS server and are using the local user accounts created in a user group on the RV260 (in System Management / User Accounts and User Groups), then you will need to enable PAP for user auth on the L2TP clients.
2. The native "Cisco IPsec" VPN client on macOS is a built-in Cisco EzVPN client for macOS & iOS (iPad/iPhone). So this will require a Cisco EzVPN server, which is available/supported ONLY on RV34X routers. This uses IKEv1 only.
3. So the pure IPsec VPN client that is built into macOS (and iOS/iPad) is an IKEv2 client that will use EAP authentication. For this you will need to configure on the RV260/RV34X a Client-to-Site server with IKEv2 and EAP auth. And further, for EAP authentication on the RV260, you WILL need to offload the user auth (EAP auth) to a RADIUS server. Without a RADIUS server, you cannot use a C2S server with IKEv2-EAP.
08-24-2021 06:25 PM
For using the L2TP-with-IPsec server on the RV260 with macOS, ensure:
1. that the algorithm profile you have set on the L2TP/IPsec server of the RV260 is also used on the macOS L2TP/IPsec client
- Windows clients by default use 3DES-SHA1-Modp1024; maybe macOS uses AES128-SHA1-Modp1024. Check this out for macOS.
2. As I mentioned, assuming that you are using user accounts in the local DB of the RV260, ensure that the L2TP/IPsec client is set to use PAP on macOS.
08-26-2021 05:00 AM
Hi nagrajk1969,
thank you so much for the solution you provided. I could successfully establish an IKE connection to the RV260.
Unfortunately, the connection from the macOS client is not persistent, i.e. if the user logs out of macOS, the tunnel is closed. One important requirement, though, is that the tunnel remains even after the user logs out of the client. Do you have any idea how this could work without the use of certificates?
I know that this can be done with the built-in Cisco IPsec client in macOS, because I have seen this working in another setup. So I cannot use IKEv2.
Do you know for sure whether the RV34x router supports the built-in Cisco IPsec client in macOS?
Thanks again for your help. I appreciate it.
Regards,
Peter
08-26-2021 07:34 AM
Hi
The built-in Cisco IPsec client on macOS is a native Cisco EzVPN IPsec client that uses IKEv1. It will only connect to a Cisco EzVPN server, and Cisco RV34X routers have support for configuring a Cisco EzVPN server.
So yes, the built-in Cisco IPsec client (using IKEv1 only) on macOS/iOS will very easily and surely work with an RV34X router. I have configured and used it, and it works, but I prefer using C2S IKEv2 server/client IPsec tunneling, so that I have a choice of using different IKEv2 IPsec clients.
08-27-2021 08:45 AM
Thank you all very much.
Have a nice weekend.
Peter