Pete475
Beginner

RV260 and Client-to-Site VPN from macOS with native client

Hi all,

 

Today I spent the whole day trying to get a macOS client (the built-in native VPN client) to connect to my brand-new RV260 via VPN.

The RV260 has a public IP address and is reachable over the internet. To verify this, I configured port forwarding for HTTP traffic to another macOS client behind the router. I was able to access the website running on that internal macOS client via the public IP of the RV260.

I also managed to get OpenVPN to work and connect to the same internal website after removing the port-forwarding rule. So the RV260 is reachable from the internet side of things.

However, I have the requirement to use L2TP/IPsec or Cisco IPsec for the VPN tunnel, and here I am lost. I have tried so many different settings on the RV260, but none seem to match the settings on macOS. On macOS there is not much to configure in the native VPN client. I desperately need to find the matching settings here.

 

Here is an excerpt from the log on macOS. The log on the RV260 is of little use here.

Mon Aug 23 13:05:47 2021 : L2TP connecting to server '****************.de' (2**.1**.1**.1**)...
Mon Aug 23 13:05:47 2021 : IPSec connection started
Mon Aug 23 13:05:47 2021 : IPSec phase 1 client started
Mon Aug 23 13:05:47 2021 : IPSec connection failed <IKE Error 14 (0xe) No proposal chosen>
Mon Aug 23 13:05:47 2021 : L2TP IPSec aggressive mode retry with DH group 2
Mon Aug 23 13:05:47 2021 : l2tp_get_router_address
Mon Aug 23 13:05:47 2021 : l2tp_get_router_address 1**.0**.0**.1** from dict 1
Mon Aug 23 13:05:47 2021 : L2TP connecting to server 'trainvpn.brainworks-training.de' (2**.1**.1**.1**)...
Mon Aug 23 13:05:47 2021 : IPSec connection started
Mon Aug 23 13:05:47 2021 : IPSec phase 1 client started
Mon Aug 23 13:05:47 2021 : IPSec connection failed <IKE Error 14 (0xe) No proposal chosen>

 

Does anyone have a VPN setup on an RV260 working for macOS clients and would not mind sharing the config?

 

Any help much appreciated. Thank you very much.

 

Regards,

 

Peter 

Accepted Solution
nagrajk1969
Enthusiast

Hi

 

If you want to establish Client-to-Site IKEv2 tunnels to RV34X/RV260/RV160 routers from multiple macOS/iOS/iPad clients using a PSK for IKEv2 authentication, then please find below the steps and info to configure the same on the RV34X/RV260/RV160 (C2S config) and on the macOS/iOS/iPad clients, using IKEv2 PSK auth only (meaning NO username/password/user accounts are required for the clients).

 


----------------------------------------------------------------------------
1. RV260/RV34X C2S IKEv2 VPN Server for MacOS-iOS Clients using PSK-auth only
---------------------------------------------------------------------------

- Configure the C2S server on RV34X/RV260 as below:


Step-1: In the Ipsec-Profiles, configure the below ipsec-algo-profile used by Mac-iOS clients

 

Name: Ikve2MaciOSClientsProfile
Version: IKEv2
Phase-1: AES128-SHA1-GROUP2; Lifetime: 28800sec
Phase-2: ESP; AES256-SHA256; pfs=no; lifetime:3600sec

- apply and do a permanent save too

 

Step-2: In Basic Settings tab

 

- add and configure a C2S vpn server as below:

Enable: Yes/Checked
Tunnel Name: Ikev2_MaciOSClients_wPSKonly
Ipsec Profile: Ikve2MaciOSClientsProfile
Interface: WAN

IKE Authentication Method
Pre-shared Key: Test$123456789

 

Local Identifier:
- select FQDN
- enter this server fqdn/dns-name: rv34x.servergw.local

 

Remote Identifier:
- select FQDN
- enter * (star/asterisk) as the wildcard value here.

- Note: This wildcard asterisk/star is required to support multiple Mac/iOS clients connecting to this VPN server using PSK auth

 

Extended Authentication: DISABLE/UNCHECKED

- Note: DO NOT ENABLE/SELECT EXTENDED AUTHENTICATION

 

Pool Range for client lan:

Start ip: 10.30.1.100
End ip: 10.30.1.150


Step-3: In the Advanced settings tab

 

Remote Endpoint : Dynamic IP

- It should be Dynamic IP only, as multiple clients will be connecting to this server

 

Local Group Setup
Local IP Type: ANY


Mode Configuration

dns/wins/default-domain/etc: to be configured as per the user requirements


Step-4: Click on Apply and do a permanent save too

 

 

-----------------------------------------------

2. IKEv2 with PSK configuration on MacOS/iOS clients

-----------------------------------------------

For IKEv2 tunnel with PSK only:

 

Step-1: On the desktop of the Mac client, click on the Wi-Fi icon and go to “Open Network Preferences”

Step-2: Click on + to create a new service:

- select the VPN interface
- IKEv2 as VPN type, and
- give it a name: “ClientV2_wPSK”

 

Step-3: On the page that is displayed, click first on “Authentication Settings”

- Select “None” only; do not select certificate (or Use Certificate)

- For PSK-based IKEv2 auth, select “Secret” and enter the Pre-Shared Key, e.g. Test$123456789

 

Step-4: Now, back to main config page

a) Enter the "Server Address" as the DNS name of the RV34X/RV260 router's WAN IP address, e.g. "rv34x.servergw.local"
Note: This FQDN/DNS name MUST be resolvable, by the DNS server configured on the Mac client, to the public IP address of the WAN interface of the RV34X/RV260

 

b) For "Remote-ID" enter the value "rv34x.servergw.local" (enter without the quotes)

c) For "Local-ID" keep the value empty, do not edit or enter any value here

 

Step-5: You are done (save the config). If the C2S server on the RV34X/RV260 is ready, you may click on Connect on this macOS/iPad/iOS client

 

The above configs have been tested by me with 2 Mac clients on an RV345 router. It's a working config.

 

I have checked by connecting from Mac clients that are behind a NAT router too, so NAT-T also works perfectly with the above configs on server and clients. You can connect multiple macOS clients concurrently to this VPN server using just a PSK.

 

 

Try it out and I hope it works for you too
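The client-side steps above are clicked through in Network Preferences on every Mac. As an added example (not code from this thread or from Cisco), the script below builds the same IKEv2-PSK settings as a macOS/iOS configuration profile (.mobileconfig), so they can be installed on many Macs identically and checked against the router side of the post. The payload keys follow Apple's documented configuration-profile format for VPNType "IKEv2"; the server name, remote identifier and PSK are the example values from the post, and the reverse-DNS payload identifiers are assumed placeholders.

```python
"""Build a macOS/iOS .mobileconfig profile carrying the IKEv2-PSK client settings
from the accepted answer, so the same settings can be pushed to many Macs
instead of typed into Network Preferences on each one.

This is an added example, not code from the thread. Payload keys follow Apple's
documented configuration-profile format for VPNType "IKEv2"; the server name,
remote identifier and PSK are the example values from the post and the
reverse-DNS payload identifiers are assumed placeholders.
"""
import plistlib
import uuid

# Example values from the accepted answer (replace for a real deployment).
SERVER_FQDN = "rv34x.servergw.local"  # must resolve to the router's public WAN IP
REMOTE_ID = "rv34x.servergw.local"    # equals the router's Local Identifier (FQDN)
PSK = "Test$123456789"                # the router's Pre-shared Key

# The router-side IPsec profile from the post, in the units the profile format uses.
ROUTER_IKE_SA = {"EncryptionAlgorithm": "AES-128", "IntegrityAlgorithm": "SHA1-96",
                 "DiffieHellmanGroup": 2, "LifeTimeInMinutes": 480}    # 28800 s
ROUTER_CHILD_SA = {"EncryptionAlgorithm": "AES-256", "IntegrityAlgorithm": "SHA2-256",
                   "LifeTimeInMinutes": 60}                            # 3600 s, pfs=no


def build_ikev2_psk_profile(server=SERVER_FQDN, remote_id=REMOTE_ID, psk=PSK,
                            name="ClientV2_wPSK"):
    """Return the profile as a dict (PayloadContent holds one managed-VPN payload)."""
    vpn_payload = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.vpn." + name,  # assumed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "UserDefinedName": name,            # name shown in the Network pane
        "VPNType": "IKEv2",
        "IKEv2": {
            "RemoteAddress": server,
            "RemoteIdentifier": remote_id,
            # No LocalIdentifier: the post leaves Local-ID empty, and the router's
            # Remote Identifier is the wildcard "*", so any client ID is accepted.
            "AuthenticationMethod": "SharedSecret",
            "SharedSecret": psk,
            "ExtendedAuthEnabled": 0,       # router: Extended Authentication unchecked
            "IKESecurityAssociationParameters": dict(ROUTER_IKE_SA),
            "ChildSecurityAssociationParameters": dict(ROUTER_CHILD_SA),
        },
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile." + name,  # assumed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "RV260 IKEv2 PSK VPN",
        "PayloadContent": [vpn_payload],
    }


def profile_to_plist(profile):
    """Serialize to the XML plist that a .mobileconfig file contains."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def check_profile(plist_bytes, server=SERVER_FQDN, remote_id=REMOTE_ID):
    """Parse a profile back and list every setting that would not match the router
    configuration from the post (empty list = consistent)."""
    ike = plistlib.loads(plist_bytes)["PayloadContent"][0]["IKEv2"]
    problems = []
    if ike.get("RemoteAddress") != server:
        problems.append("RemoteAddress is not the router's FQDN")
    if ike.get("RemoteIdentifier") != remote_id:
        problems.append("RemoteIdentifier does not equal the router's Local Identifier")
    if ike.get("AuthenticationMethod") != "SharedSecret" or not ike.get("SharedSecret"):
        problems.append("authentication is not PSK")
    if ike.get("ExtendedAuthEnabled", 0) != 0:
        problems.append("ExtendedAuthEnabled set, but the router has it disabled")
    for key in ("EncryptionAlgorithm", "IntegrityAlgorithm", "DiffieHellmanGroup"):
        if ike.get("IKESecurityAssociationParameters", {}).get(key) != ROUTER_IKE_SA[key]:
            problems.append(f"IKE SA {key} differs from the router profile")
    return problems


if __name__ == "__main__":
    data = profile_to_plist(build_ikev2_psk_profile())
    with open("ClientV2_wPSK.mobileconfig", "wb") as fh:
        fh.write(data)
    print("wrote ClientV2_wPSK.mobileconfig, problems:", check_profile(data))
```

Install the resulting file by opening it on the Mac (or distribute it through MDM). Two caveats worth keeping in mind with this design: the PSK sits in the profile in clear text, so the file itself has to be handled as a secret; and because the router accepts any remote ID for that one PSK, every client shares the same credential, so a lost device means rotating the key on the router and on all the other clients.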

 

 

 

 

 

  


nagrajk1969
Enthusiast

Hi

 

With the L2TP-with-IPsec server enabled/configured on the RV260/RV34X, you should note that:

1. If your L2TP/IPsec clients are using CHAP for user authentication, then you will need to configure a RADIUS server in the LAN network of your RV260, offloading the user authentication (for CHAP) to it.

a) So if you don't have a RADIUS server and are using the local user accounts created in a user group on the RV260 (in System Management / User Accounts and User Groups), then you will need to enable PAP for user auth on the L2TP clients.

2. The native "Cisco IPsec" VPN client on macOS is a built-in Cisco EzVPN client for macOS and iOS (iPad/iPhone). So this will require a Cisco EzVPN server, which is available/supported ONLY on RV34X routers. This uses IKEv1 only.

3. So the pure IPsec VPN client that is built into macOS (and iOS/iPad) is an IKEv2 client that will use EAP authentication. For this you will need to configure on the RV260/RV34X a Client-to-Site server with IKEv2 and EAP auth. And further, for EAP authentication on the RV260, you WILL need to offload the user auth (EAP auth) to a RADIUS server. Without a RADIUS server, you cannot use a C2S server with IKEv2-EAP.

 

 

 

nagrajk1969
Enthusiast

For using the L2TP-with-IPsec server on the RV260 with macOS, ensure:

1. that the algorithm profile you have set on the L2TP/IPsec server of the RV260 is also used on the macOS L2TP-with-IPsec client

 - Windows clients by default use 3DES-SHA1-Modp1024... maybe macOS uses AES128-SHA1-Modp1024... check this out for macOS

2. As I mentioned, assuming that you are using user accounts in the local DB of the RV260, ensure that the L2TP-with-IPsec client is set to use PAP on macOS
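The "IKE Error 14 (0xe) No proposal chosen" lines in the question's log are the responder's answer when none of the client's phase-1 transforms matches its policy in every attribute at once. The following is an added example (not code from the thread, from Cisco or from Apple) that models that selection rule and reports near misses, i.e. which single setting on one side would have to change. The proposal lists are constructed for illustration and not captured from a macOS client or an RV260; the AES128-SHA1-Modp1024 guess for macOS comes from the reply above, and the DH group 2 offer is suggested by the log's "aggressive mode retry with DH group 2" line.

```python
"""Model the responder check behind "IKE Error 14 (0xe) No proposal chosen" from
the macOS log in the question: the router only accepts a phase-1 proposal whose
encryption, hash and DH group all match one of its configured transforms.

Added example, not code from the thread. The proposal lists below are constructed
for illustration, not captured from a macOS client or an RV260; the
AES128-SHA1-Modp1024 guess for macOS comes from the reply above.
"""
from dataclasses import dataclass

MODP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048}


@dataclass(frozen=True)
class Transform:
    """One IKEv1 phase-1 transform: cipher, hash and Diffie-Hellman group."""
    enc: str       # "AES128", "AES256", "3DES"
    hash_alg: str  # "SHA1", "SHA256"
    dh: int        # MODP group number

    def __str__(self):
        return f"{self.enc}-{self.hash_alg}-modp{MODP_BITS.get(self.dh, self.dh)}"


def choose_proposal(server_policy, client_proposals):
    """Responder rule: the first client transform that the server policy also
    contains, with every attribute equal; otherwise None ("No proposal chosen")."""
    allowed = set(server_policy)
    for t in client_proposals:
        if t in allowed:
            return t
    return None


def near_misses(server_policy, client_proposals):
    """Pairs that agree on all but one attribute: the setting to change on one side."""
    out = []
    for c in client_proposals:
        for s in server_policy:
            diffs = [f for f in ("enc", "hash_alg", "dh") if getattr(c, f) != getattr(s, f)]
            if len(diffs) == 1:
                out.append((c, s, diffs[0]))
    return out


def diagnose(server_policy, client_proposals):
    """Human-readable verdict for one negotiation attempt."""
    chosen = choose_proposal(server_policy, client_proposals)
    if chosen is not None:
        return f"proposal chosen: {chosen}"
    lines = ["No proposal chosen (IKE Error 14)"]
    for c, s, field in near_misses(server_policy, client_proposals):
        lines.append(f"  client {c} vs server {s}: only {field} differs")
    return "\n".join(lines)


# Constructed illustration (assumed, not captured). The log's "aggressive mode
# retry with DH group 2" suggests the client offers group 2.
MAC_L2TP_CLIENT = [Transform("AES128", "SHA1", 2), Transform("3DES", "SHA1", 2)]
SERVER_STRONG_ONLY = [Transform("AES256", "SHA256", 14)]               # nothing in common
SERVER_NEAR_MISS = [Transform("AES128", "SHA1", 14)]                   # only the DH group differs
SERVER_FIXED = SERVER_STRONG_ONLY + [Transform("AES128", "SHA1", 2)]   # adds a matching transform

if __name__ == "__main__":
    for policy in (SERVER_STRONG_ONLY, SERVER_NEAR_MISS, SERVER_FIXED):
        print(diagnose(policy, MAC_L2TP_CLIENT))
```

The practical consequence is the one the reply states: since the native client exposes almost nothing to tune, the router's L2TP/IPsec profile has to contain the client's transform exactly (cipher, hash and group), and a profile that is "stronger" but disjoint still fails. Group 2 and SHA1 are legacy choices, so keep them only in the profile that serves that client.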

 

 


Hi nagrajk1969,

 

Thank you so much for your provided solution. I could successfully establish an IKE connection to the RV260.

 

Unfortunately, the connection from the macOS client is not persistent, i.e. if the user logs out of macOS, the tunnel is closed. One important requirement, though, is that the tunnel remains, even after the user logs out of the client. Do you have any idea how this could work without the use of certificates?

I know that this can be done with the built-in Cisco IPsec client in macOS, because I have seen this working in another setup. So I cannot use IKEv2.

Do you know for sure whether the RV34x router supports the built-in Cisco IPsec client in macOS?

 

Thanks again for your help. I appreciate it.

 

Regards,

 

Peter

 

nagrajk1969
Enthusiast

Hi

 

The built-in Cisco IPsec client on macOS is a native Cisco EzVPN IPsec client that uses IKEv1. It will only connect to a Cisco EzVPN server, and Cisco RV34X routers have support for configuring a Cisco EzVPN server.

So yes, the built-in Cisco IPsec client (using IKEv1 only) on macOS/iOS will very easily and surely work with an RV34X router. I have configured and used it, and it works... but I prefer using C2S IKEv2 server/client IPsec tunneling, so that I have a choice of using different IKEv2 IPsec clients...

 

Thank you all very much. 

Have a nice weekend. 

Peter