IKEv2 with certificate in OSX VPN client
Created a new cert on the FLEX200 (RSA-SHA512 | 2048 bit | domain name is the DDNS domain), exported, imported and trusted in OSX keychain.
But then when I want to select it for my connection I get an error that there are no certs on my system that I could use. Tried both the login and system keychains.
Does anyone know what might be the problem? Does OSX expect a certain key type or such?
Accepted Solution
Hi @StefanZ
“But then when I want to select it for my connection I get an error that there are no certs on my system that I could use. Tried both the login and system keychains.”
Can you share screenshots with us?
Besides, may I know whether IKEv2 with username/password is working for you?
You could use the wizard to create an IKEv2 VPN connection on your USG Flex 200 and then download the config script file to your Mac to establish the IKEv2 VPN connection; please refer to the steps below:
Firstly, use the wizard to create an “IKEv2 IPSec Client (Zyxel SecuExtender, non-SecuExtender)” profile and click "Non SecuExtender VPN Clients", as below:
Download Mac OS config script file.
Install the config script file.
Open Network Settings.
Choose the wizard VPN settings and modify User Authentication to "Username" then type username and password.
Establish the IKEv2 VPN connection successfully.
Thanks.
Share your feedback through our survey, make your voice heard, and win a WiFi 7 AP! https://bit.ly/2024_Survey_Community
All Replies
“Can you share screenshots with us?”
This is the error I get when choosing a cert in the IKEv2 VPN settings. Basically it says "no matching certs in your keychain, ask your admin."
“Besides, may I know whether IKEv2 with username/password is working for you?”
Yes, it is working fine. Also Remote-/Local-ID work fine for distinguishing between different VPNs on my FLEX200.
“You could use the wizard to create an IKEv2 VPN connection on your USG Flex 200 and then download config script file to your mac device to establish IKEv2 VPN connection, please refer to the below steps:”
Hmm yeah I kinda wanted to avoid this and do it manually, since the Wizard tends to drop config changes left & right and I already got stuff configured (which I understand so far – still learning).
But I saw that option for downloading the profile the other day – and was wondering if it's only available in the Wizard section? Or is there a way to obtain the profile for an already configured connection?
OK, so I kinda got it to work, but it's still iffy…
#1 - The profile installs and correctly registers the cert in my keychain.
#2 - The cert still isn't available in the VPN settings, I still get the same error – it's successfully used for the connection though.
#3 - I still have to manually enter user/pass information. Since the whole idea of a profile is to provide a working/fixed set of configuration, it is kinda half-baked in my opinion. And yes, the Apple VPN dialog is also super misleading in that it requires you to use multiple, seemingly (the way the menu presents them) mutually exclusive options…
#4 - Having to run through the Wizard to get the profile is annoying to say the least, especially since the Wizard configures stuff that then has to be cleaned up manually, or even leads to weird effects. For example I now have a user group called "RemoteAccess_Wiz_USER_GRP" that claims to have 2 references – which neither show in the "References" dialog, nor in my active config file. Same goes for the "RemoteAccess_Wiz_LOCAL_Auth" auth method I cannot delete.
For anyone looking at the same problem:
You can edit the .mobileconfig file created by the Wizard to fit your needs. It's in XML format and stuff like username/password can be added manually.
Editing "UserDefinedName" and "PayloadDisplayName" also allows you to set less convoluted names for both the profile and VPN object.
Apple documentation for possible options and VPN setting files in general:
https://developer.apple.com/documentation/devicemanagement/vpn/ikev2
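As an added illustration of the edit described in the post above (not code from the thread or from Zyxel), the script below loads a wizard-style .mobileconfig, renames the profile and VPN object via PayloadDisplayName/UserDefinedName, and adds the EAP username and password to the IKEv2 payload. The profile is a constructed stand-in with placeholder host and names; AuthName, AuthPassword and ExtendedAuthEnabled are the key names from Apple's IKEv2 payload documentation linked above.

```python
import plistlib

# Constructed stand-in for a wizard-exported .mobileconfig (placeholder host and
# names, not values from the thread); key names follow Apple's IKEv2 payload spec.
WIZARD_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadDisplayName</key><string>RemoteAccess_Wiz_PROFILE</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.vpn.managed</string>
    <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
    <key>PayloadDisplayName</key><string>RemoteAccess_Wiz_VPN</string>
    <key>UserDefinedName</key><string>RemoteAccess_Wiz_VPN</string>
    <key>VPNType</key><string>IKEv2</string>
    <key>IKEv2</key><dict>
      <key>RemoteAddress</key><string>vpn.example.invalid</string>
      <key>RemoteIdentifier</key><string>vpn.example.invalid</string>
      <key>LocalIdentifier</key><string>mac-client</string>
      <key>AuthenticationMethod</key><string>Certificate</string>
      <key>ExtendedAuthEnabled</key><true/>
    </dict>
  </dict></array>
</dict></plist>
"""


def customise_profile(data: bytes, name: str, user: str, password: str) -> dict:
    """Rename profile and VPN entry, and add EAP credentials to every IKEv2 payload."""
    profile = plistlib.loads(data)
    profile["PayloadDisplayName"] = name  # name shown in the Profiles pane
    for payload in profile["PayloadContent"]:
        if payload.get("PayloadType") != "com.apple.vpn.managed":
            continue
        if payload.get("VPNType") != "IKEv2":
            continue
        payload["PayloadDisplayName"] = name
        payload["UserDefinedName"] = name  # name of the VPN object in Network settings
        ike = payload["IKEv2"]
        ike["ExtendedAuthEnabled"] = True  # keep username/password (EAP) next to the cert
        ike["AuthName"] = user
        ike["AuthPassword"] = password  # stored in clear text in the file: restrict access
    return profile


def roundtrip(profile: dict) -> dict:
    """Serialise back to .mobileconfig XML and parse it again, as macOS will read it."""
    return plistlib.loads(plistlib.dumps(profile))
```

Because AuthPassword is written in clear text, keep the edited file readable only by you (chmod 600) and delete it once the profile is installed.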
Hi @StefanZ
Thanks for your valuable feedback for us.
“But I saw that option for downloading the profile the other day – and was wondering if it's only available in the Wizard section? Or is there a way to obtain the profile for an already configured connection?”
Currently, the config script file only can be downloaded on the Wizard section. Thanks.