VPN client-to-site settings for MacOS 15 (Sequoia)

MarkoD
MarkoD Posts: 59  Ally Member
edited October 12 in Security

Hi, I'm currently using these settings for a working VPN connection from Windows native clients:

Gateway:
- SA Lifetime: 86400
- Negotiation mode: Main
- Proposal (enc/auth): 3DES/SHA1
- Key Group: DH2

Connection:
- SA Lifetime: 3600
- Active Protocol: ESP
- Encapsulation: Transport (L2TP/IPSec) or Tunnel (IKEv2)
- Proposal (enc/auth): AES256/SHA1
- PFS: None

These settings have proven stable and widely supported in Windows' native VPN client and work for both L2TP/IPSec and IKEv2. I now have to connect a new Mac with macOS 15 (Sequoia) via VPN and I'm looking for a minimal change to the above settings in order for the native Mac client to successfully connect.

If anyone has the working settings for the newest macOS, please share. I cannot find the supported protocols for Sequoia anywhere online.

Thanks!

PS: I'd like to use the native client on the Mac (or a free alternative), not a paid VPN client.

All Replies

  • Caroll
    Caroll Posts: 14  Freshman Member

    Hi @MarkoD, which firewall model are you using?

  • MarkoD
    MarkoD Posts: 59  Ally Member
    Answer ✓

    For anyone interested, the native macOS 15 Sonoma VPN client works with the settings that I have posted. No need to do any adjustments; L2TP/IPSec with pre-shared key worked flawlessly.

  • Zyxel_Kay
    Zyxel_Kay Posts: 1,201  Zyxel Employee
    Answer ✓

    Hi @MarkoD

    Thank you for sharing your experience and the successful VPN settings for macOS 15 (Sonoma)!

    To confirm, the default L2TP VPN setup using the Zyxel VPN wizard can indeed work with the following encryption settings:

    • Phase 1: 3DES/SHA1/DH2
    • Phase 2: 3DES/SHA1/None

    Kay

  • MarkoD
    MarkoD Posts: 59  Ally Member
    edited October 24

    Dear @Zyxel_Kay, you can bump up security by using SHA256 instead of 3DES in Phase 2. It works for built-in clients in Windows and also Mac.

  • Zyxel_Kay
    Zyxel_Kay Posts: 1,201  Zyxel Employee
    Answer ✓

    Hi @MarkoD

    Thank you for sharing this valuable insight!

    We've tested the following configuration for IKEv2 VPN between the USG60 and macOS 15, and it works with the native client:

    • Phase 1: AES256, SHA256, DH19
    • Phase 2: AES256, SHA256, PFS: None

    Kay
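
Added example (not from the thread or from Zyxel): a macOS configuration profile (.mobileconfig) that pins the native IKEv2 client to the AES256/SHA256/DH19 proposal reported as tested above, so the client does not negotiate a weaker suite. The server name, identifiers, UUIDs, the use of pre-shared-key authentication and the lifetimes (the 86400 s and 3600 s values from the first post, expressed in minutes) are assumptions to replace with your gateway's values.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>com.example.vpn.profile</string>  <!-- placeholder -->
  <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000001</string>  <!-- constructed; use uuidgen -->
  <key>PayloadDisplayName</key><string>Office IKEv2 VPN</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.vpn.profile.ikev2</string>  <!-- placeholder -->
      <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000002</string>  <!-- constructed; use uuidgen -->
      <key>UserDefinedName</key><string>Office IKEv2 VPN</string>
      <key>VPNType</key><string>IKEv2</string>
      <key>IKEv2</key>
      <dict>
        <key>RemoteAddress</key><string>vpn.example.com</string>     <!-- placeholder gateway address -->
        <key>RemoteIdentifier</key><string>vpn.example.com</string>  <!-- must match the gateway's local ID -->
        <key>LocalIdentifier</key><string>mac-client</string>        <!-- placeholder peer ID -->
        <!-- Assumption: PSK authentication. The thread does not say how the IKEv2 test authenticated. -->
        <key>AuthenticationMethod</key><string>SharedSecret</string>
        <key>SharedSecret</key><string>REPLACE_WITH_PRE_SHARED_KEY</string>
        <!-- Phase 1 (IKE SA): AES256 / SHA256 / DH19 -->
        <key>IKESecurityAssociationParameters</key>
        <dict>
          <key>EncryptionAlgorithm</key><string>AES-256</string>
          <key>IntegrityAlgorithm</key><string>SHA2-256</string>
          <key>DiffieHellmanGroup</key><integer>19</integer>
          <key>LifeTimeInMinutes</key><integer>1440</integer>  <!-- 86400 s -->
        </dict>
        <!-- Phase 2 (Child SA): AES256 / SHA256. EnablePFS is left unset, matching "PFS: None". -->
        <key>ChildSecurityAssociationParameters</key>
        <dict>
          <key>EncryptionAlgorithm</key><string>AES-256</string>
          <key>IntegrityAlgorithm</key><string>SHA2-256</string>
          <key>LifeTimeInMinutes</key><integer>60</integer>    <!-- 3600 s -->
        </dict>
      </dict>
    </dict>
  </array>
</dict>
</plist>
```

The profile stores the pre-shared key in clear text, so distribute it over a protected channel and delete the file after it has been installed.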