
Welcome to ISAserver.org


L2TP VPN From OSX 10.4 Client!

L2TP VPN From OSX 10.4 Client! - 15.Feb.2008 1:19:58 AM   
plysaker

 

Posts: 14
Joined: 7.May2006
Status: offline
I've been using certificate-based L2TP VPN clients for 6 months now, after corp forced me off PPTP.  The few Macs I had broke. No big deal.

New Pres has Mac.

Went through hell finding how to pull the Machine Certificate:
http://forums.macosxhints.com/showthread.php?t=39882&highlight=L2TP

Got that.  But now the client just spins its wheels and doesn't connect.

I see it hit the ISA, IPsec client.  IKE.  But nothing happens. I found this somewhere on the net:

"windows is only OS supports L2TP/IPSEC with NAT traversal and that there are no clients for mac/linux that also support Kerberos 5."

< Message edited by plysaker -- 15.Feb.2008 1:23:24 AM >
Post #: 1
RE: L2TP VPN From OSX 10.4 Client! - 5.May2008 1:13:33 AM   
plysaker

 

Posts: 14
Joined: 7.May2006
Status: offline
Friggin bump.  You mean to tell me NO ONE has tried to L2TP a Mac into an ISA?

(in reply to plysaker)
Post #: 2
RE: L2TP VPN From OSX 10.4 Client! - 29.May2008 11:14:35 PM   
plysaker

 

Posts: 14
Joined: 7.May2006
Status: offline
HELLOOOOOOO  I CAN NOT L2TP with cert to my ISA2004!

why?

(in reply to plysaker)
Post #: 3
RE: L2TP VPN From OSX 10.4 Client! - 7.Jul.2008 12:24:28 PM   
davei0594

 

Posts: 21
Joined: 9.Feb.2008
Status: offline
Hello Plysaker\All,

I too have a Mac OSX 10.4.1 client that I am trying to connect using L2TP/IPSec over NAT-T to an ISA 2006 server behind a NAT router.  Using certificates.

Works fine for XP clients (after the NAT-T regkey change) so I know the relevant ports and protocols are allowed.

I have a certificate on the Mac client in Keychain, with the Trusted Root CA cert as well.  Keychain shows the certificate as valid (which it didn't do before the CA cert was imported into the X.509 Anchors store; I assume this is right, I am a Windows chap for my sins...).  :-)

The Security Log on the ISA shows that indeed the Mac client is tickling the ISA, agreeing phase 1 SAs.  But then that's it.

Did you get anywhere with this?  Or can somebody else shed any light?

Many thanks.

Dave





(in reply to plysaker)
Post #: 4
RE: L2TP VPN From OSX 10.4 Client! - 8.Jul.2008 2:09:24 AM   
plysaker

 

Posts: 14
Joined: 7.May2006
Status: offline
Bro, I found an obscure post stating Kerberos v4 isn't supported.

(in reply to davei0594)
Post #: 5
RE: L2TP VPN From OSX 10.4 Client! - 8.Jul.2008 6:33:06 AM   
davei0594

 

Posts: 21
Joined: 9.Feb.2008
Status: offline
Not quite sure where Kerberos comes into it.... but check this out:-

http://www.carbonwind.net/ISA/MacOSXVPNL2TP/MacOSXVPNL2TP1.htm

(in reply to plysaker)
Post #: 6
RE: L2TP VPN From OSX 10.4 Client! - 31.Jul.2008 5:11:28 PM   
davei0594

 

Posts: 21
Joined: 9.Feb.2008
Status: offline
Just as a follow up, one of our Mac guys who kinda knows what he is doing had a good look into this for me.

The short of it is that he couldn't get it working using certificates, only PSK.  The Macs don't like something to do with the EKU and SAN fields in the certificates from our enterprise CA.

Doesn't seem to be an issue functionally, I have set a fat long PSK in ISA, the XP\Vista machines all do machine authentication using the certificates, and the Macs do it using the PSK.  Seems to work quite happily up till now.

If anyone has any more info pls post it here.

Cheers.

(in reply to davei0594)
Post #: 7
RE: L2TP VPN From OSX 10.4 Client! - 1.Aug.2008 10:06:19 AM   
justmee

 

Posts: 505
Joined: 14.May2007
Status: offline
Hi Dave,
Yeah, just write an open letter to the bastards from Happle, and tell them the requirements they impose by default are not required (a must) by *any* RFC. Who knows, maybe they will tell how to disable them.
Otherwise, you have to figure out what certificate ISA chooses for IKE authentication, and then "adapt" it so that the SMacs will accept it.
Cheers!

(in reply to davei0594)
Post #: 8
