I too have a Mac OSX 10.4.1 client that I am trying to connect using L2TP/IPSec over NAT-T to an ISA 2006 server behind a NAT router. Using certificates.
Works fine for XP clients (after the NAT-T regkey change) so I know the relevant ports and protocols are allowed.
I have a certificate on the Mac client in Keychain, with the Trusted Root CA cert as well. Keychain shows the certificate as valid (which it didn't do before the CA cert was imported into the X.509 Anchors store; I assume this is right, I am a Windows chap for my sins...). :-)
The Security Log on the ISA shows that indeed the Mac client is tickling the ISA and agreeing phase 1 SAs. But then that's it.
Did you get anywhere with this? Or can somebody else shed any light?
Just as a follow up, one of our Mac guys who kinda knows what he is doing had a good look into this for me.
The short of it is that he couldn't get it working using certificates, only PSK. The Macs don't like something to do with the EKU and SAN fields in the certificates from our enterprise CA.
Doesn't seem to be an issue functionally. I have set a fat long PSK in ISA; the XP/Vista machines all do machine authentication using the certificates, and the Macs do it using the PSK. Seems to work quite happily up till now.
Hi Dave, Yeah, just write an open letter to the bastards from Happle, and tell them the requirements they impose by default are not required (a must) by *any* RFC. Who knows, maybe they will tell how to disable them. Otherwise, you have to figure out what certificate ISA chooses for IKE authentication, and then "adapt" it so that the SMacs will accept it. Cheers!