Inunte-macOS custom vpn configuration

Question

Inunte-macOS custom vpn configuration

tn-57-gs 31

I am trying to create a custom VPN profile for macOS in Intune portal, not using any third-party VPN client and, trying to use the in-built mac VPN app "com.apple.vpn.managed" to connect but it fails not getting any response back neither from the device nor from the Intune portal.

I used a custom VPN profile using IKEv2 Dictionary Keys still not able to establish a connection to our RRAS VPN server.

please assist.

4 answers

Your answer

Answer 1

Lu Dai-MSFT 28,501

@tn-57-gs Thanks for posting in our Q&A.

Based on my research, currently, IKEv2 is only supported iOS/iPadOS and Windows 10 in intune. With the limitation resource, I'm not sure if IKEv2 can establish a connection to our RRAS VPN server via a custom VPN profile on MacOS.

With Q&A limitation, it is better to create an online support ticket to handle this issue more effectively. It is free. Here is the online support link and hope it helpful.
https://learn.microsoft.com/en-us/mem/get-support

Thanks for understanding.

If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

tn-57-gs 31 Reputation points

2021-09-07T07:15:35.977+00:00

Thanks for your response.

I have already tried contacting MS (Case #:27353492) for this case and unfortunately, still issue not solved.

Accordingly to Apple, IKEv2 (IEAP-TLS, PEAP) are supported and they have provided VPN payloads to configure, now the question is, is there are specific settings that need to be done from RRAS /NPS to allow mac clients to connect, or what is the recommended approach on this.

I have tried both custom device configuration profiles with (device and user channel) and custom VPN profiles for macOS both do not seem to work.

On top of this, conditional access which is the second layer of protection before connecting VPN, I got a confirmation from MS support that only windows 10 devices are supported.
Lu Dai-MSFT 28,501 Reputation points

2021-09-07T08:12:08.203+00:00

@tn-57-gs Thanks for your update.

In fact, I haven't established connection between IKEv2 and RRAS VPN server on MacOS. So. there is no successful experiences I can share with you.

Don't lose heart. Q&A is an open platform. Let's wait for someone who will share some useful information.
Sebastian Cerazy 321 Reputation points

2022-02-04T20:35:18.087+00:00

..... https://social.technet.microsoft.com/Forums/en-US/fa3c8924-314b-492e-b5af-a860d8d072bb/solved-alwayson-vpn-ikev2-access-from-apple-mac-mojave

Answer 2

David Frith 1

Interested to see if you have had any luck with this.

I have the inbuilt macOS VPN client connecting to RRAS using IKEv2 now. It is also using a certificate payload pushed by intune for authentication - so happy with that. but I have to set it up manually on each device. This is not ideal.
For reference, RRAS has radius setup for auth, and only EAP enabled for authentication protocol
The NPS server has a custom network policy to pick up calls from the RRAS server, and has 'Smart card or certificate" setup as the only EAP type
lots of standard cert stuff needed to be done (trusted Root CA on RRAS/NPS and device)
But - if you have got any closer with the Intune payload... that would be awsome
I've had a hack too - and failed
tks

Mason202 1 Reputation point

2021-11-14T14:29:52.223+00:00

@David Frith Would you be able to post some information on what your NPS configuration looks like and how you got your setup working.
Sebastian Cerazy 321 Reputation points

2022-02-04T20:45:10.28+00:00

Nothing to it really
tn-57-gs 31 Reputation points

2022-02-05T13:17:29.313+00:00

I have the same configuration on my NPS server and still not able to connect from my Mac client but it works very well on Windows client.

I get the below error while connecting to my VPN server.

"NEIKEv2Provider: (NetworkExtension) [com.apple.networkextension:] Certificate evaluation error = kSecTrustResultRecoverableTrustFailure"

I've have added the Internal PKI root certificate & SCEP user certificate in the keychain using Intune device configuration and I can see them as trusted in the key chain. Therefore, in my opinion the Mac client should trust my VPN server (signed using the same CA) while connecting to it, not sure why it's not connecting.

I think the issue is on the Mac client. please assist me with the VPN profile that you have created. FYI (I am using OSX native Mac client). I have also posted about this issue on Apple developer forum and yet no response there "https://developer.apple.com/forums/thread/699743 & https://learn.microsoft.com/en-us/answers/questions/694666/mac-rrasvpn-34negotiation-timed-out34-for-always-o.html" I am sharing this link just in case if you would like to refer.

Regards
Sujith
Sebastian Cerazy 321 Reputation points

2022-02-05T20:44:44.73+00:00

I done it by "hand" on Mac]

Created profile in Apple Configurator 2 & installed it

I already had Root CA & Enterprise CA certificates imported & trusted

So the profile only had user certificate (pfx issued by Enterprise CA) and VPN server certificate (also issued by Enterprise CA)

As explained already in linked above:

https://social.technet.microsoft.com/Forums/en-US/fa3c8924-314b-492e-b5af-a860d8d072bb/solved-alwayson-vpn-ikev2-access-from-apple-mac-mojave
tn-57-gs 31 Reputation points

2022-02-06T17:22:04.28+00:00

Thanks for your reply.

As suggested by you, I followed the procedure mentioned in this link "https://social.technet.microsoft.com/Forums/en-US/fa3c8924-314b-492e-b5af-a860d8d072bb/solved-alwayson-vpn-ikev2-access-from-apple-mac-mojave" to create payload using apple configurator 2 and when I attempt to add it, it gives me an error "certificate could not be verified (authentication error)" meaning mac does not allow this profile to be added.

please see the payload created in the attached and share your suggestion OR if possible, please send me your working profile after sensitive information so that I can try with that.

171731-sharewithms.txt

the below attached one is the working VPN profile (meaning it adds the profile correctly and you will see be able to see the profile under system preference and it does initial a handshake successfully with the VPN server and fails during IKE Auth phase - reason: certificates aren't included in this payload) which is why your statement comes into the picture of combining the certificates within the same VPN profile.

Initially I thought of using Intune to push SCEP User certificate & Trusted CA using device configuration policy, but this way is a road blocker and got to use your way still didn't get through. I would appreciate it if you could share your profile so that I can try out.

Regards
Sujith
tn-57-gs 31 Reputation points

2022-02-06T22:26:20.05+00:00

From my previous reply, I have mentioned that payload with certificates (VPN & Client user cert with private key) are not getting added to mac client, somehow, I figured out to solve that issue to add the profile to the mac client but still the actual problem connecting to the VPN server exists.

As you can see in the screenshot attached, I have added VPN server certificate + User Certificate under certificate section in Apple configurator and chosen the user cert under VPN--> EAP certificate drop down. added the profile and tried to connect to VPN server but it fails again with the following error

I can see two problems here attached to this reply. Please check that out and let me know if you have faced the same issue.

171674-error-mac.txt
Sebastian Cerazy 321 Reputation points

2022-02-07T21:52:31.917+00:00

And what do you get on NPS server?
tn-57-gs 31 Reputation points

2022-02-08T00:14:05.367+00:00

Unfortunately, it does not get to the NPS server itself. I can see the incoming packet on VPN server (IKE_INIT) (Req/Res) and VPN server responds back to client asking to prove its identity (IKE_Auth) and that's when the flow gets dropped.

I have already created an MS Support case and they strongly believe that failure occurs on the mac client after several hours of troubleshooting back and forth.

Regards
Sujith

Answer 3

@David Frith , I tried my best to get the IKE to work on windows devices and my colleague found a workaround which is, creating PORT Forwarding rule (due to NAT-Traversal) on the client's local DSL router but the same tried for mac no luck. it would be much appreciated if you can let me know how are you connecting your mac devices to RRAS IKE. (accordingly to MS premium support, most of the routers are IPSEC Passthrough supported but in my opinion you can't expect end-users to have such routers especially during these times most of the people are working from home and its really a pain to ask the end-users to set up this port forwarding rule to make IKE to work)

some of my suggestion to bring it to your notice on how we can deploy VPN profiles to mac remotely, I used SCEP user certificate for authentication and that is deployed using device configuration profile in Intune and there is no special payload is required. please see the screenshot below FYI

and the same goes to trusted certificate, you can do it using Intune itself but to make use of built-in mac VPN app we need a payload and having it can be easily deployed using custom configuration profile. you can create the payload using either profile manager "https://github.com/ProfileCreator/ProfileCreator" or apple configurator. please see the screenshot for your reference.

I would really appreciate if you can share your method connecting Mac clients to RRAS IKE because I am still not able to connect.

Answer 4

Finally it worked for me. there are two things did the trick for me, 1) missing SAN name in the VPN certificate 2) I used EAP-TLS instead of PEAP-TLS because mac VPN native client does not support PEAP-TLS (whereas from Apple's official website says it is supported).

The main reason why the request from mac did not reach NPS was because mac did not trust the VPN certificate due to a missing extension in the certificate "DNS entry (Subject Alternative Name Extension)".

Ref: https://support.apple.com/en-us/HT210176

I tested a couple of times and it works like charm now and in order to push VPN profile remotely to mac devices via Intune Ref to the payload I used- https://github.com/sujith-cy/Intune-macOS-Custom-VPN-Profile/commit/b25f2b8aa395c9c32341c055234589db26eb1a92. it can be created easily with the Apple configurator.

Share via

Inunte-macOS custom vpn configuration

4 answers

Your answer