Configuring IPsec VPN client on Apple OS X
There are three steps to connect an Apple OS X computer to your company network through an IPsec (Internet Protocol security) VPN (virtual private network) and authenticate with an SSL certificate:
- Configure the IPsec VPN server in Kerio Control.
- Create an SSL (Secure Sockets Layer) certificate and import the certificate into Keychain Access.
- Configure the VPN client as L2TP (Layer 2 Tunneling Protocol) over IPsec.
Step 1: Configuring Kerio Control
To configure Kerio Control Server:
- Set up the IPsec VPN server to use certificates issued by a Local Certification Authority. For more information, refer to Configuring IPsec VPN Server.
- Go to Definitions > SSL Certificates.
- Click Add > New Certificate and create a new certificate for VPN clients.
IMPORTANT
Do not use an IP address instead of the Kerio Control hostname.
- Click Apply in the SSL Certificates section.
- Export this certificate in the PKCS#12 format.
- In the Export Certificate in PKCS#12 Format dialog, use a password without national characters.
- Check Include all certificates in the certification path if possible so that Kerio Control exports all higher certificates, including the certification authority.
- Click OK.
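The checks below cover the three conditions Step 1 depends on: a hostname rather than an IP address, an export password without national characters, and a PKCS#12 file that includes the certification authority. This is an added example, not part of the Kerio documentation; the P12_PASS variable, the function names and the arguments are assumptions, and it expects the openssl command-line tool to be installed.

```shell
#!/bin/sh
# Added example: pre-flight checks before importing the exported PKCS#12 file.
# P12_PASS and the file/host arguments are assumptions, not Kerio Control names.

# Succeeds if $1 is an IPv4/IPv6 literal rather than a hostname.
is_ip_literal() {
    case "$1" in
        *:*) return 0 ;;            # a colon only occurs in IPv6 literals
        *[!0-9.]*|'') return 1 ;;   # any other non-digit/dot character: a name
        *.*.*.*) return 0 ;;        # digits and dots only: dotted quad
        *) return 1 ;;
    esac
}

# Succeeds if $1 is non-empty and printable ASCII only (no national characters).
password_is_ascii() {
    [ -n "$1" ] || return 1
    rest=$(printf '%s' "$1" | LC_ALL=C tr -d ' -~')   # drop printable ASCII
    [ -z "$rest" ]                                     # leftovers are non-ASCII
}

# Prints how many certificates the PKCS#12 file holds (0 if unreadable).
# The export password is read from the P12_PASS environment variable.
p12_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin env:P12_PASS 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

# usage: preflight <server-address> <file.p12>   (password in $P12_PASS)
preflight() {
    rc=0
    if is_ip_literal "$1"; then
        echo "FAIL: '$1' is an IP address; use the Kerio Control hostname"; rc=1
    fi
    if ! password_is_ascii "${P12_PASS:-}"; then
        echo "FAIL: export password is empty or contains non-ASCII characters"; rc=1
    fi
    n=$(p12_cert_count "$2") || true
    if [ "${n:-0}" -lt 2 ]; then
        echo "FAIL: expected client certificate plus CA in '$2', found ${n:-0}"; rc=1
    fi
    return "$rc"
}

if [ "$#" -ge 2 ]; then preflight "$1" "$2"; fi
```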
Step 2: Importing the certificate
To import the SSL certificate into the Keychain Access utility on your Apple OS X computer:
- Go to Applications > Utilities > Keychain Access.
- Switch the view to the System keychain and unlock the keychain.
IMPORTANT
Do not confuse the keychains. The default Login keychain is not the one to use in this case.
- Drag the PKCS#12 file and drop it onto the System keychain. Keychain Access now shows at least two Kerio Control certificates: one or more certificates (blue certificate icon) and the Certification Authority (gold certificate icon).
- Locate the imported Certification Authority (CA) in the System keychain.
- Set the CA trust properties to Always trusted.
- Locate the imported certificate and ensure the certificate is trusted.
Procedure for Mac OS X 7 and newer:
- In the System keychain, go to My Certificates.
- Find your certificate and click the small arrow next to it; a private key appears.
- Double-click the private key and go to Access Control.
- Click the + icon and add the following executable to the list: /usr/sbin/racoon
NOTE
If you don't see the /usr folder when browsing for the executable, use Show hidden files. The shortcut is cmd-shift-. (cmd-shift-dot).
- Click Open.
Keychain Access uses your SSL certificate.
Step 3: Creating VPN client on Apple OS X computer
You must create a VPN connection based on L2TP over IPsec:
- Go to System Preferences > Network.
- In the Network dialog, click the + icon and add VPN.
- Select the L2TP over IPsec mode.
- Type the hostname of Kerio Control in Server Address and your Kerio Control username in Account Name.
IMPORTANT
Do not use an IP address instead of the Kerio Control hostname.
- Click Authentication Settings.
- Set user authentication by password and type your Kerio Control password. MS-CHAPv2 might be needed.
- Set Machine Authentication by a certificate, click Select and select the certificate from the previous step.