1
votes

Starting with an empty directory:

  1. Generate CA root private key

     $ openssl genrsa -aes256 -out dcsAzureVPN.key 2048

  2. Generate a CA root certificate

     $ openssl req -x509 -sha256 -new -key dcsAzureVPN.key -out dcsAzureVPN.cer -days 1825 -subj /CN="dcsAzureVPN"

  3. Successfully copied dcsAzureVPN.cer to VPN gateway and saved (see attached screenshot)

  4. Generate Certificate Request (CSR)

     $ openssl genrsa -out dcsAzureClientCert.key 2048
     $ openssl req -new -out tjaClientCert.req -key dcsAzureClientCert.key -subj /CN="dcsAzureVPN"

  5. Generate signed Client Certificate from CSR

     $ openssl x509 -req -sha256 -in tjaClientCert.req -out dcsAzureClientCert.cer -CAkey dcsAzureVPN.key -CA dcsAzureVPN.cer -days 1825 -CAcreateserial -CAserial serial
     Signature ok
     subject=/CN=dcsAzureVPN

  6. Pack key and certificate in .pfx format

     $ openssl pkcs12 -export -out dcsAzureVPNClient.pfx -inkey dcsAzureClientCert.key -in dcsAzureClientCert.cer -certfile dcsAzureVPN.cer

  7. Copy client cert to my Keychain

  8. Make dcsAzureVPN a trusted cert.

  9. Select dcsAzureVPN as the client certificate for my VPN connection

  10. Try to connect. Connection fails with an error: User Authentication failed

What am I doing wrong?


3 Answers

1
votes

I finally found the problem. It turns out the Local ID has to match the client certificate subject, not the name of your client certificate file.

0
votes

You have to manually configure the native IKEv2 VPN client on every Mac that will connect to Azure. You could use these steps to configure the native VPN client on Mac for certificate authentication.

Moreover, you could refer to this to troubleshoot Point-to-Site VPN connections from Mac OS X VPN clients.

Additionally, no matter what client OS you want to connect from, you must always have a client certificate. You can generate a client certificate from either a root certificate that was generated using an Enterprise CA solution or a self-signed root certificate. See the PowerShell, MakeCert, or Linux instructions for steps to generate a client certificate.

Please let me know if this works.

0
votes

Whoever stumbles upon this solution: it works if you change the client certificate's subject from dcsAzureVPN to (for example) dcsAzureVPNSubj and use it in the connection tab for Local ID.

So instead of this:

openssl req -new -out tjaClientCert.req -key dcsAzureClientCert.key -subj /CN="dcsAzureVPN"

Use this:

openssl req -new -out tjaClientCert.req -key dcsAzureClientCert.key -subj /CN="dcsAzureVPNSubj"

and use dcsAzureVPNSubj for Local ID on the macOS VPN connection tab.

Worked on the following machine: 20.5.0 Darwin Kernel Version 20.5.0: root:«gibberish»/RELEASE_ARM64_T8101 arm64 Big Sur version: 11.4
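Added example, not from the question or any of the answers: a POSIX shell script that runs the same OpenSSL flow as the question (self-signed root, client key and CSR, root-signed client certificate, .pfx bundle) with the fix from the last answer applied, i.e. a client subject CN that differs from the root CN. It then performs the checks a practitioner would want before touching the Mac client: that the client certificate actually chains to the root file uploaded to the gateway, that the .pfx opens with its export password and contains the private key, and it prints the client certificate's subject CN, which is the string the Mac client's Local ID must equal. The names dcsAzureVPNClient, WORKDIR and the export password are assumptions; the root key is written unencrypted so the script runs non-interactively (the question's -aes256 would prompt for a passphrase).

```shell
#!/bin/sh
# Added example (not the original poster's commands). Builds a P2S root and client
# certificate with OpenSSL, bundles the client as .pfx, and verifies the result.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
ROOT_CN="${ROOT_CN:-dcsAzureVPN}"               # root name as used in the question
CLIENT_CN="${CLIENT_CN:-dcsAzureVPNClient}"     # assumed client CN, deliberately not the root CN
PFX_PASS="${PFX_PASS:-changeit}"                # constructed placeholder export password

# Root key + self-signed root cert, client key + CSR, root-signed client cert, .pfx bundle.
make_p2s_certs() {
  openssl genrsa -out "$WORKDIR/root.key" 2048 2>/dev/null
  openssl req -x509 -sha256 -new -key "$WORKDIR/root.key" -out "$WORKDIR/root.cer" \
    -days 1825 -subj "/CN=$ROOT_CN"
  openssl genrsa -out "$WORKDIR/client.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$WORKDIR/client.key" -out "$WORKDIR/client.csr" \
    -subj "/CN=$CLIENT_CN"
  openssl x509 -req -sha256 -in "$WORKDIR/client.csr" -CA "$WORKDIR/root.cer" \
    -CAkey "$WORKDIR/root.key" -CAcreateserial -days 1825 -out "$WORKDIR/client.cer" 2>/dev/null
  openssl pkcs12 -export -out "$WORKDIR/client.pfx" -inkey "$WORKDIR/client.key" \
    -in "$WORKDIR/client.cer" -certfile "$WORKDIR/root.cer" -passout "pass:$PFX_PASS"
}

# Exit 0 only if client.cer chains to root.cer, which is what the gateway checks
# against the root certificate you uploaded.
verify_chain() {
  openssl verify -CAfile "$WORKDIR/root.cer" "$WORKDIR/client.cer" >/dev/null 2>&1
}

# Print only the CN of a certificate's subject.
subject_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject= *//; s/.*CN=\([^,]*\).*/\1/'
}

# The Local ID is the client certificate's subject CN, not the .pfx or .cer file name.
client_local_id() {
  subject_cn "$WORKDIR/client.cer"
}

# Exit 0 if the client CN differs from the root CN (the mix-up in the question).
cns_are_distinct() {
  [ "$(subject_cn "$WORKDIR/client.cer")" != "$(subject_cn "$WORKDIR/root.cer")" ]
}

# Exit 0 if the .pfx opens with the export password and contains the private key.
pfx_is_loadable() {
  openssl pkcs12 -in "$WORKDIR/client.pfx" -passin "pass:$PFX_PASS" -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY'
}

main() {
  make_p2s_certs
  if verify_chain; then
    echo "client.cer chains to root.cer"
  else
    echo "client.cer does NOT chain to root.cer; the gateway will reject it" >&2
    exit 1
  fi
  if cns_are_distinct; then
    echo "client CN differs from root CN"
  fi
  echo "Local ID for the Mac client: $(client_local_id)"
  echo "Files in $WORKDIR: root.cer (upload to the gateway), client.pfx (import into Keychain)"
}

main
```

Run it as `sh p2s_certs.sh`; the last line printed is the exact value to type into the Mac client's Local ID field. If a .pfx produced by OpenSSL 3 is refused on import into Keychain, re-export it with `openssl pkcs12 -export -legacy ...`, which selects the older PKCS#12 encryption that some importers still expect.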