Overview 

VPN connection for macOS users can be established using Kerio Control IPSec VPN server. VPN authentication can be configured by importing an SSL certificate or by using a Preshared Key (PSK).

This article provides details on how to connect to your company network through IPsec VPN and authenticate with an SSL certificate or Preshared Key.

Solution

Configuring Kerio Control

1. Make sure to enable the IPSec VPN server in Kerio Control Webadmin > Interfaces > double-click VPN server.
   • For SSL certificate authentication: Enable Use certificate for clients, choose valid SSL certificate from the dropdown.
   • For PSK authentication: specify the PSK in Use preshared key. This password needs to be shared with Kerio Control users.
     
     

     Note: enabling MS-CHAP v2 authentication is also recommended.

2. Make sure to enable "User can connect using VPN" in Configuration > Users > Template.
   
3. For SSL certificate authentication, export the certificate in the PKCS#12 format from Configuration > SSL Certificates > right-click on certificate and Export.
   
   In the Export Certificate in PKCS#12 Format dialog, use a password without national characters.
   
   Check Include all certificates in the certification path if possible. The certificate should be distributed across Kerio Control Mac users.

Configuring built-in VPN on Mac

1. Go to System Preferences > Network.
2. In the Network dialog, click the + icon and add VPN.
3. Select the VPN interface and  L2TP over IPsec type. Click Create.
   
4. Specify Kerio Control server address (IP or FQDN) together with the Account Name (Kerio Control username).
   
5. Click Authentication Settings and specify Kerio Control user's password and PSK (Shared Secret) or select the imported certificate. Click OK to close the window.
   PSK Auth
   
   SSL certificate auth
   
6. Click Apply.
7. Click Connect. The VPN is now connected.
   

Important: this is a valid workaround for the latest M1-based Macbooks.

Importing the certificate