A VPN connection for macOS users can be established using the Kerio Control IPSec VPN server. VPN authentication can be configured by importing an SSL certificate or by using a Preshared Key (PSK).
This article provides details on how to connect to your company network through IPsec VPN and authenticate with an SSL certificate or Preshared Key.
Configuring Kerio Control
- Make sure to enable the IPSec VPN server in Kerio Control Webadmin > Interfaces > double-click VPN server.
- For SSL certificate authentication: enable Use certificate for clients and choose a valid SSL certificate from the dropdown.
- For PSK authentication: specify the PSK in Use preshared key. This password needs to be shared with Kerio Control users.
Note: enabling MS-CHAP v2 authentication is also recommended.
- Make sure to enable "User can connect using VPN" in Configuration > Users > Template.
- For SSL certificate authentication, export the certificate in the PKCS#12 format from Configuration > SSL Certificates > right-click on certificate and Export. In the Export Certificate in PKCS#12 Format dialog, use a password without national characters. Check Include all certificates in the certification path if possible. The certificate should be distributed to Kerio Control Mac users.
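The following script is an added example, not part of the original article or Kerio's tooling. It checks an exported bundle against the export step above before the file is distributed: the password must be printable ASCII, the file must open with it, and the script reports whether chain certificates were included. It assumes openssl is installed; the function names and the P12_PASS variable are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: sanity-check a PKCS#12 export before handing it to Mac users.
# Assumptions: openssl is installed; the export password is in $P12_PASS.

# Succeeds only if the password is non-empty printable ASCII
# (the export dialog asks for a password without national characters).
password_is_ascii() {
    [ -n "$1" ] || return 1
    # Delete every printable ASCII byte; any byte left over is a problem character.
    [ "$(printf '%s' "$1" | LC_ALL=C tr -d ' -~' | wc -c)" -eq 0 ]
}

# Prints how many certificates the bundle holds (0 if it cannot be opened).
# The password reaches openssl through the environment, not the argument list.
p12_cert_count() {
    P12_PASS_INTERNAL="$2" openssl pkcs12 -in "$1" \
        -passin env:P12_PASS_INTERNAL -nokeys 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

# Returns 0 = ready to distribute, 1 = bad password, 2 = bundle unreadable.
check_p12_export() {
    local file="$1" pass="$2" count
    if ! password_is_ascii "$pass"; then
        echo "password is empty or contains non-ASCII characters" >&2
        return 1
    fi
    count=$(p12_cert_count "$file" "$pass") || true
    if [ "${count:-0}" -eq 0 ]; then
        echo "cannot read any certificate from $file with this password" >&2
        return 2
    fi
    if [ "$count" -eq 1 ]; then
        echo "note: only one certificate found; no chain certificates included"
    fi
    echo "ok: $file opens and contains $count certificate(s)"
}

# Usage: P12_PASS='...' ./check_p12.sh Certificate.p12
if [ "$#" -eq 1 ]; then
    check_p12_export "$1" "${P12_PASS:-}"
fi
```

A count of one is expected for a self-signed certificate; for a CA-issued certificate it means Include all certificates in the certification path was not applied.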
Configuring built-in VPN on Mac
- Go to System Preferences > Network.
- In the Network dialog, click the + icon and add VPN.
- Select the VPN interface and L2TP over IPsec type. Click Create.
- Specify the Kerio Control server address (IP or FQDN) together with the Account Name (Kerio Control username).
- Click Authentication Settings and specify the Kerio Control user's password and the PSK (Shared Secret), or select the imported certificate. Click OK to close the window.
- Click Apply.
- Click Connect. The VPN is now connected.
Important: this is a valid workaround for the latest M1-based MacBooks.
Importing the certificate
- Double-click the distributed Certificate.p12.
- Enter the certificate password.
- In Keychain Access, double-click on the certificate. In the Trust section, choose the Always Trust option.
- The certificate is marked as Trusted.