Description:
This document describes the configuration steps necessary to set up an IKEv1 VPN connection between a LANCOM router and the Apple VPN client in MacOS X as of version 10.11 El Capitan.

In 2019, the IETF (Internet Engineering Task Force) designated IKEv1 as deprecated and insecure, and it should therefore no longer be used. LANCOM Systems recommends using the current standard IKEv2 instead.

The IKEv1 functionality in LANCOM devices remains intact and can still be used for scenarios where devices without IKEv2 support are used. However, LANCOM Systems will not provide any support for troubleshooting connection problems with IKEv1 connections, and there will be no bug fixes or new features for IKEv1.

In rare cases a disconnect can occur during rekeying. In such a case it can be useful to increase the lifetimes, so that the disconnects occur less often.

The configuration of an IKEv2 connection between the built-in VPN client in macOS and a LANCOM router is described in this Knowledge Base article.



Requirements:



Procedure:
1) Configuration steps on the router
1.1) In the Setup Wizard, select the option Provide remote access (RAS, VPN) and click on Next.
1.2) In the next dialog, select VPN client with user-defined parameters as the option for remote VPN client. Continue the configuration by clicking on Next.
1.3) In the next dialog, enter a name for the VPN connection (e.g. APPLE_VPN).

You will need the name you enter here later when you come to set up the VPN connection in the VPN client (it is used as Account name). It is therefore advisable to note down the name of the VPN connection.

1.4) In the following dialog you have to first select the Preshared Key and Aggressive Mode option.
1.5) Then enter any combination of characters you wish in the Preshared Key field. After entering your character combination, a second window will open for you to repeat the input.

You will need the character combination you enter here as the Preshared Key later, when you set up the VPN connection in the VPN client (it is used as Shared Secret). It is therefore advisable to note down the character combination of the preshared key.

1.6) In the following dialog, check that IKE group 2 is set. If this is not the case, select the option to edit the default IKE parameters and, in the next dialog, set this to IKE group 2.
1.7) In the following dialog window, select the entry Key ID (group name) for each of the items Local identity type and Remote identity type.
1.8) Enter an identity in each of the fields Local identity and Remote identity (here: apple_vpn).

You will need the names you enter here as Local identity and Remote identity later, when you set up the VPN connection in the VPN client (they are used as Group name). It is therefore advisable to note down the names you use for Local identity and Remote identity.

1.9) In the next dialog window you must deactivate the option Use the PFS algorithm for this connection, as this is not supported by the VPN client. Then click on Next to continue.
1.10) In this dialog, make sure that all of the encryption algorithms are selected.
1.11) In this dialog you keep the default parameters.
1.12) In the subsequent dialog, enter the local IP address that is to be assigned to the VPN client when the VPN connection is established in the IP address field. Click on Next.
1.13) In the next dialog you can choose to restrict access for the VPN client to specific networks. In this example we have allowed the VPN client to reach all IP addresses.
1.14) Click on Next and, in the final dialog, confirm the end of the Setup Wizard by clicking on the Finish button.
1.15) The settings you made will now be transferred to the router’s configuration.
1.16) After the settings have been successfully transferred to the router, you must perform a right mouse-click on the router and select the option Configure from the context menu.
1.17) Select VPN → IKE/IPSec → General → Connection list.
1.18) In the connection list, mark the VPN connection with the name APPLE_VPN and click on the Edit... button.
1.19) In the Edit Entry window, change the value of the XAUTH field to the Server option.
1.20) Click on the OK button to accept the changed setting and to close the dialog window.
1.21) Select Communication → Protocols → PPP list.
1.22) Click on the Add option and, in the dialog that follows, select from the Remote site option the remote site you configured in configuration step 1.3 (here: APPLE_VPN).
1.23) You do not need to enter anything in the User name field.
1.24) Enter a password of your choice in the Password field.

You will need the password you enter here later, when you set up the VPN connection in the VPN client (it is used as Password). It is therefore advisable to note down this password.

1.25) Click on the OK button to accept the changed setting and to close the dialog window.

1.26) In the configuration dialog, click on the OK button to finish manual configuration and to transfer the changed settings to the router. The configuration of the LANCOM VPN gateway is now complete.



2) Configuring the VPN client in MacOS X as of version 10.11 El Capitan

2.1) In the Network configuration dialog window, click on the + button (marked red in the figure below) and select the option VPN (Cisco IPSec).

2.2) Enter the following in the fields Server Address, Account Name and Password:

  • Server address: Enter the public IP address or the DynDNS address where the LANCOM router can be reached.
  • Account name: Enter the name that you assigned to the VPN connection in step 1.3 of the LANCOM configuration (in this example it is apple_vpn).
  • Password: Enter the password that you assigned in step 1.24 of the LANCOM configuration.
2.3) Click the Authentication settings... button.
2.4) In the Machine Authentication dialog, select the Shared Secret option and enter the character combination in the input field that you assigned in step 1.5 of the LANCOM configuration.
2.5) In the Group Name field enter the name that you assigned as the Local identity and the Remote identity in step 1.8 of the LANCOM configuration (in this example it is apple_vpn).
2.6) Click on the OK button to accept your settings.
2.7) If you wish, you can click on the option Advanced... in the Network configuration dialog and assign additional DNS servers for the VPN tunnel.
2.8) Click on the OK button to accept the data and return to the Network configuration dialog.
2.9) If you wish to have a better view of the status of the VPN connection you should activate the option Show VPN status in menu bar.
2.10) Click on the Connect button to establish the VPN connection.
2.11) The VPN client has now been successfully configured.
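
The client settings from section 2 can also be written as a macOS configuration profile and installed instead of being typed into the dialogs. The following is an added example, not LANCOM's own material: the server name vpn.example.com, the payload identifiers and the display names are constructed, and the preshared key and password are randomly generated here rather than freely chosen.

```python
import os
import plistlib
import secrets
import uuid


def new_secret(nbytes=16):
    """Random hex string (128 bit by default) for the preshared key or password."""
    return secrets.token_hex(nbytes)


def build_profile(server, account, group, psk, password):
    """Map the values noted during the router configuration to a VPN profile."""
    vpn = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.lancom.vpn.ipsec",  # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "LANCOM IKEv1 VPN",             # constructed
        "UserDefinedName": "LANCOM VPN",          # name shown in Network settings
        "VPNType": "IPSec",                       # "VPN (Cisco IPSec)" in the GUI
        "IPSec": {
            "RemoteAddress": server,                 # Server address (2.2)
            "AuthenticationMethod": "SharedSecret",  # Machine Authentication (2.4)
            "SharedSecret": psk.encode("utf-8"),     # stored as plist <data>
            "LocalIdentifierType": "KeyID",          # Key ID (group name), step 1.7
            "LocalIdentifier": group,                # Group Name (2.5)
            "XAuthEnabled": 1,                       # router side: XAUTH = Server
            "XAuthName": account,                    # Account name (2.2)
            "XAuthPassword": password,               # Password (2.2)
        },
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.lancom.vpn",  # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "LANCOM VPN profile",     # constructed
        "PayloadContent": [vpn],
    }


if __name__ == "__main__":
    profile = build_profile("vpn.example.com", "APPLE_VPN", "apple_vpn",
                            new_secret(), new_secret())
    # The profile holds both secrets in clear text: create it owner-readable only.
    fd = os.open("lancom-vpn.mobileconfig", os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as fh:
        plistlib.dump(profile, fh)
```

The same preshared key and password must be entered on the router (Preshared Key field and PPP list entry). Delete the generated file once the profile is installed, since it contains both values in clear text.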