Some time ago I wrote a post on how to get a Cisco IP-Sec VPN working with client certificates on OS-X Lion. Now I upgraded to Mavericks and of course this broke my VPN connection again. Fortunately a friend already had the same problem on Mountain Lion and his fix also worked on Mavericks. To get my connections working on Mavericks I followed the instructions from my previous post: . After that I had to “allow all applications to access this item” on the certificate in Keychain.
Also see the last comment in https://discussions.apple.com/thread/4158642?start=15&tstart=0 saying to allow all access to the cert in Keychain.
I had already set the cert to be always “Trusted” but you have to expand the cert to get to the private key and always “Allow” access to it. It’s a different setting.
See the screenshot below.
Last week I tried to connect to a Windows 2012 server with the Microsoft Remote Desktop Client (2.1.1). This failed with an error: “You were disconnected from the Widows-based computer because of problems during the licensing protocol.”
I’ve searched online and some people suggest installing a beta version of the Microsoft RDP Client (version 2.1.2 or 2.12). This is not yet release by Microsoft but available from several sites. Before you try this, make sure the md5sum is consistent with known good versions.
I did try this version, but it did not make any difference. I tried switching to Cord, as this was working for some people. For me, again, it was not. This might be due to the version of Windows I was connecting to, which is Windows 2012 Server with the Licensing server enabled to allow multiple simultaneous logins.
It seems like Windows 2012 is configured by default to use NLA (Network Level Authentication). The only way I could connect from my Mac to this server is by disabling NLA in the group policy on the 2012 server:
Disable the Require user authentication for remote connections by using Network Level Authentication Group Policy setting.
This Group Policy setting is located in Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security and can be configured by using either the Local Group Policy Editor or the Group Policy Management Console (GPMC). Note that the Group Policy setting will take precedence over the setting configured in Remote Desktop Session Host Configuration or on the Remote tab.
other reference: http://frankdenneman.nl/2013/02/13/using-remote-desktop-connection-on-a-mac-switch-to-cord/
Since the Cisco VPN client does not work under OSX Lion anymore there was no easy way to connect with certificate authentication. It took some time but I managed to get it working under Lion with the build in VPN Client. Find the steps below to get the certificates imported and working with the VPN Client.
- Create key: openssl genrsa -des3 -out vpn-cert2.key 1024
- Create CSR (make sure that the CN is a simple name, no spaces or special characters): openssl req -new -key vpn-cert2.key -out vpn-cert2.csr
- Request certificate with your CA
- Create a p12 file from the key and the certificate: openssl pkcs12 -export -inkey vpn-cert2.key -in certnew-3.cer -out vpn.p12
- Import the p12 file (containing the key and certificate) in the system keychain (not the login keychain, that doesn’t work): sudo security import vpn.p12 -k /Library/Keychains/System.keychain
- If needed you can import the CA in your keychain and trust the imported certificate: sudo security add-trusted-cert -k /Library/Keychains/System.keychain root.ca.pem
Note:Make sure that if you import your own CA, that you do it this way. Otherwise the VPN server certificate will not be verified correctly.
To use the certificate for VPN authentication do the following:
- Open System Preferences
- Go to Network
- Click + to add network interface, Select Interface: VPN, VPN Type: Cisco IPSec
- Click Create
- In the Server Address type the hostname of the firewall. This is really important. The firewall has a certificate configured on the FQDN. Make sure the server address is the name of the certificate in the firewall. This FQDN can be found in the trustpoint configuration (see below)
- Enter the username
- Click Authentication Settings
- Select Certificate and Click Select
- Select the correct certificate that you just imported
- Click OK
- Click Apply
When you are not able to select the certificate you created the problem is that the CN is not supported. Make sure the CN that you used to create the CSR does not contain spaces or special characters.
Firewall trustpoint config:
crypto ca trustpoint CA1
subject-name CN=fw.xxxx.com,OU=IT,O=XXX Limited,C=NL,St=NH,L=Amsterdam
I use a MacBook Pro for daily use and have a Mac Mini as my media center. While iTunes has a lot of great functions (I love Genius), it does not have a simple way to have to standalone iTunes libraries and sync songs between the two. Sure you can share the music while you’re on the same LAN, or over the Internet (eg. http://www.simplifymedia.com/index.html), it does not have a simple function to synchronize a library between two computers. The following article describes how to use rsync to keep two libraries exactly the same.
I found a second way to synchronize the songs that were missing on the iTunes library on my MacMini from the iTunes library on my MacBook. I used the following steps:
- Share the iTunes folder on the source (/Users/username/Music/iTunes)
- Mount the iTunes folder on the destination
- Open iTunes and select the ‘Add to Library’ option
- Select the mounted iTunes folder
iTunes now automatically selects the missing songs and add them locally to the library. This may take some time.