[teilo]

What boggles me about the VPN implementation on Mac is the massive amount of functionality that is not accessible unless you are using Apple Configurator to create a profile. Then you have to install the profile, and for any configuration change, you have to repeat the process.

For example, even though you can create a basic IKEv2 config, most of the parameters that are needed to actually make it work with a given router are not accessible except in Configurator. You cannot configure the encryption or hash algos, DH Group, group identifiers, etc.

And there is no access at all to other VPN types, such as a number of vendor-specific options, custom SSL, etc., even though they are supported.

Why can't there be advanced options for this stuff? It makes no sense.

[derefr]

You're supposed to be managing the deployment/delivery of Apple Configurator profiles through Server.app's MDM features. If that is in play, then the workflow looks like:

1. You navigate your device to the MDM web portal served from the Mac running Server.app;

2. the MDM portal recognizes your MAC address as a new device, and allows you to register it;

3. an MDM profile is auto-generated for you, which you download and install;

4. the MDM profile transparently manages/updates a real (Apple Configurator) profile, which has been customized by the MDM for any settings keyed specifically to your computer's MAC address.

Using Apple Configurator without MDM, just using Configurator .profile files, would be like using Windows Group Policy without Active Directory, just using GPO .cab files. It's possible, but just kinda silly.

[mirimir]

> Using Apple Configurator without MDM, just using Configurator .profile files, would be like using Windows Group Policy without Active Directory, just using GPO .cab files. It's possible, but just kinda silly.

I totally agree. But let's say that I setup an IKEv2 server in pfSense on some VPS. And now I want to connect to that with my macOS VM. There's no Mac server anywhere involved. And Apple Configurator is in fact the only way to configure the macOS client.

[teilo]

You are assuming that every use of VPN is captured in your scenario. It's not.

And I understand MDM perfectly well. I am the CIO of a company with 350 Macs managed through JAMF. Also, nobody in enterprise who knows what they are doing uses Mac Server. It's been a toy and a joke ever since Mavericks.

But what if I need a VPN connection for somewhere else? What if I'm a consultant with a Mac and trying to connect to a Windows shop?

[auslander]

> It's possible, but just kinda silly.

Why silly? In one .mobileconfig file, I created complex VPN config for my provider, with my own preferences, and loaded it without any MDM, to all my macs and iPhones.

[derefr]

Because, what happens when you want to update that config? Even if you're just doing it for your personal stuff, MDM means centralized push-based management.

[auslander]

I'm not centralized, I will just update my config myself. Simply clicking on new myvpn.mobileconfig file :)

[derefr]

I guess I just don't like the idea of forgetting to update a device that I rarely touch (e.g. my iPad) and then being unable to VPN home with it later when I do go to use it, from a café on vacation or something.

Much easier to just leave Server.app running on my iMac. (It's basically what Server.app is built for; it's certainly not targeted at enterprises!)

[cynix]

I've been trying to deploy configuration profiles containing IKEv2 VPN configs to macOS devices through MDM (Meraki SM) without success, even though the exact same profile works fine for iOS devices. There's very little logging on the device to help me diagnose the issue and it's been very frustrating.

[auslander]

log show --predicate 'subsystem == "com.apple.networkextension"' --info --last 50m

[pvg]

An opaque profile file that you double click and your VPN connectivity works makes as much, if not more sense for end users than endless screens of incomprehensible parameters.

[teilo]

No. There are plenty of setting an end user shouldn't normally poke around in, that are still accessible under something like an Advanced button, or are an Option-click away. This should be no different.

What if I'm a consultant, with a Mac, and I need to access a client's VPN? They aren't going to change their router just for me, and they aren't going to provide me an MDM profile.

[tptacek]

Why wouldn't they provide you an MDM profile? Lots of companies have committed in writing to ensuring that anyone with access to prod is using an endpoint registered with MDM; that comes up on self-assessment questionnaires.

The fact that opaque configuration makes it harder for randos to get temporary access to VPNs does not seem like a hardship from my vantage point of managing security teams.

[Mister_Snuggles]

> For example, even though you can create a basic IKEv2 config, most of the parameters that are needed to actually make it work with a given router are not accessible except in Configurator. You cannot configure the encryption or hash algos, DH Group, group identifiers, etc.

It seems like some of these, such as encryption, hash algorithm, and DH group, should be configured on the server side, not the client side. I know that in the IPSec world the peers are roughly equal, but in this scenario the Mac is definitely playing the role of client. Likewise, there is no ability to configure the traffic selectors, and I'd argue that there probably shouldn't be.

I agree that there should be more configuration exposed in the UI though.

EDIT: I spent about a half hour trying, unsuccessfully, to configure an IKEv2 connection on MacOS to a StrongSwan server. I suspect a configuration problem on the StrongSwan side, but the MacOS side is so opaque that it makes it hard to match up the configs properly.

EDIT2: I remember why I stopped trying to get IKEv2 working - the fact that Split-DNS is not in the protocol yet, but with IKEv1 I can use the Cisco Unity extensions to do it.

[rmwaite]

There is no such thing as a client in IPsec - only peers. Both peers must agree to the encryption and authentication parameters before the security association can form. Because of this it is crucial that you are able to adjust to match. Also, while modifying the encryption domain is probably not super likely, I don’t see a reason it shouldn’t be editable.

[Mister_Snuggles]

This is correct, and I basically said as much.

However, with a Mac you are most likely using the VPN in a roadwarrior scenario. In this case, I'd argue that one of the peers should decide on what encryption, authentication, etc should be used and the other peer (the roadwarrior Mac, in this case) should accept it.

In server-to-server or network-to-network scenarios, configuring both peers to match makes sense.

[auslander]

> other peer (the roadwarrior Mac, in this case) should accept it

The goal of proposals in not matching - it is finding minimum security both sides agree on. I would not accept it, if previously strong settings were suddenly downgraded. I, roadwarrior, have same rights and requirements as any server :)

[rmwaite]

I don’t disagree and this is why things like Wireguard are so attractive to people. But IPsec works the way it does mostly due to legacy and mostly because once you figure out the magic words it does work pretty well.

[mirimir]

Yes, indeed, and this is what I was expecting to see in the article. Sadly not so.

I can't imagine why they've done this. I suppose that it makes sense for enterprises that setup employees' devices. But if I'm using some third-party VPN service, it's a pain. And it's a special pain if I'm not using the latest macOS release, because then there's no way to install Apple Configurator!

[brazzledazzle]

Another thing to consider is Apple’s convergence of macOS and iOS. For better or worse this probably makes things much easier for them in terms of code sharing and hiding advanced features from users.

[auslander]

You can do all that in Apple Configurator profile. For IKEv2, all crypto parameters, DH, for child SA too, perfect forward secrecy, connect on demand, EAP auth. Works for me, I use same profile for Mac and iOS.

[izacus]

Umm, did you miss the point of the post you're answering to?

[auslander]

Yes. He wants a GUI for all possible options. I say no need, VPN providers can just provide mobileconfig file, or you can always make your own.

Or an app. But it works fine without installing 3p app, more secure.

[rmwaite]

But Configurator .. is a GUI.

[auslander]

But... he didn't like Configurator... "...unless you are using Apple Configurator to create a profile". Ok, I give up :)

[tinus_hn]

It’s just a text file so you can type it in TextEdit. Is that GUI enough?