

Has anyone ever successfully connected a Mac to an Azure P2S network gateway? None of the documentation works for me

Starting with an empty directory:

  1. Generate the CA root private key
     $ openssl genrsa -aes256 -out dcsAzureVPN.key 2048
  2. Generate a CA root certificate
     $ openssl req -x509 -sha256 -new -key dcsAzureVPN.key -out dcsAzureVPN.cer -days 1825 -subj /CN="dcsAzureVPN"
  3. Successfully copied dcsAzureVPN.cer to the VPN gateway and saved it (see attached screenshot)
  4. Generate a certificate signing request (CSR)
     $ openssl genrsa -out dcsAzureClientCert.key 2048
     $ openssl req -new -out tjaClientCert.req -key dcsAzureClientCert.key -subj /CN="dcsAzureVPN"
  5. Generate the signed client certificate from the CSR
     $ openssl x509 -req -sha256 -in tjaClientCert.req -out dcsAzureClientCert.cer -CAkey dcsAzureVPN.key -CA dcsAzureVPN.cer -days 1825 -CAcreateserial -CAserial serial
     Signature ok
     subject=/CN=dcsAzureVPN
  6. Pack the key and certificate in .pfx format
     $ openssl pkcs12 -export -out dcsAzureVPNClient.pfx -inkey dcsAzureClientCert.key -in dcsAzureClientCert.cer -certfile dcsAzureVPN.cer
  7. Copy the client cert to my Keychain
  8. Make dcsAzureVPN a trusted cert.
  9. Select dcsAzureVPN as the client certificate for my VPN connection
 10. Try to connect. The connection fails with an error: User Authentication failed

What am I doing wrong?

You have to manually configure the native IKEv2 VPN client on every Mac that will connect to Azure. You could use these steps to configure the native VPN client on Mac for certificate authentication.

Moreover, you could refer to this to troubleshoot Point-to-Site VPN connections from Mac OS X VPN clients.

Additionally, no matter what client OS you want to connect from, you must always have a client certificate. You can generate a client certificate from either a root certificate that was generated using an Enterprise CA solution or a self-signed root certificate. See the PowerShell, MakeCert, or Linux instructions for steps to generate a client certificate.

Please let me know if this works.

I finally found the problem. It turns out the Local ID has to match the client certificate subject, not the name of your client certificate file.

Whoever stumbles upon this solution: it is working if you change the client certificate's subject from dcsAzureVPN to (for example) dcsAzureVPNSubj and use it in the connection tab for Local ID.

So instead of this:

openssl req -new -out tjaClientCert.req -key dcsAzureClientCert.key -subj /CN="dcsAzureVPN"

Use this:

openssl req -new -out tjaClientCert.req -key dcsAzureClientCert.key -subj /CN="dcsAzureVPNSubj"

and use dcsAzureVPNSubj for Local ID on the macOS VPN connection tab.

Worked on the following machine: 20.5.0 Darwin Kernel Version 20.5.0: root:«gibberish»/RELEASE_ARM64_T8101 arm64, Big Sur version: 11.4
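The fix above in script form, as an added example that is not code from the question or either answer: it generates the root and client certificates the way the question does, gives the client a CN distinct from the root's, checks that the client cert actually chains to the root uploaded to the gateway, and reads the client cert's subject CN back out so that the Local ID field gets the value the certificate really carries rather than a file name. The file names, scratch directory and .pfx password are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread: build a self-signed root and a
# root-signed client certificate with openssl, check that the client cert
# chains to the root, and print the subject CN that the macOS IKEv2 client
# expects in its "Local ID" field. File names and the .pfx password are
# assumptions; the subject names are the ones used in the thread.
set -eu

WORKDIR="${1:-$(mktemp -d)}"   # scratch directory (assumed)

# Root CA key and self-signed root cert; the root cert is what is uploaded
# to the Azure P2S gateway as a trusted root.
make_root() {
    openssl genrsa -out "$WORKDIR/root.key" 2048 2>/dev/null
    openssl req -x509 -sha256 -new -key "$WORKDIR/root.key" \
        -out "$WORKDIR/root.cer" -days 1825 -subj "/CN=$1"
}

# Client key, CSR and root-signed client cert, bundled into a .pfx for
# Keychain import. The CN given here is the identity the client presents;
# it must match Local ID, and it must not be the root's CN.
make_client() {
    openssl genrsa -out "$WORKDIR/client.key" 2048 2>/dev/null
    openssl req -new -key "$WORKDIR/client.key" \
        -out "$WORKDIR/client.req" -subj "/CN=$1"
    openssl x509 -req -sha256 -in "$WORKDIR/client.req" \
        -out "$WORKDIR/client.cer" -CA "$WORKDIR/root.cer" \
        -CAkey "$WORKDIR/root.key" -CAcreateserial -days 1825 2>/dev/null
    openssl pkcs12 -export -out "$WORKDIR/client.pfx" \
        -inkey "$WORKDIR/client.key" -in "$WORKDIR/client.cer" \
        -certfile "$WORKDIR/root.cer" -passout pass:changeit   # password assumed
}

# Succeeds only if the client cert validates against the root the gateway trusts.
verify_chain() {
    openssl verify -CAfile "$WORKDIR/root.cer" "$WORKDIR/client.cer" >/dev/null 2>&1
}

# Subject CN of the client cert, i.e. the exact string to enter as Local ID.
local_id() {
    openssl x509 -in "$WORKDIR/client.cer" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//; s/^CN=//'
}

main() {
    make_root "dcsAzureVPN"
    make_client "dcsAzureVPNSubj"
    if verify_chain; then echo "client certificate chains to root: OK"
    else echo "client certificate does not chain to root" >&2; return 1; fi
    echo "Local ID for the macOS VPN connection: $(local_id)"
}

main "$@"
```

The .pfx is what gets imported into Keychain; the printed Local ID is the value to type into the connection tab, and the chain check catches a client cert signed by a root other than the one saved on the gateway.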
