[英]Has anyone ever successfully connected a MAC to an Azure P2S network gateway? None of the documentation works for me
Starting with an empty directory:从一个空目录开始:
$ openssl genrsa -aes256 -out dcsAzureVPN.key 2048
$ openssl req -x509 -sha256 -new -key dcsAzureVPN.key -out dcsAzureVPN.cer -days 1825 -subj /CN="dcsAzureVPN"`
Successfully copied dcsAzureVPN.cer
to VPN gateway and saved (see attached screenshot)成功将
dcsAzureVPN.cer
复制到 VPN 网关并保存(见附件截图)
Generate Certificate Request (CSR)生成证书请求 (CSR)
$ openssl genrsa -out dcsAzureClientCert.key 2048
$ openssl req -new -out tjaClientCert.req -key dcsAzureClientCert.key -subj /CN="dcsAzureVPN"`
$ openssl x509 -req -sha256 -in tjaClientCert.req -out dcsAzureClientCert.cer -CAkey dcsAzureVPN.key -CA dcsAzureVPN.cer -days 1825 -CAcreateserial -CAserial serial
Signature ok
subject=/CN=dcsAzureVPN
$ openssl pkcs12 -export -out dcsAzureVPNClient.pfx -inkey dcsAzureClientCert.key -in dcsAzureClientCert.cer -certfile dcsAzureVPN.cer
Copy client cert to my Keychain将客户端证书复制到我的钥匙串
Make dcsAzure VPN a trusted cert.使 dcsAzure VPN 成为受信任的证书。
Select dcsAzureVPN as the client certificate for my VPN connection Select dcsAzureVPN 作为我的 VPN 连接的客户端证书
Try to connect.尝试连接。 Connection fails with an error: User Authentication failed
连接失败并出现错误:用户身份验证失败
What am I doing wrong?我究竟做错了什么?
You have to manually configure the native IKEv2 VPN client on every Mac that will connect to Azure.您必须在将连接到 Azure 的每台 Mac 上手动配置本机 IKEv2 VPN 客户端。 You could use these steps to configure the native VPN client on Mac for certificate authentication.
您可以使用这些步骤在 Mac 上配置本机 VPN 客户端以进行证书身份验证。
Moreover, you could refer to this to troubleshoot Point-to-Site VPN connections from Mac OS X VPN clients.此外,您可以参考此内容来解决来自 Mac OS X VPN 客户端的点到站点 VPN 连接问题。
Additionally, no matter what client OS you want to connect from, you must always have a client certificate.此外,无论您想从哪个客户端操作系统进行连接,都必须始终拥有客户端证书。 You can generate a client certificate from either a root certificate that was generated using an Enterprise CA solution or a self-signed root certificate.
您可以从使用企业 CA 解决方案生成的根证书或自签名根证书生成客户端证书。 See the PowerShell , MakeCert , or Linux instructions for steps to generate a client certificate.
有关生成客户端证书的步骤,请参阅PowerShell 、 MakeCert或Linux说明。
Please let me know if this works.请让我知道这是否有效。
I finally found the problem.我终于找到了问题所在。 It turns out the Local ID has to match the client certificate subject, not the name of your client certificate file.
事实证明,本地 ID 必须匹配客户端证书主题,而不是客户端证书文件的名称。
Whoever stumbles up on this solution: It is working if you change the Client certificate's subj from dcsAzureVPN to (for example) dcsAzureVPNSubj and use it in the connection tab for Local ID.谁偶然发现了这个解决方案:如果您将客户端证书的主题从 dcsAzureVPN 更改为(例如)dcsAzureVPNSubj 并在本地 ID 的连接选项卡中使用它,它就可以工作。
So instead of this:所以代替这个:
openssl req -new -out tjaClientCert.req -key dcsAzureClientCert.key -subj /CN="dcsAzureVPN"
Use this:用这个:
openssl req -new -out tjaClientCert.req -key dcsAzureClientCert.key -subj /CN="dcsAzureVPNSubj"
and use the dcsAzureVPNSubj for Local id on the MacOS VPN connection tab.并在 MacOS VPN 连接选项卡上使用 dcsAzureVPNSubj 作为本地 ID。
Worked on the following machine: 20.5.0 Darwin Kernel Version 20.5.0: root:«gibberish»/RELEASE_ARM64_T8101 arm64 Big Sur version: 11.4在以下机器上工作:20.5.0 Darwin Kernel 版本 20.5.0:root:«gibberish»/RELEASE_ARM64_T8101 arm64 Big Sur 版本:11.4
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.