Not a Mac person at all so I need some help here. From what my Mac-using colleagues told me, the Macs come with a built-in VPN client. The company has recently reviewed the security standards and IPsec VPN connections using AggressiveMode are no longer permitted. I have checked the RA VPNs and only the Macs use AG.
So, is there a (preferably free) VPN client that can be set up to use MM?
VPN gateway is a Cisco ASA. My boss refuses to pay the license fees for the AnyConnect client so we are still using the IPsec client.
First, they’re likely using aggressive mode because your ASA is configured to allow it. Change the ASA config and your problem may be solved.
Other than that, though, look into the “Apple Configurator” app, which lets you generate highly-configurable VPN profiles, which you can distribute to your users. With this approach, you’ll have access to set all the IPSec parameters you’d expect, including Main/Aggressive mode.
We have been (and are) using various ASA models with classic IPSec VPN for Macs as well as AnyConnect in the more recent years. Never used Aggressive Mode though.
That would be expected, unless the VPN clients had some built-in logic to cycle through modes if the connection fails. Common sense dictates that a change to main mode on the VPN server needs to be tied to switching the VPN client configs to do main mode as well.
Can you configure the Mac to not use AM? If yes, how?
Unfortunately I don’t have a Mac to play around with so I need to figure out how it works before I shove one of our Mac users away from their computer to change the VPN settings…
You build a VPN configuration profile using the aforementioned Apple Configurator, and then deploy that to the user’s machine. Apple exposes precious few configuration parameters through the GUI, so you need to do it by building a plist file with your desired configuration.
That’s unfortunate. Then the obvious choices are either to stay on aggressive mode, or switch to a client that can do main, but I clearly don’t need to tell you that.