Configuring an IKEv2 IPsec connection from macOS to Arista NG Firewall

Overview

You can connect macOS devices to NG Firewall using IPsec VPN. This type of connection can use either L2TP or IKEv2. Both connection types use full tunnel so that all Internet traffic routes through the VPN tunnel.

Prerequisites

Before you can set up IPsec tunnels from macOS, you must properly configure NG Firewall with a fully qualified Internet hostname and matching certificates.

IMPORTANT: See Configuring NG Firewall For IPsec Tunnels for step by step instructions before continuing with the steps below.

Install the certificate in macOS

Note: If you use a signed SSL certificate from a trusted certificate authority, this step is not necessary.

To install the certificate on the macOS device:

1. Open a browser on the macOS device and navigate to http://your_firewall_host/cert
2. The browser downloads the certificate file. Locate this file in your downloads folder.
3. Open the file to add the certificate to your keychain.
   
4. Open the Keychain utility.
5. Search for the new certificate by your server's hostname.
   
6. Double click the certificate and choose Always Trust.
   

Step 2. Configure the VPN connection

1. On the macOS device go to System Preferences > Network.
2. Click the add icon to create a new connection.
3. Choose VPN.
4. Select IKEv2 as the VPN Type and assign a Service Name to your connection.
   
5. Click Create.
6. In the Server and Remote ID, enter the fully qualified hostname of your NG Firewall.
7. The Local ID remains empty.
   
8. Click Authentication Settings..., and choose Username and enter the credentials of a user in the local directory or Directory Connector app.
9. Click Ok, then Apply.