• Connecting to OSX VPN from Windows XP to 10

    In an environment that is 95% MAC, we leverage OSX server for a lot of things as it is a simple server to deploy and manage. The most useful tool for us is the VPN which allows us to access the file shares and other services on the local network at the office when working remotely. Recently we have been introducing Windows PC’s back into the workflow and connecting natively from these to the OSX VPN posed a number of issues.

    Our OSX server VPN sits behind the router that the office so NAT traversal needs to be taken into consideration. The following are the steps provided by both Apple and Microsoft for editing the registry to allow this.

    Getting the VPN to work with all versions of Windows, the following steps needed to be taken first:

    1. Open Regedit.exe. How you open this varies version to version, long story short, find the regedit.exe or type it into the run dialog box.

    2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent

    3. Backup this registry entry – select File -> Export and save the file in case you need it.

    4. Make sure PolicyAgent is still selected, then from the Edit menu, choose New and select DWORD (32-bit) Value.

    5. Edit the name of the value to: AssumeUDPEncapsulationContextOnSendRule

    6. Double click the newly created “AssumeUDPEncapsulationContextOnSendRule” and set the Value data to 2.

    7. Click okay and close registry.

    Now we need to modify the ‘Local Security Policy’. This is done by opening the secpol.msc either directly or via run.

    1. Find and run secpol.msc

    2. Open Local Policies -> Security Options -> Network Security: LAN Manager authentication level

    3. In the drop-down list, select “Send LM & NTLM – use NTMLv2 session security if negotiated”.

    4. In the same section locate “Network security: Minimum session security for NTML SSP based (including secure RPC) clients”.

    5. Uncheck “Require 128-bit encryption”.

    6. Close security policy and restart.

    So now that the above is complete, this is enough for SOME people to be able to connect to the OSX VPN. There are many others though that still cannot connect at this point, as it was for us. The FINAL step we had to do to make this work was on Windows systems prior to version 10, we had to make the following adjustment when setting up the VPN connection properties:

    Without disabling Include Windows Logon Domain, we were not able to authenticate to the VPN.

    In Windows 10, this setting is not present. However there is another registry edit you can perform that will allow the OSX VPN to work with Windows 10.

    1. Open the registry editor again and navigate to -> HKLM\SYSTEM\CurrentControlSet\Control\Lsa.

    2. Locate the LmCompatibilityLevel and set it to 3. This will change the authentication channel as channels 0-2 will not work since they are in the same channel protocol as the encapsulation.


    Leave a reply