<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif; ">
<div>Hello-</div>
<div><br>
</div>
<div>We have a working IKEv2 EAP-MSCHAPv2 VPN working with Windows 7 and Linux clients, but I am unable to get it working on my Mac (OS X 10.8.5, Intel, 64-bit), latest updates installed.</div>
<div><br>
</div>
<div>I have installed the certifying authority certificate in my System keychain, and have configured the VPN, but when I try to connect I get the following output in the log:</div>
<div><br>
</div>
<div>
<div>initiating IKE_SA Certifi VPC[6] to 54.236.231.10</div>
<div>generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]</div>
<div>sending packet: from 192.168.1.175[63224] to x.x.x.x[4500] (884 bytes)</div>
<div>received packet: from x.x.x.x[4500] to 192.168.1.175[63224] (38 bytes)</div>
<div>parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]</div>
<div>peer didn't accept DH group MODP_2048, it requested MODP_1024</div>
<div>initiating IKE_SA Certifi VPC[6] to x.x.x.x</div>
<div>generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]</div>
<div>sending packet: from 192.168.1.175[63224] to x.x.x.x[4500] (756 bytes)</div>
<div>received packet: from x.x.x.x[4500] to 192.168.1.175[63224] (312 bytes)</div>
<div>parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]</div>
<div>local host is behind NAT, sending keep alives</div>
<div>remote host is behind NAT</div>
<div>establishing CHILD_SA Certifi VPC</div>
<div>generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CP(ADDR DNS) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]</div>
<div>sending packet: from 192.168.1.175[65384] to x.x.x.x[4500] (412 bytes)</div>
<div>received packet: from x.x.x.x[4500] to 192.168.1.175[65384] (364 bytes)</div>
<div>parsed IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]</div>
<div>no trusted RSA public key found for 'vpn.enrfin.com'</div>
<div>generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]</div>
<div>sending packet: from 192.168.1.175[65384] to x.x.x.x[4500] (76 bytes)</div>
</div>
<div><br>
</div>
<div>And I get a dialog box that says:</div>
<div><br>
</div>
<div>"Establishing Connection Certifi Failed:</div>
<div>Server authentication failed."</div>
<div><br>
</div>
<div>I'm not clear on whether or not I need to do something with charon-xpc tarball if I simply install the Strongswan.app? I believe that I need the charon-xpc tarball if I build Strongswan from source, but do I need to do anything with it if I am installing
the app?</div>
<div><br>
</div>
<div>The CA cert is installed in my System keychain, and is trusted.</div>
<div><br>
</div>
<div>Any suggestions or pointers would be greatly appreciated.</div>
<div><br>
</div>
<div>Thanks in advance!</div>
<div><br>
</div>
<div>-Dan</div>
<div><br>
</div>
<div>Dan Diman</div>
<div>dan.diman@certifi.net</div>
<div><br>
</div>
<div><br>
</div>
</body>
</html>