<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
Nevermind…
<div class="">The solution to the problem is to have the subjectAltName in the server certificate (can be added with `--san [ip address]`)<br class="">
<div>
<blockquote type="cite" class="">
<div class="">On 6 Jul 2017, at 10:07, Nicolas Fitton &lt;<a href="mailto:NF@post-quantum.com" class="">NF@post-quantum.com</a>&gt; wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<span class=""></span><span class="">Hi all,</span><span class=""><br class="">
I can’t seem to find any Mac app test cases to research with, are there any? (I’ve looked on </span><a href="https://www.strongswan.org/testing/testresults/all.html" class="">https://www.strongswan.org/testing/testresults/all.html</a><span class="">)<br class="">
</span><span class="">My problem is that on the Mac app client I get the error:<br class="">
</span><span class=""><br class="">
</span>
<div class=""><span class="">```<br class="">
</span><span class="">constraint check failed: identity '[server ip]' required<br class="">
</span><span class="">```<br class="">
</span><span class=""><br class="">
</span><span class="">Server Log from connection attempt:<br class="">
</span><span class="">```<br class="">
</span><span class="">11[NET] received packet: from 46.249.xx.xx[13669] to 172.31.xx.xx[4500] (1124 bytes)<br class="">
11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]<br class="">
11[IKE] 46.249.xx.xx is initiating an IKE_SA<br class="">
11[IKE] local host is behind NAT, sending keep alives<br class="">
11[IKE] remote host is behind NAT<br class="">
11[IKE] DH group MODP_2048 inacceptable, requesting MODP_3072<br class="">
11[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) V ]<br class="">
11[NET] sending packet: from 172.31.xx.xx[4500] to 46.249.xx.xx[13669] (58 bytes)<br class="">
12[NET] received packet: from 46.249.xx.xx[13669] to 172.31.xx.xx[4500] (1252 bytes)<br class="">
12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]<br class="">
12[IKE] 46.249.xx.xx is initiating an IKE_SA<br class="">
12[IKE] local host is behind NAT, sending keep alives<br class="">
12[IKE] remote host is behind NAT<br class="">
12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) V ]<br class="">
12[NET] sending packet: from 172.31.xx.xx[4500] to 46.249.xx.xx[13669] (598 bytes)<br class="">
13[NET] received packet: from 46.249.xx.xx[56433] to 172.31.xx.xx[4500] (400 bytes)<br class="">
13[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) ]<br class="">
13[CFG] looking for peer configs matching 172.31.xx.xx[%any]…46.249.xx.xx[<a href="mailto:nf@post-quantum.com" class="">nf@post-quantum.com</a>]<br class="">
13[CFG] selected peer config 'rw'<br class="">
13[IKE] initiating EAP_MD5 method (id 0xDA)<br class="">
13[IKE] peer supports MOBIKE<br class="">
13[IKE] authentication of 'C=GB, O=Post-Quantum, CN=<a href="http://virtual.postquantum.net/" class="">virtual.postquantum.net</a>' (myself) with RSA_EMSA_PKCS1_SHA2_384 successful<br class="">
13[IKE] sending end entity cert "C=GB, O=Post-Quantum, CN=<a href="http://virtual.postquantum.net/" class="">virtual.postquantum.net</a>"<br class="">
13[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MD5 ]<br class="">
13[NET] sending packet: from 172.31.xx.xx[4500] to 46.249.xx.xx[56433] (2048 bytes)<br class="">
14[NET] received packet: from 46.249.xx.xx[56433] to 172.31.xx.xx[4500] (80 bytes)<br class="">
14[ENC] parsed INFORMATIONAL request 2 [ N(AUTH_FAILED) ]<br class="">
14[ENC] generating INFORMATIONAL response 2 [ N(AUTH_FAILED) ]<br class="">
14[NET] sending packet: from 172.31.xx.xx[4500] to 46.249.xx.xx[56433] (80 bytes)<br class="">
<br class="">
</span><span class="">```<br class="">
</span><span class=""><br class="">
</span><span class="">And Client log:<br class="">
</span><span class="">```<br class="">
</span><span class="">generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]<br class="">
</span><span class="">sending packet: from 10.3.xx.xx[49421] to 35.177.</span>xx.xx<span class="">[4500] (1124 bytes)<br class="">
</span><span class="">received packet: from 35.177.</span>xx.xx<span class="">[4500] to 10.3.</span>xx.xx<span class="">[49421] (58 bytes)<br class="">
</span><span class="">parsed IKE_SA_INIT response 0 [ N(INVAL_KE) V ]<br class="">
</span><span class="">received strongSwan vendor ID<br class="">
</span><span class="">peer didn't accept DH group MODP_2048, it requested MODP_3072<br class="">
</span><span class="">initiating IKE_SA Road Warrior[7] to 35.177.</span>xx.xx<span class=""><br class="">
</span><span class="">generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]<br class="">
</span><span class="">sending packet: from 10.3.xx.xx[49421] to 35.177.</span>xx.xx<span class="">[4500] (1252 bytes)<br class="">
</span><span class="">received packet: from 35.177.xx.xx[4500] to 10.3.</span>xx.xx<span class="">[49421] (598 bytes)<br class="">
</span><span class="">parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) V ]<br class="">
</span><span class="">local host is behind NAT, sending keep alives<br class="">
</span><span class="">remote host is behind NAT<br class="">
</span><span class="">establishing CHILD_SA Road Warrior<br class="">
</span><span class="">generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) ]<br class="">
</span><span class="">sending packet: from 10.3.</span>xx.xx<span class="">[49217] to 35.177.</span>xx.xx<span class="">[4500] (400 bytes)<br class="">
</span><span class="">received packet: from 35.177.</span>xx.xx<span class="">[4500] to 10.3.</span>xx.xx<span class="">[49217] (2048 bytes)<br class="">
</span><span class="">parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MD5 ]<br class="">
</span><span class="">received end entity cert "C=GB, O=Post-Quantum, CN=<a href="http://virtual.postquantum.net/" class="">virtual.postquantum.net</a>"<br class="">
</span><span class=""> using trusted ca certificate "C=GB, O=Post-Quantum, CN=Post-Quantum CA"<br class="">
</span><span class=""> reached self-signed root ca with a path length of 0<br class="">
</span><span class=""> using trusted certificate "C=GB, O=Post-Quantum, CN=<a href="http://virtual.postquantum.net/" class="">virtual.postquantum.net</a>"<br class="">
</span><span class="">authentication of 'C=GB, O=Post-Quantum, CN=<a href="http://virtual.postquantum.net/" class="">virtual.postquantum.net</a>' with RSA_EMSA_PKCS1_SHA384 successful<br class="">
</span><span class="">constraint check failed: identity '35.177.</span>xx.xx<span class="">' required <br class="">
</span><span class="">selected peer config 'Road Warrior' inacceptable: constraint checking failed<br class="">
</span><span class="">no alternative config found<br class="">
</span><span class="">generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]<br class="">
</span><span class="">sending packet: from 10.3.</span>xx.xx<span class="">[49217] to 35.177.</span>xx.xx<span class="">[4500] (80 bytes)```</span>
<div class=""><span class=""><br class="">
</span></div>
<div class="">The server is an AWS instance behind an EIP and has version: <span style="font-family: Monaco; font-size: 10px; background-color: rgba(255, 255, 255, 0.85098);" class="">Linux strongSwan U5.5.3</span></div>
<div class=""><span style="font-family: Monaco; font-size: 10px; background-color: rgba(255, 255, 255, 0.85098);" class="">Running: </span><span style="font-family: Monaco; font-size: 10px; background-color: rgba(255, 255, 255, 0.85098);" class="">Linux ip-172-31-xx-xx
4.4.0-1022-aws #31-Ubuntu SMP Tue Jun 27 11:27:55 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux</span></div>
<div class=""><span style="font-family: Monaco; font-size: 10px; background-color: rgba(255, 255, 255, 0.85098);" class=""><br class="">
</span></div>
<div class=""><span style="font-family: Monaco; font-size: 10px; background-color: rgba(255, 255, 255, 0.85098);" class="">Any help is greatly appreciated.</span></div>
<div class=""><font face="Monaco" size="1" class=""><span style="background-color: rgba(255, 255, 255, 0.85098);" class="">Regards</span></font></div>
<div class=""><font face="Monaco" size="1" class=""><span style="background-color: rgba(255, 255, 255, 0.85098);" class="">Nick</span></font></div>
</div>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
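<div class="">Added example, not from the thread or from strongSwan: a shell check that builds a test server certificate with and without a subjectAltName and reports whether a given peer identity (here the IP the Mac client required) is present, so the constraint check can be verified before the certificate is deployed. It assumes openssl is installed; 203.0.113.10 and vpn.example.test are constructed placeholders.</div>

```shell
#!/bin/sh
# Added example, not from the thread: build a test server certificate with
# and without a subjectAltName, then check which identities it can satisfy.
# The client in the thread required the identity '[server ip]', so the SAN
# must carry that IP (iPAddress) or the client must be told to expect the
# FQDN instead. All values below are constructed placeholders.
FQDN=vpn.example.test
PUBLIC_IP=203.0.113.10

# make_server_cert DIR SAN: self-signed test certificate via openssl.
# SAN may be empty to reproduce the broken setup (CN only, no SAN).
# With strongSwan's own tool the equivalent is (assumed usage):
#   pki --issue ... --dn "C=GB, O=Example, CN=$FQDN" --san $PUBLIC_IP --san $FQDN
make_server_cert() {
    dir="$1"; san="$2"
    {
        printf '[req]\nprompt = no\ndistinguished_name = dn\nx509_extensions = v3_srv\n'
        printf '[dn]\nC = GB\nO = Example\nCN = %s\n' "$FQDN"
        printf '[v3_srv]\nbasicConstraints = CA:FALSE\n'
        if [ -n "$san" ]; then printf 'subjectAltName = %s\n' "$san"; fi
    } > "$dir/req.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/req.cnf" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
}

# cert_has_san_identity CERT ID: exit 0 if ID appears in the SAN as an
# "IP Address" or "DNS" entry (the two forms an IKEv2 peer ID usually maps to).
cert_has_san_identity() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' \
        | grep -qx -e "IP Address:$2" -e "DNS:$2"
}

# report CERT ID: human-readable verdict; never fails, so it is safe at top level.
report() {
    if cert_has_san_identity "$1" "$2"; then
        echo "$2: present in SAN"
    else
        echo "$2: missing from SAN; a client requiring this identity fails the constraint check"
    fi
}

# Demo: the thread's broken state (CN only) versus the fixed certificate.
work=$(mktemp -d)
make_server_cert "$work" ""
echo "cert without SAN:"; report "$work/cert.pem" "$PUBLIC_IP"
make_server_cert "$work" "IP:$PUBLIC_IP,DNS:$FQDN"
echo "cert with SAN:"; report "$work/cert.pem" "$PUBLIC_IP"; report "$work/cert.pem" "$FQDN"
rm -rf "$work"
```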
</body>
</html>