<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">I'm having a problem getting macOS working with strongSwan, and would greatly appreciate assistance.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The exact same Certs work fine when installed on an iOS client, so the Certs aren't obviously broken, and the .conf works fine for iOS as well. The swanctl.conf snippet, Certs, and log snippet from working iOS connection follow.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The error in the system log shows near the very end of authenticating the connection:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Jul 05 12:09:42 pvn charon-systemd[39509]: received fragment #2 of 2, reassembled fragmented IKE message (960 bytes)<o:p></o:p></p>
<p class="MsoNormal">Jul 05 12:09:42 pvn charon-systemd[39509]: parsed IKE_AUTH request 7 [ EAP/RES/TLS ]<o:p></o:p></p>
<p class="MsoNormal">Jul 05 12:09:42 pvn charon-systemd[39509]: received TLS peer certificate 'C=US, O=pvn-strongSwan,
<a href="mailto:CN=len-mac-pvn@myvpn.net">CN=len-mac-pvn@myvpn.net</a>'<o:p></o:p></p>
<p class="MsoNormal">Jul 05 12:09:42 pvn charon-systemd[39509]: received TLS intermediate certificate 'C=US, O=pvn-strongSwan, CN=strongSwan pvn Root CA'<o:p></o:p></p>
<p class="MsoNormal">Jul 05 12:09:42 pvn charon-systemd[39509]: no trusted certificate found for 'len-mac-pvn@mypvn.net' to verify TLS peer<o:p></o:p></p>
<p class="MsoNormal">Jul 05 12:09:42 pvn charon-systemd[39509]: sending fatal TLS alert 'certificate unknown'<o:p></o:p></p>
<p class="MsoNormal">Jul 05 12:09:42 pvn charon-systemd[39509]: generating IKE_AUTH response 7 [ EAP/REQ/TLS ]<o:p></o:p></p>
<p class="MsoNormal">Jul 05 12:09:42 pvn charon-systemd[39509]: sending packet: from 192.168.92.5[4500] to ex.te.rn.al[4500] (96 bytes)<o:p></o:p></p>
<p class="MsoNormal">Jul 05 12:09:42 pvn charon-systemd[39509]: received packet: from ex.te.rn.al[4500] to 192.168.92.5[4500] (144 bytes)<o:p></o:p></p>
<p class="MsoNormal">Jul 05 12:09:42 pvn charon-systemd[39509]: parsed IKE_AUTH request 8 [ EAP/RES/TLS ]<o:p></o:p></p>
<p class="MsoNormal">Jul 05 12:09:42 pvn charon-systemd[39509]: EAP method EAP_TLS failed for peer
<a href="mailto:len-mac-pvn@mypvn.net">len-mac-pvn@mypvn.net</a><o:p></o:p></p>
<p class="MsoNormal">Jul 05 12:09:42 pvn charon-systemd[39509]: generating IKE_AUTH response 8 [ EAP/FAIL ]<o:p></o:p></p>
<p class="MsoNormal">Jul 05 12:09:42 pvn charon-systemd[39509]: sending packet: from 192.168.92.5[4500] to ex.te.rn.al[4500] (80 bytes)<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I've checked that the .p12 and (self-signed) Root CA Certs are both in the system keychain. Thinking that maybe the Root CA Cert needed to be in the System Roots keychain, tried to put it there, but MacOS said "No, they should be in the
system keychain". The Root CA Cert is marked as trusted for all users, for all usages.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I'd appreciate any definitive answers, good guesses, etc. This has me totally baffled!<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks!<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">swanctl.conf VPN Configuration Details:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"># Configuration written by pistrong makeMyCA V3.1 on Tue 07 Jun 2022 09:51:24 AM PDT<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">conn-defaults {<o:p></o:p></p>
<p class="MsoNormal"> version = 2<o:p></o:p></p>
<p class="MsoNormal"> send_certreq = yes<o:p></o:p></p>
<p class="MsoNormal"> send_cert = always<o:p></o:p></p>
<p class="MsoNormal"> unique = never<o:p></o:p></p>
<p class="MsoNormal"> fragmentation = yes<o:p></o:p></p>
<p class="MsoNormal"> # Force esp encapsulation for restrictive firewalls<o:p></o:p></p>
<p class="MsoNormal"> encap = yes<o:p></o:p></p>
<p class="MsoNormal"> dpd_delay = 120s<o:p></o:p></p>
<p class="MsoNormal"> rekey_time = 0s<o:p></o:p></p>
<p class="MsoNormal"> pools = primary-pool-ipv4<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"> local {<o:p></o:p></p>
<p class="MsoNormal"> auth = pubkey<o:p></o:p></p>
<p class="MsoNormal"> cacerts = strongSwanCACert.pem<o:p></o:p></p>
<p class="MsoNormal"> }<o:p></o:p></p>
<p class="MsoNormal">}<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">remote-defaults {<o:p></o:p></p>
<p class="MsoNormal"> remote {<o:p></o:p></p>
<p class="MsoNormal"> id = %any<o:p></o:p></p>
<p class="MsoNormal"> }<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">}<o:p></o:p></p>
<p class="MsoNormal">child-defaults {<o:p></o:p></p>
<p class="MsoNormal"> net {<o:p></o:p></p>
<p class="MsoNormal"> dpd_action = clear<o:p></o:p></p>
<p class="MsoNormal"> rekey_time = 0s<o:p></o:p></p>
<p class="MsoNormal"> updown = /usr/lib/ipsec/_updown iptables<o:p></o:p></p>
<p class="MsoNormal"> }<o:p></o:p></p>
<p class="MsoNormal">}<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">connections {<o:p></o:p></p>
<p class="MsoNormal"> conn-ios : conn-defaults, remote-defaults {<o:p></o:p></p>
<p class="MsoNormal"> proposals = aes256-sha256-modp2048, aes256-sha256-modp1024,aes256-sha1-modp1024<o:p></o:p></p>
<p class="MsoNormal"> local {<o:p></o:p></p>
<p class="MsoNormal"> certs = ios-strongSwanVPNCert.pem<o:p></o:p></p>
<p class="MsoNormal"> id = ios.mydomain.com<o:p></o:p></p>
<p class="MsoNormal"> }<o:p></o:p></p>
<p class="MsoNormal"> remote {<o:p></o:p></p>
<p class="MsoNormal"> auth = eap-tls<o:p></o:p></p>
<p class="MsoNormal"> }<o:p></o:p></p>
<p class="MsoNormal"> children {<o:p></o:p></p>
<p class="MsoNormal"> net : child-defaults {<o:p></o:p></p>
<p class="MsoNormal"> local_ts = 0.0.0.0/0<o:p></o:p></p>
<p class="MsoNormal"> esp_proposals = aes256-sha256<o:p></o:p></p>
<p class="MsoNormal"> }<o:p></o:p></p>
<p class="MsoNormal"> }<o:p></o:p></p>
<p class="MsoNormal"> }<o:p></o:p></p>
<p class="MsoNormal">}<o:p></o:p></p>
<p class="MsoNormal"><o:p></o:p></p>
<p class="MsoNormal">pools {<o:p></o:p></p>
<p class="MsoNormal"> primary-pool-ipv4 {<o:p></o:p></p>
<p class="MsoNormal"> addrs = 10.92.10.0/24<o:p></o:p></p>
<p class="MsoNormal"> dns = 192.168.92.3<o:p></o:p></p>
<p class="MsoNormal"> }<o:p></o:p></p>
<p class="MsoNormal">}<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Formatted CA and VPN Cert:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">[CA Certificate /etc/swanctl/x509ca/strongSwanCACert.pem]<o:p></o:p></p>
<p class="MsoNormal"> subject: "C=US, O=pvn-strongSwan, CN=strongSwan pvn Root CA"<o:p></o:p></p>
<p class="MsoNormal"> issuer: "C=US, O=pvn-strongSwan, CN=strongSwan pvn Root CA"<o:p></o:p></p>
<p class="MsoNormal"> validity: not before Jun 06 12:59:04 2022, ok<o:p></o:p></p>
<p class="MsoNormal"> not after Jun 03 12:59:04 2032, ok (expires in 3620 days)<o:p></o:p></p>
<p class="MsoNormal"> serial: 38:94:d1:8e:7f:32:28:90<o:p></o:p></p>
<p class="MsoNormal"> flags: CA CRLSign self-signed <o:p></o:p></p>
<p class="MsoNormal"> subjkeyId: 04:63:b7:4e:12:5b:6c:b4:3f:fb:5d:e3:f6:9c:43:6e:3f:69:3b:0e<o:p></o:p></p>
<p class="MsoNormal"> pubkey: RSA 4096 bits<o:p></o:p></p>
<p class="MsoNormal"> keyid: de:8c:21:84:30:3c:34:13:84:65:41:60:5f:e0:66:c0:0a:d2:54:0a<o:p></o:p></p>
<p class="MsoNormal"> subjkey: 04:63:b7:4e:12:5b:6c:b4:3f:fb:5d:e3:f6:9c:43:6e:3f:69:3b:0e<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">[VPN Host Certificate /etc/swanctl/x509/ios-strongSwanVPNCert.pem]<o:p></o:p></p>
<p class="MsoNormal"> subject: "C=US, O=pvn-strongSwan, CN=pvn.mydomain.com"<o:p></o:p></p>
<p class="MsoNormal"> issuer: "C=US, O=pvn-strongSwan, CN=strongSwan pvn Root CA"<o:p></o:p></p>
<p class="MsoNormal"> validity: not before Jun 06 12:59:18 2022, ok<o:p></o:p></p>
<p class="MsoNormal"> not after Jun 03 12:59:18 2032, ok (expires in 3620 days)<o:p></o:p></p>
<p class="MsoNormal"> serial: 10:dc:bf:05:81:c0:e4:06<o:p></o:p></p>
<p class="MsoNormal"> altNames: ios.mydomain.com, pvn.mydomain.com<o:p></o:p></p>
<p class="MsoNormal"> flags: serverAuth ikeIntermediate <o:p></o:p></p>
<p class="MsoNormal"> authkeyId: 04:63:b7:4e:12:5b:6c:b4:3f:fb:5d:e3:f6:9c:43:6e:3f:69:3b:0e<o:p></o:p></p>
<p class="MsoNormal"> subjkeyId: d0:1b:b4:b8:67:df:64:07:ef:14:f1:e7:92:80:c6:8f:7f:e4:1b:94<o:p></o:p></p>
<p class="MsoNormal"> pubkey: RSA 4096 bits<o:p></o:p></p>
<p class="MsoNormal"> keyid: 3f:a6:74:2d:4e:24:6a:78:17:80:7f:29:92:ba:62:29:19:70:69:aa<o:p></o:p></p>
<p class="MsoNormal"> subjkey: d0:1b:b4:b8:67:df:64:07:ef:14:f1:e7:92:80:c6:8f:7f:e4:1b:94<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Formatted User Cert:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"> subject: "C=US, O=pvn-strongSwan, <a href="mailto:CN=len-mac-pvn@myvpn.net">
CN=len-mac-pvn@myvpn.net</a>"<o:p></o:p></p>
<p class="MsoNormal"> issuer: "C=US, O=pvn-strongSwan, CN=strongSwan pvn Root CA"<o:p></o:p></p>
<p class="MsoNormal"> validity: not before Jul 01 10:08:33 2022, ok<o:p></o:p></p>
<p class="MsoNormal"> not after Jun 30 10:08:33 2024, ok (expires in 725 days)<o:p></o:p></p>
<p class="MsoNormal"> serial: 0b:94:f4:e8:50:7b:71:a2<o:p></o:p></p>
<p class="MsoNormal"> altNames: <a href="mailto:len-mac-pvn@myvpn.net">len-mac-pvn@myvpn.net</a><o:p></o:p></p>
<p class="MsoNormal"> flags: <o:p></o:p></p>
<p class="MsoNormal"> authkeyId: 04:63:b7:4e:12:5b:6c:b4:3f:fb:5d:e3:f6:9c:43:6e:3f:69:3b:0e<o:p></o:p></p>
<p class="MsoNormal"> subjkeyId: 2f:a3:94:ed:03:c6:5c:e2:29:c7:42:7e:67:2e:d4:4c:91:a2:a2:fe<o:p></o:p></p>
<p class="MsoNormal"> pubkey: RSA 2048 bits<o:p></o:p></p>
<p class="MsoNormal"> keyid: be:8a:71:45:9c:de:9b:94:83:8e:0f:e7:d1:26:b4:58:a2:01:07:7b<o:p></o:p></p>
<p class="MsoNormal"> subjkey: 2f:a3:94:ed:03:c6:5c:e2:29:c7:42:7e:67:2e:d4:4c:91:a2:a2:fe<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The exact same Certs when connected from an iOS device yield this set of authentication log entries:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Jul 05 11:52:30 pvn charon-systemd[39509]: received fragment #2 of 2, reassembled fragmented IKE message (960 bytes)<o:p></o:p></p>
<p class="MsoNormal">Jul 05 11:52:30 pvn charon-systemd[39509]: parsed IKE_AUTH request 7 [ EAP/RES/TLS ]<o:p></o:p></p>
<p class="MsoNormal">Jul 05 11:52:30 pvn charon-systemd[39509]: received TLS peer certificate 'C=US, O=pvn-strongSwan,
<a href="mailto:CN=len-mac-pvn@myvpn.net">CN=len-mac-pvn@myvpn.net</a>'<o:p></o:p></p>
<p class="MsoNormal">Jul 05 11:52:30 pvn charon-systemd[39509]: received TLS intermediate certificate 'C=US, O=pvn-strongSwan, CN=strongSwan pvn Root CA'<o:p></o:p></p>
<p class="MsoNormal">Jul 05 11:52:30 pvn charon-systemd[39509]: using trusted ca certificate "C=US, O=pvn-strongSwan, CN=strongSwan pvn Root CA"<o:p></o:p></p>
<p class="MsoNormal">Jul 05 11:52:30 pvn charon-systemd[39509]: checking certificate status of "C=US, O=pvn-strongSwan,
<a href="mailto:CN=len-mac-pvn@myvpn.net">CN=len-mac-pvn@myvpn.net</a>"<o:p></o:p></p>
<p class="MsoNormal">Jul 05 11:52:30 pvn charon-systemd[39509]: certificate status is not available<o:p></o:p></p>
<p class="MsoNormal">Jul 05 11:52:30 pvn charon-systemd[39509]: reached self-signed root ca with a path length of 0<o:p></o:p></p>
<p class="MsoNormal">Jul 05 11:52:30 pvn charon-systemd[39509]: using trusted certificate "C=US, O=pvn-strongSwan,
<a href="mailto:CN=len-mac-pvn@myvpn.net">CN=len-mac-pvn@myvpn.net</a>"<o:p></o:p></p>
<p class="MsoNormal">Jul 05 11:52:30 pvn charon-systemd[39509]: generating IKE_AUTH response 7 [ EAP/REQ/TLS ]<o:p></o:p></p>
<p class="MsoNormal">Jul 05 11:52:30 pvn charon-systemd[39509]: sending packet: from 192.168.92.5[4500] to ex.te.rn.al[4500] (160 bytes)<o:p></o:p></p>
<p class="MsoNormal">Jul 05 11:52:30 pvn charon-systemd[39509]: received packet: from ex.te.rn.al[4500] to 192.168.92.5[4500] (80 bytes)<o:p></o:p></p>
<p class="MsoNormal">Jul 05 11:52:30 pvn charon-systemd[39509]: parsed IKE_AUTH request 8 [ EAP/RES/TLS ]<o:p></o:p></p>
<p class="MsoNormal">Jul 05 11:52:30 pvn charon-systemd[39509]: EAP method EAP_TLS succeeded, MSK established<o:p></o:p></p>
<p class="MsoNormal">Jul 05 11:52:30 pvn charon-systemd[39509]: generating IKE_AUTH response 8 [ EAP/SUCC ]<o:p></o:p></p>
<p class="MsoNormal">Jul 05 11:52:30 pvn charon-systemd[39509]: sending packet: from 192.168.92.5[4500] to ex.te.rn.al[4500] (80 bytes)<o:p></o:p></p>
<p class="MsoNormal">Jul 05 11:52:30 pvn charon-systemd[39509]: received packet: from ex.te.rn.al[4500] to 192.168.92.5[4500] (112 bytes)<o:p></o:p></p>
<p class="MsoNormal">Jul 05 11:52:30 pvn charon-systemd[39509]: parsed IKE_AUTH request 9 [ AUTH ]<o:p></o:p></p>
<p class="MsoNormal">Jul 05 11:52:30 pvn charon-systemd[39509]: authentication of 'len-mac-pvn@myvpn.net' with EAP successful<o:p></o:p></p>
<p class="MsoNormal">Jul 05 11:52:30 pvn charon-systemd[39509]: authentication of 'ios.mydomain.com' (myself) with EAP<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>