[strongSwan] Strongswan + Mac OSX

Martin Willi martin at strongswan.org
Mon Sep 3 12:06:14 CEST 2012

Hi Claude,

> So far I had the VPN working in a hybrid mode where strongswan
> authenicates itself using its certificate and my Mac authenticates with
> username/groupname.

> When trying to authenticate the Mac with a signature, I get the
> following errors :

Your configuration indicates that you are using plain public key
authentication, without XAuth. How did you configure OS X to use plain
RSA signature authentication? From what I see, OS X only supports:

      * XAuth with PSK
      * XAuth with RSA
      * (and Mountain Lion now seems to properly supports "Hybrid Mode"
        if the group name contains the string "[hybrid]")

> conn RESTENA
>     keyexchange=ikev1
>     rightauth=pubkey
>     rightsourceip=%ikev1

If you want to use XAuth with RSA, try to set rightauth=pubkey, and

> generating ID_PROT response 0 [KE No CERTREQ NAT-D NAT-D ]
> sending packet: from[500] to[500]
> received packet: from[500] to[500]
> decryption failed, invalid length
> could not decrypt payloads
> integrity check failed

Hm, never seen that with certificates. Maybe a PSK is involved in the
key derivation, yielding to wrong encryption keys?


More information about the Users mailing list