[strongSwan] Strongswan + Mac OSX

Claude Tompers claude.tompers at restena.lu
Mon Sep 3 13:11:37 CEST 2012

Hi Martin,
> Hi Claude,
>> So far I had the VPN working in a hybrid mode where strongswan
>> authenicates itself using its certificate and my Mac authenticates with
>> username/groupname.
>> When trying to authenticate the Mac with a signature, I get the
>> following errors :
> Your configuration indicates that you are using plain public key
> authentication, without XAuth. How did you configure OS X to use plain
> RSA signature authentication? From what I see, OS X only supports:
I just defined the certificate in the Mac interface but did not enter a
username or password.
>       * XAuth with PSK
>       * XAuth with RSA
>       * (and Mountain Lion now seems to properly supports "Hybrid Mode"
>         if the group name contains the string "[hybrid]")
Xauth/PSK and Hybrid work just fine.
>> conn RESTENA
>>     keyexchange=ikev1
>>     rightauth=pubkey
>>     rightsourceip=%ikev1
> If you want to use XAuth with RSA, try to set rightauth=pubkey, and
> rightauth2=xauth.
I've just tried that. Except I used rightauth2=xauth-eap which shouldn't
change anything. The log output is exectly the same.
>> generating ID_PROT response 0 [KE No CERTREQ NAT-D NAT-D ]
>> sending packet: from[500] to[500]
>> received packet: from[500] to[500]
>> decryption failed, invalid length
>> could not decrypt payloads
>> integrity check failed
> Hm, never seen that with certificates. Maybe a PSK is involved in the
> key derivation, yielding to wrong encryption keys?
I've saved the p12 certificate in keychain's system store an set it
globally to 'Always trust'. The key in the p12 package was protected by
a password which I was asked on import, so I think that does not matter

kind regards,
> Regards
> Martin

Claude Tompers
Ingénieur réseau et système
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 259 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20120903/db5c66ff/attachment.pgp>

More information about the Users mailing list