[strongSwan] Strongswan + Mac OSX

Claude Tompers claude.tompers at restena.lu
Mon Sep 17 13:11:53 CEST 2012

On 09/06/2012 03:04 PM, Claude Tompers wrote:
> On 09/06/2012 12:20 PM, Martin Willi wrote:
>> Claude,
>>> The other Mountain Lion had the exact same behaviour as mine (also
>>> 10.8.1),
>> Strange, as my 10.8.1 works just fine.
>>> the one with Lion installed 'only' complained about not being
>>> able to verify the server certificate.
>> Please be aware that Hybrid authentication did not work correctly in
>> Lion, failing with a certificate validation error. You'll have to use a
>> client certificate on Lion.
>>> I also found this topic in an Apple Forum [...] I'm wondering if that
>>> problem is related.
>> Hard to say. One thing to consider with Mountain Lion is that
>> certificates now need a proper ACL on the private key for authentication
>> (set to racoon). This might be the problem with that L2TP/IPsec issue,
>> but not with Hybrid authenticated clients (and your error, the profile
>> installer sets ACLs just fine).
>> You may try to test against our revobox demo setup [1] that uses
>> strongSwan and works fine here. An iOS / OS X profile is available at
>> [2], after installation you should be able to connect with "tester" /
>> "test". If this works, something is wrong with your setup, if not,
>> something with your Mac.
>> Regards
>> Martin
>> [1] http://demo.revosec.ch/
>> [2] https://master.revosec.net/device/mobileconfig/62IUAFQH/62IUAFQH.mobileconfig
> Hi Martin,
> Thanks for the test. My MacBook says it could not validate the server
> certificate.
> At least this shows that my MacBook isn't completely broken.
> If you want to have a look at the logs, my machine's IP address is
> or 2001:a18:1:8:.....
> The connection works on my iPhone.
> The setup on Lion as well as on Mountain Lion uses a client certificate.
> So this time, I'm not in a hybrid environment.
> kind regards,
> Claude

Testwise, I created a new CA with the ipsec pki tool according to your
wiki page (Mac + IKEv1). (My old CA is done with TinyCA).
With those certificates I get the same result as for the revobox setup,
but still no connection on Mountain Lion or Lion.

kind regards,

Claude Tompers
Network and systems engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
