[strongSwan] Mac OS X 10.9 Mavericks - StrongSwan Native Application - constraint checking failed

Martin Willi martin at strongswan.org
Fri Nov 1 10:35:53 CET 2013


Hi Fred,

> I am trying to get the mac osx native application to connect to it
> (tested 5.1.0-4 and 5.1.1-1) using strongswan installed via homebrew. 

I assume you are referring to our new OS X App with the GUI? There is no
external dependency; no homebrew packages required for it.

> 13[IKE] authentication of 'CN=vpn-host.subdomain.domain.com' with EAP successful
> 13[CFG] constraint check failed: identity 'vpn-host.subdomain.domain.com' required 

Your server authenticates with the Distinguished Name
'CN=vpn-host.subdomain.domain.com' as IKE identity. That currently does
not work with the OS X App, because the client requires an FQDN identity
of vpn-host.subdomain.domain.com.

I'll prepare a new release of the App that allows identity matching
against certificate subjectAltNames (instead of the strict IDr
matching). That should enable the same behavior as on Android.

In the meantime, you may check if there is a way to configure the server
to send an FQDN instead of a DN as IDr. Not sure if/how this can be done
with Windows Server.

> OS x version is 10.9 mavericks.

> 000 (-[OS_xpc_connection_xref_dispose]+0x11) [0x7fff870b51ce]

That Mavericks crasher should have been fixed with 5.1.1-1.

Regards
Martin
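
A simplified model of the two matching policies described in the message above, added here as an illustration; it is not strongSwan's code and not part of the original e-mail. The class and function names are hypothetical, and the dNSName subjectAltName in the sample certificate is an assumed, constructed value.

```python
from dataclasses import dataclass, field

# IKEv2 identification types (RFC 7296, section 3.5)
ID_FQDN = 2
ID_DER_ASN1_DN = 9

@dataclass(frozen=True)
class Identity:
    id_type: int
    value: str

    def matches(self, other: "Identity") -> bool:
        # Types must agree: a DN never equals an FQDN, even when the CN text is the same.
        if self.id_type != other.id_type:
            return False
        if self.id_type == ID_FQDN:
            return self.value.lower() == other.value.lower()  # DNS names: case-insensitive
        return self.value == other.value

@dataclass
class PeerCert:
    """Stands for a server certificate whose chain has already been verified."""
    subject: Identity
    subject_alt_names: list = field(default_factory=list)

    def asserts(self, ident: Identity) -> bool:
        return ident.matches(self.subject) or any(
            ident.matches(san) for san in self.subject_alt_names)

def strict_idr_check(required: Identity, idr: Identity, cert: PeerCert) -> bool:
    """Strict policy: the IDr the server sent must itself equal the required identity."""
    return cert.asserts(idr) and idr.matches(required)

def san_check(required: Identity, idr: Identity, cert: PeerCert) -> bool:
    """Relaxed policy: IDr must belong to the certificate, and the required
    identity may be any identity (subject or subjectAltName) in that certificate."""
    return cert.asserts(idr) and cert.asserts(required)

# Constructed sample values, reusing the host name from the quoted log lines.
HOST = "vpn-host.subdomain.domain.com"
required = Identity(ID_FQDN, HOST)               # what the client is configured to expect
idr = Identity(ID_DER_ASN1_DN, "CN=" + HOST)     # what the server sends as IDr
cert_with_san = PeerCert(idr, [Identity(ID_FQDN, HOST)])  # assumed dNSName SAN
cert_without_san = PeerCert(idr)

if __name__ == "__main__":
    print("strict IDr match:", strict_idr_check(required, idr, cert_with_san))
    print("SAN match, cert has dNSName:", san_check(required, idr, cert_with_san))
    print("SAN match, cert lacks dNSName:", san_check(required, idr, cert_without_san))
```

The relaxed policy only helps when the server certificate actually carries the host name as a subjectAltName; a certificate with nothing but the CN still fails the check.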




