[strongSwan] Mac OS X Application Configuration Help

Dan Diman dan.diman at certifi.net
Tue Oct 15 17:19:20 CEST 2013


Hello-

We have a working IKEv2 EAP-MSCHAPv2 VPN working with Windows 7 and Linux clients, but I am unable to get it working on my Mac (OS X 10.8.5, Intel, 64-bit), latest updates installed.

I have installed the certifying authority certificate in my System keychain, and have configured the VPN, but when I try to connect I get the following output in the log:

initiating IKE_SA Certifi VPC[6] to 54.236.231.10
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.1.175[63224] to x.x.x.x[4500] (884 bytes)
received packet: from x.x.x.x[4500] to 192.168.1.175[63224] (38 bytes)
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group MODP_2048, it requested MODP_1024
initiating IKE_SA Certifi VPC[6] to x.x.x.x
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.1.175[63224] to x.x.x.x[4500] (756 bytes)
received packet: from x.x.x.x[4500] to 192.168.1.175[63224] (312 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
local host is behind NAT, sending keep alives
remote host is behind NAT
establishing CHILD_SA Certifi VPC
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CP(ADDR DNS) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.1.175[65384] to x.x.x.x[4500] (412 bytes)
received packet: from x.x.x.x[4500] to 192.168.1.175[65384] (364 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
no trusted RSA public key found for 'vpn.enrfin.com'
generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
sending packet: from 192.168.1.175[65384] to x.x.x.x[4500] (76 bytes)

And I get a dialog box that says:

"Establishing Connection Certifi Failed:
Server authentication failed."

I'm not clear on whether or not I need to do something with the charon-xpc tarball if I simply install the Strongswan.app. I believe that I need the charon-xpc tarball if I build strongSwan from source, but do I need to do anything with it if I am installing the app?

The CA cert is installed in my System keychain, and is trusted.

Any suggestions or pointers would be greatly appreciated.

Thanks in advance!

-Dan

Dan Diman
dan.diman at certifi.net
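
Added example (not part of the original post and not strongSwan project code): a Python triage pass over a charon client log like the one in this message, reporting DH group fallbacks and the identity for which server authentication failed. The function name, the finding fields and the 2048-bit threshold are assumptions of this example; the sample lines are copied from the log above.

```python
import re

# Constructed sample input: lines copied from the log in the message above.
SAMPLE_LOG = """\
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group MODP_2048, it requested MODP_1024
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
parsed IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
no trusted RSA public key found for 'vpn.enrfin.com'
generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
"""

MESSAGE = re.compile(r"(parsed|generating) (\w+) (?:request|response) \d+ \[ (.*?) \]")
DH_FALLBACK = re.compile(r"peer didn't accept DH group (\w+), it requested (\w+)")
NO_TRUSTED_KEY = re.compile(r"no trusted (\w+) public key found for '([^']+)'")
MIN_MODP_BITS = 2048  # assumption of this example: smaller MODP groups count as weak


def triage(log_text):
    """Return findings (list of dicts) for a charon client log."""
    findings = []
    last_rx = (None, [])  # exchange type and payloads of the last parsed message
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if m := MESSAGE.search(line):
            direction, exchange, payloads = m.group(1), m.group(2), m.group(3).split()
            if direction == "parsed":
                last_rx = (exchange, payloads)
            elif "N(AUTH_FAILED)" in payloads:
                findings.append({"line": lineno, "kind": "auth_failed_sent"})
        elif m := DH_FALLBACK.search(line):
            bits = re.fullmatch(r"MODP_(\d+)", m.group(2))
            findings.append({
                "line": lineno, "kind": "dh_fallback",
                "proposed": m.group(1), "requested": m.group(2),
                "weak": bool(bits) and int(bits.group(1)) < MIN_MODP_BITS,
            })
        elif m := NO_TRUSTED_KEY.search(line):
            # Record which received message preceded the failure and whether it carried AUTH.
            findings.append({
                "line": lineno, "kind": "server_auth_failed",
                "key_type": m.group(1), "identity": m.group(2),
                "after": last_rx[0], "server_sent_auth": "AUTH" in last_rx[1],
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```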

