[strongSwan] Mac OS X Application Configuration Help
tobias at strongswan.org
Tue Oct 15 22:10:01 CEST 2013
> The server side is configured with leftsendcert=never (took some time to
> confirm that). I think that the server presents the cert, but my Mac
> doesn't trust it, despite having the CA cert in the keychain (and set to
> be universally trusted).
No, with leftsendcert=never the server does *not* send the certificate.
That's exactly the point of that option. As can be seen in the log
below, the gateway only provides its signature in the AUTH payload but
no CERT payload with its certificate.
> parsed IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
Without having the gateway's certificate available, either locally or
sent by the gateway, the client can't verify that signature.
So you really have to either install the certificate on the client (as
you did with the CA cert) or change the leftsendcert option (either
remove it or set it to 'ifasked' or 'always').
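For reference, here is how the two gateway-side settings discussed above look in ipsec.conf. This is an added, constructed illustration, not the poster's or strongSwan's own configuration; the connection name, identity, certificate file name and EAP method are assumptions, only the leftsendcert values and their effect come from the thread.

```ini
# ipsec.conf on the gateway (constructed example; names are placeholders)
config setup

conn eap-clients
    keyexchange=ikev2
    left=%any
    leftid=@vpn.example.org          # assumed gateway identity
    leftcert=gatewayCert.pem         # assumed certificate file in /etc/ipsec.d/certs
    leftauth=pubkey
    # leftsendcert=never
    #   With this setting the gateway signs the AUTH payload but never includes
    #   a CERT payload. A client that does not already hold the gateway's
    #   certificate has nothing to verify the signature against and the
    #   IKE_AUTH exchange fails on the client side.
    leftsendcert=ifasked             # default: send the certificate if the peer requests it
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=eap-mschapv2           # assumed EAP method for the clients
    rightsendcert=never              # EAP clients have no certificate of their own to send
    eap_identity=%identity
    auto=add
```

With leftsendcert=ifasked (or always) the client log line quoted in the thread would list a CERT payload alongside IDr and AUTH in the IKE_AUTH response, which is the quickest way to confirm on the client that the gateway is now sending its certificate. The alternative the reply names, keeping leftsendcert=never and installing the gateway's end-entity certificate on the client, works as well, but it has to be the gateway certificate itself and not only the CA certificate, because without the CERT payload the client has no certificate to chain up to that CA.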