[strongSwan] Mac OS X Application Configuration Help

Dan Diman dan.diman at certifi.net
Tue Oct 15 23:08:09 CEST 2013


Wow - what a difference one word makes.  I need to proofread.  (And
apologize)

What I meant to write was "The server side is *not* configured with
leftsendcert=never" - in fact, when I was trying it before, it did not
have configuration for leftsendcert at all, and the default seems to be
ifasked if I'm reading the doc right?

In any event, when we included leftsendcert=always on the server side, we
were able to connect successfully from my Mac, but we were not able to
connect with no configuration for leftsendcert, and also not able to
connect with leftsendcert=ifasked.

Thanks again for all your help, and especially for the very prompt
responses; I'm considering this resolved, even with the slight mystery
around it not working with the lack of config.

-Dan
dan.diman at certifi.net



On 10/15/13 3:10 PM, "Tobias Brunner" <tobias at strongswan.org> wrote:

>Hi Dan,
>
>> The server side is configured with leftsendcert=never (took some time to
>> confirm that).  I think that the server presents the cert, but my Mac
>> doesn't trust it, despite having the CA cert in the keychain (and set to
>> be universally trusted).
>
>No, with leftsendcert=never the server does *not* send the certificate.
>That's exactly the point of that option.  As can be seen in the log
>below, the gateway only provides its signature in the AUTH payload but
>no CERT payload with its certificate.
>
>> parsed IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
>
>Without having the gateway's certificate available, either locally or
>sent by the gateway, the client can't verify that signature.
>
>So you really have to either install the certificate on the client (as
>you did with the CA cert) or change the leftsendcert option (either
>remove it or set it to 'ifasked' or 'always').
>
>Regards,
>Tobias
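As an added illustration (not part of the thread, and not strongSwan's own code), a small Python checker that parses charon's `parsed IKE_AUTH response N [ ... ]` payload list, as quoted above, and reports whether the gateway included a CERT payload alongside its AUTH payload; the sample log lines, function names and the `have_gateway_cert_locally` flag are constructed for this example. The remedy text follows Tobias' advice: ship the gateway certificate to the client, or set leftsendcert to 'ifasked' or 'always' (or drop it, since 'ifasked' is the default).

```python
import re
from typing import List, Optional

# Matches charon's "parsed <exchange> <request|response> <msgid> [ payloads ]" lines.
PARSED_RE = re.compile(
    r"parsed (?P<exchange>\w+) (?P<dir>request|response) (?P<msgid>\d+) "
    r"\[ (?P<payloads>[^\]]*)\]"
)

# Constructed sample log lines: the failing case from the thread, and a
# gateway that does send its certificate (leftsendcert=ifasked/always).
LOG_NO_CERT = ["charon: 05[ENC] parsed IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]"]
LOG_WITH_CERT = ["charon: 05[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]"]

REMEDY = {
    "missing-cert": "gateway signed (AUTH) but sent no CERT payload: install its "
                    "certificate on the client or set leftsendcert=ifasked/always "
                    "(or remove leftsendcert, ifasked is the default)",
    "verifiable": "gateway certificate available; signature can be verified",
    "no-ike-auth-response": "no IKE_AUTH response with an AUTH payload in the log",
}

def parse_payloads(line: str) -> Optional[dict]:
    """Return exchange, direction, message id and payload list, or None."""
    m = PARSED_RE.search(line)
    if not m:
        return None
    return {
        "exchange": m.group("exchange"),
        "dir": m.group("dir"),
        "msgid": int(m.group("msgid")),
        "payloads": m.group("payloads").split(),
    }

def diagnose_ike_auth(log_lines: List[str], have_gateway_cert_locally: bool = False) -> str:
    """Find the first IKE_AUTH response carrying AUTH and decide whether the
    client has what it needs to verify the gateway's signature."""
    for line in log_lines:
        info = parse_payloads(line)
        if not info or info["exchange"] != "IKE_AUTH" or info["dir"] != "response":
            continue
        if "AUTH" not in info["payloads"]:
            continue  # e.g. a later EAP round trip without the gateway signature
        if "CERT" in info["payloads"] or have_gateway_cert_locally:
            return "verifiable"
        return "missing-cert"
    return "no-ike-auth-response"

if __name__ == "__main__":
    for log in (LOG_NO_CERT, LOG_WITH_CERT):
        print(REMEDY[diagnose_ike_auth(log)])
```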