[strongSwan] Mac OS X Application Configuration Help

Tobias Brunner tobias at strongswan.org
Wed Oct 16 10:52:40 CEST 2013

Hi Dan,

> What I meant to write was "The server side is *not* configured with
> leftsendcert=never"

I see :)

> I'm considering this resolved, even with the slight mystery
> around it not working with the lack of config.

No mystery at all, actually.  I now had a look at the code of charon-xpc
and the reason for this behavior is quite clear.  The option to send
certificate requests for installed CA certificates is disabled on the
client.  So because the default for leftsendcert is ifasked, the gateway
won't send its certificate.

The reason this option is disabled in the app, apparently, is the high
number of CA certificates that are installed on Mac OS X.  Sending that
many certificate requests increases the size of the IKE_AUTH message
significantly, which could cause problems with IP fragmentation.

I added a note about this on [1].


[1] http://wiki.strongswan.org/projects/strongswan/wiki/MacOSX
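Added example (not code from this mail or from strongSwan): it models the leftsendcert decision described above and encodes an IKEv2 CERTREQ payload for a constructed trust store, so the size growth that leads to fragmentation is visible. Payload layout follows RFC 7296 section 3.7; the 600-byte figure for the rest of IKE_AUTH and the 170 CA count are assumptions.

```python
import hashlib
import struct

PAYLOAD_HDR_LEN = 4          # generic IKEv2 payload header: next, flags, length
CERT_ENCODING_X509_SIG = 4   # "X.509 Certificate - Signature"
CA_HASH_LEN = 20             # SHA-1 of each CA's SubjectPublicKeyInfo


def gateway_sends_cert(leftsendcert: str, certreq_received: bool) -> bool:
    """Does the gateway include its certificate in IKE_AUTH?"""
    policy = leftsendcert.lower()
    if policy in ("never", "no"):
        return False
    if policy in ("always", "yes"):
        return True
    if policy == "ifasked":          # strongSwan default
        return certreq_received
    raise ValueError(f"unknown leftsendcert value: {leftsendcert!r}")


def build_certreq_payload(ca_spkis, next_payload=0) -> bytes:
    """Encode one IKEv2 CERTREQ payload carrying a hash for every CA."""
    hashes = b"".join(hashlib.sha1(spki).digest() for spki in ca_spkis)
    body = bytes([CERT_ENCODING_X509_SIG]) + hashes
    header = struct.pack("!BBH", next_payload, 0, PAYLOAD_HDR_LEN + len(body))
    return header + body


def certreq_len_for(ca_count: int) -> int:
    """Size of a CERTREQ payload listing ca_count CAs."""
    return PAYLOAD_HDR_LEN + 1 + CA_HASH_LEN * ca_count


def fits_in_mtu(ca_count: int, mtu: int = 1500, other_bytes: int = 600) -> bool:
    """Rough check whether IKE_AUTH stays inside one MTU; other_bytes is an
    assumed budget for IDi, AUTH, SA, TS and the UDP/IP/encryption overhead."""
    return other_bytes + certreq_len_for(ca_count) <= mtu


if __name__ == "__main__":
    # Constructed trust store roughly the size of the Mac OS X root store.
    fake_spkis = [b"constructed CA public key %d" % i for i in range(170)]
    payload = build_certreq_payload(fake_spkis)
    print(len(payload), "bytes of CERTREQ; fits in one MTU:", fits_in_mtu(170))
    # No CERTREQ from the client leaves an ifasked gateway silent.
    print(gateway_sends_cert("ifasked", certreq_received=False))
    print(gateway_sends_cert("always", certreq_received=False))
```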

