[strongSwan] OS X strongSwan client

Claude Tompers claude.tompers at restena.lu
Wed Sep 18 14:00:35 CEST 2013


Hi Martin,

I'm running OS X 10.8.5.
I've installed the server certificate itself into the keychain and now
that part seems to work.
The connection still fails, though. I'll paste the client-side log
because I don't know exactly what it means.

EAP method EAP_MSCHAPV2 succeeded, MSK established
authentication of 'ctompers' (myself) with EAP
generating IKE_AUTH request 5 [ AUTH ]
sending packet: from 158.64.1.171[50209] to 158.64.1.53[4500] (92 bytes)
received packet: from 158.64.1.53[4500] to 158.64.1.171[50209] (300 bytes)
parsed IKE_AUTH response 5 [ AUTH CP(ADDR DNS DNS DNS6 U_DEF_DOMAIN
U_BANNER DNS6) SA TSi TSr ]
authentication of 'vpn.restena.lu' with EAP successful
IKE_SA Test[6] established between
158.64.1.171[ctompers]...158.64.1.53[vpn.restena.lu]
scheduling rekeying in 35450s
maximum IKE_SA lifetime 36050s
installing 158.64.1.25 as DNS server
installing 158.64.1.14 as DNS server
handling INTERNAL_IP6_DNS attribute failed
handling UNITY_DEF_DOMAIN attribute failed
handling UNITY_BANNER attribute failed
handling INTERNAL_IP6_DNS attribute failed
installing new virtual IP 158.64.122.140
created TUN device: utun1
virtual IP 158.64.122.140 did not appear on utun1
installing virtual IP 158.64.122.140 failed
no acceptable traffic selectors found
closing IKE_SA due CHILD_SA setup failure
sending DELETE for ESP CHILD_SA with SPI 31576d8e
generating INFORMATIONAL request 6 [ D ]
sending packet: from 158.64.1.171[50209] to 158.64.1.53[4500] (76 bytes)
received packet: from 158.64.1.53[4500] to 158.64.1.171[50209] (76 bytes)
parsed INFORMATIONAL response 6 [ D ]
deleting IKE_SA Test[6] between
158.64.1.171[ctompers]...158.64.1.53[vpn.restena.lu]
sending DELETE for IKE_SA Test[6]
generating INFORMATIONAL request 7 [ D ]
sending packet: from 158.64.1.171[50209] to 158.64.1.53[4500] (76 bytes)
received packet: from 158.64.1.53[4500] to 158.64.1.171[50209] (76 bytes)
parsed INFORMATIONAL response 7 [ ]
IKE_SA deleted

regards,
Claude


On 9/18/13 10:58 AM, Martin Willi wrote:
> Hi Claude,
>
>> I have some keychain problems. I have a CA certificate installed in the
>> system store and marked it as "Always Trust", but I still get a server
>> authentication failure.
>
> Both installing end entity and CA certificates to the Keychain as
> "Always Trust" works here on 10.8. Some notes:
>
>       * Certificates should go to the "System" keychain
>       * CA certificates must have the CA basicConstraint
>
> What version of OS X are you running?
>
> You might also try to tweak your syslogger to get the daemon startup log
> and check if there is something suspicious. To do so, for example add:
>
>  daemon.info          /var/log/daemon.log
>
> to /etc/syslog.conf and restart the syslogger with
>
>  launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
>  launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist
>
> During startup or any changes to the Keychain, you should see something
> like:
>
>  loaded 209 certificates from /System/Library/Keychains/...
>  loaded 12 certificates from /Library/Keychains/...
>
> Regards
> Martin
>

-- 
Claude Tompers
Network and systems engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
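
Added example, not part of the original message and not strongSwan code: a small Python triage of the client log quoted above that separates non-fatal notices from the first fatal event. The rule table, severities and function names are assumptions made for illustration; "attribute failed" lines are treated as warnings because the quoted exchange continues past them and is torn down only after the virtual IP could not be installed.

```python
import re

# Excerpt of the client log quoted in the message above, embedded so this runs offline.
SAMPLE_LOG = """\
installing 158.64.1.25 as DNS server
handling INTERNAL_IP6_DNS attribute failed
handling UNITY_DEF_DOMAIN attribute failed
handling UNITY_BANNER attribute failed
installing new virtual IP 158.64.122.140
created TUN device: utun1
virtual IP 158.64.122.140 did not appear on utun1
installing virtual IP 158.64.122.140 failed
no acceptable traffic selectors found
closing IKE_SA due CHILD_SA setup failure
"""

# (pattern, severity, description) - severities are this example's assumption.
RULES = [
    (re.compile(r"handling (\S+) attribute failed"), "warn",
     "unhandled config attribute {0}"),
    (re.compile(r"virtual IP (\S+) did not appear on (\S+)"), "fatal",
     "virtual IP {0} not assigned to {1}"),
    (re.compile(r"installing virtual IP (\S+) failed"), "fatal",
     "virtual IP {0} install failed"),
    (re.compile(r"no acceptable traffic selectors found"), "fatal",
     "traffic selector negotiation failed"),
    (re.compile(r"closing IKE_SA due CHILD_SA setup failure"), "fatal",
     "IKE_SA torn down after CHILD_SA failure"),
]

def triage(log_text):
    """Classify each log line; return the matched events in log order."""
    events = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for pattern, severity, what in RULES:
            m = pattern.search(line)
            if m:
                events.append({"line": lineno, "severity": severity,
                               "what": what.format(*m.groups())})
                break
    return events

def summarize(log_text):
    """Report the first fatal event (likely root cause), the chain after it, and warnings."""
    events = triage(log_text)
    fatal = [e for e in events if e["severity"] == "fatal"]
    warns = sorted({e["what"] for e in events if e["severity"] == "warn"})
    return {"root_cause": fatal[0] if fatal else None,
            "fatal_chain": [e["what"] for e in fatal], "warnings": warns}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```
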
