[strongSwan] setting up a mac os x client

Cindy Moore ctmoore at cs.ucsd.edu
Wed Dec 10 00:10:06 CET 2014


I'm trying to set up a mac os x client to use a certificate based
authentication.  I've created root and host (and client, w/private
key) certificates with ipsec pki, then created p12 packages and
successfully loaded them into the keychain on the mac I'm using.  On
the server side (ubuntu 14.04) of things I have

root at vpn:/etc# ipsec listcerts

List of X.509 End Entity Certificates:

  altNames:  vpn.example.edu
  subject:  "C=US, O=Example, CN=vpn.example.edu"
  issuer:   "C=US, O=Example, CN=strongSwan Root CA"
  serial:    [...]
  validity:  not before Dec 05 14:04:40 2014, ok
             not after  Dec 04 14:04:40 2016, ok
  pubkey:    RSA 2048 bits, has private key
  keyid:     [...]
  subjkey:   [...]
  authkey:   [...]
root at vpn:/etc# ipsec listcacerts

List of X.509 CA Certificates:

  subject:  "C=US, O=Example, CN=strongSwan Root CA"
  issuer:   "C=US, O=Example, CN=strongSwan Root CA"
  serial:    [...]
  validity:  not before Dec 05 14:02:35 2014, ok
             not after  Dec 02 14:02:35 2024, ok
  pubkey:    RSA 4096 bits
  keyid:     [...]
  subjkey:    [...]
  authkey:   [...]
root at vpn:/etc#

And then a pub/priv client key based on those.  I'd like to test this
with just certificate based requests for now (no username/passwords).

So I have (there ARE tabs on the settings, but email is borking them;
trust me the file format's fine, syslog records the connections just
fine):

conn %default
  ikelifetime=60m
  keylife=60m
  rekeymargin=3m
  keyingtries=1
  #vpn server
  left=[ipaddr]
  leftcert=vpnHostCert.pem
  # certificate based ID
  leftid="C=CH, O=strongSwan, CN=vpn.example.edu"
  leftsubnet=0.0.0.0/0
  #assign ip addr from this pool
  rightsourceip=[set of ip addrs]
  rightdns=[list of dns servers]

conn roadwarrior
  keyexchange=ikev2
  leftauth=pubkey
  right=%any
  rightid=%any
  rightauth=pubkey
  auto=add


I've been reading through this
https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile
and particularly the Certificate section.

Assuming I have 10.10 and above, is this what I need to do to set up
a vpn client??
I can't use system preferences/network to create a vpn connection?
I'm trying to make things as easy as possible for mac client users but
this is making my eyes bleed.

I'm not even clear on how I would send these to the client in
question.  They are loaded in just from connecting via browser to a
page with this info in it, or by reading an email (with what mail
client) with this in it??  And then there are magical new VPN connection
options that show up in AirPort afterwards?

Assuming I set up some kind of web page, would this be something I
could set up generally enough that I could just point all my mac
client users to it to set themselves up assuming I sent them their
personal certificates under separate cover?

Note that the first link on the strongswan page to the apple
configurator actually goes to some kind of business link -- perhaps
https://www.apple.com/support/business-education/apple-configurator/
is what was intended?

The developer link is interesting, and I assume the relevant info is
at the section https://developer.apple.com/library/mac/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html#//apple_ref/doc/uid/TP40010206-CH1-SW27

Note that I don't actually care if I use ikev1 or 2 -- if that makes a
difference in easier setup... I do assume if I have anything other
than yosemite on a mac os x client I'm hosed?  Surely there must be
options for older os x versions?

--Cindy
(yes, I was trying to set up a vpn server last September, got pulled
off that project to work on other things and am returning where I left
off :-/ )
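One detail worth checking before touching the Mac side at all: in the posted ipsec.conf, `leftid` is `"C=CH, O=strongSwan, CN=vpn.example.edu"`, while the server certificate shown by `ipsec listcerts` has the subject `"C=US, O=Example, CN=vpn.example.edu"`. strongSwan only accepts a `leftid` that the certificate actually confirms (its subject DN or one of its subjectAltNames); otherwise it logs a warning and falls back to the subject DN, and whatever identity the server ends up sending is what the client profile's remote identifier has to match. The script below is an added example (not part of the original post and not strongSwan's own code): it parses the `ipsec listcerts` output and the conn section quoted above (embedded here as constructed sample input) and reports identity mismatches. DN comparison is simplified to whitespace-insensitive string equality, which is an assumption good enough for the DNs on this page.

```python
import re

# Constructed sample input: the `ipsec listcerts` output and ipsec.conf quoted in the post.
LISTCERTS_OUTPUT = """\
List of X.509 End Entity Certificates:

  altNames:  vpn.example.edu
  subject:  "C=US, O=Example, CN=vpn.example.edu"
  issuer:   "C=US, O=Example, CN=strongSwan Root CA"
  validity:  not before Dec 05 14:04:40 2014, ok
             not after  Dec 04 14:04:40 2016, ok
  pubkey:    RSA 2048 bits, has private key
"""

IPSEC_CONF = """\
conn %default
  ikelifetime=60m
  #vpn server
  left=[ipaddr]
  leftcert=vpnHostCert.pem
  # certificate based ID
  leftid="C=CH, O=strongSwan, CN=vpn.example.edu"
  leftsubnet=0.0.0.0/0

conn roadwarrior
  keyexchange=ikev2
  leftauth=pubkey
  right=%any
  rightid=%any
  rightauth=pubkey
  auto=add
"""


def parse_listcerts(text):
    """Return a list of {subject, altNames, has_private_key} dicts from `ipsec listcerts` output."""
    certs = []
    cur = None
    for line in text.splitlines():
        m = re.match(r'\s+(\w+):\s+(.*)$', line)
        if not m:
            continue  # headers, blank lines and the 'not after' continuation line
        key, val = m.group(1), m.group(2).strip()
        if key == 'altNames':  # altNames precedes subject and opens a new certificate block
            cur = {'altNames': [a.strip() for a in val.split(',')], 'subject': None, 'has_private_key': False}
            certs.append(cur)
        elif key == 'subject':
            if cur is None or cur['subject'] is not None:  # certificate without altNames
                cur = {'altNames': [], 'subject': None, 'has_private_key': False}
                certs.append(cur)
            cur['subject'] = val.strip('"')
        elif key == 'pubkey' and cur is not None:
            cur['has_private_key'] = 'has private key' in val
    return certs


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} with the %default section merged into every conn."""
    conns = {}
    cur = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():  # section header such as 'conn roadwarrior'
            parts = line.split()
            cur = conns.setdefault(parts[1], {}) if parts[0] == 'conn' and len(parts) > 1 else None
            continue
        if cur is None or '=' not in line:
            continue
        key, _, val = line.strip().partition('=')
        cur[key.strip()] = val.strip().strip('"')
    default = conns.pop('%default', {})
    return {name: {**default, **opts} for name, opts in conns.items()}


def normalize_dn(dn):
    """Whitespace-insensitive DN form (assumption: RDN order and values must match exactly)."""
    return ', '.join(part.strip() for part in dn.split(','))


def check_identity(conn, certs, server_hostname):
    """Return a list of findings; an empty list means the server identity setup is consistent."""
    findings = []
    cert = next((c for c in certs if c['has_private_key']), None)
    if cert is None:
        return ['no end-entity certificate with a private key is loaded']
    confirmed_ids = {normalize_dn(cert['subject'])} | set(cert['altNames'])
    leftid = conn.get('leftid')
    if leftid is not None and normalize_dn(leftid) not in confirmed_ids:
        findings.append(f"leftid {leftid!r} is neither the subject DN {cert['subject']!r} "
                        f"nor a subjectAltName {cert['altNames']}; charon will fall back to the subject DN")
    if server_hostname not in cert['altNames']:
        findings.append(f"hostname {server_hostname!r} is not a subjectAltName of the server certificate")
    return findings


if __name__ == '__main__':
    conns = parse_ipsec_conf(IPSEC_CONF)
    for finding in check_identity(conns['roadwarrior'], parse_listcerts(LISTCERTS_OUTPUT), 'vpn.example.edu'):
        print('WARNING:', finding)
```

Run against the quoted configuration it reports the DN mismatch; setting `leftid` to the certificate's subject DN or to `vpn.example.edu` (the subjectAltName) makes the check pass. The second check matters for the client side: the hostname the Mac connects to should be a subjectAltName of the server certificate, which is what a certificate-validating client compares against.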

