[strongSwan] Strongswan "native application" for OSX

Martin Willi martin at strongswan.org
Mon Dec 22 16:08:29 CET 2014


>      left=<public ip of the strongswan gateway on openwrt>
>      leftsubnet=<subnet behind the gateway>
>      leftfirewall=yes
>      lefthostaccess=yes
>      leftauth=pubkey
>      leftcert=gatewayCert.der

> Now I would like to have OSX connecting to it with the strongswan native 
> application, but I cannot get it to work and I am not sure which 
> certificates I should have in keychain on OSX. On android I only needed 
> the CA certificate.

You may install either the Gateway or the CA certificate, both should
work. Just make sure it is installed in the System keychain, as the
user/login keychain is not used by the IKE daemon.

> "no trusted RSA public key found for 'C=<masked>, O=<masked>, 
> CN=<masked>' where the DN matches my gatewayCertificate.

Usually you configure the hostname of the gateway on the client. The OS
X client uses this name as identity for the gateway, which implies that
the gateway must provide a certificate for this hostname.

So you should include that FQDN as subjectAltName in your gateway
certificate. This allows the client to find that certificate and verify
its peer. To use this name on the gateway as IKE identity, you should
set the leftid option to that hostname. This is the recommended way for
all clients, including those on Windows, Android and OS X.


More information about the Users mailing list