[strongSwan] setting up for mac os x clients to connect to strongswan
Cindy Moore
ctmoore at cs.ucsd.edu
Tue Sep 16 00:26:10 CEST 2014
I'm not entirely sure what's going on here. I think it's a question
of what certs I give out, but I know relatively little about macs,
other than that they want certificates packaged up in pkcs format.
Now, it looks like the connection gets established, but then something
upchucks. From vpn.example.com's /var/log/syslog:
Sep 15 15:12:39 vpn charon: 12[IKE] IKE_SA roadwarrior[41] state
change: CONNECTING => ESTABLISHED
Sep 15 15:12:39 vpn charon: 12[IKE] scheduling reauthentication in 3306s
Sep 15 15:12:39 vpn charon: 12[IKE] maximum IKE_SA lifetime 3486s
Sep 15 15:12:39 vpn charon: 12[IKE] sending end entity cert "C=CH,
O=strongSwan, CN=c09-44.sysnet.ucsd.edu"
Sep 15 15:12:39 vpn charon: 12[ENC] generating ID_PROT response 0 [ ID
CERT SIG ]
Sep 15 15:12:39 vpn charon: 12[NET] sending packet: from
xxx.xxx.xxx.xxx[500] to <client ipv4>[500] (1516 bytes)
Sep 15 15:12:39 vpn charon: 03[NET] sending packet: from
xxx.xxx.xxx.xxx[500] to <client ipv4>[500]
Sep 15 15:12:39 vpn charon: 12[IKE] destroying duplicate IKE_SA for
peer 'C=CH, O=strongSwan, CN=moi', received INITIAL_CT
Sep 15 15:12:39 vpn charon: 12[IKE] IKE_SA roadwarrior[40] state
change: ESTABLISHED => DESTROYING
Sep 15 15:12:39 vpn charon: 02[NET] received packet: from <client
ipv4>[500] to xxx.xxx.xxx.xxx[500]
Sep 15 15:12:39 vpn charon: 02[NET] waiting for data on sockets
Sep 15 15:12:39 vpn charon: 15[NET] received packet: from <client
ipv4>[500] to xxx.xxx.xxx.xxx[500] (76 bytes)
Sep 15 15:12:39 vpn charon: 15[ENC] invalid HASH_V1 payload length,
decryption failed?
Sep 15 15:12:39 vpn charon: 15[ENC] could not decrypt payloads
Sep 15 15:12:39 vpn charon: 15[IKE] message parsing failed
Sep 15 15:12:39 vpn charon: 15[IKE] ignore malformed INFORMATIONAL request
Sep 15 15:12:39 vpn charon: 15[IKE] INFORMATIONAL_V1 request with
message ID 3345243434 processing failed
Using the same certificates I have now successfully deployed (yay) on
a Linux host, I'm trying to get them working on a Mac OS X host. I
did the following to package up moi's certificate and key and also
vpnHost's cert:
openssl pkcs12 -export -inkey private/moiKey.pem \
-in certs/moiCert.pem -name "moi's VPN Certificate" \
-certfile cacerts/strongswanCert.pem \
-caname "strongSwan Root CA" \
-out moi.p12
and:
openssl pkcs12 -export -in certs/vpnHostCert.pem \
    -inkey private/vpnHostKey.pem \
    -out vpnHost.p12
I dropped each of these p12 files onto Mac OS X's Keychain Access, and
each time it asked me for the passphrase I used on them, and they
appear to file correctly within the keychain -- all info as expected,
etc.
On the client's system.log file, I see:
IKEv1 Phase1 AUTH: failed
(then some transmit success messages)
IKE Packet: receive failed
IPSec connection failed <IKE error 22 Invalid cert authority>
which seems fair enough... would that be the root cert? Do I need to
also install the strongswanCert.pem in addition to vpnCert.pem and the
cert/key files of moi?
I'm going to go ahead and try that, but if there's something else I'm
missing, please feel free to speak out. A lot of the strongswan
documentation on mac os x doesn't seem specific about _which_ files
have to be sent to mac os x clients...