[strongSwan] setting up for mac os x clients to connect to strongswan

Noel Kuntze noel at familie-kuntze.de
Thu Sep 18 19:16:10 CEST 2014



Hello Cindy,

You need to supply the whole certificate chain from root to the machines.

Kind regards/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 16.09.2014 at 00:26, Cindy Moore wrote:
> I'm not entirely sure what's going on here.  I think it's a question
> of what certs I give out, but I know relatively little about macs,
> other than that they want certificates packaged up in pkcs format.
>
> Now, it looks like the connection gets established, but then something
> upchucks.  From vpn.example.com's /var/log/syslog:
>
> Sep 15 15:12:39 vpn charon: 12[IKE] IKE_SA roadwarrior[41] state
> change: CONNECTING => ESTABLISHED
> Sep 15 15:12:39 vpn charon: 12[IKE] scheduling reauthentication in 3306s
> Sep 15 15:12:39 vpn charon: 12[IKE] maximum IKE_SA lifetime 3486s
> Sep 15 15:12:39 vpn charon: 12[IKE] sending end entity cert "C=CH,
> O=strongSwan, CN=c09-44.sysnet.ucsd.edu"
> Sep 15 15:12:39 vpn charon: 12[ENC] generating ID_PROT response 0 [ ID
> CERT SIG ]
> Sep 15 15:12:39 vpn charon: 12[NET] sending packet: from
> xxx.xxx.xxx.xxx[500] to <client ipv4>[500] (1516 bytes)
> Sep 15 15:12:39 vpn charon: 03[NET] sending packet: from
> xxx.xxx.xxx.xxx[500] to <client ipv4>[500]
> Sep 15 15:12:39 vpn charon: 12[IKE] destroying duplicate IKE_SA for
> peer 'C=CH, O=strongSwan, CN=moi', received INITIAL_CT
> Sep 15 15:12:39 vpn charon: 12[IKE] IKE_SA roadwarrior[40] state
> change: ESTABLISHED => DESTROYING
> Sep 15 15:12:39 vpn charon: 02[NET] received packet: from <client
> ipv4>[500] to xxx.xxx.xxx.xxx[500]
> Sep 15 15:12:39 vpn charon: 02[NET] waiting for data on sockets
> Sep 15 15:12:39 vpn charon: 15[NET] received packet: from <client
> ipv4>[500] to xxx.xxx.xxx.xxx[500] (76 bytes)
> Sep 15 15:12:39 vpn charon: 15[ENC] invalid HASH_V1 payload length,
> decryption failed?
> Sep 15 15:12:39 vpn charon: 15[ENC] could not decrypt payloads
> Sep 15 15:12:39 vpn charon: 15[IKE] message parsing failed
> Sep 15 15:12:39 vpn charon: 15[IKE] ignore malformed INFORMATIONAL request
> Sep 15 15:12:39 vpn charon: 15[IKE] INFORMATIONAL_V1 request with
> message ID 3345243434 processing failed
>
> Using the same certificates I have now successfully deployed (yay) on
> a linux host, I'm trying to get them working on a mac os x host.  I
> did the following to package up moi's certifications and also
> vpnHost's cert:
>
> openssl pkcs12 -export -inkey private/moiKey.pem \
>         -in certs/moiCert.pem -name "moi's VPN Certificate" \
>         -certfile cacerts/strongswanCert.pem \
>         -caname "strongSwan Root CA" \
>         -out moi.p12
>
> and:
> openssl pkcs12 -export -in certs/vpnHostCert.pem \
>         -inkey private/vpnHostKey.pem -out vpnHost.p12
>
> I dropped each of these p12 files onto Mac OS X's access keychain, and
> each time it asked me for the passphrase I used on them, and they
> appear to file correctly within the keychain -- all info as expected,
> etc.
>
> On the client's system.log file, I see:
>
> IKEv1 Phase1 AUTH: failed
> (then some transmit success messages)
> IKE Packet: receive failed
> IPSec connection failed <IKE error 22 Invalid cert authority>
>
> which seems fair enough... would that be the root cert?  I need to
> also install the strongswanCert.pem in addition to vpnCert.pem and the
> Cert/Key files of moi?
>
> I'm going to go ahead and try that, but if there's something else I'm
> missing, please feel free to speak out.  A lot of the strongswan
> documentation on mac os x doesn't seem specific about _which_ files
> have to be sent to mac os x clients...
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users

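What "the whole certificate chain" means in practice, as an added example that is not part of the original post or of strongSwan's own tooling: a POSIX shell script that builds a throwaway root CA, an intermediate CA and two end-entity certificates (all constructed, with subjects modelled on the post), packages the client key and certificate into a .p12 first with only the root CA (as the quoted openssl command does) and then with the full chain, and checks with openssl alone whether the CA certificates embedded in each .p12 are enough to validate the client certificate. It assumes only that openssl is on PATH; the passphrase, the file names and the issuing CA are made up for the example.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or the strongSwan project):
# package a client's key and certificate together with the COMPLETE CA
# chain into a PKCS#12 file, then check from the shell that the chain
# carried inside the .p12 is actually sufficient to validate the client
# certificate. Assumes: openssl in PATH. All names, subjects and the
# passphrase below are constructed for this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory, not cleaned up
PASS="changeit"                 # PKCS#12 export passphrase (constructed)

# Build a throwaway two-level PKI: root CA -> issuing CA -> end entities.
# The intermediate is what makes the chain requirement visible: a bundle
# that carries only the root cannot validate the leaf.
make_demo_pki() {
  cd "$WORK"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\n' > ee.ext
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
    -subj "/C=CH/O=strongSwan/CN=strongSwan Root CA" \
    -keyout rootKey.pem -out rootCert.pem 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=CH/O=strongSwan/CN=strongSwan Issuing CA" \
    -keyout issuingKey.pem -out issuing.csr 2>/dev/null
  openssl x509 -req -in issuing.csr -CA rootCert.pem -CAkey rootKey.pem \
    -CAcreateserial -days 30 -sha256 -extfile ca.ext -out issuingCert.pem 2>/dev/null
  for name in vpnHost moi; do
    openssl req -newkey rsa:2048 -nodes -sha256 \
      -subj "/C=CH/O=strongSwan/CN=${name}" \
      -keyout "${name}Key.pem" -out "${name}.csr" 2>/dev/null
    openssl x509 -req -in "${name}.csr" -CA issuingCert.pem -CAkey issuingKey.pem \
      -CAcreateserial -days 30 -sha256 -extfile ee.ext -out "${name}Cert.pem" 2>/dev/null
  done
}

# Package key + cert + extra CA certs into a .p12.
# $1 = entity name, $2 = PEM file with the CA certs to embed.
build_p12() {
  name="$1"; chain="$2"
  openssl pkcs12 -export \
    -inkey "$WORK/${name}Key.pem" -in "$WORK/${name}Cert.pem" \
    -name "${name}'s VPN Certificate" -certfile "$chain" \
    -passout "pass:$PASS" -out "$WORK/${name}.p12" 2>/dev/null
}

# Check a .p12 the way a client keychain will use it: extract the CA certs
# it carries and verify the bundled end-entity cert against ONLY those.
# Prints "ok" when the embedded chain is complete, "incomplete" otherwise.
p12_chain_status() {
  p12="$1"
  openssl pkcs12 -in "$p12" -passin "pass:$PASS" -cacerts -nokeys \
    -out "$WORK/embedded-cas.pem" 2>/dev/null
  openssl pkcs12 -in "$p12" -passin "pass:$PASS" -clcerts -nokeys \
    -out "$WORK/embedded-ee.pem" 2>/dev/null
  if openssl verify -CAfile "$WORK/embedded-cas.pem" \
       "$WORK/embedded-ee.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo incomplete
  fi
}

# Number of CA certificates (root + intermediates) embedded in a .p12.
p12_ca_count() {
  openssl pkcs12 -in "$1" -passin "pass:$PASS" -cacerts -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

main() {
  make_demo_pki
  # Wrong: only the root CA, as in the quoted command; the issuing CA is missing.
  build_p12 moi "$WORK/rootCert.pem"
  echo "root only:  $(p12_chain_status "$WORK/moi.p12") ($(p12_ca_count "$WORK/moi.p12") CA cert)"
  # Right: every CA from the one that signed the leaf up to the root.
  cat "$WORK/issuingCert.pem" "$WORK/rootCert.pem" > "$WORK/chain.pem"
  build_p12 moi "$WORK/chain.pem"
  echo "full chain: $(p12_chain_status "$WORK/moi.p12") ($(p12_ca_count "$WORK/moi.p12") CA certs)"
}

main
```

When the check prints "incomplete", the client has no path from the presented certificate to a trusted root, which is the same kind of failure the quoted client log reports as "Invalid cert authority". Only the client's own key, its certificate and the CA chain belong in the .p12 that is handed to the client; the gateway's private key (vpnHostKey.pem in the quoted second command) should never leave the gateway, and the gateway's certificate itself is delivered in IKE, as the "sending end entity cert" line in the quoted server log shows.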
