[strongSwan] questions on mac os x
Cindy Moore
ctmoore at cs.ucsd.edu
Fri Sep 19 07:20:29 CEST 2014
A last question here: on that conn ios (quoted below), there's the
following entry
rightcert=clientCert.pem
But how does it know which certificate in the Mac OS X keychain is the
one matching that file name? I packaged up clientCert.pem and
clientKey.pem into a client.p12 file, which did install correctly
(plus the server cert and the root cert) or at least it shows all the
various info in it. But nowhere in the keychain does it show
the old filenames generated back on the [ubuntu] vpn server for this
client. How does it know to match this up with the entry in the
keychain? Wouldn't something like rightid="C=CN, O=StrongSwan,
CN=client-id" be more likely to match info in the keychain?
Thanks
On Thu, Sep 18, 2014 at 8:41 PM, Cindy Moore <ctmoore at cs.ucsd.edu> wrote:
> Oh, also regarding this page:
> https://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)
>
> I presume the conn ios example shown here works for Mac OS X as well?
> Is there any recommended conn configuration for Apples
> with ikev2?
>
> eg:
>
> conn ios
>     keyexchange=ikev1
>     authby=xauthrsasig
>     xauth=server
>     left=%defaultroute
>     leftsubnet=0.0.0.0/0
>     leftfirewall=yes
>     leftcert=serverCert.pem
>     right=%any
>     rightsubnet=10.0.0.0/24
>     rightsourceip=10.0.0.2
>     rightcert=clientCert.pem
>     pfs=no
>     auto=add
>
> On Thu, Sep 18, 2014 at 8:32 PM, Cindy Moore <ctmoore at cs.ucsd.edu> wrote:
>> Hi, I've been going over
>> https://wiki.strongswan.org/projects/strongswan/wiki/MacOSX
>> which looks pretty recently updated with refs to iOS 8 and all. I
>> have several questions about what it says?
>>
>> "We recently released a native application for Mac OS X 10.7 and
>> newer. It allows easy road-warrior access in a similar fashion as the
>> NetworkManager integration does on Linux."
>>
>> So this is a strongswan vpn client?
>>
>> "The most recent release can be found on http://download.strongswan.org/osx."
>>
>> Are there instructions anywhere for installing this? If it seems
>> obvious, please forgive me, I'm a linux person through and through.
>> Plus it looks like there's two different things here, do I need both
>> or one or the other and some are zip files, some are bz2 and there's
>> no helpful thing like "to install, just do sudo apt-get install <some
>> package>" equivalent here.
>>
>> "Currently supported are IKEv2 connections using EAP-MSCHAPv2 or
>> EAP-MD5 client authentication"
>>
>> I'm not clear if I can do RSA cert only connections? Mac OSX's native
>> vpn client allowed me to specify just certificates on both ends.
>> Something generally like (I know it needs tweaking, the mac won't yet
>> accept it):
>>
>> conn roadwarrior
>>     keyexchange=ikev2
>>     leftauth=pubkey
>>     right=%any
>>     rightid=%any
>>     rightauth=pubkey
>>     auto=add
>>
>> (there are more defs in the default conn)
>>
>> More generally, is this page talking only about Mac OS X as a
>> strongswan vpn *server*
>> or as both a client and as a server? Particularly the latter half of
>> the page discusses compiling and installing strongswan, but the
>> remarks at the top half (which I quoted above) where it talks about
>> the netmanager linux plugin, sound like it's talking about Mac OS X as
>> a client to a vpn server.
>>
>> Thanks for any clearing up on these points.