[strongSwan] questions on mac os x

Fri Sep 19 10:24:42 CEST 2014

Cindy,

> "We recently released a native application for Mac OS X 10.7 and
> newer. It allows easy road-warrior access in a similar fashion as the
> NetworkManager integration does on Linux."
> 
> So this is a strongswan vpn client?

Yes.

> Are there instructions anywhere for installing this? If it seems
> obvious, please forgive me, I'm a linux person through and through.
> Plus it looks like there's two different things here, do I need both
> or one or the other and some are zip files

You'll need the .app.zip, the tar.bz2 files are the corresponding
sources.

Installation is rather trivial, so I don't think a lot of instructions
are required; depending on your browser, the .zip gets extracted
automatically. Otherwise just double-click it to get the .app. Then
launch it. After configuring and initiating connections using the system
bar icon, you'll be prompted to install the privileged helper. This is
the embedded IKE daemon that needs additional privileges to install
IPsec SAs and policies.

> I'm not clear if I can do RSA cert only connections? Mac OSX's native
> vpn client allowed me to specify just certificates on both ends.

The strongSwan.app can authenticate the server using RSA certificates,
but it currently authenticates the client with these EAP methods only.
So this requires a client username/password for authentication.

> Something generally like (I know it needs tweaking, the mac won't yet
> accept it):

>   leftauth=pubkey
>   rightauth=pubkey

No, that's not supported by that the strongSwan.app.

> More generally, is this page talking only about Mac OS X as a
> strongswan vpn *server* or as both a client and as a server? 

The "Native application" section talks about the self-contained
strongswan.app with a GUI that can be used as a simple IKEv2 client
using EAP client authentication.

The rest of the page has instructions to install a generic strongSwan
build using different mechanisms. Such a build can be configured for any
purpose, including client and server mode. But there is no GUI.

> Is there any recommended conn configuration for Apples with ikev2 ?

The native iOS / OS X clients did not support IKEv2. With iOS 8 I've
heard this has changed, but I didn't have a chance to look at it. Not
sure about Yosemite.

> on that conn ios (quoted below), there's the following entry  
>   rightcert=clientCert.pem
> 
> But how does it know which certificate in the Mac OS X keychain is the
> one matching that file name?  

A rightcert configures a file on disk, usually in /etc/ipsec.d/certs.
Such an option is never related to the Keychain.

There is a keychain plugin for strongSwan. If enabled, the certificates
are looked up using IKE identities (leftid/rightid), or using the
certificate issuer for CA validation. The strongswan.app uses that to
find trusted certificates. You may use that plugin in your own generic
strongSwan build, but certificates are referenced by the contained
identities only.

Regards
Martin