[strongSwan] questions on mac os x
ctmoore at cs.ucsd.edu
Fri Sep 19 16:58:44 CEST 2014
Thank you so much, that helps clear up many points.
>> Is there any recommended conn configuration for Apples with ikev2 ?
>The native iOS / OS X clients did not support IKEv2. With iOS 8 I've
>heard this has changed, but I didn't have a chance to look at it. Not
>sure about Yosemite
OK, I realize I got very confused by this part at the top of
"Please note that releases before 5.0.0 don't support IKEv1 because
the old pluto IKEv1 daemon was not ported to Mac OS X."
I wound up thinking it did IKEv2 all along somehow. Anyway, moving along:
>> Something generally like (I know it needs tweaking, the mac won't yet
>> accept it):
>No, that's not supported by that the strongSwan.app.
Because of the EAP part, got it. I can't get Mac OS X to accept that
example with its native VPN either, though. Are there more examples
of conn setups for Mac clients? I've searched and searched to no
avail besides the conn I quoted, which I still haven't managed to
tweak enough for a Mac to accept at all. The test suite examples
aren't organized in terms of what type of machine or devices Carol and
>A rightcert configures a file on disk, usually in /etc/ipsec.d/certs.
>Such an option is never related to the Keychain.
Huh. Does that mean if I manually put .pem files in
/etc/ipsec.d/private and .../certs in the Mac OS X client, the client
would be able to serve the .pem files themselves to the vpn
certificate request? Or am I only able to use the keychain on a mac
>There is a keychain plugin for strongSwan. If enabled, the certificates
>are looked up using IKE identities (leftid/rightid), or using the
>certificate issuer for CA validation. The strongswan.app uses that to
>find trusted certificates. You may use that plugin in your own generic
>strongSwan build, but certificates are referenced by the contained
So, for clients using Mac OS X's native app, how exactly does the
server conn reference the certificate in the keychain -- is the
keychain plugin absolutely required? Does it require compiling from
source (like the xauth-pam plugin) to enable it? If the client uses
the Mac OS X strongSwan app, then the server conn can reference the
certificate the usual way? Are there example conns for these
situations that I can look at?
What exactly is the "contained identity"? Is that the entire "C=xx,
O=xx, CN=X", or "CN=X", or "X" or something else?
Thanks again, this is very helpful.
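For readers following the file-on-disk point in the quoted reply (rightcert refers to a file under /etc/ipsec.d/certs, not to the Keychain), here is a minimal server-side ipsec.conf conn as an added example; it is not from this thread or the strongSwan project, and the hostnames, file names, subnet and the client DN are assumed placeholders. Relative certificate paths resolve under /etc/ipsec.d/certs, and the matching private key is named in ipsec.secrets, not in the conn.

```ini
# /etc/ipsec.conf (added example, placeholder names)
conn mac-ikev2
    keyexchange=ikev2
    # "left" is this gateway; leftcert is loaded from /etc/ipsec.d/certs/
    left=%any
    leftid=vpn.example.org
    leftcert=serverCert.pem
    leftsubnet=0.0.0.0/0
    # "right" is the roaming Mac; rightid must match an identity
    # contained in the client certificate (its subject DN or a
    # subjectAltName), which is what the IKE identity is checked against
    right=%any
    rightid="C=XX, O=Example, CN=mac-client"
    # rightcert is only needed when the peer does not send its
    # certificate in IKE; it is still a file under /etc/ipsec.d/certs
    rightcert=macClientCert.pem
    rightsourceip=10.10.0.0/24
    auto=add

# /etc/ipsec.secrets
# : RSA serverKey.pem      # resolved under /etc/ipsec.d/private/
```

After `ipsec reload`, `ipsec listcerts` shows which certificates were actually loaded from disk, and `ipsec listcacerts` which CA certificates will be used to validate the client chain.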