[strongSwan] questions on mac os x

Cindy Moore ctmoore at cs.ucsd.edu
Fri Sep 19 16:58:44 CEST 2014

Thank you so much, that helps clear up many points.

>> Is there any recommended conn configuration for Apples with ikev2 ?

>The native iOS / OS X clients did not support IKEv2. With iOS 8 I've
>heard this has changed, but I didn't have a chance to look at it. Not
>sure about Yosemite

OK, I realize I got very confused by this part at the top of
https://wiki.strongswan.org/projects/strongswan/wiki/MacOSX  :

"Please note that releases before 5.0.0 don't support IKEv1 because
the old pluto IKEv1 daemon was not ported to Mac OS X."

I wound up thinking it did ikev2 all along somehow.  Anyway, moving along:

>> Something generally like (I know it needs tweaking, the mac won't yet
>> accept it):

>>   leftauth=pubkey
>>   rightauth=pubkey

>No, that's not supported by that the strongSwan.app.

Because of the EAP part, got it.  I can't get Mac OS X to accept that
example with its native vpn either, though.  Are there more examples
of conn setups for mac clients?  I've searched and searched to no
avail besides the conn I quoted, which I still haven't managed to
tweak enough for a mac to accept at all.  The test suite examples
aren't organized in terms of what type of machine or devices Carol and
Bob are.

>A rightcert configures a file on disk, usually in /etc/ipsec.d/certs.
>Such an option is never related to the Keychain.

Huh.  Does that mean if I manually put .pem files in
/etc/ipsec.d/private and .../certs in the Mac OS X client, the client
would be able to serve the .pem files themselves to the vpn
certificate request? Or am I only able to use the keychain on a mac

>There is a keychain plugin for strongSwan. If enabled, the certificates
>are looked up using IKE identities (leftid/rightid), or using the
>certificate issuer for CA validation. The strongswan.app uses that to
>find trusted certificates. You may use that plugin in your own generic
>strongSwan build, but certificates are referenced by the contained
>identities only.

So, for clients using Mac OS X's native app, how exactly does the
server conn reference the certificate in the keychain -- is the
keychain plugin absolutely required?  Does it require compiling from
source (like the xauth-pam plugin) to enable it?  If the client uses
the mac os x strongswan app, then the server conn can reference the
certificate the usual way?  Are there example conns for these
situations that I can look at?

What exactly is the "contained identity"?  Is that the entire "C=xx,
O=xx, CN=X", or "CN=X", or "X"  or something else?

Thanks again, this is very helpful.


More information about the Users mailing list