[strongSwan] StrongSwan Mac OS X client

Fred curious_freddy at gmsl.co.uk
Sat Feb 21 09:54:03 CET 2015

Hi all,

I'm having a couple of problems with the Mac OS X app.  Mac OS X 
v10.9.5 (Mavericks).

First problem is that I was having a problem with the DN not matching 
the hostname even
though I have a subjectAltName. I was getting constraint checking 
failed no alternative
config found. I worked around this by setting leftid= but I shouldn't 
need to do this if
I have specified the hostname in --san option to ipsec pki command 
right? I've confirmed
with ipsec pki --print and I can see the correct name in altNames. In 
any case, the
workaround is good for now, I just don't get why I need to do it in the 
first place.

Second problem seems to be one to do with utun1 and default routes. If 
I use the native
Cisco IPSEC configuration tool, my DNS servers and routes are all 
changed to use utun0.
When using the StrongSwan app utun1 is created with the correct virtual 
IP and connects
but DNS doesn't work. My local one is used because the Google DNS 
servers are ADDED to
my current DNS server list and in Mac OS X the order DNS servers are 
used is based on
which one is the most responsive. i.e. the one with the lowest latency. 
So my local one
is being used outside of the tunnel and this isn't working. If I just 
set my DNS servers
manually it seems to work, but netstat -nr still shows most routes 
going via enX rather
than utunX.

Is this just a bug with not settings routes and DNS on the correct 
interface? Possibly
my second issue is this bug report : 

Fred says we shall go to the ball!

More information about the Users mailing list