Noel Kuntze noel at familie-kuntze.de
Mon Feb 23 21:53:24 CET 2015

Hello Fred,

You need to set the ID, if your clients send one that isn't exactly the same as the configured one (even implicitly).
I think this is a problem with how the strongSwan application on Mac OS interacts with the dns settings of the
operating system. I think if you add your weight to that issue, it might get some priority.

On 21.02.2015 at 09:54, Fred wrote:
> Hi all,
> I'm having a couple of problems with the Mac OS X app.  Mac OS X v10.9.5 (Mavericks).
> First problem is that I was having a problem with the DN not matching the hostname even
> though I have a subjectAltName. I was getting constraint checking failed no alternative
> config found. I worked around this by setting leftid= but I shouldn't need to do this if
> I have specified the hostname in --san option to ipsec pki command right? I've confirmed
> with ipsec pki --print and I can see the correct name in altNames. In any case, the
> workaround is good for now, I just don't get why I need to do it in the first place.
> Second problem seems to be one to do with utun1 and default routes. If I use the native
> Cisco IPSEC configuration tool, my DNS servers and routes are all changed to use utun0.
> When using the StrongSwan app utun1 is created with the correct virtual IP and connects
> but DNS doesn't work. My local one is used because the Google DNS servers are ADDED to
> my current DNS server list and in Mac OS X the order DNS servers are used is based on
> which one is the most responsive. i.e. the one with the lowest latency. So my local one
> is being used outside of the tunnel and this isn't working. If I just set my DNS servers
> manually it seems to work, but netstat -nr still shows most routes going via enX rather
> than utunX.
> Is this just a bug with not settings routes and DNS on the correct interface? Possibly
> my second issue is this bug report : https://wiki.strongswan.org/issues/522
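An ipsec.conf fragment illustrating Noel's point about setting the ID, added here as an example that is not part of the thread; the hostname vpn.example.com, the DN, the certificate file names and the address pools are assumed:

```ini
# /etc/ipsec.conf on the strongSwan responder (assumed hostname vpn.example.com)
#
# Server certificate issued with the hostname as a subjectAltName, e.g.:
#   ipsec pki --issue --in serverKey.pem --type rsa \
#       --cacert caCert.pem --cakey caKey.pem \
#       --dn "C=CH, O=Example, CN=vpn.example.com" \
#       --san vpn.example.com --outform pem > serverCert.pem
# Check that altNames really contains the hostname:
#   ipsec pki --print --in serverCert.pem

conn ikev2-clients
    left=%any
    leftcert=serverCert.pem
    leftsubnet=0.0.0.0/0
    # Without leftid, the local identity defaults to the certificate's
    # subject DN ("C=CH, O=Example, CN=vpn.example.com"). A client that
    # expects the bare hostname as the responder identity then matches no
    # configuration ("constraint check failed", "no alternative config found").
    #
    # Setting leftid to the SAN value matches what such clients send; the
    # certificate still satisfies it because the hostname is in its altNames:
    leftid=vpn.example.com
    right=%any
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4
    auto=add
```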