[strongSwan] StrongSwan Mac OS X client

Noel Kuntze noel at familie-kuntze.de
Mon Feb 23 21:53:24 CET 2015


Hello Fred,

You need to set the ID if your clients send one that isn't exactly the same as the configured one (even implicitly).
I think this is a problem with how the strongSwan application on Mac OS interacts with the DNS settings of the
operating system. I think if you add your weight to that issue, it might get some priority.

Mit freundlichen Grüßen/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

Am 21.02.2015 um 09:54 schrieb Fred:
> Hi all,
>
> I'm having a couple of problems with the Mac OS X app.  Mac OS X v10.9.5 (Mavericks).
>
> First problem is that I was having a problem with the DN not matching the hostname even
> though I have a subjectAltName. I was getting constraint checking failed no alternative
> config found. I worked around this by setting leftid= but I shouldn't need to do this if
> I have specified the hostname in --san option to ipsec pki command right? I've confirmed
> with ipsec pki --print and I can see the correct name in altNames. In any case, the
> workaround is good for now, I just don't get why I need to do it in the first place.
>
> Second problem seems to be one to do with utun1 and default routes. If I use the native
> Cisco IPSEC configuration tool, my DNS servers and routes are all changed to use utun0.
> When using the StrongSwan app utun1 is created with the correct virtual IP and connects
> but DNS doesn't work. My local one is used because the Google DNS servers are ADDED to
> my current DNS server list and in Mac OS X the order DNS servers are used is based on
> which one is the most responsive. i.e. the one with the lowest latency. So my local one
> is being used outside of the tunnel and this isn't working. If I just set my DNS servers
> manually it seems to work, but netstat -nr still shows most routes going via enX rather
> than utunX.
>
> Is this just a bug with not setting routes and DNS on the correct interface? Possibly
> my second issue is this bug report: https://wiki.strongswan.org/issues/522
>
