[strongSwan] macOS Sierra as Client with IKEv2 and certificates?

Kai Bojens kb at kbojens.de
Tue Jan 17 09:48:26 CET 2017


Johannes Kastl <mail at ojkastl.de> wrote:


> > Everything worked fine until I
> > upgraded to Sierra and now I can't get this back to work. Right now
> > I'm assuming that MacOS Sierra indeed has some serious problems
> > with IKEv2.
>


> I can get IKEv2 with EAP (username and password) working through the
> GUI just fine. Does that not work for you? Or did you just try
> certificates?
>

I haven't tried the password based authentication with Sierra as I prefer
certificates. But I might think about it if everything else fails.


> As OSX apparently did not understand certificates before Sierra, what
> kind of connection did you have before Sierra?
>

eap-tls – and it worked fine until I upgraded to Sierra. The first problem
was that the upgrade to Sierra discarded our CA certificate without telling
us. That was big fun. But even after trusting the CA again the connection
didn't work. The connection would be established but no traffic appeared
anywhere.

There are other funny problems of course. Another Sierra based Mac can
connect and routes everything fine but loses its connection every 8 minutes
as described here:

https://forum.pfsense.org/index.php?topic=118731.0

Exactly every 8 minutes. And we have no clue why this is happening.
According to the logs on the server and the client they just disconnect
without any errors. Changing the dpd values had no effect.