<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Hello Mathieu,<div><br></div><div>For Mac OS X clients I am pretty sure you have to put something in the SubjectAltName of the client certificate. Apparently it can be anything but your EMail is the easiest.</div><div><br></div><div>I managed to get a connection working to a OSX 10.5 client using certificates made by openssl, and it refused to work until I applied these SubjectAltName rules. I still have problems with my setup (see yesterdays post) but certificate authentication works fine.</div><div><br></div><div>Best of luck</div><div><br></div><div>Anthony</div><div><br></div><div><div><div>On 19 Mar 2010, at 12:44, Mathieu Peresse wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">I'm sorry I just realized my previous wasn't clear at all. Let me reformulate.<div><br><div>I put the FQDN of the server as SubjectAltName in the server certificate. No SubjectAltName in the client certificate but the server's log says the client cert is validated anyway.</div> <div>The problem seems to lie on the client side during server's certificate authentication (when Main Mode message 6 is received by the Initiator/Client).</div><div><br></div><div><br><div class="gmail_quote">On Fri, Mar 19, 2010 at 12:31 PM, Mathieu Peresse <span dir="ltr"><<a href="mailto:thieummm@gmail.com">thieummm@gmail.com</a>></span> wrote:<br> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">Yep I did put the FQDN of the server as SubectAltName. The client certificate is validated on the server side, the server certificate seems to be the problem (the 6th main mode message contains the responder certificate according to IKE spec).<div> <br></div><div> Do you get a working L2TP/IPsec session with Mac OS X ?</div><div><br></div><div>Thanks,</div><div><br></div><div>mathieu.</div><div><div><div></div><div class="h5"><br><div class="gmail_quote">On Fri, Mar 19, 2010 at 11:52 AM, Anthony Lester <span dir="ltr"><<a href="mailto:alester@free.fr" target="_blank">alester@free.fr</a>></span> wrote:<br> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello Mathieu,<br> <br> If you are are using Mac OS X as a client and you generated your certificates using OpenSSL, did you make sure that you have something for the "Subject Alternative Name" (e.g. your EMail) in the client certificate and that the "Subject Alternative Name" in the certificate for the gateway corresponds to the Server Address.<br> <br> Just an idea<br> <br> Anthony<div><div></div><div><br> <br> On 19 Mar 2010, at 11:02, Mathieu Peresse wrote:<br> <br> </div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div></div><div> Hi all,<br> <br> I've been playing with OpenSwan and xl2tpd recently, and I have a question regarding Mac OS X interoperability:<br> <br> First, did anyone managed to get the racoon logs more verbose ?<br> <br> IKE negociation fails in Main Mode (message 6 says racoon, i guess it's the last one), racoon log only says "Auth Failed"..<br> My guess is that my root certificate installed on Mac OS X (10.6) cannot be found for some reason ?... It is installed and marked as trusted though...<br> <br> Any clue ?<br> <br> -- <br> a+<br> mathieu<br></div></div> _______________________________________________<br> <a href="mailto:Users@openswan.org" target="_blank">Users@openswan.org</a><br> <a href="http://lists.openswan.org/mailman/listinfo/users" target="_blank">http://lists.openswan.org/mailman/listinfo/users</a><br> Building and Integrating Virtual Private Networks with Openswan:<br> <a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><br> </blockquote> <br> </blockquote></div><br><br clear="all"><br></div></div>-- <br>a+<br>mathieu<br> </div> </blockquote></div><br><br clear="all"><br>-- <br>a+<br>mathieu<br> </div></div></blockquote></div><br></div></body></html>