[Openswan Users] Re: MacOSX 10.4.2: same problems with NAT-T

Jacco de Leeuw jacco2 at dds.nl
Wed Jul 13 23:41:40 CEST 2005


Alan Whinery wrote:

> I've been playing with this off and on over the last month. One slight, 
> discouraging revelation was that if you enable the root account and log 
> into the GUI as root (if I remember correctly), then you can import the 
> X.509 certificate with the Apple keyring app, then the CA cert (I am 
> using a local CA), which gets you past the initial "no machine 
> certificate" stuff.

I read a message on one of the Mac forums that confirms this. Looks like
we are making progress!

> The milestone (stumbling block?) I'm currently sitting on on the Mac 
> 10.4.2 side is:
> Jun 14 09:21:56 bender pluto[1744]: "roadwarrior-l2tp"[380] 128.171.6.56 
> #1287: ignoring informational payload, type INVALID_CERTIFICATE
> 
> Wherein the mac appears to be complaining about the server's 
> certificate. None of the many Windows clients complain about that 
> certificate -- Macs are too whiny.

Wait, perhaps I can chip in here:
http://lists.openswan.org/pipermail/users/2005-July/005651.html

Did your certificates contain these special EKUs (properties)?
Apple may actually be right on this one.

> I'm doing a talk on this next week in Vancouver, I'm kind of giving up 
> on getting rid of the word "probably" from the Mac slide...

Perhaps it's worth one final try?

Jacco
-- 
Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl

