[Openswan Users] MacOS
Alexandre Ghisoli
alexandre.ghisoli at ycom.ch
Sat Aug 4 10:28:34 EDT 2007
Hello there,
I've an OpenSWAN server, working with RoadWarrior clients running on
Windows and MacOS using X.509 certificates.
It's running OpenSWAN 2.4.9 on a Linux 2.6.19, without any patches.
We have had many clients for some years now, but we are getting troubles
with _new_ MacOS clients.
Let me explain: for clients who have had the VPN set up for a while, it's working
nicely with the Apple-provided VPN client.
Now, for new machines, we are getting troubles making it work, getting
certificate errors.
So it's probably related to an Apple patch around OpenSSL since around
MacOS 1.4.6.
When the Mac tries to mount the IPsec tunnel, I get these messages on the VPN
server:
pluto[15126]: "win-rw"[8] 62.167.44.237 #41: responding to Main Mode
from unknown peer 62.167.44.237
pluto[15126]: "win-rw"[8] 62.167.44.237 #41: transition from state
STATE_MAIN_R0 to state STATE_MAIN_R1
pluto[15126]: "win-rw"[8] 62.167.44.237 #41: STATE_MAIN_R1: sent MR1,
expecting MI2
pluto[15126]: "win-rw"[8] 62.167.44.237 #41: ignoring Vendor ID payload
[KAME/racoon]
pluto[15126]: "win-rw"[8] 62.167.44.237 #41: NAT-Traversal: Result using
RFC 3947 (NAT-Traversal): peer is NATed
pluto[15126]: "win-rw"[8] 62.167.44.237 #41: transition from state
STATE_MAIN_R1 to state STATE_MAIN_R2
pluto[15126]: "win-rw"[8] 62.167.44.237 #41: STATE_MAIN_R2: sent MR2,
expecting MI3
pluto[15126]: "win-rw"[8] 62.167.44.237 #41: Main mode peer ID is
ID_DER_ASN1_DN: 'C=CH, ST=Vaud, O=YCOM SA, OU=NOC, CN=xxxycom.ch,
E=support at ycom.ch'
pluto[15126]: "win-rw"[8] 62.167.44.237 #41: crl update for "C=CH,
ST=Vaud, L=Yverdon-les-Bains, O=YCOM SA, OU=NOC, CN=ca.ycom.ch,
E=support at ycom.ch" is overdue since Mar 25 17:46:56 UTC 2007
pluto[15126]: "win-rw"[8] 62.167.44.237 #41: I am sending my cert
pluto[15126]: "win-rw"[8] 62.167.44.237 #41: transition from state
STATE_MAIN_R2 to state STATE_MAIN_R3
pluto[15126]: "win-rw"[8] 62.167.44.237 #41: STATE_MAIN_R3: sent MR3,
ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192
prf=oakley_sha group=modp1024}
pluto[15126]: "win-rw"[8] 62.167.44.237 #41: ignoring informational
payload, type INVALID_CERT_AUTHORITY
As I understand it, the Mac says that my CA is not valid, but I have the
cert in the keychain (X509Anchors) and defined to be valid for all usages.
You can see my raw notes here:
http://www.ghisoli.ch/run/node/40
Any help is welcome.
--Alexandre
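The log above shows Phase 1 completing (pluto accepted the client's certificate and sent its own) and then the client answering with an INVALID_CERT_AUTHORITY notification, i.e. the client rejected the chain the server sent; a small triage script for that pattern, added here as an example and not part of the original post, which groups pluto records by peer and ISAKMP SA number and also surfaces the overdue CRL warning (the sample records are constructed from the lines in the mail, with a second healthy SA from the documentation address 192.0.2.10 added for contrast):

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the pluto lines quoted in the post
# (one log record per line; the mail wrapped them).
SAMPLE_LOG = """\
pluto[15126]: "win-rw"[8] 62.167.44.237 #41: responding to Main Mode from unknown peer 62.167.44.237
pluto[15126]: "win-rw"[8] 62.167.44.237 #41: Main mode peer ID is ID_DER_ASN1_DN: 'C=CH, ST=Vaud, O=YCOM SA, OU=NOC, CN=xxxycom.ch, E=support at ycom.ch'
pluto[15126]: "win-rw"[8] 62.167.44.237 #41: crl update for "C=CH, ST=Vaud, L=Yverdon-les-Bains, O=YCOM SA, OU=NOC, CN=ca.ycom.ch, E=support at ycom.ch" is overdue since Mar 25 17:46:56 UTC 2007
pluto[15126]: "win-rw"[8] 62.167.44.237 #41: I am sending my cert
pluto[15126]: "win-rw"[8] 62.167.44.237 #41: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
pluto[15126]: "win-rw"[8] 62.167.44.237 #41: ignoring informational payload, type INVALID_CERT_AUTHORITY
pluto[15126]: "win-rw"[9] 192.0.2.10 #42: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
pluto[15126]: "win-rw"[9] 192.0.2.10 #42: STATE_QUICK_R2: IPsec SA established
"""

# pluto record prefix: connection name, instance, peer address, ISAKMP SA number, message
LINE_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)$'
)

def triage_pluto_log(text):
    """Group pluto records by (peer, SA number) and flag SAs where the peer
    rejected our certificate chain right after the ISAKMP SA came up.
    Returns {(peer, sa): [finding, ...]} containing only flagged SAs."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events[(m["peer"], int(m["sa"]))].append(m["msg"])
    findings = {}
    for key, msgs in events.items():
        notes = []
        established = any("ISAKMP SA established" in x for x in msgs)
        rejected = any("INVALID_CERT_AUTHORITY" in x for x in msgs)
        if established and rejected:
            # Phase 1 completed on our side, then the peer sent the notify:
            # the peer does not trust the chain we sent, not the other way round.
            notes.append("peer rejected our certificate chain after Phase 1 (INVALID_CERT_AUTHORITY)")
        for x in msgs:
            if "crl update for" in x and "is overdue" in x:
                # pluto keeps going, but the CRL for that issuer is stale.
                notes.append("CRL overdue: " + x.split("is overdue since", 1)[1].strip())
        if notes:
            findings[key] = notes
    return findings

if __name__ == "__main__":
    for (peer, sa), notes in triage_pluto_log(SAMPLE_LOG).items():
        print(f"{peer} #{sa}: " + "; ".join(notes))
```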