[Openswan Users] Leopard IPsec initial test - failed

Alan Whinery whinery at hawaii.edu
Tue Oct 30 19:09:12 EDT 2007

Here's what worked for my guy -- note the use of MacMail "First Aid" --
this made the cert work again for S/MIME too...

1. download the .p12 file to Downloads
2. open a terminal window and type in:
   sudo /Applications/Utilities/Keychain\ Access.app/Contents/MacOS/Keychain\ Access

3. Click on the System icon, then unlock the system keychain
4. Go to File, Import Items... and find the .p12 in the Downloads folder
(note that you'll need to go to your user folder and look there)
5. Make your destination keychain "System".
6. click on Open
7. Enter the password you chose when requesting the certificate
8. Click on Always Trust when prompted

9. Go to the Keychain Access menu, then select Keychain First Aid
10. Enter your username and password, click on Repair and then Start.
11. Click on it again to make sure there were no problems.
12. Quit Keychain Access

Pepijn Oomen wrote:
> Paul Wouters wrote:
>> The good news is that certificate imports are much much better, and actually work.
>> No more messing with Keychain. The bad news is, the IPsec is broken:
> Not sure what you did different from me, but I just succeeded 
> establishing an IPsec connection from a fresh Leopard install :)
> I did have some problems getting the certificate to be selectable, but 
> it seems there are two ways to get it working:
> 1. drag & drop .p12 file onto System keychain, you will be asked for 
> Administrator access
> 2. use sudo on Keychain Access.app
> After the CA, private key and certificate are available in the system 
> keychain, you *must* create a new configuration (and not just modify the 
> default) to actually get it to select the certificate. I started out 
> modifying the default, and while I could select the certificate, it 
> never stuck.
> After this, I just pressed 'Connect' and off it went.
> But the connection is still not properly taken down. And it does not 
> look like DPD is enabled out-of-the-box:
> Oct 30 23:51:11 pandora pluto[16527]: "l2tp"[21] #84: 
> NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
> [...]
> Oct 30 23:51:13 pandora pluto[16527]: "l2tp"[22] #85: 
> STATE_QUICK_R2: IPsec SA established {ESP=>0x04d6b7bc <0x13df2b08 
> xfrm=AES_128-HMAC_SHA1 NATD= DPD=none}
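
The steps above can be scripted. The following is an added example, not
part of the original post and not Openswan's or Apple's own code: it uses
Apple's "security" command-line tool to do what the Keychain Access steps
do (import into the System keychain as root, trust the CA, confirm the
identity is usable), after first checking with openssl that the password
from step 7 actually opens the bundle and that the bundle carries the CA
as well as the client certificate. Assumptions: the file is called
~/Downloads/vpn-client.p12 (a made-up name), "security" and "sudo" are
available (macOS), and "ipsec" is accepted by "security find-identity -p"
on the system in use.

```shell
#!/bin/sh
# Added example: CLI equivalent of the Keychain Access import steps.
# Assumed paths and names are illustrative, not from the original post.
set -e

SYSTEM_KEYCHAIN=/Library/Keychains/System.keychain

# Step 7 check: does this password actually open the bundle?  The password
# reaches openssl through the environment (env:), not the command line, so
# it does not show up in "ps".  Returns 0 on success, non-zero otherwise.
p12_password_ok() {
    P12_PASS="$2" openssl pkcs12 -in "$1" -passin env:P12_PASS -noout \
        >/dev/null 2>&1
}

# Number of certificates in the bundle (client cert plus CA chain).  A
# bundle with only the end-entity cert imports fine, but then no CA lands
# in the System keychain and the "Always Trust" step has nothing to act on.
# Prints 0 when the password is wrong.
p12_cert_count() {
    P12_PASS="$2" openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys \
        2>/dev/null | grep -c 'BEGIN CERTIFICATE' || true
}

# Write only the CA certificate(s) from the bundle, as clean PEM, to $3 so
# they can be marked trusted explicitly instead of via the GUI prompt.
p12_extract_cacerts() {
    P12_PASS="$2" openssl pkcs12 -in "$1" -passin env:P12_PASS \
        -cacerts -nokeys 2>/dev/null \
        | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' > "$3"
}

# Steps 2-8 without the GUI.  Writing to the System keychain needs root,
# which is exactly why the original post runs Keychain Access under sudo.
import_into_system_keychain() {
    p12="$1"; pass="$2"
    cafile=$(mktemp)
    p12_extract_cacerts "$p12" "$pass" "$cafile"

    # Private key, client cert and CA go into the System keychain.
    # Note: -P puts the password into this process's argument list; omit
    # it to be prompted interactively if that matters on a shared host.
    sudo security import "$p12" -k "$SYSTEM_KEYCHAIN" -f pkcs12 -P "$pass"

    # Equivalent of clicking "Always Trust" on the CA (admin trust store).
    if [ -s "$cafile" ]; then
        sudo security add-trusted-cert -d -r trustRoot \
            -k "$SYSTEM_KEYCHAIN" "$cafile"
    fi
    rm -f "$cafile"

    # Confirm the key+cert pair is now a usable identity for IPsec.
    security find-identity -v -p ipsec "$SYSTEM_KEYCHAIN"
}

main() {
    p12="${1:-$HOME/Downloads/vpn-client.p12}"   # hypothetical file name
    printf 'Export password for %s: ' "$p12"
    stty -echo; read -r pass; stty echo; echo
    if ! p12_password_ok "$p12" "$pass"; then
        echo "wrong password or unreadable bundle, nothing imported" >&2
        return 1
    fi
    echo "bundle holds $(p12_cert_count "$p12" "$pass") certificate(s)"
    import_into_system_keychain "$p12" "$pass"
}

# Only touch the keychain when a bundle path is given explicitly and we are
# on macOS; the openssl checks above work anywhere openssl is installed.
if [ $# -gt 0 ] && [ "$(uname -s)" = Darwin ]; then
    main "$1"
fi
```

Run it as "sh import-p12.sh ~/Downloads/vpn-client.p12". The openssl
checks are deliberately separate from the import so that a mistyped
password fails before anything is written to the System keychain; once
the identity shows up in find-identity, create a new VPN configuration as
described in the quoted reply rather than editing the default one.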
