[Openswan Users] OSX and machine certificate for l2tp pointer

Paul Wouters paul at xelerance.com
Thu Jun 4 18:04:36 EDT 2009

Can someone confirm if this works for certs to Openswan? Jacco?



How to configure NetScreen/SSG devices to work with the built in Mac OS X VPN client
by signal15 on November 20, 2007, 03:14:00 PM

Note that someone messaged me and said that certs were not required and
they had it working with PSKs. But I didn't get any details, and they
haven't responded to me. At this point, you're better off downloading
IPSecuritas and following the instructions in the article I posted
on that.

I finally found some time to sit down and get this thing working. I'll
write up a more detailed Howto eventually, but I wanted to get this out
there for those that want it working now. Also, if anyone figures out
how to create a route based version of this, please PM me. I could not
make the route based configuration work.

There are a couple of requirements:
1. You must use certificates. The Mac VPN client will send its internal
IP as the IKE ID if you use PSKs. This doesn't work well for clients
that get a dynamic address or roaming laptop users.
2. As of now, the VPN must be policy based. I cannot make it work with
a route based config, as the client sends its internal address for the
source network in the proxy-id. The client is not very configurable.

The first thing we need to do is create certificates. You will need a
machine certificate on your mac, and a VPN server certificate on your
firewall. The CA cert will need to be loaded on each device, and you will
have to place it in the System Keychain on the Mac to make it trusted. I
created my own CA using the Certificate Assistant on the Mac.

1. Create the CA - Open Keychain Access, and under the Keychain menu at
the top, go under certificate assistant and choose "Create a certificate
Authority". Follow the prompts to get it created. Once it is created,
drag a copy to the desktop, and then drag the file to your System
keychain. If you drag it directly from one keychain to another, it will
move it, not copy it. Make sure you choose a unique serial number when
you get to that point.

2. Create the Machine certificate - Use Certificate Assistant to create a
new cert. Call it "VPN client Cert" or whatever you want. This is a Leaf
certificate, not a self-signed. Select the box that lets you override
options. The email address should be vpn at yourdomain.com, or whatever
you plan on using for an IKE ID on the Juniper. Set a unique serial
number. You should choose 1024-bit/RSA. Uncheck the "Critical" checkbox,
and only check Signature and Key Encipherment. Include Extended Key
Usage, uncheck critical, check SSL Client, SSL Server, PKINIT Client,
and PKINIT Server. Uncheck Basic Constraints in the next screen, and
uncheck Subject Alternative Name in the one after that. Select your System
Keychain to store it.

3. Load the CA Cert on the Juniper. Create a CSR, and make sure the FQDN
or the IP Address is set to *exactly* what the VPN client will point
to. Save the CSR. Start the certificate assistant again and select the
"create a certificate for someone else" option. Drag the CSR onto the area
it tells you to. You must override the options for this one also. You
need to select VPN Server, make sure the "Extended Key Usage" option is
UNCHECKED. Include a Subject Alternative Name, and fill in either the DNS
name or the IP. The other fields should be blank, only fill in one of
them. Once the cert is created, you will need to load it on the Juniper.

4. You MUST create a CRL. Certificate assistant doesn't have an option
for this. You'll have to use OpenSSL to do it on the command line. I
don't have the instructions in front of me now, but you'll just want to
create a blank CRL. Search google for now, I'll put up instructions when
I get around to it.

(Note that there are bugs with the Keychain on both Leopard and
Tiger. Google can help with some of them. But, on Leopard, I noticed if
you delete *anything* from the keychain, you cannot create certificates
again until you reboot. Also, it is imperative you choose unique serial
numbers for all of your certs. If you do not, you can possibly corrupt
the keychain, just ask me how I know.)

---- Configure the Mac (Leopard instructions)
1. Open Network under the System Prefs. Add a new interface, choose L2TP
over IPSEC. Name it something. At the drop down menu at the top, you MUST
change it from Default and add a new configuration called something else.
If you do not, it will not take your machine cert... Bug?
2. Put in the hostname or IP that you used in the Subject Alternative Name
section in your Juniper cert.
3. Put in the desired username.
4. Click on advanced and put in the password.
5. Under the Machine Authentication Section, select certificate, then
select your machine cert. Click OK.
6. Click Apply.

You can either find the checkbox that says "Send all traffic over the
VPN", or you can manually enter routes when you connect:
route add -net <network> -interface ppp0

I'm researching DHCP option 121 to see if this can be used in conjunction
with L2TP to push routes down to the client. Let me know if you find
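
The certificate work in steps 1 through 4 of the quoted post, redone with OpenSSL on the command line (which is where step 4 sends you anyway), as an added example that is not part of the post, of Openswan, or of any NetScreen documentation. It builds a private CA, issues a machine certificate with the key-usage and extended-key-usage settings the post lists (both non-critical, no Basic Constraints, no SAN, the e-mail address in the subject), signs a stand-in firewall CSR with a single DNS SAN added by the CA, and produces the empty CRL step 4 says the firewall needs; a revocation helper then shows the CRL doing its job. Assumptions: openssl 1.1.1 or 3.x is on PATH; the CA name, vpn.example.com and vpn@example.com are made up; keys are 2048-bit RSA rather than the 1024-bit the post picks; and Certificate Assistant's "PKINIT Client" and "PKINIT Server" are taken to be the RFC 4556 EKU OIDs 1.3.6.1.5.2.3.4 and 1.3.6.1.5.2.3.5.

```shell
#!/bin/sh
# Added example, not from the original post: the CA, machine cert, firewall
# cert and empty CRL built with OpenSSL instead of Certificate Assistant.
# Assumptions: openssl 1.1.1/3.x on PATH; names and addresses below are invented;
# 2048-bit keys; PKINIT EKUs are the RFC 4556 OIDs 1.3.6.1.5.2.3.4 / .5.
set -e
WORK="${WORK:-$(mktemp -d)}"   # scratch directory, everything lands here
cd "$WORK"

# openssl ca keeps its own database: an index of issued certs, a serial counter
# (this is what guarantees unique serials) and a CRL number counter.
touch index.txt
echo 1000 > serial
echo 01 > crlnumber

cat > ca.cnf <<'EOF'
[ ca ]
default_ca = vpn_ca
[ vpn_ca ]
dir              = .
database         = $dir/index.txt
serial           = $dir/serial
crlnumber        = $dir/crlnumber
new_certs_dir    = $dir
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_crl_days = 30
policy           = vpn_policy
[ vpn_policy ]
commonName   = supplied
emailAddress = optional
[ req ]
prompt             = no
distinguished_name = ca_dn
[ ca_dn ]
CN = Example VPN CA
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
# Machine cert (step 2): KU and EKU both non-critical; EKU = SSL client, SSL
# server, PKINIT client, PKINIT server; no basicConstraints, no SAN.
[ v3_client ]
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = clientAuth, serverAuth, 1.3.6.1.5.2.3.4, 1.3.6.1.5.2.3.5
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
# Firewall cert (step 3): no EKU, exactly one SAN naming what the client dials.
[ v3_server ]
keyUsage               = digitalSignature, keyEncipherment
subjectAltName         = DNS:vpn.example.com
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF

build_ca() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out ca.key 2>/dev/null
    openssl req -new -x509 -config ca.cnf -extensions v3_ca -days 3650 -key ca.key -out ca.crt
}

# $1 = e-mail address; it goes in the subject DN and is what you enter as the
# peer IKE ID on the firewall. (Drop the 2>/dev/null on openssl ca to debug.)
issue_machine_cert() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out client.key 2>/dev/null
    openssl req -new -key client.key -config ca.cnf -out client.csr \
        -subj "/CN=VPN client Cert/emailAddress=$1"
    openssl ca -batch -config ca.cnf -extensions v3_client -days 365 -notext \
        -in client.csr -out client.crt 2>/dev/null
}

# In real life the CSR comes off the firewall; a stand-in key lets this run end
# to end. The SAN comes from the CA's v3_server section, not from the CSR.
sign_firewall_csr() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out server.key 2>/dev/null
    openssl req -new -key server.key -config ca.cnf -out server.csr -subj "/CN=vpn.example.com"
    openssl ca -batch -config ca.cnf -extensions v3_server -days 365 -notext \
        -in server.csr -out server.crt 2>/dev/null
}

# Step 4's "blank CRL": no revoked entries in index.txt, so the list is empty
# but properly signed by the CA. $1 = output file.
gen_crl() { openssl ca -config ca.cnf -gencrl -out "$1" 2>/dev/null; }

# When a laptop goes missing: mark its cert revoked, regenerate and re-upload the CRL.
revoke_machine_cert() { openssl ca -config ca.cnf -revoke client.crt 2>/dev/null; }

# Inspection helpers: one X509v3 extension of client.crt; a CRL's entry count.
client_ext() { openssl x509 -in client.crt -noout -text | grep -A1 "X509v3 $1:"; }
crl_revoked_count() { openssl crl -in "$1" -noout -text | grep -c 'Serial Number:' || true; }

build_ca
issue_machine_cert vpn@example.com
sign_firewall_csr
gen_crl empty.crl
openssl verify -CAfile ca.crt client.crt server.crt   # both chain to ca.crt
openssl crl -in empty.crl -CAfile ca.crt -noout       # CRL signature verifies
echo "artifacts in $WORK"
```

ca.crt, server.crt (with server.key) and empty.crl go to the firewall; ca.crt, client.crt and client.key go into the Mac's System keychain. Because the firewall's SAN is stamped in by the CA rather than copied from the request, it is the v3_server line, not the CSR, that has to match the hostname or IP the client dials.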
