[Openswan Users] MacOS X L2TP/IPsec
Anthony Lester
alester at free.fr
Fri Mar 19 08:29:20 EDT 2010
Hello Mathieu,
For Mac OS X clients I am pretty sure you have to put something in the
SubjectAltName of the client certificate. Apparently it can be
anything but your EMail is the easiest.
I managed to get a connection working to an OS X 10.5 client using
certificates made by openssl, and it refused to work until I applied
these SubjectAltName rules. I still have problems with my setup (see
yesterday's post) but certificate authentication works fine.
Best of luck
Anthony
On 19 Mar 2010, at 12:44, Mathieu Peresse wrote:
> I'm sorry I just realized my previous wasn't clear at all. Let me
> reformulate.
>
> I put the FQDN of the server as SubjectAltName in the server
> certificate. No SubjectAltName in the client certificate but the
> server's log says the client cert is validated anyway.
> The problem seems to lie on the client side during server's
> certificate authentication (when Main Mode message 6 is received by
> the Initiator/Client).
>
>
> On Fri, Mar 19, 2010 at 12:31 PM, Mathieu Peresse
> <thieummm at gmail.com> wrote:
> Yep I did put the FQDN of the server as SubjectAltName. The client
> certificate is validated on the server side, the server certificate
> seems to be the problem (the 6th main mode message contains the
> responder certificate according to the IKE spec).
>
> Do you get a working L2TP/IPsec session with Mac OS X?
>
> Thanks,
>
> mathieu.
>
> On Fri, Mar 19, 2010 at 11:52 AM, Anthony Lester <alester at free.fr>
> wrote:
> Hello Mathieu,
>
> If you are using Mac OS X as a client and you generated your
> certificates using OpenSSL, did you make sure that you have
> something for the "Subject Alternative Name" (e.g. your EMail) in
> the client certificate and that the "Subject Alternative Name" in
> the certificate for the gateway corresponds to the Server Address?
>
> Just an idea
>
> Anthony
>
>
> On 19 Mar 2010, at 11:02, Mathieu Peresse wrote:
>
> Hi all,
>
> I've been playing with OpenSwan and xl2tpd recently, and I have a
> question regarding Mac OS X interoperability:
>
> First, did anyone manage to get the racoon logs more verbose?
>
> IKE negotiation fails in Main Mode (message 6 says racoon, I guess
> it's the last one), racoon log only says "Auth Failed"..
> My guess is that my root certificate installed on Mac OS X (10.6)
> cannot be found for some reason?... It is installed and marked as
> trusted though...
>
> Any clue ?
>
> --
> a+
> mathieu
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
>
>
>
> --
> a+
> mathieu
>
>
>
> --
> a+
> mathieu
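The SubjectAltName rules discussed in this thread, as an added example that is not part of the original posts: a small POSIX shell script that uses openssl to issue a gateway certificate whose SAN is the gateway FQDN and a client certificate whose SAN is the user's e-mail, then checks that the extension really ended up in each certificate. The names vpn.example.org and alice@example.org are placeholders, and the CA created here is a throwaway one for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread. Issues certs with the SANs the
# Mac OS X IPsec client expects and verifies them; all names are placeholders.
set -e
WORK=${WORK:-$(mktemp -d)}
GW_FQDN=${GW_FQDN:-vpn.example.org}
CLIENT_MAIL=${CLIENT_MAIL:-alice@example.org}

# Create a throwaway self-signed CA (placeholder name) used to sign both certs.
make_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
        -subj "/CN=Example VPN CA" -days 3650 -out "$WORK/ca.crt" 2>/dev/null
}

# issue_cert <name> <subject CN> <SAN value, e.g. DNS:host or email:addr>
# 'openssl x509 -req' drops extensions unless -extfile supplies them, which is
# the usual reason an OpenSSL-made cert ends up with no SubjectAltName.
issue_cert() {
    name=$1 cn=$2 san=$3
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$name.key" \
        -subj "/CN=$cn" -out "$WORK/$name.csr" 2>/dev/null
    printf 'subjectAltName=%s\n' "$san" > "$WORK/$name.ext"
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
        -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
}

# Print the SAN line of a certificate; empty output means the extension is missing.
san_of() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//'
}

# check_cert <crt> <expected SAN text>: cert must chain to the CA and carry the SAN.
check_cert() {
    openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1 || return 1
    san_of "$1" | grep -q "$2"
}

make_ca
# Gateway SAN must match what the client is configured to connect to; use
# IP:a.b.c.d instead of DNS:... if the client is given an address, not a name.
issue_cert gateway "$GW_FQDN" "DNS:$GW_FQDN"
issue_cert client "$CLIENT_MAIL" "email:$CLIENT_MAIL"
check_cert "$WORK/gateway.crt" "DNS:$GW_FQDN"
check_cert "$WORK/client.crt" "email:$CLIENT_MAIL"
echo "certificates and keys written to $WORK"
```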