[Openswan Users] osX and certificates

Bart Smink bartsmink at gmail.com
Fri Jan 25 17:51:57 EST 2013

Hi Bob,

I have openswan working with X509 certificates and L2tp on both IOS and
OSX. If you're using OSX 10.8, you need to replace the configuration files
related to ipsec with the ones of OSX 10.7. Mountain Lion's IPsec support
is a bit flawed.

I think you do need extended key usage for signing the connection, as I
needed them to let the connection work.

I find it quite difficult to answer your question without logs and config,
so if you like you can send them to me and I will take a look at them.


Bart Smink

2013/1/25 Bob Miller <bob at computerisms.ca>

> Greetings all,
> I am seeking to increase my understanding.  I am not sure that I have a
> specific question, but if I do it is what is the magic spell that makes
> certificates work for mac computers connecting to openswan?  Background
> follows:
> I have an openswan server that currently supports windows road warriors
> and a net-to-net tunnel to a satellite office.  Now, there are a handful
> of mac computers that need to work as road warriors too.
> In trying to get a mac to join, I have with reasonable confidence
> narrowed the problem down to the certificates being the problem.  At
> least I can connect when using PSK, and no amount of fiddling with the
> ipsec.conf gets me past the MAIN_R2 stage.  I find no errors, just a
> steady looping up to MAIN_R2 then start over till everything times out.
> Some years ago, maybe 3 or 4, was the last time someone asked me to
> connect a mac to openswan.  At that time I remember failing to get the
> mac to join because of certificate problems, and afterwards deciding it
> was time to get a handle on certificates.  I read all the documentation
> and built myself an ssl.conf that was used to construct my current CA,
> and subsequently I have been using that CA to sign certs for windows
> roadwarriors, linux roadwarriors, net-to-net openswan installations,
> email servers, web applications; where ever I have needed certs, my
> setup has been working.  until I come full circle to putting macs
> together with openswan.
> When I built my ssl system, I took into account the information on
> Jacco's most excellent web pages, in particular regarding certificate
> requirements for mac.
> Specifically:
> -I use subjectAltName extensively for web pages that answer to more than
> one name; the blackberry playbook browser, for example, will not work
> with a certificate that does not have SANs correctly configured.  (Note:
> I have also, according to Jacco's page, made a hosts entry so that I am
> connecting to the host as it is listed in SAN on the firewall
> certificate).  When I read the pem file for this firewall's certificate,
> the SAN is clearly visible.
> -There are no extendedKeyUsage settings in my ssl.conf.  When I search
> the generated pem file, the string extendedKeyUsage is not found.
> -Jacco mentions that macs will not connect to certificates that present
> a certificate containing a DN as its ID.  I do not remember this
> particular requirement from when I set up my ssl, and I am having a
> really hard time finding supporting documentation, but I think this
> means that when I set the rightid in my ipsec.conf, it needs to match
> the SAN and not the DN of the certificate.  If I am correct, that is
> done, else hopefully someone will correct me.
> So if I have addressed all the requirements for certificates to work
> with a mac, why don't they work?  Clearly there is at least one piece of
> information I am still missing to understand the problem.  If the
> solution is embarrassingly simple, please embarrass me; it would be a
> small price to pay for me to finally get my head wrapped around this.
> In the hope that more people will read a smaller mail, I am neglecting
> to include config files, log entries and such.  I will however readily
> make such information available if anyone is willing to look at it.
> If you are still reading: thank you
> if you make comments:
> thankyouthankyouthankyouthankyouthankyouthankyouthankyou:)
> --
> Computerisms
> Bob Miller
> 867-334-7117 / 867-633-3760
> http://computerisms.ca
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

**** DISCLAIMER ****

"This e-mail and any attachment thereto may contain information which is
confidential and/or protected by intellectual property rights and are
intended for the sole use of the recipient(s) named above.
Any use of the information contained herein (including, but not limited to,
total or partial reproduction, communication or distribution in any form)
by other persons than the designated recipient(s) is prohibited.
If you have received this e-mail in error, please notify the sender either
by telephone or by e-mail and delete the material from any computer".

Thank you for your cooperation.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openswan.org/pipermail/users/attachments/20130125/61403a0a/attachment.html>

More information about the Users mailing list