[Openswan Users] osX and certificates
Bob Miller
bob at computerisms.ca
Fri Jan 25 20:39:14 EST 2013
Bart,
Thank you very much for your reply.
Your comments about using 10.7 files and extended key usage are two
things I have not found in my investigation. I will chase those clues
and see where I get. If that fails, I will come back with logs and
configs.
Thanks again, much appreciated.
--
Computerisms
Bob Miller
867-334-7117 / 867-633-3760
http://computerisms.ca
On Fri, 2013-01-25 at 23:51 +0100, Bart Smink wrote:
> Hi Bob,
>
> I have openswan working with X509 certificates and L2tp on both IOS
> and OSX. If you're using OSX 10.8, you need to replace the
> configuration files related to ipsec with the ones of OSX 10.7.
> Mountain Lion's IPsec support is a bit flawed.
>
> I think you do need extended key usage for signing the connection, as
> I needed them to let the connection work.
>
> I find it quite difficult to answer your question without logs and
> config, so if you like you can send them to me and I will take a look
> at them.
>
> Greetings,
>
> Bart Smink
>
> 2013/1/25 Bob Miller <bob at computerisms.ca>
> Greetings all,
>
> I am seeking to increase my understanding. I am not sure that I have a specific question, but if I do it is what is the magic spell that makes certificates work for mac computers connecting to openswan? Background follows:
>
> I have an openswan server that currently supports windows road warriors and a net-to-net tunnel to a satellite office. Now, there are a handful of mac computers that need to work as road warriors too.
>
> In trying to get a mac to join, I have with reasonable confidence narrowed the problem down to the certificates being the problem. At least I can connect when using PSK, and no amount of fiddling with the ipsec.conf gets me past the MAIN_R2 stage. I find no errors, just a steady looping up to MAIN_R2 then start over till everything times out.
>
> Some years ago, maybe 3 or 4, was the last time someone asked me to connect a mac to openswan. At that time I remember failing to get the mac to join because of certificate problems, and afterwards deciding it was time to get a handle on certificates. I read all the documentation and built myself an ssl.conf that was used to construct my current CA, and subsequently I have been using that CA to sign certs for windows roadwarriors, linux roadwarriors, net-to-net openswan installations, email servers, web applications; wherever I have needed certs, my setup has been working. Until I come full circle to putting macs together with openswan.
>
> When I built my ssl system, I took into account the information on Jacco's most excellent web pages, in particular regarding certificate requirements for mac.
>
> Specifically:
> - I use subjectAltName extensively for web pages that answer to more than one name; the blackberry playbook browser, for example, will not work with a certificate that does not have SANs correctly configured. (Note: I have also, according to Jacco's page, made a hosts entry so that I am connecting to the host as it is listed in SAN on the firewall certificate). When I read the pem file for this firewall's certificate, the SAN is clearly visible.
>
> - There are no extendedKeyUsage settings in my ssl.conf. When I search the generated pem file, the string extendedKeyUsage is not found.
>
> - Jacco mentions that macs will not connect to certificates that present a certificate containing a DN as its ID. I do not remember this particular requirement from when I set up my ssl, and I am having a really hard time finding supporting documentation, but I think this means that when I set the rightid in my ipsec.conf, it needs to match the SAN and not the DN of the certificate. If I am correct, that is done, else hopefully someone will correct me.
>
> So if I have addressed all the requirements for certificates to work with a mac, why don't they work? Clearly there is at least one piece of information I am still missing to understand the problem. If the solution is embarrassingly simple, please embarrass me; it would be a small price to pay for me to finally get my head wrapped around this.
>
> In the hope that more people will read a smaller mail, I am neglecting to include config files, log entries and such. I will however readily make such information available if anyone is willing to look at it.
>
> If you are still reading: thank you
> if you make comments: thankyouthankyouthankyouthankyouthankyouthankyouthankyou:)
>
> --
> Computerisms
> Bob Miller
> 867-334-7117 / 867-633-3760
> http://computerisms.ca
>
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
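As an added illustration (not code from either poster) of the two certificate properties the thread turns on, the script below writes an OpenSSL extension section that emits both subjectAltName and extendedKeyUsage, generates a certificate from it, and reads the extensions back from the resulting PEM, including the SAN in the `@fqdn` form an ipsec.conf ID takes. The host name vpn.example.com, the file paths and the particular EKU values are assumptions; the thread only says that EKU must be present.

```shell
#!/bin/sh
# Added example, not from the thread: emit a certificate that carries the two
# extensions discussed above (subjectAltName and extendedKeyUsage) and read
# them back from the PEM. Needs the openssl CLI, 1.1.1 or newer.
# vpn.example.com, the file names and the chosen EKU values are assumptions.
set -eu

WORK="${TMPDIR:-/tmp}/swan-cert-demo"
mkdir -p "$WORK"

# Minimal config: the [ v3_vpn_server ] section is the kind of x509v3 block an
# ssl.conf would reference when the CA signs a gateway certificate.
# 1.3.6.1.5.5.7.3.17 is id-kp-ipsecIKE (RFC 4945); serverAuth is kept as well.
cat > "$WORK/vpn.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt             = no
[ req_dn ]
CN = vpn.example.com
[ v3_vpn_server ]
basicConstraints   = CA:FALSE
keyUsage           = critical, digitalSignature, keyEncipherment
extendedKeyUsage   = serverAuth, 1.3.6.1.5.5.7.3.17
subjectAltName     = DNS:vpn.example.com
EOF

# Self-signed here for brevity; in production the CSR goes to the CA instead.
openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
  -config "$WORK/vpn.cnf" -extensions v3_vpn_server \
  -keyout "$WORK/vpn.key" -out "$WORK/vpn.pem" 2>/dev/null

# Print the value of one x509v3 extension; empty output means it is absent.
# Grepping the PEM file itself finds nothing, because its body is base64.
cert_ext() {  # usage: cert_ext FILE "Extended Key Usage"
  openssl x509 -in "$1" -noout -text |
    awk -v name="X509v3 $2:" 'index($0, name) { getline; sub(/^[ \t]+/, ""); print; exit }'
}

# The first DNS SAN entry in the "@fqdn" form ipsec.conf uses for leftid/rightid,
# i.e. the identity the thread says the ID must match rather than the DN.
san_id() {  # usage: san_id FILE
  cert_ext "$1" "Subject Alternative Name" | tr ',' '\n' |
    sed -n 's/^[[:space:]]*DNS:\(.*\)$/@\1/p' | head -n 1
}

echo "SAN : $(cert_ext "$WORK/vpn.pem" "Subject Alternative Name")"
echo "EKU : $(cert_ext "$WORK/vpn.pem" "Extended Key Usage")"
echo "ID  : $(san_id "$WORK/vpn.pem")"
```

Point `cert_ext` at a certificate the CA actually issued to confirm whether the extension reached the signed certificate, since the CA's own extension section, not the request, decides what ends up in it.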