[Openswan Users] osX and certificates

Bob Miller bob at computerisms.ca
Fri Jan 25 20:39:14 EST 2013


Thank you very much for your reply.

Your comments about using 10.7 files and extended key usage are two
things I have not found in my investigation.  I will chase those clues
and see where I get.  If that fails, I will come back with logs and

Thanks again, much appreciated.

Bob Miller      
867-334-7117 / 867-633-3760

On Fri, 2013-01-25 at 23:51 +0100, Bart Smink wrote:
> Hi Bob,
> I have openswan working with X509 certificates and L2tp on both IOS
> and OSX. If you're using OSX 10.8, you need to replace the
> configuration files related to ipsec with the ones of OSX 10.7.
> Mountain Lion's IPsec support is a bit flawed.
> I think you do need extended key usage for signing the connection, as
> I needed them to let the connection work.
> I find it quite difficult to answer your question without logs and
> config, so if you like you can send them to me and I will take a look
> at them.
> Greetings,
> Bart Smink
> 2013/1/25 Bob Miller <bob at computerisms.ca>
>         Greetings all,
>
>         I am seeking to increase my understanding.  I am not sure that I have
>         a specific question, but if I do it is: what is the magic spell that
>         makes certificates work for mac computers connecting to openswan?
>         Background follows:
>
>         I have an openswan server that currently supports windows road
>         warriors and a net-to-net tunnel to a satellite office.  Now, there
>         are a handful of mac computers that need to work as road warriors
>         too.
>
>         In trying to get a mac to join, I have with reasonable confidence
>         narrowed the problem down to the certificates being the problem.  At
>         least I can connect when using PSK, and no amount of fiddling with
>         the ipsec.conf gets me past the MAIN_R2 stage.  I find no errors,
>         just a steady looping up to MAIN_R2 then start over till everything
>         times out.
>
>         Some years ago, maybe 3 or 4, was the last time someone asked me to
>         connect a mac to openswan.  At that time I remember failing to get
>         the mac to join because of certificate problems, and afterwards
>         deciding it was time to get a handle on certificates.  I read all
>         the documentation and built myself an ssl.conf that was used to
>         construct my current CA, and subsequently I have been using that CA
>         to sign certs for windows roadwarriors, linux roadwarriors,
>         net-to-net openswan installations, email servers, web applications;
>         wherever I have needed certs, my setup has been working.  Until I
>         come full circle to putting macs together with openswan.
>
>         When I built my ssl system, I took into account the information on
>         Jacco's most excellent web pages, in particular regarding
>         certificate requirements for mac.  Specifically:
>
>         - I use subjectAltName extensively for web pages that answer to more
>           than one name; the blackberry playbook browser, for example, will
>           not work with a certificate that does not have SANs correctly
>           configured.  (Note: I have also, according to Jacco's page, made a
>           hosts entry so that I am connecting to the host as it is listed in
>           SAN on the firewall certificate).  When I read the pem file for
>           this firewall's certificate, the SAN is clearly visible.
>         - There are no extendedKeyUsage settings in my ssl.conf.  When I
>           search the generated pem file, the string extendedKeyUsage is not
>           found.
>         - Jacco mentions that macs will not connect to certificates that
>           present a certificate containing a DN as its ID.  I do not
>           remember this particular requirement from when I set up my ssl,
>           and I am having a really hard time finding supporting
>           documentation, but I think this means that when I set the rightid
>           in my ipsec.conf, it needs to match the SAN and not the DN of the
>           certificate.  If I am correct, that is done, else hopefully
>           someone will correct me.
>
>         So if I have addressed all the requirements for certificates to work
>         with a mac, why don't they work?  Clearly there is at least one
>         piece of information I am still missing to understand the problem.
>         If the solution is embarrassingly simple, please embarrass me; it
>         would be a small price to pay for me to finally get my head wrapped
>         around this.
>
>         In the hope that more people will read a smaller mail, I am
>         neglecting to include config files, log entries and such.  I will
>         however readily make such information available if anyone is
>         willing to look at it.
>
>         If you are still reading: thank you
>         if you make comments:
>         thankyouthankyouthankyouthankyouthankyouthankyouthankyou:)
>
>         --
>         Computerisms
>         Bob Miller
>         867-334-7117 / 867-633-3760
>         http://computerisms.ca
>         _______________________________________________
>         Users at lists.openswan.org
>         https://lists.openswan.org/mailman/listinfo/users
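The two things the thread turns on are whether the firewall certificate carries an extendedKeyUsage extension at all, and whether the ID configured in ipsec.conf matches a subjectAltName rather than the DN. The script below is an added example, not code from the thread, from Jacco's pages or from Openswan: it builds a throwaway CA and a server certificate with SAN and EKU using the openssl CLI, then runs the two checks Bob describes doing by hand on the PEM file. The name fw.example.org is a hypothetical firewall FQDN, and the EKU values (serverAuth plus the IKE Intermediate OID 1.3.6.1.5.5.8.2.2) are a common choice for Apple IPsec clients that the thread itself does not spell out; treat them as an assumption to confirm against your client.

```shell
#!/bin/sh
# Added example (not from the thread, Jacco's pages or Openswan): make a small
# CA plus a server certificate that has subjectAltName and extendedKeyUsage,
# then check the PEM the way the thread describes.
# Assumptions: openssl CLI available; fw.example.org is a hypothetical name;
# the EKU values below are a common choice for Apple clients, not stated in
# the thread.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SERVER_FQDN="${SERVER_FQDN:-fw.example.org}"   # hypothetical firewall FQDN

# OpenSSL config shared by the CA and the server certificate.  v3_ca has no
# EKU (like Bob's existing CA); v3_server has both SAN and EKU.
write_config() {
    cat > "$WORKDIR/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, 1.3.6.1.5.5.8.2.2
subjectAltName = DNS:$SERVER_FQDN
EOF
}

# Create $WORKDIR/ca.pem and $WORKDIR/server.pem (signed by the CA).
make_certs() {
    write_config
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.pem" \
        -subj "/CN=Example VPN CA" \
        -config "$WORKDIR/openssl.cnf" -extensions v3_ca 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.csr" \
        -subj "/CN=$SERVER_FQDN" -config "$WORKDIR/openssl.cnf" 2>/dev/null
    openssl x509 -req -in "$WORKDIR/server.csr" -days 825 \
        -CA "$WORKDIR/ca.pem" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
        -extfile "$WORKDIR/openssl.cnf" -extensions v3_server \
        -out "$WORKDIR/server.pem" 2>/dev/null
}

# Exit 0 when the certificate carries an X509v3 Extended Key Usage extension
# (the string Bob grepped for and did not find in his PEM).
cert_has_eku() {
    openssl x509 -in "$1" -noout -text | grep -q 'X509v3 Extended Key Usage'
}

# Print the DNS names from subjectAltName, one per line (nothing if absent).
cert_san_dns() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# Exit 0 when the ID you intend to configure in ipsec.conf is one of the
# certificate's SAN DNS names; a DN-only certificate fails this check.
id_matches_san() {
    cert_san_dns "$1" | grep -qx "$2"
}

# Stand-alone run:  sh mac_certs.sh demo
demo() {
    make_certs
    for cert in ca.pem server.pem; do
        if cert_has_eku "$WORKDIR/$cert"; then eku=present; else eku=absent; fi
        printf '%s: extendedKeyUsage %s; SAN DNS: %s\n' "$cert" "$eku" \
            "$(cert_san_dns "$WORKDIR/$cert" | tr '\n' ' ')"
    done
    if id_matches_san "$WORKDIR/server.pem" "$SERVER_FQDN"; then
        echo "OK: @$SERVER_FQDN is a SAN of server.pem; use it as the firewall's id"
    else
        echo "no SAN matches $SERVER_FQDN; only the DN would identify this cert"
    fi
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

Run the same `cert_has_eku` and `id_matches_san` checks against the real firewall certificate before touching ipsec.conf; if the EKU line is missing, the CSR was signed without an `extendedKeyUsage` entry in the extensions section, which is the gap Bob found in his ssl.conf.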
