[Swan] OSX Connectivity debugging

Mr. Jan Walter hopping_hol at yahoo.com
Tue Jan 22 20:37:32 UTC 2019

 Certutil command line:
certutil -S -c "ca.zzz.net" -n "vv.zzz.net" -s "O=VV Server Cert,CN=vv.zzz.net" -k rsa -v 12 -d sql:${HOME}/ca -t ",," -1 -6 -8 "vv.zzz.net" --extSAN ip:,ip: is the elastic IP10.x is the vpc ipThe domain vv.zzz.net resolves to 
No reverse DNS though.
The -8 option should set the SubjectAltName per the certutil man page, yes?
I'll look into the debug profile stuff.
    On Tuesday, January 22, 2019, 3:08:51 PM EST, Paul Wouters <paul at nohats.ca> wrote:  
 On Tue, 22 Jan 2019, Mr. Jan Walter wrote:

> NVM on the roaming clients question, the server cert needs the extended data.
> I generated a new vpn server cert with both the dns name, the local, and public ip address in the Alt data.
> I removed the esn= line from ipsec.conf, and now it gets this far, but the osx client states "authentication failed":

Does the server cert have a SubjectAltname with vv.zzz.net ?

For OSX, you can also install the IKEv2 debug profile. The run the test
and make it fail, then check the system logs. If installed on a phone,
connect the phone to the laptop, sync and then you should have the
debug logs.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20190122/2fe2f9f1/attachment.html>

More information about the Swan mailing list