[Swan] OSX Connectivity debugging

Mr. Jan Walter hopping_hol at yahoo.com
Tue Jan 22 20:37:32 UTC 2019


Certutil command line:
certutil -S -c "ca.zzz.net" -n "vv.zzz.net" -s "O=VV Server Cert,CN=vv.zzz.net" -k rsa -v 12 -d sql:${HOME}/ca -t ",," -1 -6 -8 "vv.zzz.net" --extSAN ip:11.11.11.11,ip:10.0.0.194

11.11.11.11 is the elastic IP
10.x is the vpc ip
The domain vv.zzz.net resolves to 11.11.11.11
No reverse DNS though.
The -8 option should set the SubjectAltName per the certutil man page, yes?
I'll look into the debug profile stuff.
On Tuesday, January 22, 2019, 3:08:51 PM EST, Paul Wouters <paul at nohats.ca> wrote:

On Tue, 22 Jan 2019, Mr. Jan Walter wrote:

> NVM on the roaming clients question, the server cert needs the extended data.
> 
> I generated a new vpn server cert with both the dns name, the local, and public ip address in the Alt data.
> 
> I removed the esn= line from ipsec.conf, and now it gets this far, but the osx client states "authentication failed":

Does the server cert have a SubjectAltname with vv.zzz.net ?

For OSX, you can also install the IKEv2 debug profile. Then run the test
and make it fail, then check the system logs. If installed on a phone,
connect the phone to the laptop, sync and then you should have the
debug logs.

Paul
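The SAN question Paul raises is the usual cause of an IKEv2 "authentication failed": the client compares the remote identifier it was configured with (here the DNS name vv.zzz.net) against the server certificate's SubjectAltName, so the name and any IPs the client may use all have to be listed there. The script below is an added example, not part of the thread and not Libreswan's or NSS's own tooling: it uses openssl (assumed to be on PATH) instead of certutil to produce a server certificate carrying the same DNS name and IPs as the certutil command above, and provides a check that a given certificate's SAN actually contains the expected entries. The host name and IP addresses are the placeholders from the thread; the temporary directory and function names are this example's own.

```shell
#!/bin/sh
# Added example: build a server cert whose SAN lists a DNS name plus IPs,
# then verify the SAN from the certificate itself (openssl, not NSS certutil).
set -e

WORK="${TMPDIR:-/tmp}/san-demo.$$"      # scratch dir, removed on exit
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# make_server_cert NAME SAN-LIST OUTFILE
# Writes a minimal openssl config so the self-signed cert gets a v3 SAN
# extension (the config-file form works on old and new openssl releases).
make_server_cert() {
    name="$1"; san="$2"; out="$3"
    cat > "$WORK/san.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_req
[dn]
O = VV Server Cert
CN = $name
[v3_req]
subjectAltName = $san
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$WORK/san.cnf" -keyout "$WORK/key.pem" -out "$out" 2>/dev/null
}

# cert_san CERTFILE
# Prints the SAN line as openssl renders it, e.g.
# "DNS:vv.zzz.net, IP Address:11.11.11.11, IP Address:10.0.0.194"
cert_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^[[:space:]]*//'
}

# san_has_dns CERTFILE NAME  -> exit 0 if NAME is a DNS entry in the SAN
san_has_dns() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')     # make dots literal
    cert_san "$1" | grep -Eq "DNS:${esc}(,|\$)"
}

# san_has_ip CERTFILE ADDR  -> exit 0 if ADDR is an IP entry in the SAN
san_has_ip() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    cert_san "$1" | grep -Eq "IP Address:${esc}(,|\$)"
}

# Demo with the thread's placeholders: the name the client connects to plus
# the elastic and VPC addresses, as in the certutil invocation above.
make_server_cert vv.zzz.net "DNS:vv.zzz.net,IP:11.11.11.11,IP:10.0.0.194" "$WORK/server.pem"
echo "SAN: $(cert_san "$WORK/server.pem")"
for n in vv.zzz.net other.zzz.net; do
    if san_has_dns "$WORK/server.pem" "$n"; then
        echo "$n: present in SAN"
    else
        echo "$n: MISSING from SAN (client using this ID will fail auth)"
    fi
done
```

Run it against the certificate the VPN server actually presents (exported from the NSS database with certutil -L -a, or grabbed from the wire) rather than a freshly made one; the point of san_has_dns is to confirm that the exact identifier configured on the macOS client appears in the SAN before spending time in the debug profile logs.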
  

