[Swan] OSX - SAN not recognized on firewall cert

Computerisms Corporation bob at computerisms.ca
Fri Mar 27 05:51:44 UTC 2020


Hi Gurus,

I have been spinning my wheels on this all day; maybe by sending this to the 
list I will get an epiphany, or if not, hopefully someone has some input.

I have a firewall running v3.29. Windows clients are connecting fine, and the 
generated mobileconfigs are installing on the OSX clients and appear to 
have all the correct details.  But when I connect with OSX (tested on 
multiple machines using multiple mobileconfigs), the logs tell me the 
cert has no matching SAN:


Mar 26 21:25:50 doorlian pluto[16012]: "rw-ikev2"[6] 205.234.49.246 #720: No matching subjectAltName found for 'firewall.ctfn.ca'
Mar 26 21:25:50 doorlian pluto[16012]: "rw-ikev2"[6] 205.234.49.246 #720: certificate does not contain subjectAltName=firewall.ctfn.ca
Mar 26 21:25:50 doorlian pluto[16012]: "rw-ikev2"[6] 205.234.49.246 #720: Peer public key SubjectAltName does not match peer ID for this connection
Mar 26 21:25:50 doorlian pluto[16012]: "rw-ikev2"[6] 205.234.49.246 #720: IKEv2 mode peer ID is ID_FQDN: '@firewall.ctfn.ca'
Mar 26 21:25:50 doorlian pluto[16012]: "rw-ikev2"[6] 205.234.49.246 #720: Signature check (on @firewall.ctfn.ca) failed (wrong key?); tried *AwEAAbtUh
Mar 26 21:25:50 doorlian pluto[16012]: "rw-ikev2"[6] 205.234.49.246 #720: RSA authentication of I2 Auth Payload failed
Mar 26 21:25:50 doorlian pluto[16012]: "rw-ikev2"[6] 205.234.49.246 #720: responding to IKE_AUTH message (ID 1) from 205.234.49.246:4500 with encrypted notification AUTHENTICATION_FAILED
Mar 26 21:25:50 doorlian pluto[16012]: "rw-ikev2"[6] 205.234.49.246 #720: deleting state (STATE_PARENT_R1) aged 0.171s and NOT sending notification

I am not really clear which cert it is talking about. I would expect it 
to be logging info about the cert on OSX, but the cert name is 
appropriate for the firewall, and it does have a matching SAN:

certutil -L -n firewall.ctfn.ca -d sql:/etc/ipsec.d
<snip>
             Name: Certificate Subject Alt Name
             DNS name: "firewall.ctfn.ca"

             Name: Certificate Key Usage
             Usages: Digital Signature
                     Non-Repudiation
                     Key Encipherment

             Name: Extended Key Usage
                 TLS Web Server Authentication Certificate
</snip>

and I am reasonably certain I am using the correct settings in the conn:
<snip>
    left=firewall.ctfn.ca
    leftsubnet=0.0.0.0/0
    leftcert=firewall.ctfn.ca
    leftid=@firewall.ctfn.ca
    leftrsasigkey=%cert
    leftsendcert=always
    right=%any
    rightca=%same
    rightrsasigkey=%cert
    rightid=%fromcert
</snip>

On another firewall also running 3.29, I have OSX and Windows clients 
connecting fine; I have carefully compared all the configs and 
certificates and the details seem to be consistent.  Clearly I have 
overlooked something; wondering if anyone has an idea what it is?


-- 
Bob Miller
Cell: 867-334-7117
Office: 867-633-3760
Office: 867-322-0362
www.computerisms.ca

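As an added illustration (this is not part of Bob's post and is not libreswan's own code), here is a small Python reimplementation of the check that pluto is logging above. The comparison pluto reports is between the subjectAltName of the certificate the peer presented and the peer ID claimed in IKE_AUTH (the log line "IKEv2 mode peer ID is ID_FQDN: '@firewall.ctfn.ca'"), so a DNS SAN of firewall.ctfn.ca in the firewall's own certificate only satisfies the check for a peer whose certificate also carries that name. The code parses SAN entries from certutil -L text in the shape quoted in the post (the "DNS name" line is the one shown there; the "IP Address" and "RFC822 Name" forms are assumed), classifies IDs by libreswan's conventions as I understand them (a leading '@' is ID_FQDN, an '@' elsewhere is ID_USER_FQDN, an IP literal is an address ID), and uses a hypothetical client certificate for macbook.ctfn.ca as constructed sample input.

```python
import re
from ipaddress import ip_address

# Constructed samples in the shape of `certutil -L -n <nickname> -d sql:/etc/ipsec.d`
# output. FIREWALL_CERT mirrors the SAN block quoted in the post; CLIENT_CERT is a
# hypothetical macOS client certificate whose SAN names the client, not the firewall.
FIREWALL_CERT = """\
            Name: Certificate Subject Alt Name
            DNS name: "firewall.ctfn.ca"

            Name: Certificate Key Usage
            Usages: Digital Signature
"""

CLIENT_CERT = """\
            Name: Certificate Subject Alt Name
            DNS name: "macbook.ctfn.ca"
            RFC822 Name: "bob@ctfn.ca"

            Name: Certificate Key Usage
            Usages: Digital Signature
"""

# certutil prints one "<type>: <value>" line per SAN entry. The DNS form is the one
# shown in the post; the IP Address and RFC822 Name forms are assumed here.
_SAN_LINE = re.compile(r'^(DNS name|IP Address|RFC822 Name):\s*"?([^"]+?)"?$')
_SAN_KIND = {"DNS name": "DNS", "IP Address": "IP", "RFC822 Name": "EMAIL"}


def parse_certutil_sans(text):
    """Collect SAN entries from certutil -L text, grouped by kind."""
    sans = {"DNS": [], "IP": [], "EMAIL": []}
    in_san = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Name:"):
            # Each extension starts with a "Name:" header; only one of them is the SAN.
            in_san = (line == "Name: Certificate Subject Alt Name")
            continue
        if not in_san or not line:
            continue
        m = _SAN_LINE.match(line)
        if m:
            sans[_SAN_KIND[m.group(1)]].append(m.group(2))
    return sans


def classify_id(peer_id):
    """Map a libreswan-style ID string to (id_type, value).

    Assumed conventions: a leading '@' marks ID_FQDN (no DNS lookup), an '@'
    elsewhere marks ID_USER_FQDN (an e-mail address), and an IP literal is
    ID_IPV4_ADDR or ID_IPV6_ADDR. Anything else is rejected rather than resolved.
    """
    if peer_id.startswith("@"):
        return "ID_FQDN", peer_id[1:]
    if "@" in peer_id:
        return "ID_USER_FQDN", peer_id
    try:
        addr = ip_address(peer_id)
    except ValueError:
        raise ValueError(f"unsupported or unresolved ID form: {peer_id!r}")
    return ("ID_IPV4_ADDR" if addr.version == 4 else "ID_IPV6_ADDR"), str(addr)


def san_matches_id(sans, peer_id):
    """True if a SAN of the kind matching the ID type equals the claimed ID.

    DNS names and e-mail addresses compare case-insensitively; addresses compare
    as parsed IPs so that textual variants of the same address still match.
    """
    id_type, value = classify_id(peer_id)
    if id_type == "ID_FQDN":
        return any(value.lower() == d.lower() for d in sans["DNS"])
    if id_type == "ID_USER_FQDN":
        return any(value.lower() == e.lower() for e in sans["EMAIL"])
    return any(ip_address(value) == ip_address(i) for i in sans["IP"])


def check_peer(cert_text, peer_id):
    """Run the SAN-versus-ID check on the certificate a peer presented.

    Returns (ok, message); the failure message paraphrases pluto's wording.
    """
    sans = parse_certutil_sans(cert_text)
    if san_matches_id(sans, peer_id):
        return True, f"subjectAltName matches peer ID {peer_id}"
    return False, f"No matching subjectAltName found for '{peer_id.lstrip('@')}'"


if __name__ == "__main__":
    # The firewall's own certificate carries the SAN its ID names ...
    print(check_peer(FIREWALL_CERT, "@firewall.ctfn.ca"))
    # ... but a client certificate checked against that same ID does not,
    # while the client's own name in its own certificate passes.
    print(check_peer(CLIENT_CERT, "@firewall.ctfn.ca"))
    print(check_peer(CLIENT_CERT, "@macbook.ctfn.ca"))
```

Running it prints one success for the firewall certificate against @firewall.ctfn.ca and a pluto-style failure when the hypothetical client certificate is checked against that same ID, which is the shape of the log above; the third call shows the same certificate passing against an ID it actually carries. To reproduce the check against a real certificate, feed it the output of certutil -L for the certificate the peer sent, not the firewall's own.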
