[Swan] How to connect a Mac client to Libreswan

Paul Wouters paul at nohats.ca
Tue Apr 20 19:38:01 UTC 2021


On Tue, 20 Apr 2021, Blue Aquan wrote:

> Hi Team Libreswan
> I have a Libreswan 4.3 (netkey) running on CentOS 8 which has a roadwarrior setup with the following configuration. All through I followed this
> guide https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2 
> With a Linux client, the setup works flawlessly, but I am unable to replicate the same on a Mac client. I tried following the same steps by creating a certificate for the
> Mac client, but the Mac client throws up a lot of errors. I want to know if there's any standard procedure to follow while connecting from a Mac client...?
> 
> On Linux, the same procedure works perfectly fine
> 
> On VPN Server
> 
> conn COMET
>         left=1.2.3.4
>         leftsubnet=192.168.1.0/24
>         leftcert=sun.abc.com
>         leftid=@sun.abc.com

Note that for a Mac to accept this ID, it MUST appear as a
subjectAltName (SAN) of the type DNS: inside the certificate.

The Mac also needs to have the CA cert that signed it, of course. But it
should have that if you used a PKCS#12 formatted file (.p12).

Note that in the past, I've had issues with a Mac and its configuration
tool when you add a new connection and set it to PSK and fill in the ID,
and then change it to certificate. It somehow still would use the wrong
old ID instead of the cert. You might want to just delete the conn and
start a new one from scratch where you never select PSK or fill in the
ID manually.

Paul
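One way to check the SAN requirement from Paul's reply before loading a certificate on the Mac, as an added example that is not part of the thread or of Libreswan itself: it assumes openssl is on PATH and that the server certificate is available as a PEM file (exported from the NSS database or the .p12 if needed); the helper that generates a self-signed sample is only there so the check can be tried offline.

```shell
#!/bin/sh
# Added example: verify that the value of leftid= appears as a DNS:
# subjectAltName in the certificate, which is what the Mac client checks.

# Print the DNS: entries from the certificate's subjectAltName, one per line.
san_dns_names() {
    openssl x509 -in "$1" -noout -text \
      | awk '/X509v3 Subject Alternative Name/ { getline; print }' \
      | tr ',' '\n' \
      | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p'
}

# Return 0 when the leftid (with or without the leading '@') is a DNS: SAN,
# 1 otherwise. A matching CN alone is not enough for the Mac.
cert_has_leftid_san() {
    cert=$1
    id=${2#@}                      # leftid=@sun.abc.com -> sun.abc.com
    san_dns_names "$cert" | grep -qxF "$id"
}

# Constructed sample: a self-signed cert with the given CN and SAN list.
# For a real deployment the CA the Mac trusts must sign the cert; this
# helper exists only so the check above can be exercised without a PKI.
make_test_cert() {
    out=$1; cn=$2; sans=$3
    cat > "$out.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $cn
[v3]
subjectAltName = $sans
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$out.key" -out "$out.pem" -config "$out.cnf" 2>/dev/null
}
```

Run `cert_has_leftid_san /path/to/sun.abc.com.pem @sun.abc.com` against the real server certificate; a non-zero exit means the Mac will reject the ID even though Linux clients accept it.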


More information about the Swan mailing list