[Swan] How to connect a Mac client to Libreswan

Blue Aquan blueaquan at zuwissen.com
Sat May 1 11:13:24 UTC 2021



Dear Paul,

The reason I couldn't respond to your earlier message was due to certain
limitations in finding a Mac OS for this testbed purpose. I finally have
one to conduct these tests, and here are the logs on the server when the
Mac tries to connect.
Please note that with the same configuration on the server, Linux clients
are able to connect.

May  1 13:52:38.347004: "MOBILE"[1] 1.2.3.4: local IKE proposals (IKE SA responder matching remote proposals):
May  1 13:52:38.347034: "MOBILE"[1] 1.2.3.4:   1:IKE=AES_GCM_C_256-HMAC_SHA2_512+HMAC_SHA2_256-NONE-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
May  1 13:52:38.347039: "MOBILE"[1] 1.2.3.4:   2:IKE=AES_GCM_C_128-HMAC_SHA2_512+HMAC_SHA2_256-NONE-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
May  1 13:52:38.347043: "MOBILE"[1] 1.2.3.4:   3:IKE=AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
May  1 13:52:38.347046: "MOBILE"[1] 1.2.3.4:   4:IKE=AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
May  1 13:52:38.347072: "MOBILE"[1] 1.2.3.4 #10: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals
1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048[first-match]
2:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=ECP_256
3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP1536
4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024
5:IKE:ENCR=3DES;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024
May  1 13:52:38.348823: "MOBILE"[1] 1.2.3.4 #10: sent IKE_SA_INIT reply {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
May  1 13:52:38.412735: "MOBILE"[1] 1.2.3.4 #10: dropping unexpected IKE_AUTH message containing INITIAL_CONTACT... notification; message payloads: SK; encrypted payloads: SA,IDi,IDr,N,TSi,TSr,CP; missing payloads: AUTH
May  1 13:52:38.412766: "MOBILE"[1] 1.2.3.4 #10: responding to IKE_AUTH message (ID 1) from 1.2.3.4:500 with encrypted notification INVALID_SYNTAX
May  1 13:52:38.412849: "MOBILE"[1] 1.2.3.4 #10: encountered fatal error in state STATE_PARENT_R1
May  1 13:52:38.412920: "MOBILE"[1] 1.2.3.4 #10: deleting state (STATE_PARENT_R1) aged 0.065925s and NOT sending notification
May  1 13:52:38.412954: "MOBILE"[1] 1.2.3.4: deleting connection instance with peer 1.2.3.4 {isakmp=#0/ipsec=#0}


Thanks, Best
BA

On Tue, 2021-04-20 at 15:38 -0400, Paul Wouters wrote:
> On Tue, 20 Apr 2021, Blue Aquan wrote:
> > Hi Team Libreswan,
> > I have a Libreswan 4.3 (netkey) running on CentOS 8 which has a
> > roadwarrior setup with the following configuration.
> > All through I followed this guide:
> > https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2
> > With a Linux client, the setup works flawlessly, but I am unable
> > to replicate the same on a Mac client. I tried following the same
> > steps by creating a certificate for the Mac client, but the Mac
> > client throws up a lot of errors. I want to know if there's any
> > standard procedure to follow while connecting from a Mac client...?
> > On Linux, the same procedure works perfectly fine.
> > On VPN Server:
> > conn COMET
> >         left=1.2.3.4
> >         leftsubnet=192.168.1.0/24
> >         leftcert=sun.abc.com
> >         leftid=@sun.abc.com
> 
> Note that for a Mac to accept this ID, it MUST appear as a
> subjectAltName (SAN) of the type DNS: inside the certificate.
> The Mac also needs to have the CA cert that signed it, of course. But
> it should have that if you used a PKCS#12 formatted file (.p12).
> Note that in the past, I've had issues with a Mac and its
> configuration tool when you add a new connection and set it to PSK and
> fill in the ID, and then change it to certificate. It somehow still
> would use the wrong old ID instead of the cert. You might want to just
> delete the conn and start a new one from scratch where you never
> select PSK or fill in the ID manually.
> Paul
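As an added example, not part of this thread and not Libreswan's own code, the following Python script parses the server log records quoted above (the sample is constructed from those lines, each record re-joined onto one line). It lists the IKE SA proposals the Mac offered, flags the ones carrying algorithms a responder should not accept (MODP groups below 2048 bits, 3DES, SHA-1 based PRF/integrity), reports the parameters the server chose for the IKE_SA_INIT reply, and detects the IKE_AUTH rejection together with the payload the server found missing. The weak-algorithm list, function names and `Proposal` class are this example's own choices, not Libreswan identifiers.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the server-side records quoted in the mail,
# each re-joined onto one line. The remote proposals follow the "chosen
# from remote proposals" record as continuation lines without a timestamp.
SAMPLE_LOG = """\
May  1 13:52:38.347072: "MOBILE"[1] 1.2.3.4 #10: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals
1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048[first-match]
2:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=ECP_256
3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP1536
4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024
5:IKE:ENCR=3DES;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024
May  1 13:52:38.348823: "MOBILE"[1] 1.2.3.4 #10: sent IKE_SA_INIT reply {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
May  1 13:52:38.412735: "MOBILE"[1] 1.2.3.4 #10: dropping unexpected IKE_AUTH message containing INITIAL_CONTACT... notification; message payloads: SK; encrypted payloads: SA,IDi,IDr,N,TSi,TSr,CP; missing payloads: AUTH
May  1 13:52:38.412766: "MOBILE"[1] 1.2.3.4 #10: responding to IKE_AUTH message (ID 1) from 1.2.3.4:500 with encrypted notification INVALID_SYNTAX
"""

# Example's own list of algorithms to flag: MODP groups below 2048 bits,
# 3DES, and SHA-1 based PRF/integrity. Adjust to local policy.
WEAK_ALGORITHMS = {"MODP1024", "MODP1536", "3DES", "HMAC_SHA1", "HMAC_SHA1_96"}

PROPOSAL_RE = re.compile(
    r"^(?P<num>\d+):IKE:ENCR=(?P<encr>[^;]+);PRF=(?P<prf>[^;]+);"
    r"INTEG=(?P<integ>[^;]+);DH=(?P<dh>[A-Z0-9_]+)(?P<match>\[first-match\])?",
    re.MULTILINE,
)
REPLY_RE = re.compile(r"sent IKE_SA_INIT reply \{([^}]*)\}")
DROP_RE = re.compile(r"dropping unexpected IKE_AUTH message.*?missing payloads: (?P<missing>[A-Za-z,]+)")
NOTIFY_RE = re.compile(r"responding to IKE_AUTH message .* with encrypted notification (?P<notify>\w+)")


@dataclass
class Proposal:
    """One IKE SA proposal as the initiator sent it (example's own type)."""
    num: int
    encr: str
    prf: str
    integ: str
    dh: str
    first_match: bool = False

    def weak_components(self) -> list:
        """Algorithm names in this proposal that are on the weak list."""
        return [a for a in (self.encr, self.prf, self.integ, self.dh) if a in WEAK_ALGORITHMS]


def parse_remote_proposals(log: str) -> list:
    """Extract the initiator's proposals from the 'remote proposals' continuation lines."""
    return [
        Proposal(int(m["num"]), m["encr"], m["prf"], m["integ"], m["dh"], m["match"] is not None)
        for m in PROPOSAL_RE.finditer(log)
    ]


def weak_proposal_numbers(proposals) -> list:
    """Numbers of the proposals that contain at least one weak algorithm."""
    return [p.num for p in proposals if p.weak_components()]


def chosen_parameters(log: str) -> dict:
    """Parse the {auth=... cipher=... integ=... prf=... group=...} summary of the reply."""
    m = REPLY_RE.search(log)
    if not m:
        return {}
    return dict(kv.split("=", 1) for kv in m.group(1).split())


def ike_auth_failure(log: str) -> Optional[dict]:
    """Report a rejected IKE_AUTH: the payloads the responder found missing and the notification it sent.

    Per RFC 7296 section 2.16, an initiator that omits AUTH from its first
    IKE_AUTH is requesting EAP authentication, so a missing AUTH is the
    first thing to check against the server's configured auth method.
    """
    m = DROP_RE.search(log)
    if not m:
        return None
    n = NOTIFY_RE.search(log)
    return {"missing": m["missing"].split(","), "notification": n["notify"] if n else None}


def analyse(log: str) -> dict:
    """Summarise one negotiation: proposals seen, weak ones, chosen parameters, IKE_AUTH outcome."""
    proposals = parse_remote_proposals(log)
    return {
        "remote_proposals": len(proposals),
        "weak_proposals": weak_proposal_numbers(proposals),
        "chosen": chosen_parameters(log),
        "ike_auth_failure": ike_auth_failure(log),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the sample it reports five remote proposals, flags 3, 4 and 5 as weak, shows that the server selected AES_CBC_256 / HMAC_SHA2_256 / MODP2048, and records that the IKE_AUTH was dropped because the AUTH payload was absent and answered with INVALID_SYNTAX. Fed a live `pluto` log (one record per line), the same functions give a quick view of what a client population offers versus what the responder accepts.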