[Swan] How to connect a Mac client to Libreswan

Paul Wouters paul at nohats.ca
Sat May 1 15:44:54 UTC 2021

On May 1, 2021, at 10:39, Blue Aquan <blueaquan at zuwissen.com> wrote:
> Hi Paul
> I read some documentation about a similar problem with MacOS and tried a suggestion you mentioned in it. I didn't import a profile, but in the VPN configuration of the Mac, under "Authentication Settings", I chose "None". When I select "None", it throws up two options below, "Shared Secret" and "Certificate"... I chose "Certificate", selected the corresponding client certificate and applied the change.
> When I did this, it still does not connect, but there's a change in the message from the previous one

I haven’t tried lately without using mobileconfig configuration files. The method you describe used to work.

> May  1 19:55:55.592575: "MOBILE"[1] #8: processing decrypted IKE_AUTH request: SK{IDi,N,N,IDr,AUTH,CERT,CP,N,N,SA,TSi,TSr}

> May  1 19:55:55.596196: "MOBILE"[2] #8: authenticated using RSA with SHA1

So this is better. Now you are authenticated so it’s no longer trying to do EAP.

> May  1 19:55:55.611645: "MOBILE"[2] #9: responding to IKE_AUTH message (ID 1) from with encrypted notification TS_UNACCEPTABLE

It looks like the client wasn’t sending 0/0 to 0/0 to allow the server to narrow it to a single IP?

Note on this older one

>> May  1 13:52:38.412735: "MOBILE"[1] #10: dropping unexpected IKE_AUTH message containing INITIAL_CONTACT... notification; message payloads: SK; encrypted payloads: SA,IDi,IDr,N,TSi,TSr,CP; missing payloads: AUTH

Missing AUTH is a sign of the client trying EAP. That is currently not supported with libreswan.

>>>> conn COMET
>>>>         left=
>>>>         leftsubnet=
>>>>         leftcert=sun.abc.com

Assuming you have rightaddresspool, it seems your Mac client doesn’t have 192.168.1.0/24 (or configured but something else?)

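Added example (not part of the original post and not libreswan code): a simplified model of the IKEv2 traffic-selector narrowing mentioned in the reply, showing why a client that offers 0.0.0.0/0 for both selectors can be narrowed to a single pool address while a narrower offer ends in TS_UNACCEPTABLE. It handles IPv4 CIDR blocks only, ignores ports and protocols, and every address and function name in it is constructed for illustration.

```python
# Simplified model of IKEv2 traffic-selector (TS) narrowing on the responder.
# Assumptions: IPv4 CIDR blocks only, no ports/protocols, constructed addresses.
from ipaddress import ip_network


def narrow(proposed, policy):
    """Return the overlap of two CIDR blocks, or None if they are disjoint.

    CIDR blocks are either nested or disjoint, so the overlap is always
    the smaller of the two blocks.
    """
    p, q = ip_network(proposed), ip_network(policy)
    if p.subnet_of(q):
        return p
    if q.subnet_of(p):
        return q
    return None


def respond_ike_auth(tsi, tsr, lease, server_subnet):
    """Model the responder's TS decision for a client leased `lease` from the pool.

    tsi / tsr are the selectors the client proposed. Responder policy:
    the client side must be the leased address, the server side must fall
    inside server_subnet. Returns the narrowed (TSi, TSr) pair, or the
    string "TS_UNACCEPTABLE" when either side has no overlap with policy.
    """
    got_i = narrow(tsi, f"{lease}/32")
    got_r = narrow(tsr, server_subnet)
    if got_i is None or got_r is None:
        return "TS_UNACCEPTABLE"
    return (str(got_i), str(got_r))


if __name__ == "__main__":
    lease = "10.9.8.10"  # constructed pool address
    cases = [
        ("0.0.0.0/0", "0.0.0.0/0", "0.0.0.0/0"),       # client offers everything
        ("0.0.0.0/0", "0.0.0.0/0", "192.168.1.0/24"),  # server offers one subnet
        ("172.16.5.20/32", "0.0.0.0/0", "0.0.0.0/0"),  # client offers its LAN address
        ("0.0.0.0/0", "10.50.0.0/16", "192.168.1.0/24"),  # client wants a different subnet
    ]
    for tsi, tsr, subnet in cases:
        print(f"TSi={tsi} TSr={tsr} policy={subnet} ->",
              respond_ike_auth(tsi, tsr, lease, subnet))
```
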