[Swan] libreswan inside local network with NAT (left) - MacOS roadwarrior (right)

Paul Wouters paul at nohats.ca
Sun Nov 6 15:39:50 EET 2022


On Fri, 4 Nov 2022, Rodrigo Gruppelli wrote:

> I couldn't import the p12 file into MacOS. When importing it, mac's Keychain Access asks for the password of the .p12 file, even though I didn't set any
> password in the certificate generation steps (just pressed <enter>). Or even if I set some password, it still doesn't accept it, saying 'wrong password'.
> Any clues on that? What would be this "proper SAN FQDN setting" ?

I'm not sure why that failed. I usually use a .mobileprofile to import
the configuration and the certificate items. I've attached a
.mobileprofile config (with the private key blob removed :)

Hope that might help you.

Paul
-------------- next part --------------
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>IKEv2</key>
			<dict>
				<key>AuthenticationMethod</key>
				<string>Certificate</string>
				<key>ChildSecurityAssociationParameters</key>
				<dict>
					<key>DiffieHellmanGroup</key>
					<integer>14</integer>
					<key>EncryptionAlgorithm</key>
					<string>AES-256-GCM</string>
					<key>LifeTimeInMinutes</key>
					<integer>1440</integer>
				</dict>
				<key>DeadPeerDetectionRate</key>
				<string>Medium</string>
				<key>DisableRedirect</key>
				<true/>
				<key>EnableCertificateRevocationCheck</key>
				<integer>0</integer>
				<key>EnablePFS</key>
				<integer>1</integer>
				<key>IKESecurityAssociationParameters</key>
				<dict>
					<key>DiffieHellmanGroup</key>
					<integer>14</integer>
					<key>EncryptionAlgorithm</key>
					<string>AES-256</string>
					<key>IntegrityAlgorithm</key>
					<string>SHA2-512</string>
					<key>LifeTimeInMinutes</key>
					<integer>1440</integer>
				</dict>
				<key>LocalIdentifier</key>
				<string>rodrigo.nohats.ca</string>
				<key>PayloadCertificateUUID</key>
				<string>1E2E3E4E-5E6E-7E8E-9EAE-BECEDEEEFE0E</string>
				<key>RemoteAddress</key>
				<string>193.110.157.148</string>
				<key>RemoteIdentifier</key>
				<string>vpn.nohats.ca</string>
				<key>UseConfigurationAttributeInternalIPSubnet</key>
				<integer>0</integer>
			</dict>
			<key>IPv4</key>
			<dict>
				<key>OverridePrimary</key>
				<integer>1</integer>
			</dict>
			<key>PayloadDescription</key>
			<string>Configures VPN settings</string>
			<key>PayloadDisplayName</key>
			<string>VPN</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.vpn.managed.0B0851BB-8131-455C-BF78-EE155C18085C</string>
			<key>PayloadType</key>
			<string>com.apple.vpn.managed</string>
			<key>PayloadUUID</key>
			<string>0B0851BB-8131-455C-BF78-EE155C18085C</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<key>Proxies</key>
			<dict>
				<key>HTTPEnable</key>
				<integer>0</integer>
				<key>HTTPSEnable</key>
				<integer>0</integer>
			</dict>
			<key>UserDefinedName</key>
			<string>No Hats IKEv2 VPN</string>
			<key>VPNType</key>
			<string>IKEv2</string>
		</dict>
		<dict>
			<key>Password</key>
			<string>yourplaintextpassword</string>
			<key>PayloadCertificateFileName</key>
			<string>.nohats.ca.p12</string>
			<key>PayloadContent</key>
			<data>
b'MIIO8AIBAzCCD BLOB'
			</data>
			<key>PayloadDescription</key>
			<string>Adds a PKCS#12-formatted certificate</string>
			<key>PayloadDisplayName</key>
			<string>rodrigo.nohats.ca</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.security.pkcs12.1E2E3E4E-5E6E-7E8E-9EAE-BECEDEEEFE0E</string>
			<key>PayloadType</key>
			<string>com.apple.security.pkcs12</string>
			<key>PayloadUUID</key>
			<string>1E2E3E4E-5E6E-7E8E-9EAE-BECEDEEEFE0E</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
		</dict>
		<dict>
			<key>PayloadCertificateFileName</key>
			<string>rodrigo.nohats.ca.crt</string>
			<key>PayloadContent</key>
			<data>
			</data>
			<key>PayloadDescription</key>
			<string>Adds a CA root certificate</string>
			<key>PayloadDisplayName</key>
			<string>Certificate Agency (CA)</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.security.root.F0000001-5A01-1010-1010-111111111111</string>
			<key>PayloadType</key>
			<string>com.apple.security.root</string>
			<key>PayloadUUID</key>
			<string>F0000001-5A01-1010-1010-111111111111</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
		</dict>
	</array>
	<key>PayloadDisplayName</key>
	<string>No Hats IKEv2 VPN</string>
	<key>PayloadIdentifier</key>
	<string>com.apple.vpn.managed.DDDDDDDD-BA2E-473E-B7CF-D3DDDD7EDFDD</string>
	<key>PayloadRemovalDisallowed</key>
	<false/>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>22222222-2344-1850-93A6-562750E7ACA1</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>
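The profile above only works if the three payloads line up: the IKEv2 payload's PayloadCertificateUUID has to equal the PayloadUUID of the com.apple.security.pkcs12 payload, and that payload's Password has to be the password the .p12 was exported with. The following Python script is an added example, not from Paul's message or from libreswan; it builds a profile of the same shape with plistlib and checks that link before the file ever reaches Keychain Access. The server address, identifiers and the PKCS#12 bytes are constructed placeholders, and the SA parameter dicts from the profile above are left out.

```python
import plistlib
import uuid

FAKE_P12 = b"\x30\x82\x0e\xf0\x02\x01\x03"  # constructed placeholder, not a real PKCS#12

def build_profile(server, remote_id, local_id, p12_bytes, p12_password, ca_der):
    """Build a .mobileconfig (XML plist) with IKEv2, PKCS#12 and root-CA payloads."""
    vpn_uuid, p12_uuid, ca_uuid, top_uuid = [str(uuid.uuid4()).upper() for _ in range(4)]
    ikev2 = {
        "AuthenticationMethod": "Certificate",
        "RemoteAddress": server,
        "RemoteIdentifier": remote_id,  # must match the server certificate's SAN
        "LocalIdentifier": local_id,    # must match the client certificate's SAN
        # Must equal the PayloadUUID of the pkcs12 payload, else no client cert.
        "PayloadCertificateUUID": p12_uuid,
        "EnablePFS": 1,  # SA parameter dicts omitted for brevity
    }
    payloads = [
        {"PayloadType": "com.apple.vpn.managed", "PayloadUUID": vpn_uuid,
         "PayloadIdentifier": "com.apple.vpn.managed." + vpn_uuid, "PayloadVersion": 1,
         "VPNType": "IKEv2", "UserDefinedName": "IKEv2 VPN", "IKEv2": ikev2},
        {"PayloadType": "com.apple.security.pkcs12", "PayloadUUID": p12_uuid,
         "PayloadIdentifier": "com.apple.security.pkcs12." + p12_uuid, "PayloadVersion": 1,
         "PayloadContent": p12_bytes,  # plistlib writes bytes as <data>
         "Password": p12_password},    # the .p12 password, so no Keychain prompt
        {"PayloadType": "com.apple.security.root", "PayloadUUID": ca_uuid,
         "PayloadIdentifier": "com.apple.security.root." + ca_uuid, "PayloadVersion": 1,
         "PayloadContent": ca_der},
    ]
    profile = {"PayloadType": "Configuration", "PayloadUUID": top_uuid,
               "PayloadIdentifier": "com.apple.vpn.managed." + top_uuid,
               "PayloadVersion": 1, "PayloadRemovalDisallowed": False,
               "PayloadContent": payloads}
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)

def check_profile(profile_bytes):
    """Return problems in the VPN -> PKCS#12 link (empty list means consistent)."""
    payloads = plistlib.loads(profile_bytes).get("PayloadContent", [])
    by_uuid = {p["PayloadUUID"]: p for p in payloads}
    problems = []
    for vpn in (p for p in payloads if p.get("PayloadType") == "com.apple.vpn.managed"):
        ref = vpn.get("IKEv2", {}).get("PayloadCertificateUUID")
        target = by_uuid.get(ref)
        if target is None:
            problems.append(f"PayloadCertificateUUID {ref} matches no payload")
        elif target.get("PayloadType") != "com.apple.security.pkcs12":
            problems.append(f"{ref} is not a com.apple.security.pkcs12 payload")
        elif not target.get("PayloadContent"):
            problems.append("pkcs12 payload has empty PayloadContent")
    return problems
```

Run check_profile over an existing .mobileconfig (read as bytes) to catch a dangling PayloadCertificateUUID or an empty certificate blob before importing it.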