[Swan] default config that works with recent android/win10/win11/macos/ios

Marc Marc at f1-outsourcing.eu
Thu Feb 29 10:52:23 EET 2024


> > >
> > > Where can I find a working and tested config, that offers vpn connectivity
> > > with the os default clients of android, win10, win11, macos and ios?
> > > (maybe put this on some wiki/example page)
> > >
> > >
> >
> > How should I even know what goes wrong from this log of mac client? It is quite annoying that I have to spend so much time on just realising vpn access for some clients. No wonder everyone is using this openvpn.
> >
> > Feb 28 23:20:50 test2 pluto[80]: "vpn-ikev2-eap-crt"[1] 192.168.x.x #1: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 [first-match] 2:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=ECP_256 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP1536 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024 5:IKE:ENCR=3DES;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024
> > Feb 28 23:20:50 test2 pluto[80]: "vpn-ikev2-eap-crt"[1] 192.168.x.x #1: sent IKE_SA_INIT reply {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
> > Feb 28 23:20:50 test2 pluto[80]: "vpn-ikev2-eap-crt"[1] 192.168.x.x #1: processing decrypted IKE_AUTH request: SK{IDi,N(INITIAL_CONTACT),IDr,CP,N(ESP_TFC_PADDING_NOT_SUPPORTED),N(NON_FIRST_FRAGMENTS_ALSO),SA,TSi,TSr,N(MOBIKE_SUPPORTED)}
> > Feb 28 23:20:50 test2 pluto[80]: "vpn-ikev2-eap-crt"[1] 192.168.x.x #1: reloaded private key matching left certificate 'vpn.example.com'
> > Feb 28 23:20:50 test2 pluto[80]: "vpn-ikev2-eap-crt"[1] 192.168.x.x #1: added EAP payload to packet
> > Feb 28 23:20:50 test2 pluto[80]: "vpn-ikev2-eap-crt"[1] 192.168.x.x #1: NSS: I/O getpeername
> > Feb 28 23:20:50 test2 pluto[80]: "vpn-ikev2-eap-crt"[1] 192.168.x.x #1: sent EAP request
> 
> (technically a response containing the EAP request)
> 
> EAP isn't exactly a standard config. Is the mac device configured to handle that?

With macos you can't configure anything (nor does it seem to log anything). I accidentally came across a posting on some cisco forum where they were discussing how annoying it was that apple did not offer machine certificates.
I think eap is the only thing macos does (I don't have access to newer macos, the most recent vm I have is with Catalina).
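The pluto lines quoted above already answer one question the log can answer: which IKE proposals the Apple client offered and which one the server picked. The script below is an added example (not from the thread's author or from the libreswan project) that parses those two log lines, lists every remote proposal, and flags the ones a conservative policy would treat as weak. The sample lines are the quoted log re-joined onto single lines with the client address still masked, and the weak-algorithm thresholds (3DES, SHA1, DH groups below 2048 bits) are an assumption of this script, not a libreswan setting.

```python
"""Audit pluto (libreswan) IKE proposal log lines for weak algorithm offers.

Added example, not code from the thread or the libreswan project. It reads
the "proposal ... chosen from remote proposals" and "sent IKE_SA_INIT reply"
lines that pluto writes, lists what the peer offered, and reports which of
those offers fall under the simple weak-algorithm policy defined below.
"""
import re
from typing import Dict, List

# Constructed sample: the two relevant pluto lines quoted in the thread,
# re-joined onto single lines (mail wrapping split them); client address
# is masked exactly as in the original post.
SAMPLE_LOG = [
    'Feb 28 23:20:50 test2 pluto[80]: "vpn-ikev2-eap-crt"[1] 192.168.x.x #1: '
    "proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 "
    "chosen from remote proposals "
    "1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 [first-match] "
    "2:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=ECP_256 "
    "3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP1536 "
    "4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024 "
    "5:IKE:ENCR=3DES;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024",
    'Feb 28 23:20:50 test2 pluto[80]: "vpn-ikev2-eap-crt"[1] 192.168.x.x #1: '
    "sent IKE_SA_INIT reply {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 "
    "prf=HMAC_SHA2_256 group=MODP2048}",
]

# Example policy (an assumption of this script, not a libreswan option):
# flag 3DES, SHA1-based PRF/integrity, and Diffie-Hellman groups below 2048 bits.
WEAK_ENCR = {"3DES"}
WEAK_HASH = {"HMAC_SHA1", "HMAC_SHA1_96"}
WEAK_DH = {"MODP768", "MODP1024", "MODP1536"}

# One numbered proposal as pluto prints it: N:IKE:ENCR=..;PRF=..;INTEG=..;DH=..
PROPOSAL_RE = re.compile(
    r"(?P<num>\d+):IKE:ENCR=(?P<encr>[^;]+);PRF=(?P<prf>[^;]+);"
    r"INTEG=(?P<integ>[^;]+);DH=(?P<dh>[A-Z0-9_]+)"
)
# The algorithms the responder actually settled on.
CHOSEN_RE = re.compile(
    r"sent IKE_SA_INIT reply \{cipher=(?P<encr>\S+) integ=(?P<integ>\S+) "
    r"prf=(?P<prf>\S+) group=(?P<dh>[A-Z0-9_]+)\}"
)


def parse_remote_proposals(line: str) -> List[Dict[str, str]]:
    """Return the proposals the peer offered, in the order pluto logged them."""
    if "chosen from remote proposals" not in line:
        return []
    _, _, remote = line.partition("chosen from remote proposals")
    return [m.groupdict() for m in PROPOSAL_RE.finditer(remote)]


def parse_chosen(line: str) -> Dict[str, str]:
    """Return the cipher/integ/prf/group pluto chose, or {} for other lines."""
    m = CHOSEN_RE.search(line)
    return m.groupdict() if m else {}


def weak_reasons(p: Dict[str, str]) -> List[str]:
    """List why a proposal is weak under the policy above (empty if it is not)."""
    reasons = []
    if p["encr"] in WEAK_ENCR:
        reasons.append(f"encryption {p['encr']}")
    if p["prf"] in WEAK_HASH:
        reasons.append(f"prf {p['prf']}")
    if p["integ"] in WEAK_HASH:
        reasons.append(f"integrity {p['integ']}")
    if p["dh"] in WEAK_DH:
        reasons.append(f"DH group {p['dh']}")
    return reasons


def audit(lines) -> Dict[str, object]:
    """Summarise what was offered, what was weak, and what was chosen."""
    offered, chosen = [], {}
    for line in lines:
        offered.extend(parse_remote_proposals(line))
        chosen = parse_chosen(line) or chosen
    weak = {p["num"]: weak_reasons(p) for p in offered if weak_reasons(p)}
    return {
        "offered": len(offered),
        "weak_offered": weak,
        "chosen": chosen,
        "chosen_weak": weak_reasons(chosen) if chosen else [],
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    print(f"peer offered {report['offered']} IKE proposals")
    for num, reasons in report["weak_offered"].items():
        print(f"  proposal {num} is weak: {', '.join(reasons)}")
    print(f"responder chose: {report['chosen']} (weak: {report['chosen_weak'] or 'no'})")
```

Run against the quoted lines, the report shows the client offering MODP1536, MODP1024, SHA1 and 3DES in its lower-ranked proposals while the server correctly settled on AES-256/SHA2-256/MODP2048; the same functions can be pointed at a live `journalctl -u ipsec` export to confirm no connection ever negotiates one of the flagged sets.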

