<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">Wolfgang,<div>thanks for the screenshots. I’m starting to think I might have exported my cert the wrong way!</div><div><br></div><div>In your screenshorts the private key is part of the cert, but when I imported my p12 cert, I ended up with the private key separate like this:</div><div><br></div><div><img apple-inline="yes" id="E7C18950-2ADF-4A6B-9C7C-6A52EAA91760" height="42" width="708" apple-width="yes" apple-height="yes" src="cid:B1CF94F7-E107-4B70-82F9-500521F11909"></div><div><br></div><div>I had created my cert this way:</div><div><br></div><div>certutil -S -k rsa -c rootca -n enrico -s "CN=Enrico Brunetta (VPN), O=bitProductions Inc., L=Austin, ST=TX, C=US" -v 120 -t "u,u,u" -8 <a href="http://vpn.bitproductions.com">vpn.bitproductions.com</a> -d /etc/ipsec.d</div><div><br></div><div>and then exported this way:</div><div><br></div><div>pk12util -o enrico.p12 -n enrico -d /etc/ipsec.d</div><div><br></div><div>Maybe I didn’t export it correctly?</div><div><br></div><div><br></div><div><br>On Sep 19, 2014, at 5:09 AM, Wolfgang Nothdurft <<a href="mailto:wolfgang@linogate.de">wolfgang@linogate.de</a>> wrote:<br><br><blockquote type="cite">Am 19.09.2014 11:34, schrieb Enrico Brunetta:<br><blockquote type="cite">Wolfgang,<br><br><br>On the mac I had to import the cert into my system keychain, and then I specifically chose the imported cert when configuring my VPN connection.<br>Don’t really seeany place to change permissions…<br><br></blockquote><br>I don't have a mac here, but as far as I know, you can doubleklick the certificate in the keychain access utility and set access permissions for different programs.<br><br>It should look like this screenshots from our wiki.<br>We have only a german version, sorry.<br><a href="http://www.linogate.de/de/support/categories/ipsec/mac_keychain-01.png">http://www.linogate.de/de/support/categories/ipsec/mac_keychain-01.png</a><br>http://www.linogate.de/de/support/categories/ipsec/mac_keychain-02.png<br><br><blockquote type="cite"><br>Here’s the log on the mac side:<br><br>Sep 19 04:24:13 Enricos-MacBook-Pro.local configd[17]: IPSec connecting to server vpn.bitproductions.com<br>Sep 19 04:24:13 Enricos-MacBook-Pro.local configd[17]: SCNC: start, triggered by (83299) SystemUIServer, type IPSec, status 0, trafficClass 0<br>Sep 19 04:24:13 Enricos-MacBook-Pro.local configd[17]: IPSec Phase1 starting.<br>Sep 19 04:24:13 Enricos-MacBook-Pro.local configd[17]: network changed.<br>Sep 19 04:24:13 Enricos-MacBook-Pro.local racoon[752]: accepted connection on vpn control socket.<br>Sep 19 04:24:13 Enricos-MacBook-Pro.local racoon[752]: IPSec connecting to server 54.84.104.104<br>Sep 19 04:24:13 Enricos-MacBook-Pro.local racoon[752]: Connecting.<br>Sep 19 04:24:13 Enricos-MacBook-Pro.local racoon[752]: IPSec Phase 1 started (Initiated by me).<br>Sep 19 04:24:13 Enricos-MacBook-Pro.local racoon[752]: IKE Packet: transmit success. (Initiator, Main-Mode message 1).<br>Sep 19 04:24:13 Enricos-MacBook-Pro.local racoon[752]: >>>>> phase change status = Phase 1 started by us<br>Sep 19 04:24:13 Enricos-MacBook-Pro.local configd[17]: network changed.<br>Sep 19 04:24:13 Enricos-MacBook-Pro.local racoon[752]: >>>>> phase change status = Phase 1 started by peer<br>Sep 19 04:24:13 Enricos-MacBook-Pro.local racoon[752]: IKE Packet: receive success. (Initiator, Main-Mode message 2).<br>Sep 19 04:24:13 Enricos-MacBook-Pro.local configd[17]: network changed.<br>Sep 19 04:24:13 Enricos-MacBook-Pro.local racoon[752]: IKE Packet: transmit success. (Initiator, Main-Mode message 3).<br>Sep 19 04:24:13 Enricos-MacBook-Pro.local racoon[752]: IKE Packet: receive success. (Initiator, Main-Mode message 4).<br>Sep 19 04:24:13 Enricos-MacBook-Pro.local racoon[752]: error -25308 errSecInteractionNotAllowed.<br>Sep 19 04:24:13 Enricos-MacBook-Pro.local racoon[752]: failed to sign.<br>Sep 19 04:24:13 Enricos-MacBook-Pro.local racoon[752]: failed to get sign<br>Sep 19 04:24:13 Enricos-MacBook-Pro.local racoon[752]: failed to allocate send buffer<br>Sep 19 04:24:13 Enricos-MacBook-Pro.local racoon[752]: IKE Packet: transmit failed. (Initiator, Main-Mode Message 5).<br>Sep 19 04:24:13 Enricos-MacBook-Pro.local racoon[752]: failed to process packet.<br>Sep 19 04:24:13 Enricos-MacBook-Pro.local racoon[752]: Phase 1 negotiation failed.<br>Sep 19 04:24:13 Enricos-MacBook-Pro.local configd[17]: IPSec Controller: IKE FAILED. phase 3, assert 0<br>Sep 19 04:24:13 Enricos-MacBook-Pro.local configd[17]: IPSec disconnecting from server 54.84.104.104<br><br></blockquote><br>From https://developer.apple.com/library/ios/documentation/Security/Reference/keychainservices/index.html#//apple_ref/c/econst/errSecInteractionNotAllowed<br><br>Interaction with the Security Server is not allowed.<br>Value<br><br>–25308<br>Description<br><br>Wolfgang<br>_______________________________________________<br>Swan mailing list<br>Swan@lists.libreswan.org<br>https://lists.libreswan.org/mailman/listinfo/swan<br></blockquote><br></div></body></html>