Hi Ingmar and David,

Yes, removing the "extendedKeyUsage=serverAuth" definition from the IPsec 
server certificate works for all IPsec clients I have.  It seems OS X is the 
only one picky enough for it to make a difference.

I will make that change.

Lonnie
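
[Added example, not part of the original message and not AstLinux code: a small check of a server certificate's text dump for the two properties discussed in this thread, whether extendedKeyUsage is present and whether subjectAltName carries the server's FQDN. The function name lint_ipsec_cert, the host pbx.example.com and both sample excerpts are constructed for illustration.]

```shell
#!/bin/sh
# Added example. Lints `openssl x509 -noout -text` output for an IPsec server
# certificate: is extendedKeyUsage present, and does subjectAltName carry the
# server's FQDN? Real use:
#   openssl x509 -noout -text -in server.crt | lint_ipsec_cert vpn.example.com
lint_ipsec_cert() {
  awk -v fqdn="DNS:$1" '
    # In the text dump, an extension value sits on the line after its heading.
    want != "" { sub(/^ +/, ""); val[want] = $0; want = ""; next }
    /X509v3 Extended Key Usage:/       { want = "eku"; has_eku = 1; next }
    /X509v3 Subject Alternative Name:/ { want = "san"; next }
    END {
      if (has_eku) { print "WARN eku-present: " val["eku"]; warn = 1 }
      else print "OK no-eku"
      n = split(val["san"], names, /, */)
      for (i = 1; i <= n; i++)
        if (tolower(names[i]) == tolower(fqdn)) hit = 1
      if (hit) print "OK san-matches: " fqdn
      else { print "WARN san-mismatch: wanted " fqdn ", found [" val["san"] "]"; warn = 1 }
      exit (warn + 0)   # non-zero exit status when anything was flagged
    }'
}

# Constructed excerpts (not captured from a real host). "before" mirrors a
# certificate generated with extendedKeyUsage=serverAuth; "after" has that
# line commented out. pbx.example.com is a placeholder FQDN.
sample_before() { cat <<'EOF'
        Subject: CN=server
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:pbx.example.com
EOF
}
sample_after() { cat <<'EOF'
        Subject: CN=server
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:pbx.example.com
EOF
}

sample_before | lint_ipsec_cert pbx.example.com || echo "-> review before deploying"
sample_after  | lint_ipsec_cert pbx.example.com && echo "-> no findings"
```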


On Apr 25, 2012, at 12:20 PM, Lonnie Abelbeck wrote:

> Hi Ingmar,
> 
> I found the OS X problem, creating the server certificate with 
> "extendedKeyUsage=serverAuth" defined makes OS X ignore the certificate, I 
> just tested and removing (commenting out)...
> 
> #extendedKeyUsage=serverAuth
> 
> Now OS X (Snow Leopard) works perfectly.  I have yet to try Lion.
> 
> The "extendedKeyUsage" was carried over from what OpenVPN needed.
> 
> I know that OS X also uses "subjectAltName" as a primary test, so I don't 
> think CN matters in this case, but if we feel that should match 
> "subjectAltName" we could do that.
> 
> Lonnie
> 
> 
> 
> On Apr 25, 2012, at 11:43 AM, Ingmar Schraub wrote:
> 
>> Hi Lonnie,
>> 
>> I've just tested it and it stops where it tries to validate the server 
>> certificate. We ran into this when developing the solution for iOS. Here we 
>> just added the extra field "subjectAltName" and provide the server's FQDN. 
>> iOS is happy with either the common name or the subjectAltName matching the 
>> server name.
>> 
>> Mac OSX is apparently different in this respect. From what I read it only 
>> checks the common name, which is in our case always 'server', but not the 
>> FQDN of the system. Lonnie, is there any chance to change this or what's the 
>> reason we always set this to "server"?
>> 
>> From Apple docs: "IP Security (IPsec): When certificates are used to secure 
>> Internet Protocol communications (for example, in establishing a VPN 
>> connection), the name in the server’s certificate must match its DNS host 
>> name. The host name check is not performed for client certificates. If an 
>> extended key usage field is present, it must contain an appropriate value."
>> 
>> Regards
>> Ingmar
>> 
>> On 25.04.2012 at 17:42, Lonnie Abelbeck wrote:
>> 
>>> Hi David,
>>> 
>>> Well, it *should* but I can't get it to work, and from googling I am not 
>>> alone.  It complains about some certificate issue.  Though for OS X, 
>>> OpenVPN is my first VPN choice and IPSecuritas
>>> http://www.lobotomo.com/products/IPSecuritas/
>>> 
>>> works fine with IPsec + XAuth with certificates on OS X.
>>> 
>>> Though, it would sure be nice if the built-in OS X IPsec (Cisco) VPN client 
>>> would be interoperable with iOS.
>>> 
>>> Lonnie
>>> 
>>> 
>>> 
>>> On Apr 25, 2012, at 10:24 AM, David Kerr wrote:
>>> 
>>>> Lonnie,
>>>> Will the iOS VPN configuration also work with the Mac OS X built-in VPN 
>>>> client?
>>>> 
>>>> Thanks
>>>> David
>>>> 
>>>> 
>>>> On Wed, Apr 25, 2012 at 11:17 AM, Lonnie Abelbeck 
>>>> <li...@lonnie.abelbeck.com> wrote:
>>>> AstLinux Users,
>>>> 
>>>> The AstLinux Team would like to offer a preview to AstLinux 1.0.3.
>>>> 
>>>> Keep in mind this is not a release candidate, some additions/changes may 
>>>> occur before the final AstLinux 1.0.3 release.  The preview changes are 
>>>> shown here...
>>>> 
>>>> Additions for AstLinux 1.0.3:
>>>> http://astlinux.svn.sourceforge.net/viewvc/astlinux/branches/1.0/docs/ChangeLog.txt
>>>> 
>>>> The AstLinux Custom Build Engine is used to generate your custom preview, 
>>>> the default configurations are already built...
>>>> 
>>>> Build AstLinux SVN Image:
>>>> http://build.astlinux.org/admin/build.php?version=svn
>>>> 
>>>> One particularly compelling new feature is support for IPsec + XAuth with 
>>>> certificates, providing more interoperability to various mobile VPN 
>>>> clients.  In particular for Apple's iOS devices.
>>>> 
>>>> IPsec VPN for Apple iOS
>>>> http://doc.astlinux.org/userdoc:tt_ipsec_vpn_apple_ios
>>>> 
>>>> We have tested this extensively with iOS 5.1 clients, but welcome reports 
>>>> from other mobile devices, Android, etc.  The above documentation 
>>>> should apply, in the general sense, to most any mobile device that 
>>>> supports IPsec + XAuth with certificates.
>>>> 
>>>> All feedback is appreciated.
>>>> 
>>>> AstLinux Team
>>>> 
>>>> 
>>>> ------------------------------------------------------------------------------
>>>> Live Security Virtual Conference
>>>> Exclusive live event will cover all the ways today's security and
>>>> threat landscape has changed and how IT managers can respond. Discussions
>>>> will include endpoint security, mobile security and the latest in malware
>>>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>>>> _______________________________________________
>>>> Astlinux-users mailing list
>>>> Astlinux-users@lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>>>> 
>>>> Donations to support AstLinux are graciously accepted via PayPal to 
>>>> pay...@krisk.org.
>>> 
>>> 
>> 
>> 
>> --
>> Bye, Ingmar Schraub             e-mail  : ingmar.schr...@eseco.de
>> eSeCo GmbH & Co. KG          Web     : http://www.eseco.de
>> Darmstädter Straße 123      phone  : +49 6251 702988 0
>> D-64625 Bensheim                fax         : +49 6251 58360 83
>> Germany                                    mobile  : +49 173 6711767
>> Register court:      Darmstadt, HRA 40930
>> Managing director:   Ingmar Schraub
>> Head office:         Herrnwaldstr. 6, D-64625 Bensheim
>> 
> 
> 

