Hello,

I am trying to set up an IKEv2 road warrior based VPN. I have the client
functional in Windows 7 using the native client. I am trying to get the
same functional on OSX, but am facing problems.

The authentication is being done using certificates. I used ikectl to
generate the CA, the server's certificate as well as a client certificate,
and used the ikectl export option to generate the zip file containing the
CA and client p12 files.

I am using Apple Configurator 2, from the App Store, to create the profile
file. The profile contains the two certificates as well as the IKEv2
configuration. Starting the VPN client, I see the following in the server
side logs:

OSX 10.11.3 Unsuccessful Connection Log entry:
sa_stateok: VALID flags 0x18, require 0x1f cert,certvalid,auth,authvalid,sa
sa_state: cannot switch: AUTH_SUCCESS -> VALID
config_free_proposals: free 0x71d6d207180
ca_setauth: auth length 256
ca_x509_subjectaltname: FQDN/server.obsd57.com
ca_x509_subjectaltname_cmp: FQDN/server.obsd57.com mismatched
ca_validate_cert:
/C=CA/ST=Ontario/L=Toronto/O=stark/OU=ITOPS/CN=client-number-1/emailAddress=
ad...@obsd57.com invalid subjectAltName extension
ikev2_getimsgdata: imsg 23 rspi 0xf9048b97fef10e03 ispi 0xa01ca6865f9c0754
initiator 0 sa valid type 1 data length 256
ikev2_dispatch_cert: AUTH type 1 len 256
sa_stateflags: 0x18 -> 0x1c auth,authvalid,sa (required 0x1f
cert,certvalid,auth,authvalid,sa)
sa_stateok: VALID flags 0x1c, require 0x1f cert,certvalid,auth,authvalid,sa
sa_state: cannot switch: AUTH_SUCCESS -> VALID
ikev2_dispatch_cert: peer certificate is invalid
sa_stateok: VALID flags 0x1c, require 0x1f cert,certvalid,auth,authvalid,sa
sa_state: cannot switch: AUTH_SUCCESS -> VALID


Compared to a successful connection in Windows 7:

Windows Successful Connection Log entry:
sa_stateok: VALID flags 0x18, require 0x1f cert,certvalid,auth,authvalid,sa
sa_state: cannot switch: AUTH_SUCCESS -> VALID
config_free_proposals: free 0x71d9dda6e00
ca_getreq: found CA
/C=CA/ST=Ontario/L=Toronto/O=stark/OU=ITOPS/CN=obsd57/emailAddress=
ad...@obsd57.com
ca_x509_subjectaltname: FQDN/server.obsd57.com
ca_getreq: found local certificate
/C=CA/ST=Ontario/L=Toronto/O=stark/OU=ITOPS/CN=
server.obsd57.com/emailAddress=ad...@obsd57.com
ca_setauth: auth length 256
ca_validate_cert:
/C=CA/ST=Ontario/L=Toronto/O=stark/OU=ITOPS/CN=client-number-1/emailAddress=
ad...@obsd57.com ok
ikev2_getimsgdata: imsg 18 rspi 0xd4cd1307801a4461 ispi 0x0e3d4164b4884c93
initiator 0 sa valid type 4 data length 1011
ikev2_dispatch_cert: cert type X509_CERT length 1011, ok
sa_stateflags: 0x18 -> 0x19 cert,authvalid,sa (required 0x1f
cert,certvalid,auth,authvalid,sa)
sa_stateok: VALID flags 0x19, require 0x1f cert,certvalid,auth,authvalid,sa
sa_state: cannot switch: AUTH_SUCCESS -> VALID

Inside the /etc/ssl/x509v3.cnf file, my CERTFQDN has the value server.obsd57.com

In the Apple Configurator profile, I have the following:

Remote Identifier: server.obsd57.com
Local Identifier: client-number-1

I've tried populating the following fields, but neither of them helps:
Server Certificate Issuer Common Name: obsd57 (That's the CN for my CA)
Server Certificate Common Name: server.obsd57.com (That's the CN for my
server certificate)

Not sure where to go from here. Can you help point me in the right
direction on what may be wrong here?

Thanks,
dot.yet
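As an added example (not from the original post and not part of iked), a small Python triage helper that decodes the sa_stateok bitmask using the names iked prints after "require" and extracts the certificate validation verdict, so the two log excerpts above can be compared side by side. The log text inside it is constructed from the two snippets in the post with the wrapped lines rejoined and the DNs shortened; the Windows excerpt ends mid-exchange, so its unmet requirements are simply those not yet processed.

```python
import re

# Constructed excerpt modelled on the OSX log in the post (lines rejoined, DN shortened).
OSX_LOG = """\
ca_x509_subjectaltname: FQDN/server.obsd57.com
ca_x509_subjectaltname_cmp: FQDN/server.obsd57.com mismatched
ca_validate_cert: /CN=client-number-1 invalid subjectAltName extension
sa_stateflags: 0x18 -> 0x1c auth,authvalid,sa (required 0x1f cert,certvalid,auth,authvalid,sa)
sa_stateok: VALID flags 0x1c, require 0x1f cert,certvalid,auth,authvalid,sa
ikev2_dispatch_cert: peer certificate is invalid
"""

# Constructed excerpt modelled on the Windows log in the post.
WIN_LOG = """\
ca_validate_cert: /CN=client-number-1 ok
ikev2_dispatch_cert: cert type X509_CERT length 1011, ok
sa_stateok: VALID flags 0x19, require 0x1f cert,certvalid,auth,authvalid,sa
"""

STATEOK_RE = re.compile(r"sa_stateok: \w+ flags (0x[0-9a-f]+), require (0x[0-9a-f]+) ([\w,]+)")
SAN_MISMATCH_RE = re.compile(r"ca_x509_subjectaltname_cmp: (\S+) mismatched")
CERT_RESULT_RE = re.compile(r"ca_validate_cert: (\S+) (ok|invalid .+)$")


def decode_flags(flags, required, names):
    """Expand the requirement bitmask. The 'require' list in the log names the
    bits from least to most significant (cert=0x01 ... sa=0x10), which agrees
    with '0x1c -> auth,authvalid,sa' and '0x19 -> cert,authvalid,sa' above."""
    bit = {name: 1 << i for i, name in enumerate(names)}
    have = [n for n in names if flags & bit[n]]
    missing = [n for n in names if required & bit[n] and not flags & bit[n]]
    return have, missing


def triage(log):
    """Summarise one SA's debug output: requirements still unmet at the last
    sa_stateok line, plus what certificate validation reported."""
    report = {"have": [], "missing": [], "san_mismatch": None, "cert_result": None}
    for line in log.splitlines():
        if m := STATEOK_RE.search(line):
            report["have"], report["missing"] = decode_flags(
                int(m[1], 16), int(m[2], 16), m[3].split(","))
        elif m := SAN_MISMATCH_RE.search(line):
            report["san_mismatch"] = m[1]      # SAN value iked failed to match
        elif m := CERT_RESULT_RE.search(line):
            report["cert_result"] = m[2]       # "ok" or the reason it was rejected
    return report


if __name__ == "__main__":
    for name, log in (("OSX", OSX_LOG), ("Windows", WIN_LOG)):
        r = triage(log)
        print(f"{name}: missing={r['missing']} cert={r['cert_result']!r} "
              f"san_mismatch={r['san_mismatch']}")
```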
