DY - First things first. Can you please post a printout of the certificate in text and PEM format? Clearly the OS X machine doesn't like the subjectAltName, but there may be other issues as well.
--Paul

> On Jan 31, 2016, at 1:16 AM, Dot Yet <dot....@gmail.com> wrote:
>
> Forgot to mention that I know the problem is here:
>
> ca_x509_subjectaltname: FQDN/server.obsd57.com
> ca_x509_subjectaltname_cmp: FQDN/server.obsd57.com mismatched
> ca_validate_cert:
> /C=CA/ST=Ontario/L=Toronto/O=stark/OU=ITOPS/CN=client-number-1/emailAddress=
> ad...@obsd57.com invalid subjectAltName extension
>
> Just don't know how to fix this.
>
> Thanks,
> dot.yet
>
> On Sun, Jan 31, 2016 at 1:12 AM Dot Yet <dot....@gmail.com> wrote:
>
>> Hello,
>>
>> I am trying to set up an IKEv2 road-warrior-based VPN. I have the client
>> functional in Windows 7 using the native client. I am trying to get the
>> same functional on OSX, but am facing problems.
>>
>> The authentication is being done using certificates. I used ikectl to
>> generate the CA, the server's certificate, as well as a client certificate. Used
>> the ikectl export option to generate the zip file containing the CA and client
>> p12 files.
>>
>> I am using Apple Configurator 2, from the App Store, to create the profile
>> file. The profile contains the two certificates as well as the IKEv2
>> configuration. Starting the VPN client, I see the following in the server
>> side logs:
>>
>> OSX 10.11.3 Unsuccessful Connection Log entry:
>> sa_stateok: VALID flags 0x18, require 0x1f cert,certvalid,auth,authvalid,sa
>> sa_state: cannot switch: AUTH_SUCCESS -> VALID
>> config_free_proposals: free 0x71d6d207180
>> ca_setauth: auth length 256
>> ca_x509_subjectaltname: FQDN/server.obsd57.com
>> ca_x509_subjectaltname_cmp: FQDN/server.obsd57.com mismatched
>> ca_validate_cert:
>> /C=CA/ST=Ontario/L=Toronto/O=stark/OU=ITOPS/CN=client-number-1/emailAddress=
>> ad...@obsd57.com invalid subjectAltName extension
>> ikev2_getimsgdata: imsg 23 rspi 0xf9048b97fef10e03 ispi 0xa01ca6865f9c0754
>> initiator 0 sa valid type 1 data length 256
>> ikev2_dispatch_cert: AUTH type 1 len 256
>> sa_stateflags: 0x18 -> 0x1c auth,authvalid,sa (required 0x1f
>> cert,certvalid,auth,authvalid,sa)
>> sa_stateok: VALID flags 0x1c, require 0x1f cert,certvalid,auth,authvalid,sa
>> sa_state: cannot switch: AUTH_SUCCESS -> VALID
>> ikev2_dispatch_cert: peer certificate is invalid
>> sa_stateok: VALID flags 0x1c, require 0x1f cert,certvalid,auth,authvalid,sa
>> sa_state: cannot switch: AUTH_SUCCESS -> VALID
>>
>>
>> Compared to a successful connection in Windows 7:
>>
>> Windows Successful Connection Log entry:
>> sa_stateok: VALID flags 0x18, require 0x1f cert,certvalid,auth,authvalid,sa
>> sa_state: cannot switch: AUTH_SUCCESS -> VALID
>> config_free_proposals: free 0x71d9dda6e00
>> ca_getreq: found CA
>> /C=CA/ST=Ontario/L=Toronto/O=stark/OU=ITOPS/CN=obsd57/emailAddress=
>> ad...@obsd57.com
>> ca_x509_subjectaltname: FQDN/server.obsd57.com
>> ca_getreq: found local certificate
>> /C=CA/ST=Ontario/L=Toronto/O=stark/OU=ITOPS/CN=
>> server.obsd57.com/emailAddress=ad...@obsd57.com
>> ca_setauth: auth length 256
>> ca_validate_cert:
>> /C=CA/ST=Ontario/L=Toronto/O=stark/OU=ITOPS/CN=client-number-1/emailAddress=
>> ad...@obsd57.com ok
>> ikev2_getimsgdata: imsg 18 rspi 0xd4cd1307801a4461 ispi 0x0e3d4164b4884c93
>> initiator 0 sa valid type 4 data length 1011
>> ikev2_dispatch_cert: cert type X509_CERT length 1011, ok
>> sa_stateflags: 0x18 -> 0x19 cert,authvalid,sa (required 0x1f
>> cert,certvalid,auth,authvalid,sa)
>> sa_stateok: VALID flags 0x19, require 0x1f cert,certvalid,auth,authvalid,sa
>> sa_state: cannot switch: AUTH_SUCCESS -> VALID
>>
>> Inside the /etc/ssl/x509v3.cnf file, my CERTFQDN has the value
>> server.obsd57.com
>>
>> In the Apple Configurator profile, I have the following:
>>
>> Remote Identifier: server.obsd57.com
>> Local Identifier: client-number-1
>>
>> I've tried populating the following fields, but neither of them helps:
>> Server Certificate Issuer Common Name: obsd57 (That's the CN for my CA)
>> Server Certificate Common Name: server.obsd57.com (That's the CN for my
>> server certificate)
>>
>> Not sure where to go from here. Can you help point me in the right
>> direction on what may be wrong here?
>>
>> Thanks,
>> dot.yet
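The log lines quoted above come from iked's ca_x509_subjectaltname_cmp(), which requires the IKEv2 identity a peer sends (IDi for a client) to equal one subjectAltName entry of the certificate that peer presents, in both ID type and value: dNSName pairs with FQDN, rfc822Name with UFQDN, iPAddress with IPV4/IPV6. The following is an added, stand-alone re-implementation of that comparison for illustration; it is not iked's code and not part of this thread. It decodes the SAN extension value from DER by hand (stdlib only) so it can be run against constructed sample data rather than a real certificate. The two sample SANs are constructed here; the assumption that the macOS client sends IDi = FQDN/client-number-1 (its Local Identifier) and that the client certificate was issued with CERTFQDN still set to server.obsd57.com is mine, not something the thread confirms.

```python
"""Illustrative re-implementation of the check iked performs in
ca_x509_subjectaltname_cmp(): the peer's IKEv2 ID must equal, in type and
value, one subjectAltName entry of the peer certificate.
dNSName <-> FQDN, rfc822Name <-> UFQDN, iPAddress <-> IPV4/IPV6.
Stdlib only; the SAN is decoded from DER by hand.  This is NOT iked's code."""
import ipaddress

# IKEv2 identification payload types (RFC 7296, section 3.5).
IKEV2_ID_IPV4, IKEV2_ID_FQDN, IKEV2_ID_UFQDN, IKEV2_ID_IPV6 = 1, 2, 3, 5
ID_NAMES = {IKEV2_ID_IPV4: "IPV4", IKEV2_ID_FQDN: "FQDN",
            IKEV2_ID_UFQDN: "UFQDN", IKEV2_ID_IPV6: "IPV6"}


def tlv(buf, off):
    """Decode one DER tag-length-value at buf[off].
    Returns (tag, value_bytes, offset_after_value); handles short and long lengths."""
    tag = buf[off]
    length = buf[off + 1]
    off += 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[off:off + length], off + length


def parse_general_names(der):
    """Decode a GeneralNames SEQUENCE (the subjectAltName extension value) into
    [(ikev2_id_type, value)].  Entries that have no IKEv2 ID equivalent
    (otherName, URI, directoryName, ...) are skipped."""
    tag, body, _ = tlv(der, 0)
    if tag != 0x30:
        raise ValueError("subjectAltName value is not a SEQUENCE")
    ids, off = [], 0
    while off < len(body):
        tag, val, off = tlv(body, off)
        if tag == 0x82:                     # [2] dNSName (IA5String)
            ids.append((IKEV2_ID_FQDN, val.decode("ascii")))
        elif tag == 0x81:                   # [1] rfc822Name (IA5String)
            ids.append((IKEV2_ID_UFQDN, val.decode("ascii")))
        elif tag == 0x87:                   # [7] iPAddress (4 or 16 raw octets)
            addr = ipaddress.ip_address(val)
            ids.append((IKEV2_ID_IPV6 if addr.version == 6 else IKEV2_ID_IPV4, str(addr)))
    return ids


def san_matches_peer_id(san_der, peer_type, peer_value):
    """True if the peer ID equals some SAN entry in both type and value (exact compare)."""
    return any(t == peer_type and v == peer_value for t, v in parse_general_names(san_der))


def explain(san_der, peer_type, peer_value):
    """Human-readable verdict, in the spirit of iked's debug output."""
    want = f"{ID_NAMES[peer_type]}/{peer_value}"
    found = ", ".join(f"{ID_NAMES[t]}/{v}" for t, v in parse_general_names(san_der)) or "(none)"
    verdict = "ok" if san_matches_peer_id(san_der, peer_type, peer_value) else "mismatched"
    return f"peer ID {want} vs SAN [{found}]: {verdict}"


# --- DER builders for the constructed sample SANs (no real certificate needed) ---

def der_len(n):
    """DER length for n < 256: short form below 128, one-octet long form above."""
    if n >= 256:
        raise ValueError("sample builder only supports lengths below 256")
    return bytes([n]) if n < 128 else bytes([0x81, n])


def general_name(tag, payload):
    return bytes([tag]) + der_len(len(payload)) + payload


def general_names(*entries):
    body = b"".join(entries)
    return b"\x30" + der_len(len(body)) + body


# Constructed sample 1 (assumption): a client cert whose only SAN is the server's
# FQDN, i.e. what a CERTFQDN=server.obsd57.com setting in x509v3.cnf would yield
# if it were still in place when the client certificate was generated.
CLIENT_SAN_WITH_SERVER_FQDN = general_names(general_name(0x82, b"server.obsd57.com"))

# Constructed sample 2: a client cert whose SAN carries the client's own identity
# in several forms, so whichever ID type the client sends can be matched.
CLIENT_SAN_WITH_OWN_ID = general_names(
    general_name(0x82, b"client-number-1"),
    general_name(0x81, b"client-number-1@obsd57.com"),
    general_name(0x87, ipaddress.ip_address("192.0.2.10").packed),
)

if __name__ == "__main__":
    # Assumed: the macOS client sends IDi = FQDN/client-number-1 (its Local Identifier).
    print(explain(CLIENT_SAN_WITH_SERVER_FQDN, IKEV2_ID_FQDN, "client-number-1"))
    print(explain(CLIENT_SAN_WITH_OWN_ID, IKEV2_ID_FQDN, "client-number-1"))
```

To run the same comparison against a real client certificate, dump it with `openssl x509 -in cert.pem -noout -text` (the printout Paul asks for above) and read the "X509v3 Subject Alternative Name" line; the entries listed there are exactly what iked has available to match the client's identity against.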