DY -

First things first. Can you please post a printout of the certificate in text
and PEM format? Clearly the OS X machine doesn't like the subjectAltName, but
there may be other issues as well.


--Paul



> On Jan 31, 2016, at 1:16 AM, Dot Yet <dot....@gmail.com> wrote:
>
> Forgot to mention that I know the problem is here:
>
> ca_x509_subjectaltname: FQDN/server.obsd57.com
> ca_x509_subjectaltname_cmp: FQDN/server.obsd57.com mismatched
> ca_validate_cert: /C=CA/ST=Ontario/L=Toronto/O=stark/OU=ITOPS/CN=client-number-1/emailAddress=ad...@obsd57.com invalid subjectAltName extension
>
> Just don't know how to fix this.
>
> Thanks,
> dot.yet
>
> On Sun, Jan 31, 2016 at 1:12 AM Dot Yet <dot....@gmail.com> wrote:
>
>> Hello,
>>
>> I am trying to setup IKEv2 roadwarrior based VPN. I've the client
>> functional in Windows 7 using the native client. I am trying to get the
>> same functional on OSX, but facing problems.
>>
>> The authentication is being done using certificates. I used ikectl to
>> generate a CA, the server's certificate as well as a client certificate. I used
>> the ikectl export option to generate the zip file containing the CA and client
>> p12 files.
>>
>> I am using Apple Configurator 2, from the appstore to create the profile
>> file. The profile contains the two certificates as well as the ikev2
>> configuration. Starting the VPN client, I see the following in the server
>> side logs:
>>
>> OSX 10.11.3 Unsuccessful Connection Log entry:
>> sa_stateok: VALID flags 0x18, require 0x1f cert,certvalid,auth,authvalid,sa
>> sa_state: cannot switch: AUTH_SUCCESS -> VALID
>> config_free_proposals: free 0x71d6d207180
>> ca_setauth: auth length 256
>> ca_x509_subjectaltname: FQDN/server.obsd57.com
>> ca_x509_subjectaltname_cmp: FQDN/server.obsd57.com mismatched
>> ca_validate_cert: /C=CA/ST=Ontario/L=Toronto/O=stark/OU=ITOPS/CN=client-number-1/emailAddress=ad...@obsd57.com invalid subjectAltName extension
>> ikev2_getimsgdata: imsg 23 rspi 0xf9048b97fef10e03 ispi 0xa01ca6865f9c0754
>> initiator 0 sa valid type 1 data length 256
>> ikev2_dispatch_cert: AUTH type 1 len 256
>> sa_stateflags: 0x18 -> 0x1c auth,authvalid,sa (required 0x1f
>> cert,certvalid,auth,authvalid,sa)
>> sa_stateok: VALID flags 0x1c, require 0x1f cert,certvalid,auth,authvalid,sa
>> sa_state: cannot switch: AUTH_SUCCESS -> VALID
>> ikev2_dispatch_cert: peer certificate is invalid
>> sa_stateok: VALID flags 0x1c, require 0x1f cert,certvalid,auth,authvalid,sa
>> sa_state: cannot switch: AUTH_SUCCESS -> VALID
>>
>>
>> Compared to a successful connection in Windows 7:
>>
>> Windows Successful Connection Log entry:
>> sa_stateok: VALID flags 0x18, require 0x1f cert,certvalid,auth,authvalid,sa
>> sa_state: cannot switch: AUTH_SUCCESS -> VALID
>> config_free_proposals: free 0x71d9dda6e00
>> ca_getreq: found CA
>> /C=CA/ST=Ontario/L=Toronto/O=stark/OU=ITOPS/CN=obsd57/emailAddress=
>> ad...@obsd57.com
>> ca_x509_subjectaltname: FQDN/server.obsd57.com
>> ca_getreq: found local certificate
>> /C=CA/ST=Ontario/L=Toronto/O=stark/OU=ITOPS/CN=
>> server.obsd57.com/emailAddress=ad...@obsd57.com
>> ca_setauth: auth length 256
>> ca_validate_cert: /C=CA/ST=Ontario/L=Toronto/O=stark/OU=ITOPS/CN=client-number-1/emailAddress=ad...@obsd57.com ok
>> ikev2_getimsgdata: imsg 18 rspi 0xd4cd1307801a4461 ispi 0x0e3d4164b4884c93
>> initiator 0 sa valid type 4 data length 1011
>> ikev2_dispatch_cert: cert type X509_CERT length 1011, ok
>> sa_stateflags: 0x18 -> 0x19 cert,authvalid,sa (required 0x1f
>> cert,certvalid,auth,authvalid,sa)
>> sa_stateok: VALID flags 0x19, require 0x1f cert,certvalid,auth,authvalid,sa
>> sa_state: cannot switch: AUTH_SUCCESS -> VALID
>>
>> Inside /etc/ssl/x509v3.cnf file, my CERTFQDN has the value
>> server.obsd57.com
>>
>> In Apple Configurator profile, I've the following:
>>
>> Remote Identifier: server.obsd57.com
>> Local Identifier: client-number-1
>>
>> I've tried populating the following fields, but neither of them helps:
>> Server Certificate Issuer Common Name: obsd57 (That's the CN for my CA)
>> Server Certificate Common Name: server.obsd57.com (That's the CN for my
>> server certificate)
>>
>> Not sure where to go from here. Can you help point me in the right
>> direction on what may be wrong here?
>>
>> Thanks,
>> dot.yet
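The certificate printout Paul asks for, together with the subjectAltName comparison that the ca_x509_subjectaltname_cmp lines in the quoted log are reporting on, as an added example that is not part of the original thread or of iked. It assumes the openssl command-line tool is installed (1.1.1 or later for the -addext option used by the test-certificate helper). The test certificate it builds, CN=client-number-1 with a DNS subjectAltName of server.obsd57.com, is constructed here as a guess at the shape of the poster's client certificate, based only on the log; the iked log renders a DNS SAN as FQDN/<name>, which is why the check below looks at DNS entries.

```shell
#!/bin/sh
# Added example, not code from the thread or from iked.
# Assumes the openssl command-line tool is installed.

# Print a certificate in human-readable text and then in PEM form.
dump_cert() {
    openssl x509 -in "$1" -noout -text
    openssl x509 -in "$1"
}

# List the DNS names in the certificate's subjectAltName, one per line.
# iked logs such an entry as "FQDN/<name>" (see ca_x509_subjectaltname in the log).
san_dns_names() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | grep -o 'DNS:[^,]*' \
        | sed 's/^DNS://'
}

# Exit 0 when the identifier is one of the SAN DNS names, 1 otherwise.
# A peer ID that is only the subject CN, with no matching SAN entry,
# is the situation the "mismatched" log line describes.
san_matches_id() {
    san_dns_names "$1" | grep -qx "$2"
}

# Constructed test certificate (hypothetical, for running the checks offline):
# subject CN=client-number-1, SAN=DNS:server.obsd57.com. Prints the file path.
make_test_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -nodes -days 1 \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -subj "/C=CA/ST=Ontario/L=Toronto/O=stark/OU=ITOPS/CN=client-number-1" \
        -addext "subjectAltName=DNS:server.obsd57.com" >/dev/null 2>&1
    echo "$dir/cert.pem"
}

# Usage: sh check_san.sh <cert.pem> [identifier]
if [ -n "$1" ]; then
    dump_cert "$1"
    echo "SAN DNS names:"
    san_dns_names "$1"
    if [ -n "$2" ]; then
        if san_matches_id "$1" "$2"; then
            echo "$2: matches a subjectAltName entry"
        else
            echo "$2: mismatched"
        fi
    fi
fi
```

Run against the exported client certificate with the identifier the client is configured to send (client-number-1 in the profile above); the SAN listing is what to compare with the Local Identifier, since the log shows iked comparing the peer's identity against the SAN rather than the subject CN.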
