Hi Dan,

> What I meant to write was "The server side is *not* configured with
> leftsendcert=never"

I see :)

> I'm considering this resolved, even with the slight mystery
> around it not working with the lack of config.

No mystery at all, actually. I have now had a look at the code of charon-xpc, and the reason for this behavior is quite clear. The option to send certificate requests for installed CA certificates is disabled on the client. So because the default for leftsendcert is ifasked, the gateway won't send its certificate.

The reason this option is disabled in the app, apparently, is the high number of CA certificates that are installed on Mac OS X. Sending that many certificate requests increases the size of the IKE_AUTH message significantly, which could cause problems with IP fragmentation.

I added a note about this on [1].

Regards,
Tobias

[1] http://wiki.strongswan.org/projects/strongswan/wiki/MacOSX

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
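For readers landing on this thread later, here is the gateway-side ipsec.conf conn section that the explanation above implies. This is an added illustration, not configuration posted in the thread or shipped by the strongSwan project; the connection name, certificate file name, identity, subnets and the EAP authentication choice are assumptions, and only the leftsendcert line is the point of the example.

```ini
# /etc/ipsec.conf on the gateway (added example; names are assumed)

config setup

conn macosx
    keyexchange=ikev2
    left=%any
    leftid=vpn.example.org          # assumed gateway identity
    leftcert=gatewayCert.pem        # assumed gateway certificate file
    # The default is leftsendcert=ifasked. The Mac OS X client (charon-xpc)
    # never sends certificate requests, so with the default the gateway
    # would never send its certificate and the client could not verify it.
    # "always" sends the certificate regardless of any CERTREQ.
    leftsendcert=always
    leftsubnet=0.0.0.0/0            # assumed: route all client traffic
    right=%any
    rightauth=eap-mschapv2          # assumed client authentication method
    rightsourceip=10.0.0.0/24       # assumed virtual IP pool
    eap_identity=%identity
    auto=add
```

With the section in place, run `ipsec reload` so charon re-reads ipsec.conf. The corresponding client-side setting (whether certificate requests for installed CA certificates are sent) lives in the app and, as described above, is disabled there, so the fix has to be made on the gateway.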
