Hello,

I run a Windows 2008 R2 VPN server, which I am able to connect to fine with the Android strongSwan app and Linux install of strongSwan. I am trying to get the Mac OS X native application to connect to it (tested 5.1.0-4 and 5.1.1-1) using strongSwan installed via Homebrew. OS X version is 10.9 Mavericks.

I have the CA certificate and VPN host certificate installed and trusted in the system and user keychain. Connection is almost successful, but fails with identity check of the gateway. Any feedback on what might be wrong or what to try next? Posted below is sanitized content from my daemon.log. As best as I can tell, it is reading the host certificate from the keychain, but I can't tell what else is wrong and can't figure out how to elevate the debug level using the native application.

Thanks,
Fred Kilbourn

Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 00[LIB] created TUN device: utun0
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 00[CFG] loaded 211 certificates from /System/Library/Keychains/SystemRootCertificates.keychain
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 00[CFG] loaded 5 certificates from /Library/Keychains/System.keychain
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 00[DMN] Starting charon-xpc IKE daemon (strongSwan 5.1.0-4, Darwin 13.0.0, x86_64)
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 00[JOB] spawning 16 worker threads
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 11[KNL] interface utun1 appeared
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 00[LIB] created TUN device: utun1
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 12[IKE] initiating IKE_SA VPN_CONNECTION_CONFIG[1] to 127.0.0.999
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 14[KNL] interface utun1 deactivated
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 12[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 12[NET] sending packet: from 127.0.0.1[51632] to 127.0.0.999[4500] (884 bytes)
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 15[NET] received packet: from 127.0.0.999[4500] to 127.0.0.1[51632] (38 bytes)
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 15[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 15[IKE] peer didn't accept DH group MODP_2048, it requested MODP_1024
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 15[IKE] initiating IKE_SA VPN_CONNECTION_CONFIG[1] to 127.0.0.999
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 15[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 15[NET] sending packet: from 127.0.0.1[51632] to 127.0.0.999[4500] (756 bytes)
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 16[NET] received packet: from 127.0.0.999[4500] to 127.0.0.1[51632] (316 bytes)
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 16[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 16[IKE] faking NAT situation to enforce UDP encapsulation
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 16[IKE] establishing CHILD_SA VPN_CONNECTION_CONFIG
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 16[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CP(ADDR DNS) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) ]
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 16[NET] sending packet: from 127.0.0.1[55981] to 127.0.0.999[4500] (412 bytes)
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 10[NET] received packet: from 127.0.0.999[4500] to 127.0.0.1[51632] (2908 bytes)
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 10[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 10[IKE] received end entity cert "CN=vpn-host.subdomain.domain.com"
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 10[CFG] using trusted ca certificate "DC=com, DC=domain, DC=subdomain, CN=ca-name"
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 10[CFG] reached self-signed root ca with a path length of 0
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 10[CFG] using trusted certificate "CN=vpn-host.subdomain.domain.com"
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 10[IKE] authentication of 'CN=vpn-host.subdomain.domain.com' with RSA signature successful
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 10[IKE] server requested EAP_IDENTITY (id 0x00), sending 'username'
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 10[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 10[NET] sending packet: from 127.0.0.1[55981] to 127.0.0.999[4500] (76 bytes)
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 11[NET] received packet: from 127.0.0.999[4500] to 127.0.0.1[51632] (92 bytes)
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 11[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 11[IKE] server requested EAP_MSCHAPV2 authentication (id 0x01)
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 11[ENC] generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 11[NET] sending packet: from 127.0.0.1[55981] to 127.0.0.999[4500] (132 bytes)
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 11[NET] received packet: from 127.0.0.999[4500] to 127.0.0.1[51632] (116 bytes)
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 11[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 11[IKE] EAP-MS-CHAPv2 succeeded: '(null)'
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 11[ENC] generating IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 11[NET] sending packet: from 127.0.0.1[55981] to 127.0.0.999[4500] (68 bytes)
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 12[NET] received packet: from 127.0.0.999[4500] to 127.0.0.1[51632] (68 bytes)
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 12[ENC] parsed IKE_AUTH response 4 [ EAP/SUCC ]
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 12[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 12[IKE] authentication of 'username' (myself) with EAP
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 12[ENC] generating IKE_AUTH request 5 [ AUTH ]
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 12[NET] sending packet: from 127.0.0.1[55981] to 127.0.0.999[4500] (84 bytes)
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 13[NET] received packet: from 127.0.0.999[4500] to 127.0.0.1[51632] (212 bytes)
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 13[ENC] parsed IKE_AUTH response 5 [ AUTH N(MOBIKE_SUP) CP(ADDR DNS) SA TSi TSr ]
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 13[IKE] authentication of 'CN=vpn-host.subdomain.domain.com' with EAP successful
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 13[CFG] constraint check failed: identity 'vpn-host.subdomain.domain.com' required
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 13[CFG] selected peer config 'VPN_CONNECTION_CONFIG' inacceptable: constraint checking failed
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 13[CFG] no alternative config found
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 13[ENC] generating INFORMATIONAL request 6 [ N(AUTH_FAILED) ]
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 13[NET] sending packet: from 127.0.0.1[55981] to 127.0.0.999[4500] (68 bytes)
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[DMN] thread 19 received 4
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB] dumping 15 stack frame addresses:
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB] /usr/lib/system/libsystem_platform.dylib @ 0x7fff8e180000 (_sigtramp+0x1a) [0x7fff8e1835aa]
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB] -> _sigtramp (in libsystem_platform.dylib) + 26
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB] 1 ??? 0x0000000000000000 0x0 + 0
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB] /usr/lib/system/libxpc.dylib @ 0x7fff870aa000 (_xpc_connection_last_xref_cancel+0x39) [0x7fff870b522d]
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB] -> _xpc_connection_last_xref_cancel (in libxpc.dylib) + 57
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB] /usr/lib/system/libxpc.dylib @ 0x7fff870aa000 (-[OS_xpc_connection _xref_dispose]+0x11) [0x7fff870b51ce]
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB] -> -[OS_xpc_connection _xref_dispose] (in libxpc.dylib) + 17
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB] /Library/PrivilegedHelperTools/org.strongswan.charon-xpc @ 0x10ecc3000 (start+0xd75) [0x10ed4fcb1]
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB] -> 0x000000010008ccb1 (in org.strongswan.charon-xpc) + 59
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB] /usr/lib/system/libdispatch.dylib @ 0x7fff8ab47000 (_dispatch_call_block_and_release+0xc) [0x7fff8ab4b1d7]
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB] -> _dispatch_call_block_and_release (in libdispatch.dylib) + 12
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB] /usr/lib/system/libdispatch.dylib @ 0x7fff8ab47000 (_dispatch_client_callout+0x8) [0x7fff8ab482ad]
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB] -> _dispatch_client_callout (in libdispatch.dylib) + 8
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB] /usr/lib/system/libdispatch.dylib @ 0x7fff8ab47000 (_dispatch_mach_barrier_invoke+0x50) [0x7fff8ab4ba89]
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB] -> _dispatch_mach_barrier_invoke (in libdispatch.dylib) + 80
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB] /usr/lib/system/libdispatch.dylib @ 0x7fff8ab47000 (_dispatch_client_callout+0x8) [0x7fff8ab482ad]
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB] -> _dispatch_client_callout (in libdispatch.dylib) + 8
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB] /usr/lib/system/libdispatch.dylib @ 0x7fff8ab47000 (_dispatch_queue_drain+0x1c3) [0x7fff8ab4a68f]
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB] -> _dispatch_queue_drain (in libdispatch.dylib) + 451
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB] /usr/lib/system/libdispatch.dylib @ 0x7fff8ab47000 (_dispatch_mach_invoke+0x9a) [0x7fff8ab4b69e]
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB] -> _dispatch_mach_invoke (in libdispatch.dylib) + 154
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB] /usr/lib/system/libdispatch.dylib @ 0x7fff8ab47000 (_dispatch_root_queue_drain+0x4b) [0x7fff8ab49fa3]
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB] -> _dispatch_root_queue_drain (in libdispatch.dylib) + 75
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB] /usr/lib/system/libdispatch.dylib @ 0x7fff8ab47000 (_dispatch_worker_thread2+0x28) [0x7fff8ab4b193]
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB] -> _dispatch_worker_thread2 (in libdispatch.dylib) + 40
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB] /usr/lib/system/libsystem_pthread.dylib @ 0x7fff8afc2000 (_pthread_wqthread+0x13a) [0x7fff8afc4ef8]
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB] -> _pthread_wqthread (in libsystem_pthread.dylib) + 314
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB] /usr/lib/system/libsystem_pthread.dylib @ 0x7fff8afc2000 (start_wqthread+0xd) [0x7fff8afc7fb9]
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[LIB] -> start_wqthread (in libsystem_pthread.dylib) + 13
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[DMN] killing ourself, received critical signal
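
Added example (not part of the original post and not strongSwan code): a short Python triage pass over a charon log in the format shown above, pulling out the DH group fallback, the identity the gateway authenticated as next to the identity the configuration required, and the daemon crash. The function name `triage` and the finding labels are hypothetical, and the sample lines are copied from the log in the post.

```python
import re

# Constructed sample: six lines taken from the daemon.log posted above.
SAMPLE_LOG = """\
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 15[IKE] peer didn't accept DH group MODP_2048, it requested MODP_1024
Oct 31 14:40:12 org.strongswan.charon-xpc[317]: 10[IKE] authentication of 'CN=vpn-host.subdomain.domain.com' with RSA signature successful
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 12[IKE] authentication of 'username' (myself) with EAP
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 13[IKE] authentication of 'CN=vpn-host.subdomain.domain.com' with EAP successful
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 13[CFG] constraint check failed: identity 'vpn-host.subdomain.domain.com' required
Oct 31 14:40:17 org.strongswan.charon-xpc[317]: 19[DMN] killing ourself, received critical signal
"""

# syslog prefix, then charon's "<thread>[<GROUP>] <message>"
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<proc>\S+)\[(?P<pid>\d+)\]: "
                  r"(?P<thread>\d+)\[(?P<group>[A-Z]{3})\] (?P<msg>.*)$")
DH = re.compile(r"peer didn't accept DH group (\S+), it requested (\S+)")
AUTH = re.compile(r"authentication of '([^']*)' with .* successful")
REQ = re.compile(r"constraint check failed: identity '([^']*)' required")

def triage(log_text):
    """Return findings for the DH fallback, the identity constraint and crashes."""
    findings, peer_id = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a charon log line
        msg = m["msg"]
        if (dh := DH.search(msg)):
            findings.append(("dh_fallback", dh[1], dh[2]))
        elif (a := AUTH.search(msg)):
            peer_id = a[1]  # identity the peer authenticated as
        elif (r := REQ.search(msg)):
            required = r[1]
            # A DN such as "CN=host" and the bare name "host" are different
            # identity strings even though they name the same machine.
            in_cn = peer_id is not None and f"CN={required}" in peer_id.split(", ")
            note = ("required name is only the CN of the peer's DN" if in_cn
                    else "peer identity differs from required identity")
            findings.append(("identity_mismatch", peer_id, required, note))
        elif "received critical signal" in msg:
            findings.append(("daemon_crash", m["thread"]))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```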
