Thank you so much, that helps clear up many points.

>> Is there any recommended conn configuration for Apples with ikev2 ?
> The native iOS / OS X clients did not support IKEv2. With iOS 8 I've
> heard this has changed, but I didn't have a chance to look at it. Not
> sure about Yosemite

OK, I realize I got very confused by this part at the top of
https://wiki.strongswan.org/projects/strongswan/wiki/MacOSX :
"Please note that releases before 5.0.0 don't support IKEv1 because the
old pluto IKEv1 daemon was not ported to Mac OS X."
I wound up thinking it did ikev2 all along somehow. Anyway, moving along:

>> Something generally like (I know it needs tweaking, the mac won't yet
>> accept it):
>> leftauth=pubkey
>> rightauth=pubkey
> No, that's not supported by the strongSwan.app.

Because of the EAP part, got it. I can't get Mac OS X to accept that
example with its native vpn either, though. Are there more examples of
conn setups for mac clients? I've searched and searched to no avail
besides the conn I quoted, which I still haven't managed to tweak enough
for a mac to accept at all. The test suite examples aren't organized in
terms of what type of machine or devices Carol and Bob are.

> A rightcert configures a file on disk, usually in /etc/ipsec.d/certs.
> Such an option is never related to the Keychain.

Huh. Does that mean if I manually put .pem files in /etc/ipsec.d/private
and .../certs in the Mac OS X client, the client would be able to serve
the .pem files themselves to the vpn certificate request? Or am I only
able to use the keychain on a mac client?

> There is a keychain plugin for strongSwan. If enabled, the certificates
> are looked up using IKE identities (leftid/rightid), or using the
> certificate issuer for CA validation. The strongswan.app uses that to
> find trusted certificates. You may use that plugin in your own generic
> strongSwan build, but certificates are referenced by the contained
> identities only.

So, for clients using Mac OS X's native app, how exactly does the server
conn reference the certificate in the keychain -- is the keychain plugin
absolutely required? Does it require compiling from source (like the
xauth-pam plugin) to enable it? If the client uses the mac os x strongswan
app, then the server conn can reference the certificate the usual way?
Are there example conns for these situations that I can look at? What
exactly is the "contained identity"? Is that the entire
"C=xx, O=xx, CN=X", or "CN=X", or "X" or something else?

Thanks again, this is very helpful.

Cindy

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
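As an added illustration (not from this thread and not the strongSwan project's own example), the distinction the reply draws: on the gateway, `leftcert` names a file under /etc/ipsec.d/certs, while the remote peer's certificate is never configured as a file; the gateway validates whatever certificate the peer sends against the CA in /etc/ipsec.d/cacerts and matches the IKE identity against the subject DN or subjectAltName contained in that certificate, which is what `rightid` refers to. The hostname, certificate file names, address pool and the EAP method in the second conn are assumptions.

```ini
# Gateway side ipsec.conf (constructed example; names are placeholders)
config setup

conn %default
    keyexchange=ikev2

# Client holds its own certificate and key. No rightcert file exists on
# the gateway: the client's certificate arrives in IKE_AUTH, is checked
# against /etc/ipsec.d/cacerts, and its contained identity (subject DN
# or a subjectAltName such as an email address or FQDN) must match rightid.
conn mac-pubkey
    left=%any
    leftid=vpn.example.com          # must be a SAN in gatewayCert.pem
    leftcert=gatewayCert.pem        # file in /etc/ipsec.d/certs
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    right=%any
    rightid="C=XX, O=Example, CN=alice"   # full DN, or a SAN like alice@example.com
    rightauth=pubkey
    rightsourceip=10.10.10.0/24
    auto=add

# Native IKEv2 client path: the gateway still authenticates with its
# certificate, the client with an EAP username/password instead of a
# certificate (EAP-MSCHAPv2 here is an assumption, not taken from the thread).
conn mac-eap
    left=%any
    leftid=vpn.example.com
    leftcert=gatewayCert.pem
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    eap_identity=%identity          # use the EAP identity for secret lookup
    rightsourceip=10.10.10.0/24
    auto=add
```

A certificate whose identity does not match `rightid` fails authentication even if it chains to a trusted CA, so the DN or SAN written here must be exactly what the client's certificate contains.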
