Deleted Mac app v5.2.2 (1) and installed the v5.3.0 (1) Mac app but could not get EAP-GTC to work. It did prompt to install a new helper and that was done.
The VPN gateway has a working configuration for the Mac app v5.2.2 (1) using EAP-MD5. To test Mac app v5.3.0 (1), a single modification was made to the VPN gateway configuration, replacing the line:

    rightauth=eap-md5

with

    rightauth=eap-gtc

Mac app log file snippet, just after the VPN gateway's certificate was validated:

server requested EAP_IDENTITY (id 0x00), sending 'test'
generating IKE_AUTH request 2 [ EAP/RES/ID ]
sending packet: from 10.0.1.205[64405] to a.b.c.d[4500] (76 bytes)
received packet: from a.b.c.d[4500] to 10.0.1.205[64405] (92 bytes)
parsed IKE_AUTH response 2 [ EAP/REQ/GTC ]
server requested EAP_GTC authentication (id 0xD6)
EAP method not supported, sending EAP_NAK
generating IKE_AUTH request 3 [ EAP/RES/NAK ]
sending packet: from 10.0.1.205[64405] to a.b.c.d[4500] (76 bytes)
received packet: from a.b.c.d[4500] to 10.0.1.205[64405] (76 bytes)
parsed IKE_AUTH response 3 [ EAP/FAIL ]
received EAP_FAILURE, EAP authentication failed
generating INFORMATIONAL request 4 [ N(AUTH_FAILED) ]
sending packet: from 10.0.1.205[64405] to a.b.c.d[4500] (76 bytes)

Is the root cause the line "EAP method not supported, sending EAP_NAK"?

I reverted the gateway configuration to specify eap-md5 and the v5.3.0 Mac app created a working connection.

> On Mar 24, 2015, at 7:49 AM, Martin Willi <mar...@strongswan.org> wrote:
>
> Hi Ken,
>
>> Not sure if keeping the current DNS servers installed is the best
>> approach, maybe we should remove the previous servers. But we
>> currently just add them to have them as a fallback.
>
> I've pushed a new build [1] based on 5.3.0-rc1 that, instead of appending
> the servers to the list, replaces the default servers and also
> restores them. This probably gives somewhat more predictable behavior,
> but of course disables any fallback for DNS queries.
>
> Unfortunately, that does not seem to resolve all issues. Some
> applications (Google Chrome) resolve DNS names just fine over the
> configured servers, others (Safari) don't use them. Not sure how we can
> trick all applications into using these servers.
>
> /etc/resolv.conf, by the way, does not seem to get updated at all
> anymore. The file was last touched on Oct 17th, which exactly
> correlates with the time Yosemite was installed. Most likely all C
> library calls rely on System Configuration these days?
>
>> Out of curiosity, why is the DNS server added to the PrimaryService
>> store State:/Network/Service/97E8D482-1E2D-4743-B18D-FCA53A7151A7/DNS
>> instead of State:/Network/Global/DNS
>
> AFAICS, DNS servers get configured on the interface (service), and if
> that is active they get propagated to the global configuration.
>
>> where the System Preferences->Network configured servers are stored?
>
> To me it looks more like you configure DNS servers for each interface.
> The servers of the active/primary interface then get used.
>
> While we install a utun device to forward traffic over libipsec, that
> interface does not have a "service" in the sense of System
> Configuration. We therefore assign DNS servers to the primary service,
> which is for your physical interface. Possible that this doesn't work
> that well anymore...
>
>> Also, is there any way to associate a search domain with the DNS server
>> sent by the VPN gateway?
>
> No. IKEv2 actually does not support negotiating search domains for DNS
> servers, and a manual/local configuration is currently not implemented.
>
>> I would like to use EAP-GTC authentication with the Mac app and would
>> be willing to modify the app to add this feature.
>
> The new build additionally comes with the eap-gtc plugin.
>
> Regards
> Martin
>
> [1] http://download.strongswan.org/osx/strongswan-5.3.0-1.app.zip
>
> _______________________________________________
> Users mailing list
> Users@lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
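The log excerpt in the post above shows the IKEv2 EAP negotiation failing in a characteristic way: the gateway asks for EAP_GTC, the client answers with an EAP_NAK ("EAP method not supported"), and the gateway then sends EAP_FAILURE. That sequence points at a method mismatch on the client side rather than at bad credentials, which would produce an EAP_FAILURE without a preceding NAK. The following Python script is an added example, not code from the post or from the strongSwan project: it walks charon client-side log lines, records which EAP methods the server requested, which of them the client refused with a NAK, and how the exchange ended. The sample log text is constructed here, modelled on the lines quoted in the post; the success line ("EAP method EAP_MD5 succeeded, MSK established") in the second sample is an assumption about charon's wording, included so the parser can distinguish the three outcomes.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, modelled on the charon log excerpt quoted in the post
# (gateway configured with rightauth=eap-gtc, client without an EAP-GTC method).
SAMPLE_LOG_GTC_FAIL = """\
server requested EAP_IDENTITY (id 0x00), sending 'test'
generating IKE_AUTH request 2 [ EAP/RES/ID ]
sending packet: from 10.0.1.205[64405] to a.b.c.d[4500] (76 bytes)
received packet: from a.b.c.d[4500] to 10.0.1.205[64405] (92 bytes)
parsed IKE_AUTH response 2 [ EAP/REQ/GTC ]
server requested EAP_GTC authentication (id 0xD6)
EAP method not supported, sending EAP_NAK
generating IKE_AUTH request 3 [ EAP/RES/NAK ]
sending packet: from 10.0.1.205[64405] to a.b.c.d[4500] (76 bytes)
received packet: from a.b.c.d[4500] to 10.0.1.205[64405] (76 bytes)
parsed IKE_AUTH response 3 [ EAP/FAIL ]
received EAP_FAILURE, EAP authentication failed
generating INFORMATIONAL request 4 [ N(AUTH_FAILED) ]
"""

# Constructed sample of the working eap-md5 case. The "succeeded" line is an
# assumption about charon's wording, not a line taken from the post.
SAMPLE_LOG_MD5_OK = """\
server requested EAP_IDENTITY (id 0x00), sending 'test'
generating IKE_AUTH request 2 [ EAP/RES/ID ]
parsed IKE_AUTH response 2 [ EAP/REQ/MD5 ]
server requested EAP_MD5 authentication (id 0x5A)
generating IKE_AUTH request 3 [ EAP/RES/MD5 ]
parsed IKE_AUTH response 3 [ EAP/SUCC ]
EAP method EAP_MD5 succeeded, MSK established
"""

# Client-side charon messages that carry the state of the EAP exchange.
REQUESTED_RE = re.compile(
    r"server requested (EAP_[A-Z0-9_]+)(?: authentication)? \(id 0x([0-9A-Fa-f]{2})\)")
NAK_RE = re.compile(r"EAP method not supported, sending EAP_NAK")
FAIL_RE = re.compile(r"received EAP_FAILURE")
SUCCESS_RE = re.compile(r"EAP method (EAP_[A-Z0-9_]+) succeeded")


@dataclass
class EapExchange:
    requested: List[str] = field(default_factory=list)  # methods the server asked for, in order
    rejected: List[str] = field(default_factory=list)   # methods the client answered with EAP_NAK
    outcome: str = "incomplete"                         # "failure", "success" or "incomplete"


def parse_eap_exchange(log_text: str) -> EapExchange:
    """Extract the EAP method negotiation from client-side charon log lines."""
    ex = EapExchange()
    current: Optional[str] = None  # the method most recently requested by the server
    for line in log_text.splitlines():
        m = REQUESTED_RE.search(line)
        if m:
            current = m.group(1)
            ex.requested.append(current)
            continue
        if NAK_RE.search(line):
            # A NAK always refers to the method the server asked for just before it.
            if current is not None:
                ex.rejected.append(current)
            continue
        if FAIL_RE.search(line):
            ex.outcome = "failure"
        elif SUCCESS_RE.search(line):
            ex.outcome = "success"
    return ex


def diagnose(log_text: str) -> str:
    """Turn the parsed exchange into a one-line root-cause statement."""
    ex = parse_eap_exchange(log_text)
    if ex.rejected and ex.outcome == "failure":
        return ("client rejected %s with EAP_NAK and the gateway answered EAP_FAILURE: "
                "the client has no implementation of that method (method mismatch, "
                "not a credential problem)" % ", ".join(ex.rejected))
    if ex.outcome == "failure":
        return "EAP_FAILURE without an EAP_NAK: the method ran and the gateway rejected the credentials"
    if ex.outcome == "success":
        return "EAP authentication succeeded with %s" % ", ".join(ex.requested[-1:])
    return "no EAP outcome seen in this log excerpt"


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG_GTC_FAIL))
    print(diagnose(SAMPLE_LOG_MD5_OK))
```

Run against the first sample the script reports that EAP_GTC was refused with a NAK before the failure, which is the check a practitioner wants before touching credentials or the gateway's rightauth line: if a NAK precedes EAP_FAILURE, the fix is on the client (a missing EAP method plugin), not in the secrets.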