I'm having a problem getting macOS working with strongSwan, and would greatly 
appreciate assistance.

The exact same Certs work fine when installed on an iOS client, so the Certs 
aren't obviously broken, and the .conf works fine for iOS as well. The 
swanctl.conf snippet, Certs, and log snippet from the working iOS connection follow.

The error in the system log shows near the very end of authenticating the 
connection:

Jul 05 12:09:42 pvn charon-systemd[39509]: received fragment #2 of 2, reassembled fragmented IKE message (960 bytes)
Jul 05 12:09:42 pvn charon-systemd[39509]: parsed IKE_AUTH request 7 [ EAP/RES/TLS ]
Jul 05 12:09:42 pvn charon-systemd[39509]: received TLS peer certificate 'C=US, O=pvn-strongSwan, [email protected]'
Jul 05 12:09:42 pvn charon-systemd[39509]: received TLS intermediate certificate 'C=US, O=pvn-strongSwan, CN=strongSwan pvn Root CA'
Jul 05 12:09:42 pvn charon-systemd[39509]: no trusted certificate found for '[email protected]' to verify TLS peer
Jul 05 12:09:42 pvn charon-systemd[39509]: sending fatal TLS alert 'certificate unknown'
Jul 05 12:09:42 pvn charon-systemd[39509]: generating IKE_AUTH response 7 [ EAP/REQ/TLS ]
Jul 05 12:09:42 pvn charon-systemd[39509]: sending packet: from 192.168.92.5[4500] to ex.te.rn.al[4500] (96 bytes)
Jul 05 12:09:42 pvn charon-systemd[39509]: received packet: from ex.te.rn.al[4500] to 192.168.92.5[4500] (144 bytes)
Jul 05 12:09:42 pvn charon-systemd[39509]: parsed IKE_AUTH request 8 [ EAP/RES/TLS ]
Jul 05 12:09:42 pvn charon-systemd[39509]: EAP method EAP_TLS failed for peer [email protected]
Jul 05 12:09:42 pvn charon-systemd[39509]: generating IKE_AUTH response 8 [ EAP/FAIL ]
Jul 05 12:09:42 pvn charon-systemd[39509]: sending packet: from 192.168.92.5[4500] to ex.te.rn.al[4500] (80 bytes)

I've checked that the .p12 and (self-signed) Root CA Certs are both in the 
system keychain. Thinking that maybe the Root CA Cert needed to be in the 
System Roots keychain, I tried to put it there, but macOS said "No, they should 
be in the system keychain". The Root CA Cert is marked as trusted for all 
users, for all usages.

I'd appreciate any definitive answers, good guesses, etc. This has me totally 
baffled!

Thanks!

swanctl.conf VPN Configuration Details:

# Configuration written by pistrong makeMyCA V3.1 on Tue 07 Jun 2022 09:51:24 AM PDT

conn-defaults {
    version = 2
    send_certreq = yes
    send_cert = always
    unique = never
    fragmentation = yes
    # Force esp encapsulation for restrictive firewalls
    encap = yes
    dpd_delay = 120s
    rekey_time = 0s
    pools = primary-pool-ipv4

    local {
        auth = pubkey
        cacerts = strongSwanCACert.pem
    }
}

remote-defaults {
    remote {
        id = %any
    }
}

child-defaults {
    net {
        dpd_action = clear
        rekey_time = 0s
        updown = /usr/lib/ipsec/_updown iptables
    }
}

connections {
    conn-ios : conn-defaults, remote-defaults {
        proposals = aes256-sha256-modp2048,aes256-sha256-modp1024,aes256-sha1-modp1024
        local {
            certs = ios-strongSwanVPNCert.pem
            id = ios.mydomain.com
        }
        remote {
            auth = eap-tls
        }
        children {
            net : child-defaults {
                local_ts = 0.0.0.0/0
                esp_proposals = aes256-sha256
            }
        }
    }
}

pools {
    primary-pool-ipv4 {
        addrs = 10.92.10.0/24
        dns = 192.168.92.3
    }
}

Formatted CA and VPN Cert:

[CA Certificate /etc/swanctl/x509ca/strongSwanCACert.pem]
  subject:  "C=US, O=pvn-strongSwan, CN=strongSwan pvn Root CA"
  issuer:   "C=US, O=pvn-strongSwan, CN=strongSwan pvn Root CA"
  validity:  not before Jun 06 12:59:04 2022, ok
             not after  Jun 03 12:59:04 2032, ok (expires in 3620 days)
  serial:    38:94:d1:8e:7f:32:28:90
  flags:     CA CRLSign self-signed
  subjkeyId: 04:63:b7:4e:12:5b:6c:b4:3f:fb:5d:e3:f6:9c:43:6e:3f:69:3b:0e
  pubkey:    RSA 4096 bits
  keyid:     de:8c:21:84:30:3c:34:13:84:65:41:60:5f:e0:66:c0:0a:d2:54:0a
  subjkey:   04:63:b7:4e:12:5b:6c:b4:3f:fb:5d:e3:f6:9c:43:6e:3f:69:3b:0e

[VPN Host Certificate /etc/swanctl/x509/ios-strongSwanVPNCert.pem]
  subject:  "C=US, O=pvn-strongSwan, CN=pvn.mydomain.com"
  issuer:   "C=US, O=pvn-strongSwan, CN=strongSwan pvn Root CA"
  validity:  not before Jun 06 12:59:18 2022, ok
             not after  Jun 03 12:59:18 2032, ok (expires in 3620 days)
  serial:    10:dc:bf:05:81:c0:e4:06
  altNames:  ios.mydomain.com, pvn.mydomain.com
  flags:     serverAuth ikeIntermediate
  authkeyId: 04:63:b7:4e:12:5b:6c:b4:3f:fb:5d:e3:f6:9c:43:6e:3f:69:3b:0e
  subjkeyId: d0:1b:b4:b8:67:df:64:07:ef:14:f1:e7:92:80:c6:8f:7f:e4:1b:94
  pubkey:    RSA 4096 bits
  keyid:     3f:a6:74:2d:4e:24:6a:78:17:80:7f:29:92:ba:62:29:19:70:69:aa
  subjkey:   d0:1b:b4:b8:67:df:64:07:ef:14:f1:e7:92:80:c6:8f:7f:e4:1b:94


Formatted User Cert:

  subject:  "C=US, O=pvn-strongSwan, [email protected]"
  issuer:   "C=US, O=pvn-strongSwan, CN=strongSwan pvn Root CA"
  validity:  not before Jul 01 10:08:33 2022, ok
             not after  Jun 30 10:08:33 2024, ok (expires in 725 days)
  serial:    0b:94:f4:e8:50:7b:71:a2
  altNames:  [email protected]
  flags:
  authkeyId: 04:63:b7:4e:12:5b:6c:b4:3f:fb:5d:e3:f6:9c:43:6e:3f:69:3b:0e
  subjkeyId: 2f:a3:94:ed:03:c6:5c:e2:29:c7:42:7e:67:2e:d4:4c:91:a2:a2:fe
  pubkey:    RSA 2048 bits
  keyid:     be:8a:71:45:9c:de:9b:94:83:8e:0f:e7:d1:26:b4:58:a2:01:07:7b
  subjkey:   2f:a3:94:ed:03:c6:5c:e2:29:c7:42:7e:67:2e:d4:4c:91:a2:a2:fe

The exact same Certs when connected from an iOS device yield this set of 
authentication log entries:

Jul 05 11:52:30 pvn charon-systemd[39509]: received fragment #2 of 2, reassembled fragmented IKE message (960 bytes)
Jul 05 11:52:30 pvn charon-systemd[39509]: parsed IKE_AUTH request 7 [ EAP/RES/TLS ]
Jul 05 11:52:30 pvn charon-systemd[39509]: received TLS peer certificate 'C=US, O=pvn-strongSwan, [email protected]'
Jul 05 11:52:30 pvn charon-systemd[39509]: received TLS intermediate certificate 'C=US, O=pvn-strongSwan, CN=strongSwan pvn Root CA'
Jul 05 11:52:30 pvn charon-systemd[39509]:   using trusted ca certificate "C=US, O=pvn-strongSwan, CN=strongSwan pvn Root CA"
Jul 05 11:52:30 pvn charon-systemd[39509]: checking certificate status of "C=US, O=pvn-strongSwan, [email protected]"
Jul 05 11:52:30 pvn charon-systemd[39509]: certificate status is not available
Jul 05 11:52:30 pvn charon-systemd[39509]:   reached self-signed root ca with a path length of 0
Jul 05 11:52:30 pvn charon-systemd[39509]:   using trusted certificate "C=US, O=pvn-strongSwan, [email protected]"
Jul 05 11:52:30 pvn charon-systemd[39509]: generating IKE_AUTH response 7 [ EAP/REQ/TLS ]
Jul 05 11:52:30 pvn charon-systemd[39509]: sending packet: from 192.168.92.5[4500] to ex.te.rn.al[4500] (160 bytes)
Jul 05 11:52:30 pvn charon-systemd[39509]: received packet: from ex.te.rn.al[4500] to 192.168.92.5[4500] (80 bytes)
Jul 05 11:52:30 pvn charon-systemd[39509]: parsed IKE_AUTH request 8 [ EAP/RES/TLS ]
Jul 05 11:52:30 pvn charon-systemd[39509]: EAP method EAP_TLS succeeded, MSK established
Jul 05 11:52:30 pvn charon-systemd[39509]: generating IKE_AUTH response 8 [ EAP/SUCC ]
Jul 05 11:52:30 pvn charon-systemd[39509]: sending packet: from 192.168.92.5[4500] to ex.te.rn.al[4500] (80 bytes)
Jul 05 11:52:30 pvn charon-systemd[39509]: received packet: from ex.te.rn.al[4500] to 192.168.92.5[4500] (112 bytes)
Jul 05 11:52:30 pvn charon-systemd[39509]: parsed IKE_AUTH request 9 [ AUTH ]
Jul 05 11:52:30 pvn charon-systemd[39509]: authentication of '[email protected]' with EAP successful
Jul 05 11:52:30 pvn charon-systemd[39509]: authentication of 'ios.mydomain.com' (myself) with EAP
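As an added example (not part of the original post, and not strongSwan's own code), here is a small Python parser over charon-systemd lines like the two excerpts above: it groups each EAP-TLS exchange by the presented peer certificate, records whether a trusted CA was reached or a fatal TLS alert was sent, and checks whether the identity charon reports in "no trusted certificate found for ..." actually appears in the presented subject DN, which is the first thing to compare between a failing and a working client. The sample log lines, identities and timestamps are constructed placeholders.

```python
import re

# Constructed sample modelled on the charon-systemd lines quoted above;
# identities and timestamps are placeholders, not the poster's real values.
SAMPLE_LOG = """\
Jul 05 12:09:42 pvn charon-systemd[39509]: received TLS peer certificate 'C=US, O=pvn-strongSwan, E=alice@example.invalid'
Jul 05 12:09:42 pvn charon-systemd[39509]: no trusted certificate found for 'alice@example.invalid' to verify TLS peer
Jul 05 12:09:42 pvn charon-systemd[39509]: sending fatal TLS alert 'certificate unknown'
Jul 05 12:09:42 pvn charon-systemd[39509]: EAP method EAP_TLS failed for peer alice@example.invalid
Jul 05 11:52:30 pvn charon-systemd[39509]: received TLS peer certificate 'C=US, O=pvn-strongSwan, E=bob@example.invalid'
Jul 05 11:52:30 pvn charon-systemd[39509]:   using trusted ca certificate "C=US, O=pvn-strongSwan, CN=strongSwan pvn Root CA"
Jul 05 11:52:30 pvn charon-systemd[39509]: EAP method EAP_TLS succeeded, MSK established
"""

PREFIX = re.compile(r"^\w{3} \d\d \d\d:\d\d:\d\d \S+ charon-systemd\[\d+\]:\s+(.*)$")  # journal prefix
PEER_CERT = re.compile(r"^received TLS peer certificate '(.+)'$")
TRUSTED_CA = re.compile(r'^using trusted ca certificate "(.+)"$')
NO_TRUST = re.compile(r"^no trusted certificate found for '(.+)' to verify TLS peer$")
ALERT = re.compile(r"^sending fatal TLS alert '(.+)'$")
RESULT = re.compile(r"^EAP method EAP_TLS (succeeded|failed)")


def identity_in_subject(identity, subject):
    """True if the identity charon looked up is an RDN value (e.g. E=...) of the presented subject."""
    values = [rdn.split("=", 1)[1].strip() for rdn in subject.split(",") if "=" in rdn]
    return identity in values


def parse_eap_tls(text):
    """Group charon lines into EAP-TLS exchanges (one per presented peer cert) and summarise each."""
    exchanges, cur = [], None
    for line in text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue
        msg = m.group(1)
        if pc := PEER_CERT.match(msg):
            cur = {"peer_subject": pc.group(1), "trusted_ca": None, "lookup_identity": None,
                   "identity_in_subject": None, "alert": None, "result": None}
            exchanges.append(cur)
        elif cur is None:
            continue  # lines before the first peer certificate belong to no exchange
        elif tc := TRUSTED_CA.match(msg):
            cur["trusted_ca"] = tc.group(1)
        elif nt := NO_TRUST.match(msg):
            cur["lookup_identity"] = nt.group(1)
            cur["identity_in_subject"] = identity_in_subject(nt.group(1), cur["peer_subject"])
        elif al := ALERT.match(msg):
            cur["alert"] = al.group(1)
        elif rs := RESULT.match(msg):
            cur["result"] = rs.group(1)
    return exchanges
```

Feed it the real journal output (`journalctl -u strongswan` or the charon log file) and compare the `lookup_identity` and `trusted_ca` fields of the failing macOS exchange against the working iOS one.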
