Lonnie,
  I need some configuration help.  I have my iPhone connecting to the VPN
and it is working.  However, as noted in the documentation, the iPhone is
routing ALL traffic through the VPN, not just traffic to my internal
network.  I tried the Push Network(s) setting but it fails.

My internal network is 192.168.1.xx
I set remote IPv4 base to 192.168.2.1 and mask to 255.255.255.0

If I leave the push network(s) blank then everything works, but all traffic
goes through the VPN (traceroute [yes there is an app for that] starts with
the external IP address of the astlinux box).

If I enter 192.168.1.0/24 into the Push Network(s) field then nothing
routes to any 192.168.1.xx destination. Traceroute times out on the first
hop.  But traceroute to anywhere else works (without going through the
astlinux box).

Am I doing something wrong with the Push Network(s) setting?

Thanks
David



On Wed, Apr 25, 2012 at 2:05 PM, Lonnie Abelbeck
<[email protected]> wrote:

> Hi Ingmar and David,
>
> Yes, removing the "extendedKeyUsage=serverAuth" definition from the IPsec
> server certificate works for all IPsec clients I have.  It seems OS X is
> the only one picky enough for it to make a difference.
>
> I will make that change.
>
> Lonnie
>
>
> On Apr 25, 2012, at 12:20 PM, Lonnie Abelbeck wrote:
>
> > Hi Ingmar,
> >
> > I found the OS X problem, creating the server certificate with
> "extendedKeyUsage=serverAuth" defined makes OS X ignore the certificate, I
> just tested and removing (commenting out)...
> >
> > #extendedKeyUsage=serverAuth
> >
> > Now OS X (Snow Leopard) works perfectly.  I have yet to try Lion.
> >
> > The "extendedKeyUsage" was carried over from what OpenVPN needed.
> >
> > I know that OS X also uses "subjectAltName" as a primary test, so I
> don't think CN matters in this case, but if we feel that should match
> "subjectAltName" we could do that.
> >
> > Lonnie
> >
> >
> >
> > On Apr 25, 2012, at 11:43 AM, Ingmar Schraub wrote:
> >
> >> Hi Lonnie,
> >>
> >> I've just tested it and it stops where it tries to validate the server
> certificate. We ran into this when developing the solution for iOS. Here we
> just added the extra field "subjectAltName" and provide the server's FQDN.
> iOS is happy with either the common name or the subjectAltName matching the
> server name.
> >>
> >> Mac OSX is apparently different in this respect. From what I read it
> only checks the common name, which is in our case always 'server', but not
> the FQDN of the system. Lonnie, is there any chance to change this or
> what's the reason we always set this to "server"?
> >>
> >> From Apple docs: "IP Security (IPsec): When certificates are used to
> secure Internet Protocol communications (for example, in establishing a VPN
> connection), the name in the server’s certificate must match its DNS host
> name. The host name check is not performed for client certificates. If an
> extended key usage field is present, it must contain an appropriate value."
> >>
> >> Regards
> >> Ingmar
> >>
> >> On 25.04.2012 at 17:42, Lonnie Abelbeck wrote:
> >>
> >>> Hi David,
> >>>
> >>> Well, it *should* but I can't get it to work, and from googling I am
> not alone.  It complains about some certificate issue.  Though for OS X,
> OpenVPN is my first VPN choice and IPSecuritas
> >>> http://www.lobotomo.com/products/IPSecuritas/
> >>>
> >>> works fine with IPsec + XAuth with certificates on OS X.
> >>>
> >>> Though, it would sure be nice if the built-in OS X IPsec (Cisco) VPN
> client would be interoperable with iOS.
> >>>
> >>> Lonnie
> >>>
> >>>
> >>>
> >>> On Apr 25, 2012, at 10:24 AM, David Kerr wrote:
> >>>
> >>>> Lonnie,
> >>>> Will the iOS VPN configuration also work with the Mac OS X built-in
> VPN client?
> >>>>
> >>>> Thanks
> >>>> David
> >>>>
> >>>>
> >>>> On Wed, Apr 25, 2012 at 11:17 AM, Lonnie Abelbeck <
> [email protected]> wrote:
> >>>> AstLinux Users,
> >>>>
> >>>> The AstLinux Team would like to offer a preview to AstLinux 1.0.3.
> >>>>
> >>>> Keep in mind this is not a release candidate, some additions/changes
> may occur before the final AstLinux 1.0.3 release.  The preview changes are
> shown here...
> >>>>
> >>>> Additions for AstLinux 1.0.3:
> >>>>
> http://astlinux.svn.sourceforge.net/viewvc/astlinux/branches/1.0/docs/ChangeLog.txt
> >>>>
> >>>> The AstLinux Custom Build Engine is used to generate your custom
> preview, the default configurations are already built...
> >>>>
> >>>> Build AstLinux SVN Image:
> >>>> http://build.astlinux.org/admin/build.php?version=svn
> >>>>
> >>>> One particularly compelling new feature is support for IPsec + XAuth
> with certificates, providing more interoperability to various mobile VPN
> clients.  In particular for Apple's iOS devices.
> >>>>
> >>>> IPsec VPN for Apple iOS
> >>>> http://doc.astlinux.org/userdoc:tt_ipsec_vpn_apple_ios
> >>>>
> >>>> We have tested this extensively with iOS 5.1 clients, but welcome
> reports from other mobile devices, Android, etc.  The above
> documentation should apply, in the general sense, to most any mobile device
> that supports IPsec + XAuth with certificates.
> >>>>
> >>>> All feedback is appreciated.
> >>>>
> >>>> AstLinux Team
> >>>>
> >>>>
> >>>>
> ------------------------------------------------------------------------------
> >>>> Live Security Virtual Conference
> >>>> Exclusive live event will cover all the ways today's security and
> >>>> threat landscape has changed and how IT managers can respond.
> Discussions
> >>>> will include endpoint security, mobile security and the latest in
> malware
> >>>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> >>>> _______________________________________________
> >>>> Astlinux-users mailing list
> >>>> [email protected]
> >>>> https://lists.sourceforge.net/lists/listinfo/astlinux-users
> >>>>
> >>>> Donations to support AstLinux are graciously accepted via PayPal to
> [email protected].
> >>>>
> >>>>
> >>>
> >>>
> >>>
> >>
> >>
> >> --
> >> Bye, Ingmar Schraub             e-mail  : [email protected]
> >> eSeCo GmbH & Co. KG          Web     : http://www.eseco.de
> >> Darmstädter Straße 123      phone  : +49 6251 702988 0
> >> D-64625 Bensheim                fax         : +49 6251 58360 83
> >> Germany                                    mobile  : +49 173 6711767
> >> Register court:      Darmstadt, HRA 40930
> >> Managing director:   Ingmar Schraub
> >> Head office:         Herrnwaldstr. 6, D-64625 Bensheim
> >>
> >>
> >>
> >>
> >
> >
> >
> >
> >
>
>
>
>
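
Added example, not part of the original thread and not AstLinux's own code: a shell check for the server-certificate fields discussed in the quoted messages above (extendedKeyUsage, subjectAltName, CN), run against a "before" and an "after" test certificate. The function names make_sample and audit_cert, the host name vpn.example.com and the throwaway certificates are assumptions made for illustration; -addext needs OpenSSL 1.1.1 or later.

```sh
#!/bin/sh
# Added example. Constructed sample values: vpn.example.com, CN "server"
# (the CN mentioned in the thread), throwaway keys written to a temp directory.

# make_sample OUT.pem CN [EXT...] : self-signed test certificate; each EXT goes to -addext
make_sample() {
    out=$1; cn=$2; shift 2
    # Rewrite the remaining arguments as "-addext EXT" pairs (POSIX sh has no arrays).
    for e in "$@"; do set -- "$@" -addext "$e"; shift; done
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$out.key" -out "$out" \
        -days 1 -subj "/CN=$cn" "$@" 2>/dev/null
}

# audit_cert CERT.pem FQDN : prints "eku=<present|absent> san=<match|nomatch> cn=<match|nomatch>"
audit_cert() {
    text=$(openssl x509 -in "$1" -noout -text) || return 2
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253) || return 2
    eku=absent; san=nomatch; cn=nomatch
    # Is an Extended Key Usage extension present at all?
    printf '%s\n' "$text" | grep -q 'X509v3 Extended Key Usage' && eku=present
    # Exact comparison against each DNS entry of subjectAltName (no substring matches).
    printf '%s\n' "$text" | grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 |
        tr -d ' ' | tr ',' '\n' | grep -qxF "DNS:$2" && san=match
    # Exact comparison against the subject's CN component.
    printf '%s\n' "$subj" | sed 's/^subject= *//' | tr ',' '\n' |
        grep -qxF "CN=$2" && cn=match
    printf 'eku=%s san=%s cn=%s\n' "$eku" "$san" "$cn"
}

# "before": EKU set as carried over from OpenVPN; "after": EKU removed, SAN kept.
demo() {
    d=$(mktemp -d) || return 1
    make_sample "$d/before.pem" server extendedKeyUsage=serverAuth \
        subjectAltName=DNS:vpn.example.com
    make_sample "$d/after.pem" server subjectAltName=DNS:vpn.example.com
    for c in before after; do
        printf '%s: %s\n' "$c" "$(audit_cert "$d/$c.pem" vpn.example.com)"
    done
    rm -rf "$d"
}
demo
```

To check a real server certificate, call audit_cert with the PEM file and the host name the clients connect to.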