On May 1, 2021, at 10:39, Blue Aquan <[email protected]> wrote:
>
> Hi Paul
> I read some documentation about similar problems with MacOS and tried a
> suggestion you mentioned in them. I didn't import a profile, but in the
> VPN configuration of Mac, under "Authentication Settings", I chose "None".
> When I select "None", it shows two options below, "Shared Secret" and
> "Certificate"... I chose "Certificate", selected the corresponding client
> certificate and applied the change.
>
> When I did this, it still does not connect, but there's a change in the
> message from the previous one.
I haven’t tried lately without using mobileconfig configuration files. The
method you describe used to work.
>
> May 1 19:55:55.592575: "MOBILE"[1] 1.2.3.4 #8: processing decrypted IKE_AUTH
> request: SK{IDi,N,N,IDr,AUTH,CERT,CP,N,N,SA,TSi,TSr}
> May 1 19:55:55.596196: "MOBILE"[2] 1.2.3.4 #8: authenticated using RSA with
> SHA1
So this is better. Now you are authenticated so it’s no longer trying to do EAP.
> May 1 19:55:55.611645: "MOBILE"[2] 1.2.3.4 #9: responding to IKE_AUTH
> message (ID 1) from 1.2.3.4:4500 with encrypted notification TS_UNACCEPTABLE
It looks like the client wasn’t sending 0/0 to 0/0 to allow the server to
narrow it to a single IP?
Note on this older one:
>> May 1 13:52:38.412735: "MOBILE"[1] 1.2.3.4 #10: dropping unexpected
>> IKE_AUTH message containing INITIAL_CONTACT... notification; message
>> payloads: SK; encrypted payloads: SA,IDi,IDr,N,TSi,TSr,CP; missing payloads:
>> AUTH
Missing AUTH is a sign of the client trying EAP. That is currently not
supported with libreswan.
>>>> conn COMET
>>>> left=1.2.3.4
>>>> leftsubnet=192.168.1.0/24
>>>> leftcert=sun.abc.com
>>>>
Assuming you have rightaddresspool, it seems your Mac client doesn’t have
192.168.1.0/24 (or 0.0.0.0/0) configured but something else?
Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
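The two diagnoses Paul draws from the pluto log in this thread (an IKE_AUTH with no AUTH payload means the client is attempting EAP; an authenticated peer followed by TS_UNACCEPTABLE means a traffic selector mismatch) can be turned into a small log triage script. The following is an added example and not code from the thread or from the libreswan project; it parses pluto-style log lines (the regex, the rule table and the verdict strings are my assumptions, modelled on the quoted lines), and the sample log is constructed from those quoted excerpts.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the pluto log lines quoted in the thread.
SAMPLE_LOG = """\
May 1 13:52:38.412735: "MOBILE"[1] 1.2.3.4 #10: dropping unexpected IKE_AUTH message containing INITIAL_CONTACT... notification; message payloads: SK; encrypted payloads: SA,IDi,IDr,N,TSi,TSr,CP; missing payloads: AUTH
May 1 19:55:55.592575: "MOBILE"[1] 1.2.3.4 #8: processing decrypted IKE_AUTH request: SK{IDi,N,N,IDr,AUTH,CERT,CP,N,N,SA,TSi,TSr}
May 1 19:55:55.596196: "MOBILE"[2] 1.2.3.4 #8: authenticated using RSA with SHA1
May 1 19:55:55.611645: "MOBILE"[2] 1.2.3.4 #9: responding to IKE_AUTH message (ID 1) from 1.2.3.4:4500 with encrypted notification TS_UNACCEPTABLE
"""

# Assumed field layout of a pluto connection log line:
# timestamp, "conn"[instance], peer address, #state number, message.
LINE_RE = re.compile(
    r'^(?P<ts>[A-Za-z]{3} +\d+ [\d:.]+): "(?P<conn>[^"]+)"\[(?P<inst>\d+)\] '
    r'(?P<peer>\S+) #(?P<state>\d+): (?P<msg>.*)$'
)

# Each rule maps a message substring to an event tag and the meaning given in the thread.
RULES = [
    ("missing payloads: AUTH", "eap_attempt",
     "IKE_AUTH without an AUTH payload: the client is trying EAP, which libreswan does not support"),
    ("authenticated using", "authenticated",
     "peer authenticated (certificate/RSA), so EAP is no longer being attempted"),
    ("TS_UNACCEPTABLE", "ts_unacceptable",
     "traffic selector rejected: client did not propose 0.0.0.0/0 (or the configured subnet) for the server to narrow"),
]


def parse_line(line):
    """Return the fields of one pluto log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(msg):
    """Return (tag, explanation) for the first rule matching the message, else None."""
    for needle, tag, why in RULES:
        if needle in msg:
            return tag, why
    return None


def diagnose(log_text):
    """Group recognised events per peer address and derive a verdict for the attempt."""
    peers = defaultdict(lambda: {"events": [], "explanations": []})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        hit = classify(rec["msg"])
        if hit is None:
            continue
        tag, why = hit
        entry = peers[rec["peer"]]
        entry["events"].append(tag)
        entry["explanations"].append(f'#{rec["state"]} {rec["ts"]}: {why}')
    for entry in peers.values():
        ev = entry["events"]
        entry["authenticated"] = "authenticated" in ev
        if entry["authenticated"] and "ts_unacceptable" in ev:
            entry["verdict"] = "auth ok; fix client traffic selectors (send 0.0.0.0/0) or server subnet/addresspool"
        elif "eap_attempt" in ev and not entry["authenticated"]:
            entry["verdict"] = "client attempting EAP; switch it to certificate authentication"
        elif entry["authenticated"]:
            entry["verdict"] = "authenticated, no traffic selector problem seen"
        else:
            entry["verdict"] = "no recognised failure pattern"
    return dict(peers)


if __name__ == "__main__":
    for peer, info in diagnose(SAMPLE_LOG).items():
        print(peer, "->", info["verdict"])
        for detail in info["explanations"]:
            print("   ", detail)
```

Run against the sample, the script reports the earlier EAP attempt and then, for the later attempt, that authentication succeeded and the remaining problem is the traffic selector, which is exactly the progression the thread walks through. Feeding it a real pluto log (for example `journalctl -u ipsec` output, with any extra prefix stripped) gives a per-peer summary without reading every line by hand.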