I'm trying to set up a mac os x client to use a certificate based authentication. I've created root and host (and client, w/private key) certificates with ipsec pki, then created p12 packages and successfully loaded them into the keychain on the mac I'm using. On the server side (ubuntu 14.04) of things I have
root@vpn:/etc# ipsec listcerts

List of X.509 End Entity Certificates:

  altNames:  vpn.example.edu
  subject:  "C=US, O=Example, CN=vpn.example.edu"
  issuer:   "C=US, O=Example, CN=strongSwan Root CA"
  serial:    [...]
  validity:  not before Dec 05 14:04:40 2014, ok
             not after  Dec 04 14:04:40 2016, ok
  pubkey:    RSA 2048 bits, has private key
  keyid:     [...]
  subjkey:   [...]
  authkey:   [...]

root@vpn:/etc# ipsec listcacerts

List of X.509 CA Certificates:

  subject:  "C=US, O=Example, CN=strongSwan Root CA"
  issuer:   "C=US, O=Example, CN=strongSwan Root CA"
  serial:    [...]
  validity:  not before Dec 05 14:02:35 2014, ok
             not after  Dec 02 14:02:35 2024, ok
  pubkey:    RSA 4096 bits
  keyid:     [...]
  subjkey:   [...]
  authkey:   [...]

root@vpn:/etc#

And then a pub/priv client key based on those. I'd like to test this with just certificate based requests for now (no usernames/passwords). So I have (there ARE tabs on the settings, but email is borking them; trust me, the file format's fine, syslog records the connections just fine):

conn %default
        ikelifetime=60m
        keylife=60m
        rekeymargin=3m
        keyingtries=1
        #vpn server
        left=[ipaddr]
        leftcert=vpnHostCert.pem
        # certificate based ID
        leftid="C=CH, O=strongSwan, CN=vpn.example.edu"
        leftsubnet=0.0.0.0/0
        #assign ip addr from this pool
        rightsourceip=[set of ip addrs]
        rightdns=[list of dns servers]

conn roadwarrior
        keyexchange=ikev2
        leftauth=pubkey
        right=%any
        rightid=%any
        rightauth=pubkey
        auto=add

I've been reading through this https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile and particularly the Certificate section. Assuming I have 10.10 and above, is this what I need to do to set up a VPN client? I can't use System Preferences/Network to create a VPN connection? I'm trying to make things as easy as possible for Mac client users, but this is making my eyes bleed. I'm not even clear on how I would send these to the client in question.
They are loaded in just from connecting via browser to a page with this info in it, or by reading an email (with what mail client?) with this in it? And then there are magical new VPN connection options that show up in AirPort afterwards? Assuming I set up some kind of web page, would this be something I could set up generally enough that I could just point all my Mac client users to it to set themselves up, assuming I sent them their personal certificates under separate cover?

Note that the first link on the strongSwan page to the Apple Configurator actually goes to some kind of business link -- perhaps https://www.apple.com/support/business-education/apple-configurator/ is what was intended? The developer link is interesting, and I assume the relevant info is at the section https://developer.apple.com/library/mac/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html#//apple_ref/doc/uid/TP40010206-CH1-SW27

Note that I don't actually care if I use IKEv1 or 2 -- if that makes a difference in easier setup... I do assume if I have anything other than Yosemite on a Mac OS X client I'm hosed? Surely there must be options for older OS X versions?

--Cindy (yes, I was trying to set up a VPN server last September, got pulled off that project to work on other things and am returning where I left off :-/ )

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
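As an added example (not from the original post or from the strongSwan project), a Python script that builds the kind of .mobileconfig the wiki page points at: an IKEv2 VPN payload using certificate authentication, bundled with the root CA and the user's PKCS#12 identity so the client trusts the server's issuer and has its own key. The identifiers, password and certificate bytes are constructed placeholders; the payload keys are those documented in Apple's Configuration Profile Reference, and the RemoteIdentifier must match a SAN of the server certificate (vpn.example.edu here), just as leftid on the server side must be an identity contained in the server certificate or strongSwan will reject the match.

```python
import plistlib
import uuid


def _payload(ptype, name, **extra):
    # Fields common to every payload in an Apple configuration profile.
    base = {
        "PayloadType": ptype,
        "PayloadVersion": 1,
        "PayloadIdentifier": "edu.example.vpn." + str(uuid.uuid4()),  # assumed reverse-DNS prefix
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
    }
    base.update(extra)
    return base


def build_ikev2_profile(server, server_san, ca_cn, client_id, client_p12, p12_password, ca_der):
    """Return a .mobileconfig (XML plist) for IKEv2 with certificate-only authentication."""
    # Root CA in DER form, so the client trusts the CA that signed the server certificate.
    ca = _payload("com.apple.security.root", ca_cn, PayloadContent=ca_der)
    # The user's own certificate and private key as PKCS#12; the VPN payload references it by UUID.
    ident = _payload("com.apple.security.pkcs12", "VPN client identity",
                     PayloadContent=client_p12, Password=p12_password)
    vpn = _payload("com.apple.vpn.managed", "Example VPN",
                   UserDefinedName="Example VPN",
                   VPNType="IKEv2",
                   IKEv2={
                       "RemoteAddress": server,
                       "RemoteIdentifier": server_san,     # must be a SAN of the server cert
                       "LocalIdentifier": client_id,       # must be contained in the client cert
                       "AuthenticationMethod": "Certificate",
                       "PayloadCertificateUUID": ident["PayloadUUID"],
                       "ExtendedAuthEnabled": 0,           # no EAP username/password round
                       "ServerCertificateIssuerCommonName": ca_cn,  # pin the expected issuer
                       "ServerCertificateCommonName": server_san,
                   })
    profile = _payload("Configuration", "Example VPN (IKEv2, certificate)",
                       PayloadContent=[ca, ident, vpn], PayloadRemovalDisallowed=False)
    return plistlib.dumps(profile)


def payloads_by_type(blob):
    """Parse a profile back and index its payloads by PayloadType, for checking what was built."""
    return {p["PayloadType"]: p for p in plistlib.loads(blob)["PayloadContent"]}


if __name__ == "__main__":
    # Constructed placeholder bytes; real input is the CA certificate in DER and the user's .p12 file.
    blob = build_ikev2_profile("vpn.example.edu", "vpn.example.edu", "strongSwan Root CA",
                               "alice@example.edu", b"<p12 bytes>", "changeit", b"<der bytes>")
    with open("example-vpn.mobileconfig", "wb") as f:
        f.write(blob)  # deliver per user (the p12 is personal); sign the profile before distributing
```

Because each profile embeds one user's private key and its password, generate one per user and deliver it the same way as the certificates themselves, rather than publishing a single copy on a shared web page.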