OPNsense Forum

English Forums => General Discussion => Topic started by: GaardenZwerch on December 19, 2019, 02:35:26 pm

Title: OS X road warrior with RSA Authentication
Post by: GaardenZwerch on December 19, 2019, 02:35:26 pm
Hi,

I would like to set up an OPNsense box as an IPsec gateway for our staff's mobile devices. Authentication happens based on the machine certificate that the workstations have since they are in our domain. The IPsec server also uses a certificate signed by our domain's CA.

Getting this to work with Windows clients is fairly easy. Now we have some OS X clients in the wild too, and I am struggling to get them to connect.

Strongswan's log gives the following:

Dec 19 12:49:01 gate charon: 02[IKE] <18> sending cert request for "DC=lux, DC=men, CN=MEN-CA"
Dec 19 12:49:01 gate charon: 02[IKE] <18> sending cert request for "DC=lux, DC=men, CN=men-IANUS-CA"
Dec 19 12:49:01 gate charon: 02[IKE] <18> sending cert request for "DC=lux, DC=men, CN=men-DC1-CA"
Dec 19 12:49:01 gate charon: 02[IKE] <18> sending cert request for "DC=lux, DC=men, CN=men-DC2-CA"
Dec 19 12:49:01 gate charon: 02[ENC] <18> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Dec 19 12:49:01 gate charon: 02[NET] <18> sending packet: from 123.123.123.20[500] to 321.321.321.3[500] (561 bytes)
Dec 19 12:49:01 gate charon: 02[NET] <18> received packet: from 321.321.321.3[4500] to 123.123.123.20[4500] (512 bytes)
Dec 19 12:49:01 gate charon: 02[ENC] <18> unknown attribute type INTERNAL_DNS_DOMAIN
Dec 19 12:49:01 gate charon: 02[ENC] <18> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Dec 19 12:49:01 gate charon: 02[CFG] <18> looking for peer configs matching 123.123.123.20[gate.exampla.com]...321.321.321.3[CGIE]
Dec 19 12:49:01 gate charon: 02[CFG] <18> no matching peer config found
Dec 19 12:49:01 gate charon: 02[IKE] <18> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Dec 19 12:49:01 gate charon: 02[IKE] <18> peer supports MOBIKE
Dec 19 12:49:01 gate charon: 02[ENC] <18> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]


The gateway's FQDN and its IP are in the certificate. The domain's CA is known and trusted on the OS X client.

What can I try next?

Thanks,

Frank
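
A defender-side triage helper for the charon lines quoted above, added here as an example and not part of the original post, of strongSwan or of OPNsense: it groups lines by IKE_SA number and, wherever charon logged "no matching peer config found", reports the local and remote identities that were offered in IKE_AUTH (here `gate.exampla.com` and `CGIE`), so the identity the client actually sends can be compared with the remote identifier the gateway is configured to accept. The sample log is a constructed abbreviation of the lines in the post, and the function name `triage_charon` is my own.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample: an abbreviation of the charon lines quoted in the post.
SAMPLE_LOG = """\
Dec 19 12:49:01 gate charon: 02[ENC] <18> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Dec 19 12:49:01 gate charon: 02[CFG] <18> looking for peer configs matching 123.123.123.20[gate.exampla.com]...321.321.321.3[CGIE]
Dec 19 12:49:01 gate charon: 02[CFG] <18> no matching peer config found
Dec 19 12:49:01 gate charon: 02[ENC] <18> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

# "charon: 02[CFG] <18> message" -> subsystem, IKE_SA number, message text
LINE_RE = re.compile(r"charon: \d+\[(?P<sub>\w+)\] <(?P<sa>\d+)> (?P<msg>.*)$")
# "looking for peer configs matching LADDR[IDr]...RADDR[IDi]"
PEER_RE = re.compile(
    r"looking for peer configs matching "
    r"(?P<laddr>[^\s\[]+)\[(?P<lid>[^\]]*)\]\.\.\.(?P<raddr>[^\s\[]+)\[(?P<rid>[^\]]*)\]"
)


def triage_charon(log: str) -> List[Dict[str, object]]:
    """Return one finding per IKE_SA whose offered identities matched no peer config."""
    sas: Dict[str, Dict[str, object]] = defaultdict(dict)
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a charon line we understand
        sa, msg = m.group("sa"), m.group("msg")
        p = PEER_RE.search(msg)
        if p:
            sas[sa].update(local_id=p["lid"], remote_addr=p["raddr"], remote_id=p["rid"])
        elif "no matching peer config found" in msg:
            sas[sa]["no_config"] = True
        elif "N(AUTH_FAILED)" in msg:
            sas[sa]["auth_failed"] = True
    findings = []
    for sa, info in sas.items():
        if info.get("no_config"):
            findings.append({
                "ike_sa": sa,
                "remote_addr": info.get("remote_addr"),
                "remote_id": info.get("remote_id"),     # IDi the client sent
                "local_id": info.get("local_id"),       # IDr the client asked for
                "auth_failed": bool(info.get("auth_failed", False)),
                "hint": "no peer config accepted this IDr/IDi pair; compare remote_id with "
                        "the remote identifier (and certificate subject/SAN) the gateway expects",
            })
    return findings
```

Run it over a larger `/var/log/ipsec.log` excerpt to list every SA that failed for this reason, rather than reading the log by hand.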
Title: Re: OS X road warrior with RSA Authentication
Post by: GaardenZwerch on January 07, 2020, 09:37:37 am
*bump* (Happy New Year, everybody)