Forgot to mention that I know the problem is here:

ca_x509_subjectaltname: FQDN/server.obsd57.com
ca_x509_subjectaltname_cmp: FQDN/server.obsd57.com mismatched
ca_validate_cert: /C=CA/ST=Ontario/L=Toronto/O=stark/OU=ITOPS/CN=client-number-1/emailAddress=[email protected] invalid subjectAltName extension

Just don't know how to fix this.

Thanks,
dot.yet

On Sun, Jan 31, 2016 at 1:12 AM Dot Yet <[email protected]> wrote:
> Hello,
>
> I am trying to set up an IKEv2 roadwarrior-based VPN. I have the client
> functional in Windows 7 using the native client. I am trying to get the
> same functional on OSX, but am facing problems.
>
> The authentication is being done using certificates. I used ikectl to
> generate the CA, the server's certificate as well as a client certificate.
> I used the ikectl export option to generate the zip file containing the CA
> and client p12 files.
>
> I am using Apple Configurator 2, from the App Store, to create the profile
> file. The profile contains the two certificates as well as the IKEv2
> configuration. Starting the VPN client, I see the following in the
> server-side logs:
>
> OSX 10.11.3 Unsuccessful Connection Log entry:
> sa_stateok: VALID flags 0x18, require 0x1f cert,certvalid,auth,authvalid,sa
> sa_state: cannot switch: AUTH_SUCCESS -> VALID
> config_free_proposals: free 0x71d6d207180
> ca_setauth: auth length 256
> ca_x509_subjectaltname: FQDN/server.obsd57.com
> ca_x509_subjectaltname_cmp: FQDN/server.obsd57.com mismatched
> ca_validate_cert: /C=CA/ST=Ontario/L=Toronto/O=stark/OU=ITOPS/CN=client-number-1/emailAddress=[email protected] invalid subjectAltName extension
> ikev2_getimsgdata: imsg 23 rspi 0xf9048b97fef10e03 ispi 0xa01ca6865f9c0754 initiator 0 sa valid type 1 data length 256
> ikev2_dispatch_cert: AUTH type 1 len 256
> sa_stateflags: 0x18 -> 0x1c auth,authvalid,sa (required 0x1f cert,certvalid,auth,authvalid,sa)
> sa_stateok: VALID flags 0x1c, require 0x1f cert,certvalid,auth,authvalid,sa
> sa_state: cannot switch: AUTH_SUCCESS -> VALID
> ikev2_dispatch_cert: peer certificate is invalid
> sa_stateok: VALID flags 0x1c, require 0x1f cert,certvalid,auth,authvalid,sa
> sa_state: cannot switch: AUTH_SUCCESS -> VALID
>
> Compared to a successful connection in Windows 7:
>
> Windows Successful Connection Log entry:
> sa_stateok: VALID flags 0x18, require 0x1f cert,certvalid,auth,authvalid,sa
> sa_state: cannot switch: AUTH_SUCCESS -> VALID
> config_free_proposals: free 0x71d9dda6e00
> ca_getreq: found CA /C=CA/ST=Ontario/L=Toronto/O=stark/OU=ITOPS/CN=obsd57/emailAddress=[email protected]
> ca_x509_subjectaltname: FQDN/server.obsd57.com
> ca_getreq: found local certificate /C=CA/ST=Ontario/L=Toronto/O=stark/OU=ITOPS/CN=server.obsd57.com/[email protected]
> ca_setauth: auth length 256
> ca_validate_cert: /C=CA/ST=Ontario/L=Toronto/O=stark/OU=ITOPS/CN=client-number-1/emailAddress=[email protected] ok
> ikev2_getimsgdata: imsg 18 rspi 0xd4cd1307801a4461 ispi 0x0e3d4164b4884c93 initiator 0 sa valid type 4 data length 1011
> ikev2_dispatch_cert: cert type X509_CERT length 1011, ok
> sa_stateflags: 0x18 -> 0x19 cert,authvalid,sa (required 0x1f cert,certvalid,auth,authvalid,sa)
> sa_stateok: VALID flags 0x19, require 0x1f cert,certvalid,auth,authvalid,sa
> sa_state: cannot switch: AUTH_SUCCESS -> VALID
>
> Inside the /etc/ssl/x509v3.cnf file, my CERTFQDN has the value
> server.obsd57.com
>
> In the Apple Configurator profile, I have the following:
>
> Remote Identifier: server.obsd57.com
> Local Identifier: client-number-1
>
> I've tried populating the following fields, but neither of them helps:
> Server Certificate Issuer Common Name: obsd57 (That's the CN for my CA)
> Server Certificate Common Name: server.obsd57.com (That's the CN for my
> server certificate)
>
> Not sure where to go from here. Can you help point me in the right
> direction on what may be wrong here?
>
> Thanks,
> dot.yet
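The failing line in the log above, "invalid subjectAltName extension", comes from the branch of iked's peer-certificate check that runs when the peer's IKEv2 identity is not an X.500 DN: the identity is then compared, type and value, against the certificate's subjectAltName rather than its subject. The model below is an added example written for this page, not iked's own code (iked does this in ca.c on the DER-encoded certificate) and not something the poster supplied. The certificate contents are constructed from the DNs and SAN values printed in the thread; that the OS X client sends its "Local Identifier" as an FQDN-type ID and that the Windows client sends its certificate subject as a DN-type ID are assumptions used to reproduce the two log outcomes, and the "fixed" client certificate (SAN equal to the identifier the client sends) is hypothetical.

```python
"""Simplified model of iked's ca_validate_cert() identity check (added example).

Not iked's code. The rule modelled: an IKEv2 ID of type DER_ASN1_DN is compared
against the certificate subject; FQDN / RFC822 (UFQDN) / IPv4 / IPv6 IDs are
compared against the certificate's subjectAltName entries, byte for byte.
All certificate data below is constructed from the posted log lines.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# IKEv2 identification payload types (RFC 7296, section 3.5)
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_RFC822_ADDR = 3      # iked prints this type as UFQDN
ID_IPV6_ADDR = 5
ID_DER_ASN1_DN = 9

_SAN_ID_TYPES = (ID_IPV4_ADDR, ID_FQDN, ID_RFC822_ADDR, ID_IPV6_ADDR)
_TYPE_NAMES = {ID_IPV4_ADDR: "IPV4", ID_FQDN: "FQDN", ID_RFC822_ADDR: "UFQDN",
               ID_IPV6_ADDR: "IPV6", ID_DER_ASN1_DN: "ASN1_DN"}


@dataclass
class Identity:
    """One IKEv2 ID payload, or one subjectAltName entry mapped onto an ID type."""
    id_type: int
    value: str

    def __str__(self) -> str:
        return f"{_TYPE_NAMES.get(self.id_type, '?')}/{self.value}"


@dataclass
class Cert:
    subject: str                            # DN as iked prints it ("/C=..../CN=...")
    san: List[Identity] = field(default_factory=list)


def _norm_dn(dn: str) -> str:
    """Trim whitespace around RDNs; real iked compares DER bytes, not strings."""
    return "/".join(part.strip() for part in dn.split("/"))


def subjectaltname_cmp(cert: Cert, peer_id: Identity) -> bool:
    """True if a SAN entry has the same ID type and exactly the same value."""
    return any(san.id_type == peer_id.id_type and san.value == peer_id.value
               for san in cert.san)


def validate_cert(cert: Cert, peer_id: Identity) -> Tuple[bool, str]:
    """Return (ok, message) mirroring the strings seen in the posted log."""
    if peer_id.id_type == ID_DER_ASN1_DN:
        if _norm_dn(cert.subject) != _norm_dn(peer_id.value):
            return False, "ASN1_DN identifier mismatch"
        return True, "ok"
    if peer_id.id_type in _SAN_ID_TYPES:
        if subjectaltname_cmp(cert, peer_id):
            return True, "ok"
        return False, "invalid subjectAltName extension"
    return False, "unsupported ID type"


# --- constructed data, taken from the DNs/SANs printed in the thread ---------
# The e-mail address is redacted on the page and is kept as-is here.
CLIENT_SUBJECT = ("/C=CA/ST=Ontario/L=Toronto/O=stark/OU=ITOPS/CN=client-number-1"
                  "/emailAddress=[email protected]")

# Client certificate as the log shows it: CN=client-number-1 but
# SAN FQDN/server.obsd57.com (the CERTFQDN value from x509v3.cnf).
client_cert_as_issued = Cert(CLIENT_SUBJECT, [Identity(ID_FQDN, "server.obsd57.com")])

# Hypothetical fix: same subject, SAN equal to the identifier the client sends.
client_cert_fixed = Cert(CLIENT_SUBJECT, [Identity(ID_FQDN, "client-number-1")])

# Assumed peer IDs: OS X sends its Local Identifier as an FQDN-type ID;
# Windows sends its certificate subject as a DN-type ID.
osx_peer_id = Identity(ID_FQDN, "client-number-1")
windows_peer_id = Identity(ID_DER_ASN1_DN, CLIENT_SUBJECT)


def explain(cert: Cert, peer_id: Identity) -> List[str]:
    """Log-style lines in the spirit of the posted iked output."""
    lines = [f"ca_x509_subjectaltname: {san}" for san in cert.san]
    ok, msg = validate_cert(cert, peer_id)
    if peer_id.id_type in _SAN_ID_TYPES and not ok:
        lines += [f"ca_x509_subjectaltname_cmp: {san} mismatched" for san in cert.san]
    lines.append(f"ca_validate_cert: {cert.subject} {msg}")
    return lines


if __name__ == "__main__":
    for label, cert, pid in (("OS X, cert as issued", client_cert_as_issued, osx_peer_id),
                             ("Windows, cert as issued", client_cert_as_issued, windows_peer_id),
                             ("OS X, SAN = local identifier", client_cert_fixed, osx_peer_id)):
        print(f"== {label} (peer ID {pid})")
        print("\n".join(explain(cert, pid)))
```

The first case reproduces the posted failure (SAN FQDN/server.obsd57.com against ID FQDN/client-number-1), the second reproduces the Windows "ok" (a DN-type ID is checked against the subject, so the SAN is never consulted), and the third shows the SAN comparison succeeding once the SAN carries the same value and type as the ID the client sends. To see what SAN a real client certificate carries, `openssl x509 -noout -text -in <client cert>` prints it under "X509v3 Subject Alternative Name"; note that the comparison modelled here is exact, so a DNS-type SAN will not satisfy an e-mail-type ID even with identical text.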

