racoon / keychain problem


  • Subject: racoon / keychain problem
  • From: Athanasios Douitsis <email@hidden>
  • Date: Mon, 23 Jan 2012 18:51:47 +0200

Hi all,

I have set up a tunneled IPSec VPN server that accepts Hybrid RSA with extended authentication (xauth) connections to provide roaming users with access to our campus network.

Although the server certificate is signed by a trusted authority, I keep getting the following error on Mac OS X (multiple systems with SL or Lion) when trying to connect:

racoon[36420]: [36420] ERROR: unable to get local issuer certificate(20) at depth:0 SubjectName:[my server's CN]  
racoon[36420]: [36420] WARNING:
racoon[36420]: [36420] ERROR: the peer's certificate is not verified.
racoon[36420]: IKEv1 Phase1 AUTH: failed. (Initiator, Aggressive-Mode Message 2).
racoon[36420]: IKEv1 Phase1 AUTH: failed. (Initiator, Aggressive-Mode Message 2).

(To get these debug messages it was necessary to tinker with /etc/racoon/racoon.conf and syslog.conf)

The first line is a typical OpenSSL message that says that basically the server certificate cannot be validated for that reason.

I have experimented with building a temporary experimental CA and signing the server certificate, but at this point I am using a certificate signed by a real CA that is preinstalled on most popular OSs. Same negative results in both cases. Mind you, I tried to install the experimental CA certificate both in the 'login' and the 'system' chain. No effect.

What's really interesting is that iOS 5 clients can connect without problems(!). In the latest attempts it is even unnecessary to install a CA certificate for the device to trust, because the server cert is already signed by an authority that is trusted from the factory, so to speak. So iOS 5 works well, Mac OS X cannot even connect. Likewise, Windows clients with the Shrew Soft VPN client can also connect ok.

So, here comes the real question. I know that the racoon that comes with Mac OS X is slightly modified to be able to talk to the keychain. Does that include certificate validation? Is there a way to debug further?

Any ideas would be most welcome. If someone from Apple should ask that I open a case for that (assuming that I haven't done any trivial mistakes), I would be more than happy to comply.

Best Regards,
--
Athanasios Douitsis
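An added example, not part of the post above and not racoon's or Apple's code, that shows what the OpenSSL verify error 20 in the log actually means. "Unable to get local issuer certificate" at depth 0 is raised when the verifier cannot find the issuer of the peer's own certificate anywhere: not among the certificates the peer sent and not in the local trust store. One common way to hit that with a certificate from a public CA is a server that sends only its leaf certificate while the leaf is signed by an intermediate CA that the client does not have, even though the root is trusted. Go's crypto/x509 stands in for OpenSSL and the keychain here; the CA names and the host vpn.example.edu are hypothetical, and the certificates are generated in memory so the program runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues a certificate for cn. With parent == nil it is self-signed
// (a root); otherwise it is signed by parent with parentKey.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	}
	signer, signKey := tmpl, key
	if parent != nil {
		signer, signKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyChain does what the IKE initiator (racoon here) must do with the peer's
// certificate payload: leaf is the peer's own cert, extras are any additional
// certs the peer sent, trusted is the local trust store (the keychain's role).
func verifyChain(leaf *x509.Certificate, extras, trusted []*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	for _, c := range extras {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:       leaf.Subject.CommonName,
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// IsUnknownAuthority reports whether err is Go's counterpart of OpenSSL's
// X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY (20): no issuer could be found.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// RunScenarios builds the hypothetical chain Example Root CA -> Example
// Issuing CA -> vpn.example.edu and verifies the leaf under four trust setups.
func RunScenarios() (map[string]error, error) {
	root, rootKey, err := mkCert("Example Root CA", true, nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := mkCert("Example Issuing CA", true, root, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, _, err := mkCert("vpn.example.edu", false, inter, interKey)
	if err != nil {
		return nil, err
	}
	res := map[string]error{
		// Root trusted, peer sent only its own cert: the issuer (the
		// intermediate) is nowhere to be found, i.e. "unable to get local issuer".
		"leaf-only, root trusted": verifyChain(leaf, nil, []*x509.Certificate{root}),
		// Same trust store, peer also sends the intermediate: the chain builds.
		"leaf+intermediate, root trusted": verifyChain(leaf, []*x509.Certificate{inter}, []*x509.Certificate{root}),
		// Intermediate imported into the trust store instead: also builds.
		"leaf-only, intermediate trusted": verifyChain(leaf, nil, []*x509.Certificate{inter}),
		// Full chain sent but nothing trusted locally: still fails.
		"leaf+intermediate, nothing trusted": verifyChain(leaf, []*x509.Certificate{inter}, nil),
	}
	return res, nil
}

func main() {
	res, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	for name, e := range res {
		fmt.Printf("%-36s -> %v\n", name, e)
	}
}
```

The first and last scenarios are the ones that produce the depth-0 issuer error; the middle two show the two fixes a practitioner would check for, namely having the server send the full chain or importing the issuing CA into the client's trust store. Whether a given client accepts an intermediate as a trust anchor, or only self-signed roots, depends on the verifier, so the second fix is worth testing against the real client rather than assuming.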

Macnetworkprog mailing list      (email@hidden)