Few things are more of a pain in the ass to get working than IPSec, and the built-in Mac client is no exception. As such I decided to jot down some contemporaneous notes so I didn't forget how much of a pain in the ass it was.
First off, in the networking control panel, authentication by Certificate actually means auth = eap-tls in Strongswan. If you want ordinary pubkey authentication, you select authentication None, and then put your certificate in there. I know, it makes no sense to call an X.509 certificate "not authentication", but that's where it goes. Also—and this is the part that kept me up until 4am—you need something in the preshared key field (can be foo, doesn't matter) even if the radio button is set to the certificate. If you don't do this, the Strongswan side will be happy and complete the connection but on the Mac side you will get hours of "unknown error".
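To make those two mappings concrete, here is an added swanctl.conf fragment (my example, not from the original post) with the Strongswan side of both setups: one connection for a Mac set to Certificate (which arrives as EAP-TLS) and one for a Mac set to None plus a certificate (which arrives as plain IKEv2 public-key authentication). Connection names, certificate file names, identities and the address pool are placeholders I chose; the server certificate's id is assumed to match whatever Remote ID is typed on the Mac. Note that in the pubkey case Strongswan never looks at an IKE preshared key, so the throwaway value the Mac demands in its shared-secret field needs no counterpart in swanctl's secrets.

```conf
# Added example swanctl.conf fragment; not from the original post.
# Connection names, cert file names, ids and the pool are placeholders.
connections {

    # Mac: Authentication = Certificate  ->  Strongswan sees EAP-TLS.
    mac-eap-tls {
        version = 2
        local_addrs = %any
        remote_addrs = %any
        pools = mac-pool
        local {
            auth = pubkey
            certs = vpn-server.pem      # server certificate (placeholder name)
            id = vpn.example.com        # assumed to equal the Remote ID on the Mac
        }
        remote {
            auth = eap-tls              # client cert is carried inside EAP, not in IKE_AUTH itself
            eap_id = %any
        }
        children {
            mac-eap-tls {
                local_ts = 0.0.0.0/0
            }
        }
    }

    # Mac: Authentication = None, certificate chosen underneath
    # -> ordinary IKEv2 pubkey authentication. No PSK is consulted here,
    #    even though the Mac insists on something in its shared-secret field.
    mac-pubkey {
        version = 2
        local_addrs = %any
        remote_addrs = %any
        pools = mac-pool
        local {
            auth = pubkey
            certs = vpn-server.pem
            id = vpn.example.com
        }
        remote {
            auth = pubkey
            cacerts = client-ca.pem     # CA that issued the Mac's client certificate (placeholder)
        }
        children {
            mac-pubkey {
                local_ts = 0.0.0.0/0
            }
        }
    }
}

pools {
    mac-pool {
        addrs = 10.99.0.0/24            # placeholder client address range
    }
}
```

Both connections share the server-side identity and certificate; only the remote section differs, which is exactly the distinction the Mac control panel hides behind "Certificate" versus "None".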
Okay, now the certificates themselves: probably the most