<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Tahoma
}
--></style>
</head>
<body class='hmmessage'>
Lars,<br>
<br>
I went ahead and recreated the certificates based on your recommendations, altNames and flags are set correctly. Still same error.<br><br>Then I upgraded to 4.5.1. It starts up fine on rc4 but exact same issue.<br><br>Any other advice?<br><br>Thanks for all the help.<br><br>Hafeez<br><br><br>> Date: Thu, 9 Jun 2011 18:41:33 -0400<br>> From: lars@hjersted.com<br>> To: hafeezr@hotmail.com<br>> CC: users@lists.strongswan.org<br>> Subject: RE: [strongSwan] Apple cisco connect issue<br>> <br>> <br>> > Lars,<br>> > <br>> > Error on iphone is "Could not validate the server certificate"<br>> > <br>> > I have made sure domain name in the server field matches the domain in the server certificate it is connecting.<br>> > <br>> > So what else I can do. I really don't want to touch the router to upgrade to rc5. It is very stable as it is.<br>> > <br>> > I tried to compile 4.5 for rc4 no luck there either.<br>> > <br>> > Thanks,<br>> > Hafeez<br>> > <br>> <br>> Hafeez,<br>> <br>> I do not think you need to upgrade strongSwan for this to work, however it <br>> is possible that the strongSwan 4.5.1 packages from RC5 will work on RC4.<br>> <br>> On my server certificate I have the domain name as the subjectAltName and <br>> I also have the "serverAuth" extendedKeyUsage flag set. Here is an example <br>> using the strongSwan PKI tool:<br>> <br>> ipsec pki --pub --in serverKey.pem | ipsec pki --issue -cacert caCert.pem --cakey caKey.pem \<br>> --dn "C=MY, O=My Organization, CN=server" --san myvpn.mydomain.com --flag serverAuth \<br>> --outform pem > serverCert.pem<br>> <br>> You can verify your server certificate with:<br>> <br>> ipsec pki --print -i /etc/ipsec.d/certs/serverCert.pem<br>> ...<br>> altNames: myvpn.mydomain.com<br>> flags: serverAuth<br>> ...<br>> <br>> <br>> -Lars<br> </body>
</html>