<div dir="ltr">Hi,<div><br></div><div>I am trying to make a connection from an iPad using ikev2 and am getting an error "no trusted RSA public key found for '1-ios-test1-ikev2' when strongswan tries to authenticate the cert. I cannot figure why I get this error. The same works with Ikev1. Can someone please help?</div><div><br></div><div>I have followed the instructions here- <a href="https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile">https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile</a> and <a href="https://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)#Certificate-requirements-for-iOS-interoperability">https://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)#Certificate-requirements-for-iOS-interoperability</a>.</div><div><br></div><div>My connection definition in strongswan is </div><div><div>conn iOSDeviceXauth</div><div>        authby=rsasig</div><div>        left=10.99.102.225</div><div>        leftsubnet=<a href="http://0.0.0.0/0">0.0.0.0/0</a></div><div>        leftcert=strongswan.crt</div><div>        right=%any</div><div>        rightsourceip=<a href="http://192.168.1.0/24">192.168.1.0/24</a></div><div>        auto=add</div><div>        keyexchange=ikev2<br></div><div>        leftupdown=updown.sh</div><div>        dpddelay=10</div><div>        dpdtimeout=30</div><div>        dpdaction=clear</div><div>        fragmentation=yes</div><div>        leftsendcert=always</div></div><div><br></div><div>The client and server cert are from the same root CA. the root CA is copied to /etc/ipsec.d/cacerts directory, the private key for the server cert is mentioned in the secrets file. The client cert and key are NOT copied to the VPN gateway. But the client cert is signed by the root CA on the VPN gateway.</div><div><br></div><div>The client cert installed on the ipad has the followign subject </div><div>                 Subject: CN=1-ios-test1-ikev2<br></div><div>and Subject Alt name</div><div><div>                  X509v3 Subject Alternative Name: </div><div>                               DirName:/CN=1-ios-test1-ikev2/OU=CF-CAL/O=120</div></div><div><br></div><div><br></div><div>The profile installed on the phone has the following </div><div><div> <span style="white-space:pre"><key>PayloadCertificateUUID</key>
        <string>eba13c23-dc37-4012-b557-be9881c87f93</string>
        <key>RemoteAddress</key>
        <string>10.99.102.225</string>
        <key>LocalIdentifier</key>
        <string>1-ios-test1-ikev2</string>
        <key>RemoteIdentifier</key>
        <string>10.99.102.225</string>
        <key>AuthenticationMethod</key>
        <string>Certificate</string>
        <key>ExtendedAuthEnabled</key>
        <integer>0</integer>
        </dict>
        <key>VPNType</key>
        <string>IKEv2</string>
        <key>PayloadType</key>
        <string>com.apple.vpn.managed</string>
        </dict>
<br></span></div></div><div><br></div><div>What am I missing? Any help will be greatly appreciated.</div><div><br></div><div>regards,</div><div>sk</div></div>