<div dir="ltr">Hi Tobias,<div><br></div><div>I am sorry for cross posting in dev group.</div><div>I found that it was a problem with version 5.1.3 of strongswan. The same setup worked with 5.3.0 of strongswan. I have verified this twice, moving up and down in strongswan versions. I have the LocalIdentifier in the CN part of the SAN. The iOS device still sends the ID as FQDN.</div><div><br></div><div>Since we use strongswan 5.1.3 (with patches), I have to figure the changes that allow version 5.3.0 to work and bring them into 5.1.3 if possible.</div><div><br></div><div>regards,</div><div>sk</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Nov 18, 2015 at 2:23 AM, Tobias Brunner <span dir="ltr"><<a href="mailto:tobias@strongswan.org" target="_blank">tobias@strongswan.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<br>
Could you please not cross-post your emails to the users and dev mailing<br>
lists. This is clearly a configuration issue that has nothing to do<br>
with strongSwan's development.<br>
<span class=""><br>
> The client cert installed on the iPad has the following subject<br>
> Subject: CN=1-ios-test1-ikev2<br>
> and Subject Alt name<br>
> X509v3 Subject Alternative Name:<br>
> DirName:/CN=1-ios-test1-ikev2/OU=CF-CAL/O=120<br>
<br>
</span>You have to add a SAN of DNS:1-ios-test1-ikev2 to your client<br>
certificate as the client configured with<br>
<span class=""><br>
> <key>LocalIdentifier</key><br>
> <string>1-ios-test1-ikev2</string><br>
<br>
</span>will send an identity of type FQDN with the value `1-ios-test1-ikev2`.<br>
AFAIK it's still not possible to configure a DN in the client profile so<br>
you have to add this as SAN to your certificate.<br>
<br>
Regards,<br>
Tobias<br>
<br>
</blockquote></div><br></div>
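<div>Added example, not part of the original thread and not strongSwan's code: a simplified model of the rule in Tobias's reply, checking whether an FQDN identity is backed by a DNS subjectAltName in the SAN line printed by <code>openssl x509 -noout -text</code>. The function names and the sample SAN strings are constructed from the values quoted above.</div>

```python
import re

# IKE identity type -> SAN label used in `openssl x509 -noout -text` output.
SAN_LABEL = {"fqdn": "DNS", "rfc822": "email", "ipv4": "IP Address"}
_KNOWN = r"(?:DNS|email|IP Address|DirName|URI|othername|Registered ID)"


def parse_san(line):
    """Split one SAN line into (label, value) pairs.

    Entries are split only where a known label follows, because a DirName
    value may itself contain commas in newer OpenSSL output.
    """
    parts = re.split(r",\s*(?=" + _KNOWN + r":)", line.strip())
    return [tuple(p.split(":", 1)) for p in parts if ":" in p]


def identity_confirmed(id_type, id_value, san_line):
    """True if the certificate has a SAN of the matching type and value.

    Assumption (simplified model of the advice in the thread): a CN inside
    a DirName SAN is not consulted for an FQDN identity; only a DNS entry
    counts. Names are compared case-insensitively.
    """
    label = SAN_LABEL[id_type]
    return any(k == label and v.lower() == id_value.lower()
               for k, v in parse_san(san_line))


# Constructed inputs based on the values quoted in the thread.
ORIGINAL_SAN = "DirName:/CN=1-ios-test1-ikev2/OU=CF-CAL/O=120"
FIXED_SAN = "DNS:1-ios-test1-ikev2, " + ORIGINAL_SAN

if __name__ == "__main__":
    for name, san in (("original", ORIGINAL_SAN), ("with DNS SAN", FIXED_SAN)):
        ok = identity_confirmed("fqdn", "1-ios-test1-ikev2", san)
        print(f"{name}: {'match' if ok else 'no match'} -> {parse_san(san)}")
```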