<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">OK thank you, tried <b class="">leftsendcert=always</b> but same problem. I have not installed the cert on the clients. Is that necessary? I use username/password authentication of the clients and the clients don’t care about the server certificate.<div class=""><br class=""></div><div class=""><br class=""><div class=""><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Mar 16, 2017, at 3:40 PM, Tobias Brunner &lt;<a href="mailto:tobias@strongswan.org" class="">tobias@strongswan.org</a>&gt; wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="">Hi Klaus,<br class=""><br class=""><blockquote type="cite" class="">What is missing to make it work?<br class=""></blockquote><br class="">As documented on [1], try adding `leftsendcert=always`.  If that doesn't<br class="">work, the CA certificate is probably not installed (or trusted) on the<br class="">clients.<br class=""><br class="">Regards,<br class="">Tobias<br class=""><br class="">[1] <a href="https://wiki.strongswan.org/projects/strongswan/wiki/AppleClients" class="">https://wiki.strongswan.org/projects/strongswan/wiki/AppleClients</a><br class=""><br class=""></div></div></blockquote></div><br class=""></div></div></div></body></html>