<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Dear Community,<div class=""><br class=""></div><div class="">I’m currently having issues configuring an IPsec VPN with IKEv2 support. I used "Apple Configurator 2" to create a phone profile which includes the certificates. When I try to connect to the server I get the following error message:</div><div class=""><br class=""></div><div class="">…</div><div class=""><div class="" style="margin: 0px; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);"><span class="" style="font-variant-ligatures: no-common-ligatures;"><div class="" style="margin: 0px; line-height: normal;"><span class="" style="font-variant-ligatures: no-common-ligatures;">Jul 11 12:05:51 delogin charon[6353]: 04[CFG] certificate status is not available</span></div><div class="" style="margin: 0px; line-height: normal;"><span class="" style="font-variant-ligatures: no-common-ligatures;">Jul 11 12:05:51 delogin charon[6353]: 04[CFG] certificate "C=DE, O=Marcap, CN=strongSwan Root CA" key: 4096 bit RSA</span></div><div class="" style="margin: 0px; line-height: normal;"><span class="" style="font-variant-ligatures: no-common-ligatures;">Jul 11 12:05:51 delogin charon[6353]: 04[CFG] reached self-signed root ca with a path length of 0</span></div><div class="" style="margin: 0px; line-height: normal;"><span class="" style="font-variant-ligatures: no-common-ligatures;">Jul 11 12:05:51 delogin charon[6353]: 04[CFG] using trusted certificate "C=DE, O=Marcap, CN=home.marcap.de"</span></div></span></div><div class="" style="margin: 0px; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);"><span class="" style="font-variant-ligatures: no-common-ligatures;"><font color="#ff2600" class="">Jul 11 12:05:51 delogin charon[6353]: 04[IKE] signature validation failed, looking for another key</font></span></div></div><div class="">…</div><div class=""><br class=""></div><div class="">Even though it finds the certificates. I used the following how-to to configure the server: <a href="https://raymii.org/s/tutorials/IPSEC_vpn_with_Ubuntu_16.04.html" class="">https://raymii.org/s/tutorials/IPSEC_vpn_with_Ubuntu_16.04.html</a>, with the exception that I’m using a server at home, but the router has port forwarding enabled and a static route set. I think that’s not the problem; otherwise the communication with the server wouldn’t work at all.</div><div class=""><br class=""></div><div class="">Someone else describes a similar issue here: <a href="https://discussions.apple.com/thread/7890497?start=0&tstart=0" class="">https://discussions.apple.com/thread/7890497?start=0&tstart=0</a></div><div class=""><br class=""></div><div class="">I used the following commands according to the how-to in order to generate the certificates:</div><div class="">---------------</div><div class=""><div class="" style="margin: 0px; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);"><span class="" style="font-variant-ligatures: no-common-ligatures;">#server certs</span></div><div class="" style="margin: 0px; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);"><span class="" style="font-variant-ligatures: no-common-ligatures;"><br class=""></span></div><div class="" style="margin: 0px; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);"><span class="" style="font-variant-ligatures: no-common-ligatures;">ipsec pki --gen --type rsa --size 4096 --outform der > private/strongswanKey.der</span></div><div class="" style="margin: 0px; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);"><span class="" style="font-variant-ligatures: no-common-ligatures;">ipsec pki --self --ca 
--lifetime 3650 --in private/strongswanKey.der --type rsa --dn "C=DE, O=Marcap, CN=strongSwan Root CA" --outform der > cacerts/strongswanCert.der</span></div><div class="" style="margin: 0px; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);"><span class="" style="font-variant-ligatures: no-common-ligatures;">ipsec pki --gen --type rsa --size 4096 --outform der > private/vpnHostKey.der</span></div><div class="" style="margin: 0px; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255); min-height: 13px;"><span class="" style="font-variant-ligatures: no-common-ligatures;"></span><br class=""></div><div class="" style="margin: 0px; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);"><span class="" style="font-variant-ligatures: no-common-ligatures;">ipsec pki --pub --in private/vpnHostKey.der --type rsa | ipsec pki --issue --lifetime 730 --cacert cacerts/strongswanCert.der --cakey private/strongswanKey.der --dn "C=DE, O=Marcap, CN=home.marcap.de" --san home.marcap.de --san 192.168.1.22 --san @192.168.1.22 --flag serverAuth --flag ikeIntermediate --outform der > certs/vpnHostCert.der</span></div><div class="" style="margin: 0px; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255); min-height: 13px;"><br class=""><span class="" style="font-variant-ligatures: no-common-ligatures;"></span></div><div class="" style="margin: 0px; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);"><span class="" style="font-variant-ligatures: no-common-ligatures;">#client certs</span></div><div class="" style="margin: 0px; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255); min-height: 13px;"><span class="" style="font-variant-ligatures: no-common-ligatures;"></span><br class=""></div><div class="" style="margin: 0px; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);"><span class="" style="font-variant-ligatures: no-common-ligatures;">ipsec pki --gen --type rsa --size 2048 --outform der > private/markusPhoneKey.der</span></div><div class="" style="margin: 0px; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);"><br class=""></div><div class="" style="margin: 0px; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);"><span class="" style="font-variant-ligatures: no-common-ligatures;">ipsec pki --pub --in private/markusPhoneKey.der --type rsa | ipsec pki --issue --lifetime 730 --cacert cacerts/strongswanCert.der --cakey private/strongswanKey.der --dn "C=DE, O=Marcap, CN=markus@marcap.de" --san "markus@marcap.de" --san "markus@192.168.1.22" --outform der > certs/markusPhoneCert.der</span></div><div class="" style="margin: 0px; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255); min-height: 13px;"><span class="" style="font-variant-ligatures: no-common-ligatures;"></span><br class=""></div><div class="" style="margin: 0px; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);"><span class="" style="font-variant-ligatures: no-common-ligatures;">#convert and bundle to p12</span></div><div class="" style="margin: 0px; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);"><span class="" style="font-variant-ligatures: no-common-ligatures;"><br class=""></span></div><div class="" style="margin: 0px; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);"><span 
class="" style="font-variant-ligatures: no-common-ligatures;">openssl rsa -inform DER -in private/markusPhoneKey.der -out private/markusPhoneKey.pem -outform PEM</span></div><div class="" style="margin: 0px; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);"><span class="" style="font-variant-ligatures: no-common-ligatures;">openssl x509 -inform DER -in certs/markusPhoneCert.der -out certs/markusPhoneCert.pem -outform PEM</span></div><div class="" style="margin: 0px; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);"><span class="" style="font-variant-ligatures: no-common-ligatures;">openssl x509 -inform DER -in cacerts/strongswanCert.der -out cacerts/strongswanCert.pem -outform PEM</span></div><div class="" style="margin: 0px; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);"><span class="" style="font-variant-ligatures: no-common-ligatures;"><br class=""></span></div><div class="" style="margin: 0px; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);"><span class="" style="font-variant-ligatures: no-common-ligatures;">openssl pkcs12 -export -inkey private/markusPhoneKey.pem -in certs/markusPhoneCert.pem -name "Markus's Phone VPN Certificate" -certfile cacerts/strongswanCert.pem -caname "strongSwan Root CA" -out p12/markusPhone.p12</span></div></div><div class="">———————</div><div class=""><br class=""></div><div class="">This is what I configured in the VPN profile for the iPhone (screenshots externally hosted). 
The phone profile includes the above .p12 file and <span class="" style="font-family: Menlo; font-size: 11px; background-color: rgb(255, 255, 255);">cacerts/strongswanCert.der:</span></div><div class=""><br class=""></div><div class=""><a href="http://up.picr.de/29749790jy.png" class="">http://up.picr.de/29749790jy.png</a></div><div class=""><a href="http://up.picr.de/29749788ue.png" class="">http://up.picr.de/29749788ue.png</a></div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">I would love to feed back the solution to the referenced websites because I’m sure others struggle with that as well.</div><div class="">Any hints on what could go wrong are highly appreciated!</div><div class=""><br class=""></div><div class="">Thanks in advance for helping,</div><div class="">Markus</div></body></html>
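As an added example that is not part of Markus's mail, a small POSIX shell check for the three things the charon log lines above are about: that the leaf certificate chains to the root CA, that the private key in the bundle really belongs to that certificate (a mismatched pair is one way to end up with "signature validation failed" on the peer), and that the certificate's subjectAltName carries the identity the peer presents. It assumes openssl is installed and that key, leaf cert and CA cert are the PEM files produced by the openssl conversion commands in the mail; make_test_pki is a hypothetical helper that builds a throwaway CA and host cert with the same serverAuth/ikeIntermediate EKU so the check can be exercised offline.

```shell
#!/bin/sh
# Added example (not the original poster's code). Requires openssl.
# check_vpn_cert KEY.pem CERT.pem CA.pem SAN
# Returns 0 only if CERT chains to CA, KEY is CERT's private key, and
# CERT's subjectAltName contains SAN (e.g. "DNS:host" or "email:user@host").
check_vpn_cert() {
    key="$1"; cert="$2"; ca="$3"; want_san="$4"
    # 1. Chain: the walk charon logs as "reached self-signed root ca".
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "chain: $cert does not verify against $ca"; return 1; }
    # 2. Pairing: compare the SubjectPublicKeyInfo derived from the private
    #    key with the one embedded in the certificate.
    pub_from_key=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
        || { echo "key: cannot read $key"; return 1; }
    pub_from_cert=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
        || { echo "cert: cannot read $cert"; return 1; }
    [ "$pub_from_key" = "$pub_from_cert" ] \
        || { echo "key: $key does not belong to $cert"; return 1; }
    # 3. Identity: the SAN must carry the ID the peer sends in IKE_AUTH.
    openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null \
        | grep -q "$want_san" \
        || { echo "san: $want_san not in $cert"; return 1; }
    echo "ok: $cert"
}

# make_test_pki DIR: hypothetical helper (constructed test data, not real
# material). Builds a throwaway root CA, a host cert with the serverAuth and
# ikeIntermediate (OID 1.3.6.1.5.5.8.2.2) EKU that the mail's --flag options
# request, and an unrelated key for a negative check.
make_test_pki() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$d/ca.key" \
        -out "$d/ca.pem" -subj "/C=XX/O=Example/CN=Example Root CA" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout "$d/host.key" -out "$d/host.csr" \
        -subj "/C=XX/O=Example/CN=vpn.example.invalid" >/dev/null 2>&1
    printf 'subjectAltName=DNS:vpn.example.invalid\n' > "$d/host.ext"
    printf 'extendedKeyUsage=serverAuth,1.3.6.1.5.5.8.2.2\n' >> "$d/host.ext"
    openssl x509 -req -days 1 -in "$d/host.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -extfile "$d/host.ext" -out "$d/host.pem" >/dev/null 2>&1
    openssl genpkey -algorithm RSA -out "$d/other.key" >/dev/null 2>&1
}

# Usage: ./check_vpn_cert.sh KEY.pem CERT.pem CA.pem 'email:user@host'
if [ "$#" -eq 4 ]; then check_vpn_cert "$@"; fi
```

Run it against the converted PEM files from the mail (the phone key and cert plus strongswanCert.pem) with the SAN the phone is configured to present, and separately against the server key and cert with the server's DNS name.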