[strongSwan] Apple cisco connect issue
Lars Hjersted
lars at hjersted.com
Fri Jun 10 00:41:33 CEST 2011
> Lars,
>
> Error on iphone is "Could not validate the server certificate"
>
> I have made sure the domain name in the server field matches the domain in the server certificate it is connecting to.
>
> So what else can I do? I really don't want to touch the router to upgrade to rc5. It is very stable as it is.
>
> I tried to compile 4.5 for rc4; no luck there either.
>
> Thanks,
> Hafeez
>
Hafeez,
I do not think you need to upgrade strongSwan for this to work; however, it
is possible that the strongSwan 4.5.1 packages from RC5 will work on RC4.
On my server certificate I have the domain name as the subjectAltName and
I also have the "serverAuth" extendedKeyUsage flag set. Here is an example
using the strongSwan PKI tool:
ipsec pki --pub --in serverKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem \
--dn "C=MY, O=My Organization, CN=server" --san myvpn.mydomain.com --flag serverAuth \
--outform pem > serverCert.pem
You can verify your server certificate with:
ipsec pki --print -i /etc/ipsec.d/certs/serverCert.pem
...
altNames: myvpn.mydomain.com
flags: serverAuth
...
-Lars
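
A scripted form of the check described in the message above, as an added example that is not part of the original post or of strongSwan: it reads `ipsec pki --print` output and confirms that the hostname entered on the client appears under altNames and that the serverAuth flag is set. The function names, the second altName in the sample and the separator handling are assumptions made for this example.

```shell
#!/bin/sh
# Added example. check_pki_print HOSTNAME reads `ipsec pki --print` output on
# stdin and succeeds only if HOSTNAME is listed under altNames and the
# serverAuth flag is present.
# Assumption: several altNames are comma-separated and several flags are
# whitespace-separated on their lines.
check_pki_print() {
    awk -v host="$1" '
        BEGIN { host = tolower(host); san = 0; eku = 0 }
        { sub(/[ \t\r]+$/, "") }                 # drop trailing blanks / CR
        /^[ \t]*altNames:/ {
            sub(/^[ \t]*altNames:[ \t]*/, "")
            n = split($0, names, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++)
                if (tolower(names[i]) == host) san = 1   # DNS names: no case
        }
        /^[ \t]*flags:/ {
            sub(/^[ \t]*flags:[ \t]*/, "")
            n = split($0, flags, /[ \t,]+/)
            for (i = 1; i <= n; i++)
                if (flags[i] == "serverAuth") eku = 1
        }
        END {
            if (!san) print "FAIL: " host " is not in altNames"
            if (!eku) print "FAIL: serverAuth flag is not set"
            if (san && eku) print "OK"
            exit !(san && eku)
        }'
}

# Constructed sample output (not captured from a real certificate).
sample_print() {
    cat <<'EOF'
subject:  "C=MY, O=My Organization, CN=server"
altNames:  myvpn.mydomain.com, vpn2.mydomain.com
flags:     serverAuth
EOF
}

# Demo on the constructed sample. Against a real certificate:
#   ipsec pki --print -i /etc/ipsec.d/certs/serverCert.pem | check_pki_print myvpn.mydomain.com
sample_print | check_pki_print myvpn.mydomain.com
```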