[strongSwan] Apple cisco connect issue

Lars Hjersted lars at hjersted.com
Fri Jun 10 00:41:33 CEST 2011

> Lars,
> Error on iphone is "Could not validate the server certificate"
> I have made sure domain name in the server field matches the domain in the server certificate it is connecting.
> So what else I can do. I really don't want to touch the router to upgrade to rc5. It is very stable as it is.
> I tried to compile 4.5 for rc4 no luck there either.
> Thanks,
> Hafeez


I do not think you need to upgrade strongSwan for this to work, however it 
is possible that the strongSwan 4.5.1 packages from RC5 will work on RC4.

On my server certificate I have the domain name as the subjectAltName and 
I also have the "serverAuth" extendedKeyUsage flag set. Here is an example 
using the strongSwan PKI tool:

ipsec pki --pub --in serverKey.pem | ipsec pki --issue -cacert caCert.pem --cakey caKey.pem \
           --dn "C=MY, O=My Organization, CN=server" --san myvpn.mydomain.com --flag serverAuth \
           --outform pem > serverCert.pem

You can verify your server certificate with:

ipsec pki --print -i /etc/ipsec.d/certs/serverCert.pem
altNames:  myvpn.mydomain.com
flags:     serverAuth


More information about the Users mailing list