[strongSwan] v4.4.1 on squeeze w/ ios6: server cert verification fails

Bharath Kumar cbkumar at gmail.com
Wed Jan 2 17:27:40 CET 2013


Our CA cert is in PEM format.

So, the VPN Gateway (IP or Domain Name) does appear in CN or Subject
Alternate Name of the server certificate, correct? If not, that sure will
cause the iPhone error you described - "Could not validate the server
certificate".

Beyond that, I'm afraid I don't have much to offer.

Thanks,
Bharath Kumar


On Wed, Jan 2, 2013 at 4:55 AM, Jason <strongswan at lakedaemon.net> wrote:

> Bharath,
>
> On Tue, Jan 01, 2013 at 08:13:54PM -0800, Bharath Kumar wrote:
> > On Tue, Jan 1, 2013 at 7:45 PM, Jason <strongswan at lakedaemon.net> wrote:
> > > I just got strongswan installed on my debian squeeze box this evening.
> > > everything seems to be going smoothly (eg I'm behind a nat that
> > > _actually_ forwards esp packets) until I try to connect.  My iphone
> > > gives me "Could not validate the server certificate".
> > >
> > > I'm using the IPSec configuration (no l2tp) with my own CA.
> > >
> > > So, I've tried a bunch of different flavors of "openssl pkcs12 -export
> > > ..." to generate a .p12 of my ca.  No matter what I do, I get "The
> > > container "Identity Certificate" must contain only one certificate and
> > > its private key."
> > >
> > > Is apple really that daft as to require the CA's _private_ key?  No, I'm
> > > probably missing something.  Any pointers?  I think I reached the end of
> > > both duckduckgo and google...
> > >
> > Not sure if you are using the procedure documented here but it worked
> > flawlessly for us.
> > http://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple).
>
> Yes, these are the exact instructions I followed.
>
> > One thing I was going to ask is to check if you have
> >   (a) installed the client certificate in PKCS #12 format  AND
>
> Did that, including key.
>
> >   (b) Installed your CA certificate ADDITIONALLY
>
> What format was your CA certificate?  pkcs12?  What exact command did
> you use to convert it?
>
> thx,
>
> Jason.
>

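The check suggested in the reply above (does the gateway's IP or domain name appear in the server certificate?) can be run against the certificate file on the gateway itself. This is an added example, not part of the original thread: it uses OpenSSL's `x509 -checkhost` / `-checkip`; the function names, `vpn.example.org` and `192.0.2.10` are constructed sample values, and `-addext` assumes OpenSSL 1.1.1 or later.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Hostnames and addresses are constructed.

# make_sample_cert DIR: write a throwaway self-signed gateway certificate
# (CN and SAN DNS = vpn.example.org, SAN IP = 192.0.2.10) to DIR/gw.pem.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=vpn.example.org" \
        -addext "subjectAltName=DNS:vpn.example.org,IP:192.0.2.10" \
        -keyout "$1/gw.key" -out "$1/gw.pem" 2>/dev/null
}

# cert_names_gateway CERT NAME: succeed only if CERT is valid for NAME, the
# exact string entered as the server address on the client.
# OpenSSL compares against subjectAltName and uses the subject CN only when
# the certificate has no DNS-type SAN entry.
cert_names_gateway() {
    local cert=$1 name=$2 flag
    case $name in
        *:*)        flag=-checkip ;;    # IPv6 literal
        *[!0-9.]*)  flag=-checkhost ;;  # contains a non-digit: DNS name
        *)          flag=-checkip ;;    # dotted-quad IPv4
    esac
    # The x509 command reports the result as text, so match on the message.
    openssl x509 -in "$cert" -noout "$flag" "$name" 2>/dev/null |
        grep -q 'does match certificate'
}

# Demo: one certificate checked against three ways of addressing the gateway.
demo() {
    local dir name
    dir=$(mktemp -d) || return 1
    make_sample_cert "$dir" || return 1
    for name in vpn.example.org 192.0.2.10 gw.example.org; do
        if cert_names_gateway "$dir/gw.pem" "$name"; then
            echo "$name: match"
        else
            echo "$name: NO match"
        fi
    done
    rm -rf "$dir"
}
demo
```

To use it on a real setup, pass the gateway's certificate file and the server address exactly as typed on the phone; a certificate issued for the DNS name will not match when the client dials the bare IP, and vice versa.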
