[strongSwan] iOS (iPad) connections without xauth

Fiederling, Daniel daniel.fiederling at warema.de
Tue Mar 5 15:51:51 CET 2013

Hi Martin,

thank you very much for your answer.

As Peter wrote, the only way to disable XAuth is using an IPCU profile. I'm discussing that issue with our MDM vendor because currently they don't support setting the XAuthEnabled parameter.
Maybe one should add that parameter to the wiki article about iOS devices.

About my second issue, I have a question regarding the CRL signing. The CRL is produced by our root CA (Microsoft based). I put the certificate of the CA in ipsec.d/cacerts/. Do I need to put that (or another?) certificate for CRL verification into another subfolder of ipsec.d/? Or does the CA certificate have to be part of the OpenSSL trust chain of the local system?

The key usage of the CA certificate looks right:

        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical



-----Original Message-----
From: Martin Willi [mailto:martin at strongswan.org]
Sent: Wednesday, 27 February 2013 09:06
To: Fiederling, Daniel
Cc: 'users at lists.strongswan.org'
Subject: Re: [strongSwan] iOS (iPad) connections without xauth

Hi Daniel,

> if I change the authby to rsasig it seems as if the client still tries
> to enforce xauth:

I'm not sure, but I don't think there is a way to configure the native iOS client to use certificate authentication only. It always wants to do XAuth.

You may try the patch at [1]; it implements a simple XAuth mechanism that does no authentication, but just returns SUCCESS. With the patch applied, configure rightauth2=xauth-noauth.

> 01[CFG] checking certificate status of "***del*** E=daniel.fiederling at warema.de"
> 01[CFG]   fetching crl from 'http://cert.example.org/CertEnroll/myca.crl' ...
> 01[CFG]   using trusted certificate "DC=org, DC=example, CN=myca"
> 01[CFG] crl response verification failed

The daemon is unable to verify the CRL signature, therefore the CRL can't be used to check for revoked certificates. Do you have the CRL signer certificate and the full trust-chain installed on your system?
Does it have the CRLSigner X509 keyusage or the CA basic constraint flag set?

> 01[LIB] LDAP bind to 'ldap:///CN=myca,[...]' failed: Can't contact
> LDAP server

Your LDAP URI does not contain any host information. Unfortunately there is currently no way to configure a static LDAP host for your URIs in strongSwan.
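For readers landing here from a search: the following ipsec.conf fragment is an added illustration of the rightauth2=xauth-noauth setup Martin describes above, not a configuration from the thread or from the strongSwan project. The conn name ios-cert, the certificate file names, the identities, the pool and the cipher proposals are assumptions chosen to look like a typical iOS IKEv1 deployment; only rightauth2=xauth-noauth comes from the thread (with the patch applied; later strongSwan releases ship this as the xauth-noauth plugin).

```
conn ios-cert
    keyexchange=ikev1
    # iOS native IKEv1 client proposals (assumed typical values)
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    left=%any
    leftcert=gatewayCert.pem
    leftid="C=DE, O=Example, CN=vpn.example.org"
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    right=%any
    rightsourceip=10.10.0.0/24
    rightauth=pubkey
    # XAuth round that accepts anything: the client insists on XAuth,
    # but all real authentication is the certificate in rightauth=pubkey
    rightauth2=xauth-noauth
    # Pin the issuing CA so that any certificate from another trusted
    # CA in ipsec.d/cacerts cannot be used for this conn
    rightca="DC=org, DC=example, CN=myca"
    auto=add
```

Because the XAuth stage no longer authenticates anyone, the certificate check is the only gate: keep CRL (or OCSP) checking working and restrict the accepted issuer with rightca or the accepted identities with rightid, otherwise every holder of any certificate chaining to any installed CA can connect.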


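The "crl response verification failed" message means the daemon could not validate the CRL's signature with a certificate it trusts. The script below is an added example (not from the thread or the strongSwan project) that reproduces that check offline with the openssl tool: it constructs a throwaway CA whose key usage matches the one shown in the thread (Digital Signature, Certificate Sign, CRL Sign), issues a CRL from it, and verifies the CRL against the correct CA and against a second, look-alike CA with a different key. The certificate names (myca, impostor), the working directory and the use of a self-signed CA are assumptions; for a real Microsoft CA, point the check at the downloaded .crl with -inform DER and at the CA file installed under ipsec.d/cacerts.

```shell
#!/bin/sh
# Added example: reproduce offline the CRL signature check strongSwan performs.
# Everything here is constructed; the CA, keys and CRL are throwaway.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA with the key usage bits shown in the thread and CA:TRUE.
# $1 = file basename, $2 = CN
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
    -subj "/DC=org/DC=example/CN=$2" \
    -addext "keyUsage=critical,digitalSignature,keyCertSign,cRLSign" \
    -addext "basicConstraints=critical,CA:TRUE" 2>/dev/null
}

# Issue an empty CRL signed by the given CA (what a CertEnroll URL serves).
# Output is PEM; a Microsoft CA serves DER.  $1 = CA basename, $2 = CRL path
make_crl() {
  mkdir -p "$WORK/db"
  : > "$WORK/db/index.txt"
  echo 01 > "$WORK/db/serial"
  echo 01 > "$WORK/db/crlnumber"
  cat > "$WORK/ca.cnf" <<EOF
[ca]
default_ca = local
[local]
database         = $WORK/db/index.txt
serial           = $WORK/db/serial
crlnumber        = $WORK/db/crlnumber
new_certs_dir    = $WORK/db
certificate      = $WORK/$1.pem
private_key      = $WORK/$1.key
default_md       = sha256
default_crl_days = 7
EOF
  openssl ca -config "$WORK/ca.cnf" -gencrl -out "$2" 2>/dev/null
}

# The check itself: does the CRL signature verify against this trust anchor?
# Prints 0 if it verifies, 1 if not.  $1 = CRL, $2 = CA cert, [$3 = DER|PEM]
verify_crl() {
  if openssl crl -in "$1" -inform "${3:-PEM}" -CAfile "$2" -noout >/dev/null 2>&1; then
    echo 0
  else
    echo 1
  fi
}

# Does the candidate signer carry the CRL Sign key usage bit?  $1 = cert
has_crl_sign() {
  if openssl x509 -in "$1" -noout -text | grep -A1 'X509v3 Key Usage' | grep -q 'CRL Sign'; then
    echo yes
  else
    echo no
  fi
}

make_ca myca myca
make_ca impostor impostor      # same subject shape, different key: must fail
make_crl myca "$WORK/myca.crl"

echo "signer has CRL Sign: $(has_crl_sign "$WORK/myca.pem")"   # yes
echo "CRL vs issuing CA:   $(verify_crl "$WORK/myca.crl" "$WORK/myca.pem")"      # 0
echo "CRL vs other CA:     $(verify_crl "$WORK/myca.crl" "$WORK/impostor.pem")"  # 1
```

The second verification fails for the same reason the daemon's did when no installed certificate matches the CRL signer's key: a CA certificate with the right name but a different key (for instance after a CA key renewal, where the CRL is signed by the new key while the old certificate is the one installed) looks identical in the log line "using trusted certificate" yet cannot verify the signature. Running the same two commands against the real myca.crl and the file in ipsec.d/cacerts tells you whether the installed certificate is the actual signer.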
