[strongSwan] Setup help: No private key found with ios8 and eap-mschapv2

Noel Kuntze noel at familie-kuntze.de
Wed Dec 10 21:11:34 CET 2014


Hello Carl,

Make sure your private key is registered in ipsec.secrets

Use this
 : RSA vpnHostKey.pem

Kind regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 10.12.2014 at 16:48, carl leopold wrote:
> Hi,
>
> I have a problem with "no private key found" for iOS 8 and eap-mschapv2. I am using strongSwan 5.2.1 on Ubuntu 14.04.
>
> I am not sure if eap-mschapv2 works with 5.2.1, but it's probably something I am doing wrong. I looked for unit tests and can't find any for iOS with eap-mschapv2.
>
> I have a previous strongSwan/FreeRADIUS setup on the same localhost with MySQL, and it works fine with IKEv1 and iOS.
>
> I have been reading these strongSwan docs about IKEv2 and the supplied iOS mobile config XML sample.
>
> https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile#Authentication-options
> https://wiki.strongswan.org/issues/708
>
> These more detailed docs I found by Google searching; they are not on the main site index.
>
> I also read all the Apple developer docs, where I found you can also add an additional dict for the client key to go along with the CA cert, but the thread talks about not needing it. I am not 100% sure that is now the case.
>
> From what I read in the support thread, you can use IKEv2 and eap-mschapv2 together but not with client key authentication. So it seems the extra embedded XML dict is not needed.
>
> I deployed my XML mobile config and base64-encoded the CA cert correctly onto the iPad, which installs fine.
>
> When the iOS client negotiates I see that it is matched to conn win7. I expected it next to use eap-mschapv2 to authenticate, but instead it says in the server logs:
>
> Dec 10 09:28:19 vpn2 charon: 12[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> Dec 10 09:28:19 vpn2 charon: 12[IKE] no private key found for 'strongholdvpn2.ddns.net'
>
> Full logs are given below. I am also not sure what ESP_TFC_PADDING_NOT_SUPPORTED means.
>
> I have tried many combinations with/without this embedded client key dict, and it makes no difference.
>
> Also, I have a slightly tweaked (maybe more correct?) ipsec.conf setup compared to the win7 sample that works with the example mobile config eap-mschapv2 XML:
>
> leftid=strongholdvpn2.ddns.net
> rightid=*@strongholdvpn2.ddns.net
> ike=aes128-sha1-modp2048!
> esp=aes128-sha1!
>
> The ike and esp now match the recommended XML settings in the sample config. leftid and rightid now seem to work together better this way.
>
> Please advise me what I am doing wrong, as I have been at this for a while.
>
> #rightsendcert=never does not seem to make any difference. I added leftsendcert=always from the advice given in the notes, but it makes no difference.
>
> Many Thanks
> Carl
>
> Full setup below:
>
> root@vpn2:/etc/ipsec.d/certs# ipsec version
> Linux strongSwan U5.2.1/K3.13.0-37-generic
>
> $ iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination        
> ACCEPT     udp  --  anywhere             anywhere             udp dpt:isakmp
> ACCEPT     udp  --  anywhere             anywhere             udp dpt:ipsec-nat-t
> ACCEPT     esp  --  anywhere             anywhere           
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination        
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> $ ipsec statusall
>
> Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.13.0-37-generic, x86_64):
>   uptime: 5 minutes, since Dec 10 09:38:29 2014
>   malloc: sbrk 1486848, mmap 0, used 409872, free 1076976
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
>   loaded plugins: charon aes rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc hmac gcm attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity
> Virtual IP pools (size/online/offline):
>   10.10.3.0/24: 254/0/0
> Listening IP addresses:
>   178.62.119.121
>   2a03:b0c0:1:d0::215:4001
>   10.131.213.244
> Connections:
>         win7:  %any...%any  IKEv2, dpddelay=300s
>         win7:   local:  [strongholdvpn2.ddns.net] uses public key authentication
>         win7:    cert:  "C=CH, O=strongSwan, CN=strongholdvpn2.ddns.net"
>         win7:   remote: [*@strongholdvpn2.ddns.net] uses EAP_MSCHAPV2 authentication with EAP identity '%any'
>         win7:   child:  0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
> Security Associations (0 up, 0 connecting):
>   none
>
> My ipsec.conf:
>
> conn %default
>     keyexchange=ikev2
>     ike=aes128-sha1-modp2048!
>     esp=aes128-sha1!
>     dpdaction=clear
>     dpddelay=300s
>     rekey=no
>
> conn win7
>     left=%any
>     leftsubnet=0.0.0.0/0
>     leftauth=pubkey
>     leftcert=vpnHostCert.pem
>     leftid=strongholdvpn2.ddns.net
>     leftsendcert=always
>     right=%any
>     rightid=*@strongholdvpn2.ddns.net
>     rightsourceip=10.10.3.0/24
>     rightauth=eap-mschapv2
>     eap_identity=%any
>     #rightsendcert=never
>     auto=add
> Logs:
>
> Dec 10 09:28:09 vpn2 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.2.1, Linux 3.13.0-37-generic, x86_64)
> Dec 10 09:28:09 vpn2 charon: 00[DMN] agent plugin requires CAP_DAC_OVERRIDE capability
> Dec 10 09:28:09 vpn2 charon: 00[LIB] plugin 'agent': failed to load - agent_plugin_create returned NULL
> Dec 10 09:28:09 vpn2 charon: 00[DMN] xauth-pam plugin requires CAP_AUDIT_WRITE capability
> Dec 10 09:28:09 vpn2 charon: 00[LIB] plugin 'xauth-pam': failed to load - xauth_pam_plugin_create returned NULL
> Dec 10 09:28:09 vpn2 charon: 00[CFG] HA config misses local/remote address
> Dec 10 09:28:09 vpn2 charon: 00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL
> Dec 10 09:28:09 vpn2 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> Dec 10 09:28:09 vpn2 charon: 00[CFG]   loaded ca certificate "C=CH, O=strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.pem'
> Dec 10 09:28:09 vpn2 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> Dec 10 09:28:09 vpn2 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> Dec 10 09:28:09 vpn2 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> Dec 10 09:28:09 vpn2 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
> Dec 10 09:28:09 vpn2 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
> Dec 10 09:28:09 vpn2 charon: 00[CFG] expanding file expression '/var/lib/strongswan/ipsec.secrets.inc' failed
> Dec 10 09:28:09 vpn2 charon: 00[CFG] loaded 1 RADIUS server configuration
> Dec 10 09:28:09 vpn2 charon: 00[LIB] loaded plugins: charon aes rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc hmac gcm attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity
> Dec 10 09:28:09 vpn2 charon: 00[LIB] unable to load 5 plugin features (5 due to unmet dependencies)
> Dec 10 09:28:09 vpn2 charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
> Dec 10 09:28:09 vpn2 charon: 00[JOB] spawning 16 worker threads
> Dec 10 09:28:09 vpn2 charon: 08[NET] waiting for data on sockets
> Dec 10 09:28:09 vpn2 charon: 05[CFG] received stroke: add connection 'win7'
> Dec 10 09:28:09 vpn2 charon: 05[CFG] conn win7
> Dec 10 09:28:09 vpn2 charon: 05[CFG]   left=%any
> Dec 10 09:28:09 vpn2 charon: 05[CFG]   leftsubnet=0.0.0.0/0
> Dec 10 09:28:09 vpn2 charon: 05[CFG]   leftauth=pubkey
> Dec 10 09:28:09 vpn2 charon: 05[CFG]   leftid=strongholdvpn2.ddns.net
> Dec 10 09:28:09 vpn2 charon: 05[CFG]   leftcert=vpnHostCert.pem
> Dec 10 09:28:09 vpn2 charon: 05[CFG]   right=%any
> Dec 10 09:28:09 vpn2 charon: 05[CFG]   rightsourceip=10.10.3.0/24
> Dec 10 09:28:09 vpn2 charon: 05[CFG]   rightauth=eap-mschapv2
> Dec 10 09:28:09 vpn2 charon: 05[CFG]   rightid=*@strongholdvpn2.ddns.net
> Dec 10 09:28:09 vpn2 charon: 05[CFG]   eap_identity=%any
> Dec 10 09:28:09 vpn2 charon: 05[CFG]   ike=aes128-sha1-modp2048!
> Dec 10 09:28:09 vpn2 charon: 05[CFG]   esp=aes128-sha1!
> Dec 10 09:28:09 vpn2 charon: 05[CFG]   dpddelay=300
> Dec 10 09:28:09 vpn2 charon: 05[CFG]   dpdtimeout=150
> Dec 10 09:28:09 vpn2 charon: 05[CFG]   dpdaction=1
> Dec 10 09:28:09 vpn2 charon: 05[CFG]   mediation=no
> Dec 10 09:28:09 vpn2 charon: 05[CFG]   keyexchange=ikev2
> Dec 10 09:28:09 vpn2 charon: 05[CFG] left nor right host is our side, assuming left=local
> Dec 10 09:28:09 vpn2 charon: 05[CFG] adding virtual IP address pool 10.10.3.0/24
> Dec 10 09:28:09 vpn2 charon: 05[CFG]   loaded certificate "C=CH, O=strongSwan, CN=strongholdvpn2.ddns.net" from 'vpnHostCert.pem'
> Dec 10 09:28:09 vpn2 charon: 05[CFG] added configuration 'win7'
> Dec 10 09:28:18 vpn2 charon: 08[NET] received packet: from 195.102.55.203[500] to 178.62.119.121[500]
> Dec 10 09:28:18 vpn2 charon: 08[NET] waiting for data on sockets
> Dec 10 09:28:18 vpn2 charon: 11[NET] received packet: from 195.102.55.203[500] to 178.62.119.121[500] (416 bytes)
> Dec 10 09:28:18 vpn2 charon: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Dec 10 09:28:18 vpn2 charon: 11[CFG] looking for an ike config for 178.62.119.121...195.102.55.203
> Dec 10 09:28:18 vpn2 charon: 11[CFG]   candidate: %any...%any, prio 28
> Dec 10 09:28:18 vpn2 charon: 11[CFG] found matching ike config: %any...%any with prio 28
> Dec 10 09:28:18 vpn2 charon: 11[IKE] 195.102.55.203 is initiating an IKE_SA
> Dec 10 09:28:18 vpn2 charon: 11[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
> Dec 10 09:28:18 vpn2 charon: 11[CFG] selecting proposal:
> Dec 10 09:28:18 vpn2 charon: 11[CFG]   proposal matches
> Dec 10 09:28:18 vpn2 charon: 11[CFG] received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
> Dec 10 09:28:18 vpn2 charon: 11[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
> Dec 10 09:28:18 vpn2 charon: 11[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
> Dec 10 09:28:18 vpn2 charon: 11[IKE] remote host is behind NAT
> Dec 10 09:28:18 vpn2 charon: 11[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan Root CA"
> Dec 10 09:28:18 vpn2 charon: 11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> Dec 10 09:28:18 vpn2 charon: 11[NET] sending packet: from 178.62.119.121[500] to 195.102.55.203[500] (465 bytes)
> Dec 10 09:28:18 vpn2 charon: 09[NET] sending packet: from 178.62.119.121[500] to 195.102.55.203[500]
> Dec 10 09:28:19 vpn2 charon: 08[NET] received packet: from 195.102.55.203[4500] to 178.62.119.121[4500]
> Dec 10 09:28:19 vpn2 charon: 08[NET] waiting for data on sockets
> Dec 10 09:28:19 vpn2 charon: 12[NET] received packet: from 195.102.55.203[4500] to 178.62.119.121[4500] (364 bytes)
> Dec 10 09:28:19 vpn2 charon: 12[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
> Dec 10 09:28:19 vpn2 charon: 12[CFG] looking for peer configs matching 178.62.119.121[strongholdvpn2.ddns.net]...195.102.55.203[client@strongholdvpn2.ddns.net]
> Dec 10 09:28:19 vpn2 charon: 12[CFG]   candidate "win7", match: 20/19/28 (me/other/ike)
> Dec 10 09:28:19 vpn2 charon: 12[CFG] selected peer config 'win7'
> Dec 10 09:28:19 vpn2 charon: 12[IKE] initiating EAP_IDENTITY method (id 0x00)
> Dec 10 09:28:19 vpn2 charon: 12[IKE] processing INTERNAL_IP4_ADDRESS attribute
> Dec 10 09:28:19 vpn2 charon: 12[IKE] processing INTERNAL_IP4_DHCP attribute
> Dec 10 09:28:19 vpn2 charon: 12[IKE] processing INTERNAL_IP4_DNS attribute
> Dec 10 09:28:19 vpn2 charon: 12[IKE] processing INTERNAL_IP4_NETMASK attribute
> Dec 10 09:28:19 vpn2 charon: 12[IKE] processing INTERNAL_IP6_ADDRESS attribute
> Dec 10 09:28:19 vpn2 charon: 12[IKE] processing INTERNAL_IP6_DHCP attribute
> Dec 10 09:28:19 vpn2 charon: 12[IKE] processing INTERNAL_IP6_DNS attribute
> Dec 10 09:28:19 vpn2 charon: 12[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> Dec 10 09:28:19 vpn2 charon: 12[IKE] no private key found for 'strongholdvpn2.ddns.net'
> Dec 10 09:28:19 vpn2 charon: 12[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> Dec 10 09:28:19 vpn2 charon: 12[NET] sending packet: from 178.62.119.121[4500] to 195.102.55.203[4500] (76 bytes)
> Dec 10 09:28:19 vpn2 charon: 09[NET] sending packet: from 178.62.119.121[4500] to 195.102.55.203[4500]
> Dec 10 09:28:19 vpn2 charon: 12[IKE] IKE_SA win7[1] state change: CONNECTING => DESTROYING
>
> Key setup:
>
> cd /etc/ipsec.d/
> ipsec pki --gen --type rsa --size 4096 --outform pem > private/strongswanKey.pem
> cat private/strongswanKey.pem
> chmod 600 private/strongswanKey.pem
> ipsec pki --self --ca --lifetime 3650 --in private/strongswanKey.pem --type rsa --dn "C=CH, O=strongSwan, CN=strongSwan Root CA" --outform pem > cacerts/strongswanCert.pem
> cat cacerts/strongswanCert.pem
> ipsec pki --print --in cacerts/strongswanCert.pem
> ipsec pki --gen --type rsa --size 4096 --outform pem > private/vpnHostKey.pem
> chmod 600 private/vpnHostKey.pem
> ipsec pki --pub --in private/vpnHostKey.pem --type rsa | ipsec pki --issue --lifetime 730 --cacert cacerts/strongswanCert.pem --cakey private/strongswanKey.pem --dn "C=CH, O=strongSwan, CN=strongholdvpn2.ddns.net" --san strongholdvpn2.ddns.net --flag serverAuth --flag ikeIntermediate --outform pem > certs/vpnHostCert.pem
> ipsec pki --print --in certs/vpnHostCert.pem
> ipsec pki --gen --type rsa --size 4096 --outform pem > private/RsaKey.pem
> chmod private/RsaKey.pem
> chmod 600 private/RsaKey.pem
> ipsec pki --pub --in private/RsaKey.pem --type rsa | ipsec pki --issue --lifetime 730 --cacert cacerts/strongswanCert.pem --cakey private/strongswanKey.pem --dn "C=CH, O=strongSwan, CN=client@yahoo.com" --san client@yahoo.com --outform pem > certs/RsaCert.pem
> openssl pkcs12 -export -inkey private/RsaKey.pem -in certs/RsaCert.pem -name "Ecdsa VPN Certificate" -certfile cacerts/strongswanCert.pem -caname "StrongSwan Root CA" -out RsaUser.p12
>
> Strongswan.conf
>
> charon {
>         load_modular = yes
>         plugins {
>                 include strongswan.d/charon/*.conf
>                 eap-radius {
>                         class_group = yes
>                         eap_start = yes
>                         servers {
>                                 primary {
>                                         address = localhost
>                                         secret = sharedsec
>                                         nas_identifier = ipsec-gateway
>                                         sockets = 20
>                                 }
>                         }
>                 }
>         }
> }
>
> include strongswan.d/*.conf
>
> Mobile config XML:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
> <plist version="1.0">
> <dict>
>     <!-- Set the name to whatever you like, it is used in the profile list on the device -->
>     <key>PayloadDisplayName</key>
>     <string>Strong Hold VPN2</string>
>     <!-- This is a reverse-DNS style unique identifier used to detect duplicate profiles -->
>     <key>PayloadIdentifier</key>
>     <string>strongholdvpn2</string>
>     <!-- A globally unique identifier, use uuidgen on Linux/Mac OS X to generate it -->
>     <key>PayloadUUID</key>
>     <string>1f93912b-5fd2-4455-99fd-13b9a47b4582</string>
>     <key>PayloadType</key>
>     <string>Configuration</string>
>     <key>PayloadVersion</key>
>     <integer>1</integer>
>     <key>PayloadContent</key>
>     <array>
>         <!-- It is possible to add multiple VPN payloads with different identifiers/UUIDs and names -->
>         <dict>
>             <!-- This is an extension of the identifier given above -->
>             <key>PayloadIdentifier</key>
>             <string>StrongHoldVPN2</string>
>             <!-- A globally unique identifier for this payload -->
>             <key>PayloadUUID</key>
>             <string>82e4456d-3f03-4f15-b26f-4225d89465b7</string>
>             <key>PayloadType</key>
>             <string>com.apple.vpn.managed</string>
>             <key>PayloadVersion</key>
>             <integer>1</integer>
>             <!-- This is the name of the VPN connection as seen in the VPN application later -->
>             <key>UserDefinedName</key>
>             <string>StrongHold VPN2</string>
>             <key>VPNType</key>
>             <string>IKEv2</string>
>             <key>IKEv2</key>
>             <dict>
>                 <!-- Hostname or IP address of the VPN server -->
>                 <key>RemoteAddress</key>
>                 <string>strongholdvpn2.ddns.net</string>
>                 <!-- Remote identity, can be a FQDN, a userFQDN, an IP or (theoretically) a certificate's subject DN. Can't be empty.
>                      IMPORTANT: DNs are currently not handled correctly, they are always sent as identities of type FQDN -->
>                 <key>RemoteIdentifier</key>
>                 <string>strongholdvpn2.ddns.net</string>
>                 <!-- Local IKE identity, same restrictions as above. If it is empty the client's IP address will be used -->
>                 <key>LocalIdentifier</key>
>                 <string>client@strongholdvpn2.ddns.net</string>
>                 <!-- Optional, if it matches the CN of the root CA certificate (not the full subject DN) a certificate request will be sent
>                      NOTE: If this is not configured make sure to configure leftsendcert=always on the server, otherwise it won't send its certificate -->
>                 <key>ServerCertificateIssuerCommonName</key>
>                 <string>Example Root CA</string>
>                 <!-- Optional, the CN or one of the subjectAltNames of the server certificate to verify it, if not set RemoteIdentifier will be used -->
>                 <key>ServerCertificateCommonName</key>
>                 <string>RsaCert.pem</string>
>                 <!-- The server is authenticated using a certificate -->
>                 <key>AuthenticationMethod</key>
>                 <string>Certificate</string>
>                 <!-- The client uses EAP to authenticate -->
>                 <key>ExtendedAuthEnabled</key>
>                 <integer>1</integer>
>                 <!-- User name for EAP authentication, must be set as there is currently no prompt during installation.
>                      IMPORTANT: Because there is no prompt and this value cannot be changed later on the device a separate profile is required for every user -->
>                 <key>AuthName</key>
>                 <string>carl</string>
>                 <!-- Optional password for EAP authentication, if it is not set the user is prompted when the profile is installed
>                 <key>AuthPassword</key>
>                 <string>connect1</string>
>                 -->
>                 <!-- The next two dictionaries are optional (as are the keys in them), but it is recommended to specify them as the default is to use 3DES.
>                      IMPORTANT: Because only one proposal is sent (even if nothing is configured here) it must match the server configuration -->
>                 <key>IKESecurityAssociationParameters</key>
>                 <dict>
>                     <key>EncryptionAlgorithm</key>
>                     <string>AES-128</string>
>                     <key>IntegrityAlgorithm</key>
>                     <string>SHA1-96</string>
>                     <key>DiffieHellmanGroup</key>
>                     <integer>14</integer>
>                 </dict>
>                 <key>ChildSecurityAssociationParameters</key>
>                 <dict>
>                     <key>EncryptionAlgorithm</key>
>                     <string>AES-128</string>
>                     <key>IntegrityAlgorithm</key>
>                     <string>SHA1-96</string>
>                     <key>DiffieHellmanGroup</key>
>                     <integer>14</integer>
>                 </dict>
>             </dict>
>         </dict>
> <!-- This payload is optional but it provides an easy way to install the CA certificate together with the configuration -->
>         <dict>
>             <key>PayloadIdentifier</key>
>             <string>StrongHoldVPN2</string>
>             <key>PayloadUUID</key>
>             <string>18587b2c-33e0-4adf-a432-6fbcae543408</string>
>             <key>PayloadType</key>
>             <string>com.apple.security.root</string>
>             <key>PayloadVersion</key>
>             <integer>1</integer>
>             <!-- This is the Base64 (PEM) encoded CA certificate -->
>             <key>PayloadContent</key>
>             <data>
>             LS0tL (truncated for brevity)==
>             </data>
>         </dict>
>     </array>
> </dict>
> </plist>
>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users

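The reply above boils down to one missing line in ipsec.secrets. The script below is an added example by the editor, not code from either poster or from the strongSwan project: it reads an ipsec.secrets file, resolves every `: RSA <file>` entry the way charon does (relative names against the private key directory, /etc/ipsec.d/private on a stock install), checks that the file is present and owner-only, and, when a host certificate is given and `openssl` is installed, confirms the key really belongs to that certificate, which is what charon needs before it can sign the IKE_AUTH response. The demo at the end builds a constructed throwaway tree modelled on the thread (a placeholder in place of vpnHostKey.pem, so no certificate is passed there) and runs the check before and after adding the line from the reply. Function names, the output wording and the demo files are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Checks ": RSA <file>" entries in an
# ipsec.secrets file the way charon will use them, so a "no private key
# found" can be traced before a client connects.
# Assumptions: POSIX sh, GNU or BSD stat; the key/certificate comparison
# needs openssl and is skipped when it is not installed.

# check_ipsec_secrets SECRETS_FILE PRIVATE_DIR [HOST_CERT]
# Prints one line per finding. Returns 0 when every RSA entry resolves to a
# readable key with no group/other permission bits (and matches HOST_CERT
# when one is given), 1 otherwise.
check_ipsec_secrets() {
    secrets=$1; privdir=$2; cert=$3
    status=0; entries=0

    if [ ! -r "$secrets" ]; then
        echo "ERROR: cannot read $secrets"
        return 1
    fi

    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            '#'*|'') continue ;;      # comments and blank lines
            *:*RSA*) ;;               # "[selectors] : RSA <file> [passphrase]"
            *) continue ;;            # PSK, EAP, XAUTH entries are not checked here
        esac
        entries=$((entries + 1))

        # Everything after the keyword: key file name, then optional passphrase.
        rest=${line#*RSA}
        set -- $rest
        keyfile=${1#\"}; keyfile=${keyfile%\"}
        if [ -z "$keyfile" ]; then
            echo "ERROR: ': RSA' entry without a file name"
            status=1
            continue
        fi

        # charon resolves a relative name against the private key directory.
        case "$keyfile" in
            /*) path=$keyfile ;;
            *)  path=$privdir/$keyfile ;;
        esac

        if [ ! -r "$path" ]; then
            echo "MISSING: $keyfile -> $path (charon will log 'no private key found')"
            status=1
            continue
        fi

        mode=$(stat -c %a "$path" 2>/dev/null || stat -f %Lp "$path" 2>/dev/null || echo unknown)
        case "$mode" in
            *00) ;;                   # 600 or 400: owner only
            *)  echo "PERMS: $path is mode $mode, expected 600"; status=1 ;;
        esac

        # The key on disk must be the one the host certificate was issued for;
        # charon looks the private key up by the certificate's public key.
        if [ -n "$cert" ]; then
            if command -v openssl >/dev/null 2>&1; then
                km=$(openssl rsa -noout -modulus -in "$path" 2>/dev/null || echo KEY_UNREADABLE)
                cm=$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null || echo CERT_UNREADABLE)
                if [ "$km" != "$cm" ]; then
                    echo "MISMATCH: $path does not belong to $cert"
                    status=1
                else
                    echo "OK: $path matches $cert"
                fi
            else
                echo "SKIP: openssl not installed, cannot compare $path with $cert"
            fi
        else
            echo "OK: $path found, mode $mode"
        fi
    done < "$secrets"

    if [ "$entries" -eq 0 ]; then
        echo "ERROR: no ': RSA' entry in $secrets, charon has no host key to load"
        status=1
    fi
    return $status
}

# Constructed demo tree modelled on the thread (not the poster's files).
# vpnHostKey.pem is a placeholder, not a real key, so no certificate is
# passed and only the lookup and permission checks run. First run: an
# ipsec.secrets without the ": RSA" line, the state the report describes.
# Second run: the line from the reply added.
demo_ipsec_secrets() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/private"
    printf 'placeholder, not a real key\n' > "$tmp/private/vpnHostKey.pem"
    chmod 600 "$tmp/private/vpnHostKey.pem"

    printf '# no host key registered yet\n' > "$tmp/ipsec.secrets"
    echo "--- before:"
    if check_ipsec_secrets "$tmp/ipsec.secrets" "$tmp/private"; then
        rm -rf "$tmp"; return 1       # must be reported as broken
    fi

    printf ': RSA vpnHostKey.pem\n' >> "$tmp/ipsec.secrets"
    echo "--- after adding ': RSA vpnHostKey.pem':"
    if check_ipsec_secrets "$tmp/ipsec.secrets" "$tmp/private"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

demo_ipsec_secrets
```

Against a live gateway, run it as `check_ipsec_secrets /etc/ipsec.secrets /etc/ipsec.d/private /etc/ipsec.d/certs/vpnHostCert.pem` after `ipsec rereadsecrets`; a MISSING or MISMATCH line corresponds directly to the "no private key found for '<leftid>'" message in the charon log above.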