[strongSwan] Example of functional setup running strongswan ikev2 with os x 10.11 clients using ms-chapv2 ?

Tobias Brunner tobias at strongswan.org
Mon Aug 10 12:14:47 CEST 2015


Hi Roger,

> Aug 6 16:45:50charon: 11[ENC] <con1|63> generating IKE_AUTH response 1 [
> IDr AUTH EAP/REQ/ID ]

As can be seen above, the server does not send its certificate (CERT
payload is missing), which the client will require to verify the
signature in the AUTH payload.

As described in the profile template at [1], iOS won't send a
certificate request if ServerCertificateIssuerCommonName is not set in
the configuration profile.  And if strongSwan does not receive one it
will not send its own certificate, by default.

To fix this, either specify the CA's CN (not the full DN) in the client
profile, or set `leftsendcert=always` in the server config to force
strongSwan to send its own certificate even if no certificate
request is received.

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile
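
The check described in this message can be automated over a server log. The following is an added example, not part of the original post or of strongSwan: it flags IKE_AUTH responses in which the server authenticates itself (IDr and AUTH) without a CERT payload, and reports whether the client had sent a CERTREQ. The sample log lines are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in charon's log format (not taken from the thread).
# SA con1|63 mirrors the quoted response, wrapped across two lines;
# SA con1|64 shows a client that sent CERTREQ and got a CERT back.
SAMPLE_LOG = """\
Aug  6 16:45:50 charon: 11[ENC] <con1|63> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR DNS) SA TSi TSr ]
Aug  6 16:45:50 charon: 11[ENC] <con1|63> generating IKE_AUTH response 1 [
 IDr AUTH EAP/REQ/ID ]
Aug  6 16:52:10 charon: 07[ENC] <con1|64> parsed IKE_AUTH request 1 [ IDi CERTREQ IDr SA TSi TSr ]
Aug  6 16:52:10 charon: 07[ENC] <con1|64> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
"""

# One IKE_AUTH message as logged by the [ENC] subsystem; the payload list
# between [ and ] may wrap onto the next line, so newlines are allowed in it.
MSG = re.compile(
    r"<(?P<sa>[^>]+)> (?P<dir>parsed|generating) IKE_AUTH "
    r"(?P<kind>request|response) \d+ \[(?P<body>[^\]]*)\]")
# A payload name with an optional parenthesised detail, e.g. CPRQ(ADDR DNS).
PAYLOAD = re.compile(r"([^\s(]+)(?:\([^)]*\))?")


def payload_names(body):
    """Return payload names only, dropping any parenthesised detail."""
    return [m.group(1) for m in PAYLOAD.finditer(body)]


def find_missing_cert(log_text):
    """Return (sa, certreq_received) for each server response that carries
    IDr and AUTH but no CERT. Assumes the server uses certificate auth.
    Requiring IDr skips the final EAP response, which has AUTH but no CERT."""
    certreq_seen = {}
    findings = []
    for m in MSG.finditer(log_text):
        sa, names = m.group("sa"), payload_names(m.group("body"))
        if (m.group("dir"), m.group("kind")) == ("parsed", "request"):
            certreq_seen[sa] = certreq_seen.get(sa, False) or "CERTREQ" in names
        elif (m.group("dir"), m.group("kind")) == ("generating", "response"):
            if "IDr" in names and "AUTH" in names and "CERT" not in names:
                findings.append((sa, certreq_seen.get(sa, False)))
    return findings


if __name__ == "__main__":
    for sa, certreq in find_missing_cert(SAMPLE_LOG):
        cause = "CERTREQ was received" if certreq else "no CERTREQ from client"
        print(f"<{sa}> IKE_AUTH response without CERT ({cause})")
```

A finding with no CERTREQ from the client corresponds to the case described above, where either the profile's ServerCertificateIssuerCommonName or `leftsendcert=always` resolves it.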


