[strongSwan] Is certificate matching compatible with ios8/ikev2?

Jill M. Dove jilldove at gmail.com
Fri Jun 12 12:56:39 CEST 2015

I am using Apple Configurator to set up the client profile, which includes:

   - Certificate identification, by uploading a pfx file into the
   Certificate payload.
   - In the vpn payload configurator requires both a local identifier and
   remote identifier, so  the remote identifier is vpn.example.com, and
   local identifier testclient.
   - The SAN in the certificate matches the local identifer, hence

On the ipsec.conf file, I have the following configuration.
 config setup
#        uniqueids=never
 conn TEMPLATE_IKEv2_Apple

This configuration works fine, and the client connects to the vpn, however
I can see that the client device is identifying itself as testclient, in
accordance with the local identifier I gave it.

My problem is integrating the ios8 ikev2 devices into my production
environment, where I actually assign the rightsourceip address according to
the values in the certificate distinguished name field.  To do this for
other devices I'm matching on the rightid DN, hence rightid="C=GB, OU=*,

My question is my ios8 devices seem to be identifying themselves to
strongswan solely according to their local identifier (testclient) rather
than the certificate DN.  It also won't be possible to replicate the
contents of the DN in the local identifier (and the SAN).

Therefore is there anyway I can still use certificate matching to assign
the rightsourceip, when ios8 forces explict assignment of a local
identifier in the client profile?


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150612/f6530237/attachment.html>

More information about the Users mailing list