[strongSwan] "no trusted RSA public key found" with iOS ikev2

SM K sacho.polo at gmail.com
Wed Nov 18 04:25:07 CET 2015


Hi,

I am trying to make a connection from an iPad using IKEv2 and am getting an
error "no trusted RSA public key found for '1-ios-test1-ikev2'" when
strongSwan tries to authenticate the cert. I cannot figure out why I get this
error. The same works with IKEv1. Can someone please help?

I have followed the instructions here:
https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile and
https://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)#Certificate-requirements-for-iOS-interoperability

My connection definition in strongSwan is:
conn iOSDeviceXauth
        authby=rsasig
        left=10.99.102.225
        leftsubnet=0.0.0.0/0
        leftcert=strongswan.crt
        right=%any
        rightsourceip=192.168.1.0/24
        auto=add
        keyexchange=ikev2
        leftupdown=updown.sh
        dpddelay=10
        dpdtimeout=30
        dpdaction=clear
        fragmentation=yes
        leftsendcert=always

The client and server cert are from the same root CA. The root CA is copied
to the /etc/ipsec.d/cacerts directory, and the private key for the server cert is
listed in the secrets file. The client cert and key are NOT copied to
the VPN gateway, but the client cert is signed by the root CA on the VPN
gateway.

The client cert installed on the iPad has the following subject:
        Subject: CN=1-ios-test1-ikev2
and Subject Alt Name:
        X509v3 Subject Alternative Name:
            DirName:/CN=1-ios-test1-ikev2/OU=CF-CAL/O=120


The profile installed on the phone has the following:
<key>PayloadCertificateUUID</key>
<string>eba13c23-dc37-4012-b557-be9881c87f93</string>
<key>RemoteAddress</key>
<string>10.99.102.225</string>
<key>LocalIdentifier</key>
<string>1-ios-test1-ikev2</string>
<key>RemoteIdentifier</key>
<string>10.99.102.225</string>
<key>AuthenticationMethod</key>
<string>Certificate</string>
<key>ExtendedAuthEnabled</key>
<integer>0</integer>
</dict>
<key>VPNType</key>
<string>IKEv2</string>
<key>PayloadType</key>
<string>com.apple.vpn.managed</string>
</dict>

What am I missing? Any help will be greatly appreciated.

regards,
sk
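Added example (not from the post above and not strongSwan's own code): a small model of the identity-to-certificate binding an IKEv2 responder performs before it will trust a peer's public key. An FQDN-type identity is only looked up among DNS subjectAltName entries, while a DN-type identity is compared against the subject DN or a DirName subjectAltName; the subject CN is not consulted for FQDN identities. The identity classification rules and the (kind, value) SAN tuple format are simplifying assumptions; the subject and SAN values are constructed from the ones quoted in the post.

```python
import ipaddress
import re


def parse_dn(dn):
    """Normalise '/CN=a/OU=b' (OpenSSL style) or 'CN=a, OU=b' into an ordered list of (type, value)."""
    text = dn.strip()
    parts = text.split("/") if text.startswith("/") else text.split(",")
    rdns = []
    for part in parts:
        if not part.strip():
            continue
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def classify(identity):
    """Assumed typing of a textual IKE ID: IP address, e-mail, DN, otherwise FQDN."""
    try:
        ipaddress.ip_address(identity)
        return "IP"
    except ValueError:
        pass
    if "@" in identity:
        return "EMAIL"
    if re.match(r"^/?[A-Za-z]+=", identity):
        return "DN"
    return "FQDN"


SAN_FOR = {"IP": "IP", "EMAIL": "email", "FQDN": "DNS"}


def identity_matches(identity, subject_dn, sans):
    """Explain whether a cert (subject DN + list of (kind, value) SANs) is bound to the IKE identity."""
    kind = classify(identity)
    if kind == "DN":
        wanted = parse_dn(identity)
        if parse_dn(subject_dn) == wanted:
            return "matches subject DN"
        if any(k == "DirName" and parse_dn(v) == wanted for k, v in sans):
            return "matches DirName SAN"
        return "no DN match"
    # FQDN, e-mail and IP identities are searched only in subjectAltName;
    # the subject CN is never consulted for these ID types.
    san_kind = SAN_FOR[kind]
    for k, v in sans:
        if k == san_kind and v.lower() == identity.lower():
            return f"matches {k} SAN"
    return f"no {san_kind} SAN for {kind} identity"


# Constructed from the values quoted in the post (not a real certificate).
SUBJECT = "CN=1-ios-test1-ikev2"
SANS = [("DirName", "/CN=1-ios-test1-ikev2/OU=CF-CAL/O=120")]
```

Running `identity_matches("1-ios-test1-ikev2", SUBJECT, SANS)` shows the FQDN form of the identifier finds no DNS SAN, while the DN forms of the same name match the subject or the DirName entry.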