[strongSwan] "no trusted RSA public key found" with iOS ikev2

SM K sacho.polo at gmail.com
Thu Nov 19 08:38:54 CET 2015

Hi Tobias,

I am sorry for cross posting in dev group.
I found that it was a problem with version 5.1.3 of strongswan. The same
setup worked with 5.3.0 of strongswan. I have verified this twice, moving
up and down in strongswan versions. I have the LocalIdentifier in the CN
part of the SAN. The iOS device still sends the ID as FQDN.

Since we use strongswan 5.1.3 (with patches), I have to figure the changes
that allow version 5.3.0 to work and bring them into 5.1.3 if possible.


On Wed, Nov 18, 2015 at 2:23 AM, Tobias Brunner <tobias at strongswan.org>

> Hi,
> Could you please not cross-post your emails to the users and dev mailing
> lists.  This is clearly a configuration issue that has nothing to do
> with strongSwan's development.
> > The client cert installed on the ipad has the following subject
> >                  Subject: CN=1-ios-test1-ikev2
> > and Subject Alt name
> >                   X509v3 Subject Alternative Name:
> >                   DirName:/CN=1-ios-test1-ikev2/OU=CF-CAL/O=120
> You have to add a SAN of DNS:1-ios-test1-ikev2 to your client
> certificate as the client configured with
> > <key>LocalIdentifier</key>
> > <string>1-ios-test1-ikev2</string>
> will send an identity of type FQDN with the value `1-ios-test1-ikev2`.
> AFAIK it's still not possible to configure a DN in the client profile so
> you have to add this as SAN to your certificate.
> Regards,
> Tobias
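
The check described in the quoted reply, as an added example that is not part of the original thread: it reads `LocalIdentifier` from a profile and reports whether the certificate's SAN line carries a matching `DNS:` entry. The function names, the plist wrapper around the fragment and the case-insensitive comparison are assumptions of this sketch; the SAN line is in the text-dump form quoted in the thread.

```python
import plistlib
import re

# Constructed sample: a minimal plist wrapped around the profile fragment.
# Only the LocalIdentifier key and value come from the thread.
PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>IKEv2</key>
  <dict>
    <key>LocalIdentifier</key>
    <string>1-ios-test1-ikev2</string>
  </dict>
</dict></plist>"""

# SAN value as quoted in the thread.
SAN_FROM_THREAD = "DirName:/CN=1-ios-test1-ikev2/OU=CF-CAL/O=120"
# Constructed: the same SAN with the DNS entry the reply asks for.
SAN_FIXED = "DNS:1-ios-test1-ikev2, " + SAN_FROM_THREAD

def local_identifiers(node):
    """Recursively collect every LocalIdentifier string in a parsed plist."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "LocalIdentifier" and isinstance(value, str):
                found.append(value)
            else:
                found.extend(local_identifiers(value))
    elif isinstance(node, list):
        for item in node:
            found.extend(local_identifiers(item))
    return found

def dns_sans(san_line):
    """Return the DNS: entries of a SAN line; DirName, IP and email are ignored."""
    return [m.casefold() for m in re.findall(r"(?:^|,\s*)DNS:([^,\s]+)", san_line)]

def missing_dns_sans(profile_bytes, san_line):
    """LocalIdentifier values with no matching DNS SAN (case-insensitive: assumption)."""
    names = dns_sans(san_line)
    ids = local_identifiers(plistlib.loads(profile_bytes))
    return [i for i in ids if i.casefold() not in names]

if __name__ == "__main__":
    print("thread cert:", missing_dns_sans(PROFILE, SAN_FROM_THREAD))
    print("fixed cert: ", missing_dns_sans(PROFILE, SAN_FIXED))
```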