[strongSwan] how to tell the iphone to send the issuer certificate?
Harald Dunkel
harald.dunkel at aixigo.de
Thu Oct 29 12:11:59 CET 2015
Hi folks,
strongswan 5.3.3 on Linux, iOS 9.1, IKEv2:
Using strongswan on both peers I see in the log file that
the roadwarrior sends the issuer certificate next to its
own end-entity certificate to the gateway. The iPhone doesn't.
Result:
no trusted RSA public key found for 'iphone01.example.com'
:-(
Which magic trick would you suggest to tell the iPhone to
send the issuer certificate as well?
How come strongswan on the gateway doesn't use its
local cacerts database for the missing cert?
Anonymized ipsec.conf is attached. Please excuse that there
is no log file included, but it contains too much sensitive
information to be posted on a mailing list.
Every helpful comment is highly appreciated.
Harri
-------------- ipsec.conf (attachment) --------------
config setup
    charondebug="dmn 2, mgr 2, ike 3, chd 2, cfg 3, net 2"

conn %default
    left=gate.example.com
    leftcert=gate.example.com.pem
    # the gateway always sends its own certificate
    leftsendcert=always
    leftsubnet=10.1.1.0/24
    leftfirewall=yes
    ikelifetime=3h
    lifetime=1h
    rekey=yes
    dpdaction=hold
    dpddelay=30s

# IKEv2 using RSA authentication
conn IPSec-IKEv2
    keyexchange=ikev2
    ike=aes256-sha256-modp2048,aes256-sha1-modp1024,aes128-sha1-modp1024!
    esp=aes256-sha256-modp2048,aes256-sha1-modp1024,aes128-sha1-modp1024!
    right=%any
    rightauth=pubkey
    # request the road warrior's certificate during IKE_AUTH
    rightsendcert=ifasked
    rightsourceip=%dhcp
    # fragmentation=yes
    auto=add

# IKEv1 using xauth (i.e. enter password)
conn CiscoIPSec
    keyexchange=ikev1
    ike=aes256-sha1-modp1536!
    esp=aes256-sha1!
    right=%any
    # certificate first, then XAuth password as second round
    rightauth=pubkey
    rightauth2=xauth
    rightsourceip=%dhcp
    auto=add
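The two things the gateway actually needs from a road warrior that sends only its end-entity certificate are (1) the issuer among the CA certificates the gateway has loaded locally (the cacerts directory, or cacert= in ipsec.conf) and (2) an IKE identity that appears in the certificate's subjectAltName. The script below is an added example, not code from the original post or from the strongSwan project: it reproduces both checks with the openssl CLI (assumed to be installed) against a throwaway CA and client certificate that it generates itself, so the names "Example Road Warrior CA" and "iphone01.example.com" and all file paths are made up for the demo. Running the chain check once with the CA present and once with an empty cacerts directory shows the difference between a chain that builds without any help from the client and the failure the post reports.

```shell
#!/bin/sh
# Added example (not from the original post or from strongSwan). It mimics,
# with plain openssl, what a strongSwan gateway does when a peer presents
# only its own certificate: look the issuer up in a local cacerts directory
# and match the IKE identity against the certificate's subjectAltName.
# Assumes the openssl CLI; names and paths are constructed for the demo.

# Build a throwaway PKI under $1: a CA in $1/cacerts/ and a client cert
# with SAN iphone01.example.com. The client cert is NOT bundled with its
# issuer, mirroring a client that sends only its own certificate.
make_test_pki() {
    local dir=$1
    mkdir -p "$dir/cacerts"
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Example Road Warrior CA" \
        -keyout "$dir/ca.key" -out "$dir/cacerts/ca.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=iphone01.example.com" \
        -keyout "$dir/client.key" -out "$dir/client.csr" >/dev/null 2>&1
    # SAN goes in via an extension file so this works on older openssl too
    printf 'subjectAltName=DNS:iphone01.example.com\n' > "$dir/ext.cnf"
    openssl x509 -req -sha256 -days 1 -in "$dir/client.csr" \
        -CA "$dir/cacerts/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/ext.cnf" -out "$dir/client.pem" >/dev/null 2>&1
}

# Chain check: return 0 only if the client certificate ($2) verifies against
# the certificates found in the cacerts directory ($1), with no intermediate
# supplied by the client. The gateway's local trust store has to carry the
# issuer; nothing the client sends is consulted here.
gateway_can_verify() {
    local cacerts=$1 cert=$2 bundle f
    bundle=$(mktemp)
    for f in "$cacerts"/*; do
        if [ -f "$f" ]; then cat "$f" >> "$bundle"; fi
    done
    if openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1; then
        rm -f "$bundle"; return 0
    fi
    rm -f "$bundle"; return 1
}

# Identity check: return 0 if the DNS name $2 is listed in the
# subjectAltName of certificate $1. A trailing comma is appended so that
# "example.com" does not match "iphone01.example.com".
cert_matches_id() {
    local cert=$1 id=$2 san
    san=$(openssl x509 -in "$cert" -noout -text \
          | grep -A1 'Subject Alternative Name' | tail -n 1)
    case " $san," in
        *"DNS:$id,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo: the working case, the empty-trust-store case, and the identity check.
demo() {
    local work
    work=$(mktemp -d)
    make_test_pki "$work"
    if gateway_can_verify "$work/cacerts" "$work/client.pem"; then
        echo "chain OK: issuer found in $work/cacerts, client sent no CA cert"
    fi
    mkdir "$work/empty-cacerts"
    if ! gateway_can_verify "$work/empty-cacerts" "$work/client.pem"; then
        echo "chain FAILED with an empty cacerts dir (one cause of 'no trusted RSA public key found')"
    fi
    if cert_matches_id "$work/client.pem" iphone01.example.com; then
        echo "identity iphone01.example.com is in the certificate SAN"
    fi
    rm -rf "$work"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh check_chain.sh demo` (file name assumed). On a real gateway the equivalent of the first function is `ipsec listcacerts`, which shows whether the road warrior's issuer has been loaded at all; if it is missing there, the client sending its chain would not help, since strongSwan only trusts what is in its own store.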