[strongSwan] using eap-tls and eap-mschapv2 simultaneously

Derek Cameron dcamero at outlook.com
Tue Jan 5 05:23:05 CET 2016


Hi, Josh,

Thank you.

You can probably just have two "conn" sections where they differ, with a shared "%default" conn where they are the same, but I have not tried this myself.

The certificates issued by "Let's Encrypt" work fine as server certificates if you are going to use user/password authentication (eap-mschapv2) on the iOS client side.

sudo openssl x509 -in /etc/letsencrypt/live/vpn.example.com/fullchain.pem -text

Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X1
. . .
Subject: CN=vpn.example.com
. . .
X509v3 Subject Alternative Name:
DNS:vpn.example.com

The special rules for iOS and OS X are, of course, imposed by Apple rather than by strongSwan. They are described in the strongSwan wiki on the page https://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple), especially in the sections "Certificate requirements for iOS interoperability" and "Certificate examples using strongSwan PKI tool".

Derek.
