[strongSwan] Same config for strongSwan, different outcome between Android and iOS
Tobias Brunner
tobias at strongswan.org
Fri Jul 15 12:13:51 CEST 2016
Hi Laurens,
>> The latter is of course because it does not send any certificate
>> requests, whereas 156 of them are sent by the Android app (each a 20
>> byte SHA-1 hash). As I mentioned before, you can avoid that by
>> selecting your CA certificate in the VPN profile in the app. This
>> should avoid having to fragment the IKE_AUTH message and might improve
>> the success rate significantly.
>
> This last bit brings me to my next problem. From the file
> OnePlusOne_20160607_Wifi_Working1_ClientLog, I get this:
>
> Jul 6 17:26:31 06[IKE] received end entity cert "CN=us.npu.io"
> Jul 6 17:26:31 06[CFG] using certificate "CN=us.npu.io"
> Jul 6 17:26:31 06[CFG] using trusted intermediate ca certificate "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
> Jul 6 17:26:31 06[CFG] using trusted ca certificate "O=Digital Signature Trust Co., CN=DST Root CA X3"
> Jul 6 17:26:31 06[CFG] reached self-signed root ca with a path length of 1
> Jul 6 17:26:31 06[IKE] authentication of 'us.npu.io' with RSA signature successful
>
> If I select the certificate "Digital Signature Trust Co., DST Root CA
> X3", I get a new error message:
>
> Jul 14 19:47:22 13[IKE] received end entity cert "CN=us.npu.io"
> Jul 14 19:47:22 13[CFG] using certificate "CN=us.npu.io"
> Jul 14 19:47:22 13[CFG] no issuer certificate found for "CN=us.npu.io"
> Jul 14 19:47:22 13[IKE] no trusted RSA public key found for 'us.npu.io'
> Jul 14 19:47:22 13[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
>
> Any idea what I'm missing now?
Looks like the server does not send the intermediate CA certificate
"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3". So either
install that on the server in /etc/ipsec.d/cacerts so it does send it,
or try selecting the intermediate CA certificate as trust anchor on the
client.
Regards,
Tobias
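The quoted paragraph at the top mentions 156 certificate requests of 20 bytes each and the IKE_AUTH fragmentation they cause. The following is an added example, not strongSwan code and not from the original mail: it builds and parses an IKEv2 Certificate Request payload as RFC 7296 section 3.7 lays it out (a 4-byte generic payload header, a 1-byte certificate-encoding field, then one SHA-1 hash of each trust anchor's SubjectPublicKeyInfo), so the size difference between "send the whole CA store" and "one selected CA" can be computed. The SPKI blobs, the function names and the 156-entry store are constructed for the illustration.

```python
"""IKEv2 CERTREQ payload layout (RFC 7296 section 3.7) and its size.

Added example, not strongSwan code.  Per trust anchor the payload carries
the 20-byte SHA-1 hash of the CA certificate's SubjectPublicKeyInfo, after a
4-byte generic payload header and a 1-byte certificate-encoding field.
The SPKI inputs below are constructed placeholders, not real CA keys.
"""
import hashlib
import struct

CERT_ENCODING_X509_SIGNATURE = 4  # "X.509 Certificate - Signature" (RFC 7296)
GENERIC_HEADER_LEN = 4            # Next Payload, C+Reserved, Payload Length
NEXT_PAYLOAD_NONE = 0
HASH_LEN = 20                     # SHA-1 digest length


def ca_hash(spki_der: bytes) -> bytes:
    """The 20-byte value CERTREQ carries for one trust anchor."""
    return hashlib.sha1(spki_der).digest()


def build_certreq(spki_list, next_payload: int = NEXT_PAYLOAD_NONE) -> bytes:
    """Encode one CERTREQ payload naming every trust anchor in spki_list."""
    authorities = b"".join(ca_hash(spki) for spki in spki_list)
    length = GENERIC_HEADER_LEN + 1 + len(authorities)
    header = struct.pack("!BBH", next_payload, 0, length)
    return header + bytes([CERT_ENCODING_X509_SIGNATURE]) + authorities


def parse_certreq(payload: bytes):
    """Decode a CERTREQ payload into (cert_encoding, [20-byte CA hashes]).

    Raises ValueError on a length field that disagrees with the data or on a
    Certification Authority field that is not a whole number of hashes.
    """
    if len(payload) < GENERIC_HEADER_LEN + 1:
        raise ValueError("payload shorter than header plus encoding byte")
    _next, _flags, length = struct.unpack("!BBH", payload[:GENERIC_HEADER_LEN])
    if length != len(payload):
        raise ValueError("payload length field does not match data")
    encoding = payload[GENERIC_HEADER_LEN]
    body = payload[GENERIC_HEADER_LEN + 1:]
    if encoding == CERT_ENCODING_X509_SIGNATURE and len(body) % HASH_LEN:
        raise ValueError("Certification Authority field is not a multiple of 20 bytes")
    hashes = [body[i:i + HASH_LEN] for i in range(0, len(body), HASH_LEN)]
    return encoding, hashes


def certreq_len(n_anchors: int) -> int:
    """Bytes a CERTREQ payload occupies for n_anchors trust anchors."""
    return GENERIC_HEADER_LEN + 1 + HASH_LEN * n_anchors


def constructed_store(n: int):
    """Constructed stand-ins for the SPKI of n trust anchors (not real keys)."""
    return [f"constructed SubjectPublicKeyInfo of CA {i}".encode() for i in range(n)]


if __name__ == "__main__":
    # Whole CA store (156 anchors, as in the quoted log) versus one selected CA.
    whole_store = build_certreq(constructed_store(156))
    single_ca = build_certreq(constructed_store(1))
    print(len(whole_store), len(single_ca))
    _, hashes = parse_certreq(whole_store)
    print(len(hashes), "trust anchors requested")
```

With 156 anchors the payload alone is 3125 bytes, more than twice a 1500-byte Ethernet MTU before IDi, CERT, AUTH, SA and TS payloads are added to IKE_AUTH; with a single selected CA it shrinks to 25 bytes, which is why selecting the CA certificate in the profile removes the need to fragment.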
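To make the two log excerpts and the server-side fix concrete, here is an added example that is not strongSwan code and not part of the original mail. It models only the issuer search that the CFG lines describe: for each certificate the client first looks for the issuer among its own trust anchors, then among the certificates the peer sent in IKE_AUTH, and accepts the chain once a self-signed trust anchor is reached. Certificates are reduced to (subject, issuer) pairs and signature checks are assumed to pass. The DNs are those from the excerpts; the trust-store contents per scenario, the function names, the path-length limit and the wording of the one log line the page does not show ("using untrusted intermediate certificate") are assumptions of the model. Tobias's client-side alternative (selecting the intermediate as trust anchor) depends on what else the app keeps in its trust store in that case, which the mail does not state, so it is not modelled.

```python
"""Model of the issuer search behind the two log excerpts above.

Added example, not strongSwan code.  A certificate is reduced to its
(subject, issuer) pair and signature checks are assumed to pass; only the
lookup order is modelled: trust anchors first, then certificates received
from the peer, stopping at a self-signed trust anchor.
"""
from dataclasses import dataclass

MAX_PATH_LEN = 7  # bound on intermediates, chosen for the model (assumption)


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    def is_self_signed(self) -> bool:
        return self.subject == self.issuer


# The chain from the page: end entity -> Let's Encrypt X3 -> DST Root CA X3.
END_ENTITY = Cert("CN=us.npu.io",
                  "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3")
INTERMEDIATE = Cert("C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
                    "O=Digital Signature Trust Co., CN=DST Root CA X3")
ROOT = Cert("O=Digital Signature Trust Co., CN=DST Root CA X3",
            "O=Digital Signature Trust Co., CN=DST Root CA X3")


def verify_chain(end_entity, received, anchors):
    """Walk issuer links from end_entity until a self-signed anchor is reached.

    received: CERT payloads the peer sent (candidate issuers, not trusted)
    anchors:  certificates the client trusts (selected CA or its CA store)
    Returns (ok, path_len, log): path_len counts intermediate CAs, and the
    log reuses the wording of the excerpts where the same situation occurs.
    """
    log = [f'using certificate "{end_entity.subject}"']
    trusted = {c.subject: c for c in anchors}
    untrusted = {c.subject: c for c in received}
    current, path_len = end_entity, 0
    while path_len <= MAX_PATH_LEN:
        issuer = trusted.get(current.issuer)
        if issuer is not None:
            if issuer.is_self_signed():
                log.append(f'using trusted ca certificate "{issuer.subject}"')
                log.append(f"reached self-signed root ca with a path length of {path_len}")
                return True, path_len, log
            log.append(f'using trusted intermediate ca certificate "{issuer.subject}"')
        else:
            issuer = untrusted.get(current.issuer)
            if issuer is None:
                # Exactly the situation in the failing excerpt.
                log.append(f'no issuer certificate found for "{current.subject}"')
                log.append(f"no trusted RSA public key found for '{end_entity.subject}'")
                return False, path_len, log
            if issuer == current:
                # A self-signed cert sent by the peer is no trust anchor.
                log.append(f'self-signed certificate "{current.subject}" is not trusted')
                return False, path_len, log
            # Model wording: the page shows no run in which a peer-sent
            # intermediate was used, so this line is not quoted from it.
            log.append(f'using untrusted intermediate certificate "{issuer.subject}"')
        current, path_len = issuer, path_len + 1
    log.append(f"more than {MAX_PATH_LEN} intermediates, giving up")
    return False, path_len, log


def scenarios():
    """The two runs from the page plus the server-side fix from the reply."""
    return {
        # Working log: both CA certificates were trusted on the client, as the
        # "using trusted ..." lines show.  Server sends only the end-entity cert.
        "no CA selected":
            verify_chain(END_ENTITY, [END_ENTITY], [INTERMEDIATE, ROOT]),
        # Failing log: only DST Root CA X3 trusted, intermediate not sent.
        "root selected, intermediate not sent":
            verify_chain(END_ENTITY, [END_ENTITY], [ROOT]),
        # Fix: intermediate in /etc/ipsec.d/cacerts, so the server sends it.
        "root selected, intermediate sent":
            verify_chain(END_ENTITY, [END_ENTITY, INTERMEDIATE], [ROOT]),
    }


if __name__ == "__main__":
    for name, (ok, path_len, log) in scenarios().items():
        print(f"== {name}: {'ok' if ok else 'AUTH_FAILED'} (path length {path_len})")
        for line in log:
            print("  ", line)
```

The useful check before touching the client is the third scenario: a peer that sends the intermediate lets a client that trusts only the root build the chain, which is why putting the intermediate in /etc/ipsec.d/cacerts on the server is the fix that works for every client profile.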