[strongSwan] iOS IKEv2, signature validation failed

Markus Miedaner markus at marcap.de
Tue Jul 11 13:10:08 CEST 2017


Dear Community,

I'm currently having issues configuring an IPsec VPN with IKEv2 support. I used the "Apple Configurator 2" to create a phone profile which includes the certificates. When I'm trying to connect to the server I get the following error message:

…
Jul 11 12:05:51 delogin charon[6353]: 04[CFG] certificate status is not available
Jul 11 12:05:51 delogin charon[6353]: 04[CFG]   certificate "C=DE, O=Marcap, CN=strongSwan Root CA" key: 4096 bit RSA
Jul 11 12:05:51 delogin charon[6353]: 04[CFG]   reached self-signed root ca with a path length of 0
Jul 11 12:05:51 delogin charon[6353]: 04[CFG]   using trusted certificate "C=DE, O=Marcap, CN=home.marcap.de"
Jul 11 12:05:51 delogin charon[6353]: 04[IKE] signature validation failed, looking for another key
…

This happens even though it finds the certificates. I used the following how-to to configure the server: https://raymii.org/s/tutorials/IPSEC_vpn_with_Ubuntu_16.04.html with the exception that I'm using a server at home, but the router has port forwarding enabled and a static route set. I think that's not the problem, otherwise the communication with the server wouldn't work at all.

Someone else describes a similar issue here: https://discussions.apple.com/thread/7890497?start=0&tstart=0

I used the following commands according to the how-to in order to generate the certificates:
---------------
#server certs

ipsec pki --gen --type rsa --size 4096 --outform der > private/strongswanKey.der
ipsec pki --self --ca --lifetime 3650 --in private/strongswanKey.der --type rsa --dn "C=DE, O=Marcap, CN=strongSwan Root CA" --outform der > cacerts/strongswanCert.der
ipsec pki --gen --type rsa --size 4096 --outform der > private/vpnHostKey.der

ipsec pki --pub --in private/vpnHostKey.der --type rsa | ipsec pki --issue --lifetime 730 --cacert cacerts/strongswanCert.der --cakey private/strongswanKey.der --dn "C=DE, O=Marcap, CN=home.marcap.de" --san home.marcap.de --san 192.168.1.22 --san @192.168.1.22 --flag serverAuth --flag ikeIntermediate --outform der > certs/vpnHostCert.der

#client certs

ipsec pki --gen --type rsa --size 2048 --outform der > private/markusPhoneKey.der

ipsec pki --pub --in private/markusPhoneKey.der --type rsa | ipsec pki --issue --lifetime 730 --cacert cacerts/strongswanCert.der --cakey private/strongswanKey.der --dn "C=DE, O=Marcap, CN=markus@marcap.de" --san "markus@marcap.de" --san "markus@192.168.1.22" --outform der > certs/markusPhoneCert.der

#convert and bundle to p12

openssl rsa -inform DER -in private/markusPhoneKey.der -out private/markusPhoneKey.pem -outform PEM
openssl x509 -inform DER -in certs/markusPhoneCert.der -out certs/markusPhoneCert.pem -outform PEM
openssl x509 -inform DER -in cacerts/strongswanCert.der -out cacerts/strongswanCert.pem -outform PEM

openssl pkcs12 -export -inkey private/markusPhoneKey.pem -in certs/markusPhoneCert.pem -name "Markus's Phone VPN Certificate" -certfile cacerts/strongswanCert.pem -caname "strongSwan Root CA" -out p12/markusPhone.p12
---------------

This is what I configured in the VPN profile for the iPhone (screenshots externally hosted). The phone profile includes the above .p12 file and cacerts/strongswanCert.der:

http://up.picr.de/29749790jy.png
http://up.picr.de/29749788ue.png


Would love to feed back the solution to the referenced websites because I'm sure others struggle with that as well.
Any hints what could go wrong are highly appreciated!

Thanks in advance for helping,
Markus
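The check a practitioner would run before touching the phone profile, as an added example that is not part of the original post or of strongSwan: "signature validation failed, looking for another key" is charon reporting that the AUTH payload signature did not verify with the public key of the certificate it had just selected, so the first things to confirm offline are that the private key inside the .p12 really belongs to the certificate inside the .p12, that the certificate chains to the exact CA file the server has in cacerts/, and that the gateway certificate carries the SAN and EKU flags the how-to asks for. The script below rebuilds a PKI with the same DNs and SANs as the post but uses plain openssl instead of ipsec pki (2048-bit keys to keep it fast), bundles the phone identity into a PKCS#12 the same way the post does, and then reads everything back out of the .p12 file, because that is what iOS actually receives. File names, the working directory and the export passphrase are assumptions; a second CA with the same DN but a fresh key stands in for the common mistake of re-running the CA step of a tutorial.

```shell
#!/bin/sh
# Added example, not code from the post or from strongSwan. Builds a small PKI
# with openssl (assumption: OpenSSL 1.1.1 or newer for -ext/-addext output),
# bundles the client identity into a .p12, and checks the bundle offline.

WORK="${WORK:-$(mktemp -d)}"       # assumption: scratch directory for all files
P12PASS="${P12PASS:-changeit}"     # assumption: export passphrase for the .p12

build_pki() {
    cd "$WORK" || return 1
    # Root CA with the DN from the post. `req -x509` marks it CA:TRUE by default.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout strongswanKey.pem -out strongswanCert.pem \
        -subj "/C=DE/O=Marcap/CN=strongSwan Root CA" >/dev/null 2>&1 || return 1

    # Gateway certificate: FQDN and IP SANs, serverAuth plus ikeIntermediate
    # (OID 1.3.6.1.5.5.8.2.2), matching the --san/--flag options in the post.
    openssl req -new -newkey rsa:2048 -nodes -keyout vpnHostKey.pem \
        -out vpnHost.csr -subj "/C=DE/O=Marcap/CN=home.marcap.de" >/dev/null 2>&1 || return 1
    cat > vpnHost.ext <<'EOF'
subjectAltName=DNS:home.marcap.de,IP:192.168.1.22
extendedKeyUsage=serverAuth,1.3.6.1.5.5.8.2.2
keyUsage=digitalSignature,keyEncipherment
EOF
    openssl x509 -req -in vpnHost.csr -CA strongswanCert.pem -CAkey strongswanKey.pem \
        -CAcreateserial -days 730 -extfile vpnHost.ext -out vpnHostCert.pem >/dev/null 2>&1 || return 1

    # Phone certificate with the e-mail identity used as IDi by the client.
    openssl req -new -newkey rsa:2048 -nodes -keyout markusPhoneKey.pem \
        -out markusPhone.csr -subj "/C=DE/O=Marcap/CN=markus@marcap.de" >/dev/null 2>&1 || return 1
    printf 'subjectAltName=email:markus@marcap.de\nkeyUsage=digitalSignature\n' > markusPhone.ext
    openssl x509 -req -in markusPhone.csr -CA strongswanCert.pem -CAkey strongswanKey.pem \
        -CAcreateserial -days 730 -extfile markusPhone.ext -out markusPhoneCert.pem >/dev/null 2>&1 || return 1

    # Key + certificate + CA in one PKCS#12, as in the post's openssl pkcs12 line.
    openssl pkcs12 -export -inkey markusPhoneKey.pem -in markusPhoneCert.pem \
        -certfile strongswanCert.pem -name "Markus's Phone VPN Certificate" \
        -passout "pass:$P12PASS" -out markusPhone.p12 >/dev/null 2>&1 || return 1
}

# A CA with the identical DN but a new key: a cert issued by the old CA still
# "finds" a CA by name but can no longer be verified, which is why DN matches in
# the log prove nothing about which key signed what.
make_stale_ca() {
    cd "$WORK" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -keyout staleKey.pem \
        -out staleCert.pem -subj "/C=DE/O=Marcap/CN=strongSwan Root CA" >/dev/null 2>&1
}

# check_bundle [CA file the server has in cacerts/]
# Prints "ok" or the name of the first failing check. Everything about the
# client is read back from the .p12, not from the loose PEM files.
check_bundle() {
    cd "$WORK" || return 1
    ca="${1:-strongswanCert.pem}"
    openssl pkcs12 -in markusPhone.p12 -passin "pass:$P12PASS" -nocerts -nodes -out p12key.pem >/dev/null 2>&1 \
        || { echo "p12-unreadable"; return 0; }
    openssl pkcs12 -in markusPhone.p12 -passin "pass:$P12PASS" -clcerts -nokeys -out p12cert.pem >/dev/null 2>&1 \
        || { echo "p12-no-client-cert"; return 0; }
    openssl pkcs12 -in markusPhone.p12 -passin "pass:$P12PASS" -cacerts -nokeys -out p12ca.pem >/dev/null 2>&1 \
        || { echo "p12-no-ca"; return 0; }

    # 1. The key in the bundle must be the key of the certificate in the bundle:
    #    compare the SubjectPublicKeyInfo derived from each side.
    openssl pkey -in p12key.pem -pubout -out p12key.pub 2>/dev/null || { echo "key-unreadable"; return 0; }
    openssl x509 -in p12cert.pem -pubkey -noout > p12cert.pub 2>/dev/null || { echo "cert-unreadable"; return 0; }
    cmp -s p12key.pub p12cert.pub || { echo "key-cert-mismatch"; return 0; }

    # 2. The client cert must verify against the CA file the server actually uses.
    openssl verify -CAfile "$ca" p12cert.pem >/dev/null 2>&1 || { echo "client-chain"; return 0; }

    # 3. The CA shipped inside the .p12 must be that same CA, not a look-alike.
    [ "$(openssl x509 -in p12ca.pem -noout -fingerprint -sha256)" = \
      "$(openssl x509 -in "$ca" -noout -fingerprint -sha256)" ] || { echo "ca-mismatch"; return 0; }

    # 4. Gateway cert: chains, has the FQDN as SAN and serverAuth in its EKU.
    openssl verify -CAfile "$ca" vpnHostCert.pem >/dev/null 2>&1 || { echo "server-chain"; return 0; }
    openssl x509 -in vpnHostCert.pem -noout -ext subjectAltName 2>/dev/null \
        | grep -q 'DNS:home.marcap.de' || { echo "server-san"; return 0; }
    openssl x509 -in vpnHostCert.pem -noout -ext extendedKeyUsage 2>/dev/null \
        | grep -q 'TLS Web Server Authentication' || { echo "server-eku"; return 0; }
    echo ok
}

build_pki || { echo "PKI build failed (is openssl installed?)" >&2; exit 1; }
echo "bundle check against server CA: $(check_bundle)"
```

Run it as is and it should print `ok`; pointing `check_bundle` at a different CA file reproduces the `client-chain` failure you would get after regenerating the CA without reissuing the client certificate. If the bundle passes all four checks, the remaining suspects are on the phone side (which certificate the profile's IKEv2 payload actually references, and which identity it sends), not in the files.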