[strongSwan] iOS IKEv2, signature validation failed

Markus Miedaner markus at marcap.de
Tue Jul 11 13:14:57 CEST 2017 

I’m very sorry but I forgot to mention that I uploaded the full log file of the connection attempt here: https://pastebin.com/WeqEwSwF <https://pastebin.com/WeqEwSwF>

Thanks,
Markus

> Am 11.07.2017 um 13:10 schrieb Markus Miedaner <markus at marcap.de <mailto:markus at marcap.de>>:
> 
> Dear Community,
> 
> I’m currently having issues configuring a IPsec VPN with IKEv2 support. I used the „Apple Configurator 2“ to create a phone profile which includes the certificates. When I’m trying to connect to the server I get the following error message:
> 
>> Jul 11 12:05:51 delogin charon[6353]: 04[CFG] certificate status is not available
> Jul 11 12:05:51 delogin charon[6353]: 04[CFG]   certificate "C=DE, O=Marcap, CN=strongSwan Root CA" key: 4096 bit RSA
> Jul 11 12:05:51 delogin charon[6353]: 04[CFG]   reached self-signed root ca with a path length of 0
> Jul 11 12:05:51 delogin charon[6353]: 04[CFG]   using trusted certificate "C=DE, O=Marcap, CN=home.marcap.de <http://home.marcap.de/>"
> Jul 11 12:05:51 delogin charon[6353]: 04[IKE] signature validation failed, looking for another key
>> 
> Even though it finds the certificates. I used the following how-to to configure the server: https://raymii.org/s/tutorials/IPSEC_vpn_with_Ubuntu_16.04.html <https://raymii.org/s/tutorials/IPSEC_vpn_with_Ubuntu_16.04.html> with the exception that I’m using a server at home but the router has port forwarding enabled and a static route set. I think that’s not the problem otherwise the communication with the server wouldn’t work at all.
> 
> Someone else describes a similar issue here: https://discussions.apple.com/thread/7890497?start=0&tstart=0 <https://discussions.apple.com/thread/7890497?start=0&tstart=0> 
> 
> I used the following commands according to the how-to in order to generate the certificates:
> ---------------
> #server certs
> 
> ipsec pki --gen --type rsa --size 4096 --outform der > private/strongswanKey.der
> ipsec pki --self --ca --lifetime 3650 --in private/strongswanKey.der --type rsa --dn "C=DE, O=Marcap, CN=strongSwan Root CA" --outform der > cacerts/strongswanCert.der
> ipsec pki --gen --type rsa --size 4096 --outform der > private/vpnHostKey.der
> 
> ipsec pki --pub --in private/vpnHostKey.der --type rsa | ipsec pki --issue --lifetime 730 --cacert cacerts/strongswanCert.der --cakey private/strongswanKey.der --dn "C=DE, O=Marcap, CN=home.marcap.de <http://home.marcap.de/>" --san home.marcap.de <http://home.marcap.de/> --san 192.168.1.22 --san @192.168.1.22 --flag serverAuth --flag ikeIntermediate --outform der > certs/vpnHostCert.der
> 
> #client certs
> 
> ipsec pki --gen --type rsa --size 2048 --outform der > private/markusPhoneKey.der
> 
> ipsec pki --pub --in private/markusPhoneKey.der --type rsa | ipsec pki --issue --lifetime 730 --cacert cacerts/strongswanCert.der --cakey private/strongswanKey.der --dn "C=DE, O=Marcap, CN=markus at marcap.de <mailto:CN=markus at marcap.de>" --san "markus at marcap.de <mailto:markus at marcap.de>" --san "markus at 192.168.1.22 <mailto:markus at 192.168.1.22>" --outform der > certs/markusPhoneCert.der
> 
> #convert and bundle to p12
> 
> openssl rsa -inform DER -in private/markusPhoneKey.der -out private/markusPhoneKey.pem -outform PEM
> openssl x509 -inform DER -in certs/markusPhoneCert.der -out certs/markusPhoneCert.pem -outform PEM
> openssl x509 -inform DER -in cacerts/strongswanCert.der -out cacerts/strongswanCert.pem -outform PEM
> 
> openssl pkcs12 -export -inkey private/markusPhoneKey.pem -in certs/markusPhoneCert.pem -name "Markus's Phone VPN Certificate" -certfile cacerts/strongswanCert.pem -caname "strongSwan Root CA" -out p12/markusPhone.p12
> ———————
> 
> This is what I configured in the VPN profile for the iPhone (screenshots externally hosted). The phone profile includes the above .p12 file and cacerts/strongswanCert.der:
> 
> http://up.picr.de/29749790jy.png <http://up.picr.de/29749790jy.png>
> http://up.picr.de/29749788ue.png <http://up.picr.de/29749788ue.png> 
> 
> 
> Would love to feed back the solution to the referenced websites because I’m sure other’s struggle with that as well. 
> Any hints what could go wrong are highly appreciated!
> 
> Thanks in advance for helping,
> Markus

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170711/e1b9b4b6/attachment-0001.html>

More information about the Users mailing list