[strongSwan] mobileconfig file - do i need to install a root CA
Alex Sharaz
alex.sharaz at york.ac.uk
Wed Jan 10 12:44:50 CET 2018
Hi,

I've got a .mobileconfig file set up that will allow a macOS/iOS user to
connect to my SSwan VPN server (5.6.1).

In it I have a cert payload defined containing both the intermediate and
root cert of the server certificate. This all works just fine.

However, our security people are objecting to the fact that I'm installing
a root CA on the client device.

Server cert has an intermediate cert between it and the root CA.

server config is

conn it-services-ikev2
    left=%any
    leftauth=pubkey
    leftcert=vpn.york.ac.uk.pem
    leftid=@vpn.york.ac.uk
    leftsendcert=always
    leftsubnet=0.0.0.0/0,::/0
    leftfirewall=yes
    right=%any
    rightauth=eap-radius
    rightsendcert=never
    rightgroups="Cserv"
    eap_identity=%any
    keyexchange=ikev2
    rightsourceip=%itservices
    fragmentation=yes
    auto=add

If I remove the root cert from the mobileconfig, connection fails. Should I
be able to connect without the root CA in the payload?
Rgds
Alex