[strongSwan] mobileconfig file - do i need to install a root CA

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Thu Jan 11 13:17:15 CET 2018


Put the root CA and the intermediate CAs into /etc/ipsec.d/cacerts, then run `ipsec stroke rereadcacerts` and then retry.
If that does not help, check the logs of iOS. You can get access to them via Apple's SDK.

On 11.01.2018 13:13, Alex Sharaz wrote:
> That's what is confusing: it's the QuoVadis root CA, which is one we use on a whole batch of servers, and my OS X machine validates those certs just fine ... and I can see them (root and intermediate) in the system root keystore ... but certainly if I remove it from the mobileconfig file I don't connect; if I put it in there I do.
> A
> 
> On 11 January 2018 at 12:01, Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
> 
>     Hi,
> 
>     You only need to install a root certificate if the issuer of your server certificate or its root certificate is not in the client's certificate store.
>     A client needs to be able to verify the server's certificate from the root to the server certificate. That includes CRLs and OCSP.
> 
>     That's PKI 101.
> 
>     Kind regards
> 
>     Noel
> 
>     On 10.01.2018 12:44, Alex Sharaz wrote:
>     > Hi,
>     > I've got a .mobileconfig file set up that will allow a macOS/iOS user to connect to my SSwan VPN server (5.6.1)
>     > In it I have a cert payload defined containing both the intermediate and root cert of the server certificate. This all works just fine
>     >
>     > However, our security people are objecting to the fact that I'm installing a root CA on the client device.
>     >
>     > Server cert has an intermediate cert between it and the root CA
>     >
>     > server config is
>     >
>     > conn it-services-ikev2
>     >   left=%any
>     >   leftauth=pubkey
>     >   leftcert=vpn.york.ac.uk.pem
>     >   leftid=@vpn.york.ac.uk
>     >   leftsendcert=always
>     >   leftsubnet=0.0.0.0/0,::/0
>     >   leftfirewall=yes
>     >   right=%any
>     >   rightauth=eap-radius
>     >   rightsendcert=never
>     >   rightgroups="Cserv"
>     >   eap_identity=%any
>     >   keyexchange=ikev2
>     >   rightsourceip=%itservices
>     >   fragmentation=yes
>     >   auto=add
>     >
>     >
>     > If I remove the root cert from the mobileconfig, connection fails. Should I be able to connect without the root CA in the payload?
>     >
>     > Rgds
>     > Alex
>     >
> 
> 
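The chain requirement Noel describes above (the client validates from its trust anchor down to the server certificate, which is why the gateway has to send its intermediate) as an added example that is not from the thread: a throwaway root, intermediate and server certificate are built with the openssl CLI and the server certificate is then verified with and without the intermediate. The CA names and the hostname vpn.example.test are made up, and the script needs only the openssl command.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway root -> intermediate -> server
# chain and verify the server cert the way a client must, with and without the
# intermediate. Names are made up; everything lives in a temporary directory.
set -e
WORK=$(mktemp -d)
cd "$WORK"
# Minimal openssl config: CA extensions for root/intermediate, end-entity ones for the server
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[srv_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:vpn.example.test
EOF
# Root CA: self-signed trust anchor (the part the client's store already holds)
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config pki.cnf -extensions ca_ext \
  -subj "/CN=Example Root CA" -keyout root.key -out root.pem 2>/dev/null
# Intermediate CA, issued by the root
openssl req -new -newkey rsa:2048 -nodes -config pki.cnf -subj "/CN=Example Intermediate CA" \
  -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -days 2 -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -extfile pki.cnf -extensions ca_ext -out int.pem 2>/dev/null
# Server certificate, issued by the intermediate (the gateway's leftcert)
openssl req -new -newkey rsa:2048 -nodes -config pki.cnf -subj "/CN=vpn.example.test" \
  -keyout srv.key -out srv.csr 2>/dev/null
openssl x509 -req -days 2 -in srv.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -extfile pki.cnf -extensions srv_ext -out srv.pem 2>/dev/null

# verify_chain ANCHOR [INTERMEDIATE]: prints 1 if srv.pem chains to ANCHOR using the
# optional untrusted INTERMEDIATE (as a peer would send it), 0 otherwise.
verify_chain() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" srv.pem >/dev/null 2>&1 && echo 1 || echo 0
  else
    openssl verify -CAfile "$1" srv.pem >/dev/null 2>&1 && echo 1 || echo 0
  fi
}

echo "root trusted, intermediate supplied: $(verify_chain root.pem int.pem)"   # 1
echo "root trusted, intermediate missing:  $(verify_chain root.pem)"           # 0
echo "only intermediate trusted:           $(verify_chain int.pem)"            # 0
```

The third case is the one that matters for the thread: trusting only the intermediate is not enough for a verifier that insists on reaching a self-signed root, so the client must already trust the root and the gateway must supply the intermediate.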
