[strongSwan] mobileconfig file - do i need to install a root CA

Giuseppe De Marco giuseppe.demarco at unical.it
Thu Jan 11 13:29:23 CET 2018


You can even use charon-cmd this way:

charon-cmd --host SERVER_HOSTNAME --profile ikev2-eap --identity LOGIN
--cert /PATH/TO/ca.crt

Using a valid CA lets Windows10 and MacOSX clients run without CA.crt, with
GNU/Linux we have to have ca.crt instead

2018-01-11 13:17 GMT+01:00 Noel Kuntze <
noel.kuntze+strongswan-users-ml at thermi.consulting>:

> Put the root CA and the intermediate CAs into /etc/ipsec.d/cacerts, then
> run `ipsec stroke rereadcacerts` and then retry.
> If that does not help, check the logs of iOS. You can get access to them
> via Apple's SDK.
>
> On 11.01.2018 13:13, Alex Sharaz wrote:
> > Thats what is  confusing, its the QuoVadis root CA which is one we use
> on a whole batch of servers and my osx machine validates those certs just
> fine. ... and I can see them ( root and intermediate)  in the system root
> keystore... but certainly if I remove it from the mobileconfig file I don't
> connect ,if I put it in there I do
> > A
> >
> > On 11 January 2018 at 12:01, Noel Kuntze <noel.kuntze+strongswan-users-
> ml at thermi.consulting <mailto:noel.kuntze+strongswan-users-ml at thermi.
> consulting>> wrote:
> >
> >     Hi,
> >
> >     You only need to install a root certificate, if the issuer of your
> server certificate or its root certificate are not in the client's
> certificate store.
> >     A client needs to be able to verify the server's certificate from
> the root to the server certificate. That includes CRLs and OCSP.
> >
> >     That's PKI 101.
> >
> >     Kind regards
> >
> >     Noel
> >
> >     On 10.01.2018 12:44, Alex Sharaz wrote:
> >     > Hi,
> >     > I've got a .mobileconfig file set up that will allow a macOS/iOS
> user to connect to my SSwan VPN server (5.6.1)
> >     > In it I have a cert payload defined containing both the
> intermediate and root cert of the server certificate. This all works just
> fine
> >     >
> >     > However, our security people are objecting to the fact that I'm
> installing a root CA on the client device.
> >     >
> >     > Server cert has an intermediate cet between it and the root CA
> >     >
> >     > server config is
> >     >
> >     > conn it-services-ikev2
> >     >   left=%any
> >     >   leftauth=pubkey
> >     >   leftcert=vpn.york.ac.uk.pem
> >     >   leftid=@vpn.york.ac.uk <http://vpn.york.ac.uk> <
> http://vpn.york.ac.uk>
> >     >   leftsendcert=always
> >     >   leftsubnet=0.0.0.0/0,::/0 <http://0.0.0.0/0,::/0> <
> http://0.0.0.0/0,::/0>
> >     >   leftfirewall=yes
> >     >   right=%any
> >     >   rightauth=eap-radius
> >     >   rightsendcert=never
> >     >   rightgroups="Cserv"
> >     >   eap_identity=%any
> >     >   keyexchange=ikev2
> >     >   rightsourceip=%itservices
> >     >   fragmentation=yes
> >     >   auto=add
> >     >
> >     >
> >     > If I remove the root cert from the mobileconfig, connection fails.
> Should I be able to connect without the root CA in the payload?
> >     >
> >     > Rgds
> >     > Alex
> >     >
> >
> >
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180111/0f3a0fda/attachment.html>


More information about the Users mailing list