[strongSwan] problem with IOS / Iphone, android works okay, please help :)
Lewis Robson
robsonl at conscious.co.uk
Thu Oct 7 16:34:57 CEST 2021
Hello all,
We are having some problems connecting an iPhone user to the
strongSwan solution. Android works okay through the strongSwan app;
however, Apple doesn't seem to work and doesn't have a strongSwan app.
The certificates are signed by our external CA, the user certs were
generated the same way and, as mentioned, the Android config (a different
config to the one below) works fine (and iOS doesn't work with our
Android config).
The error we are seeing when trying to connect the iPhone is:
received TLS peer certificate
Oct 7 15:27:19 charon[21758]: 12[TLS] received TLS intermediate certificate CN=our CA, E=ca at company'
Oct 7 15:27:19 charon[21758]: 12[TLS] no trusted certificate found for 'user' to verify TLS peer
Oct 7 15:27:19 charon[21758]: 12[TLS] sending fatal TLS alert 'certificate unknown'
The user has the CA as well as the key(s) on the phone.
The ipsec.conf config we are using:
conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@cerberus.conscious.co.uk
    leftcert=theservercertificate
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-tls
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%identity
    ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
    esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128gcm16,aes128gcm16-ecp256,aes256-sha1,aes256-sha256,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16,aes256gcm16-ecp384,3des-sha1!
Any help much appreciated.
Thank you