[strongSwan] iphone-to-strongswan configuration - working example.
Tobias Brunner
tobias at strongswan.org
Thu Jun 23 10:05:40 CEST 2022
Hi Kamil,
> It has to be:
> --8<---------------cut here---------------start------------->8---
> openssl pkcs12 -export -legacy -inkey private/key -in cert -out cert.p12
> --8<---------------cut here---------------end--------------->8---
> and then profile was installed correctly.
Note that `-legacy` is an option only available since OpenSSL 3. It
causes the legacy crypto provider to get loaded, which makes RC2 and
3DES available and the latter the default algorithm to encrypt the
private key. Without that option AES256-CBC is used instead and PBKDF2
replaces the legacy PKCS#12 KDF to derive the encryption key. Apple
clients apparently only support the old PKCS#5 schemes.
I've added this to the known issues in the documentation [1].
Regards,
Tobias
[1] https://docs.strongswan.org/docs/5.9/interop/appleIkev2Profile.html#_known_issues
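The following is an added example, not part of the message above or of the strongSwan documentation: shell helpers that pass `-legacy` only where the installed OpenSSL has it, and that confirm from `openssl pkcs12 -info` output which schemes a container actually uses before it is shipped in a profile. The function names are hypothetical, and the matched strings assume the algorithm names OpenSSL prints in its `-info` output.

```shell
#!/bin/sh
# Added example; file names and passwords passed in are the caller's choice.

# Major version of the installed OpenSSL ("3", "1", or empty if not OpenSSL).
openssl_major() {
    openssl version | sed -n 's/^OpenSSL \([0-9][0-9]*\)\..*/\1/p'
}

# Prints "-legacy" on OpenSSL 3 and later. Older releases lack the option
# and already default to the old PKCS#12 schemes, so nothing is printed.
legacy_flag() {
    if [ "$(openssl_major)" -ge 3 ] 2>/dev/null; then echo "-legacy"; fi
}

# export_p12 KEY CERT OUT PASS [extra pkcs12 options, e.g. $(legacy_flag)]
export_p12() {
    key=$1; cert=$2; out=$3; pass=$4; shift 4
    openssl pkcs12 -export "$@" -inkey "$key" -in "$cert" \
        -out "$out" -passout "pass:$pass"
}

# p12_algorithms FILE PASS: prints the MAC and encryption scheme lines.
# -info writes to stderr; -noout keeps key and certificate out of the output.
p12_algorithms() {
    # shellcheck disable=SC2046  # the flag is intentionally word-split
    openssl pkcs12 -info -noout $(legacy_flag) -in "$1" -passin "pass:$2" 2>&1 |
        grep -E '^(MAC|PKCS7 Encrypted data|Shrouded Keybag):'
}

# uses_legacy_pbe FILE PASS: succeeds if the key bag uses the 3DES PKCS#12
# scheme and nothing in the container uses PBES2/PBKDF2.
uses_legacy_pbe() {
    algs=$(p12_algorithms "$1" "$2") || return 1
    echo "$algs" | grep -q 'Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC' || return 1
    if echo "$algs" | grep -q 'PBES2'; then return 1; fi
    return 0
}
```

Typical use is `export_p12 private/key cert cert.p12 "$PASS" $(legacy_flag)` followed by `uses_legacy_pbe cert.p12 "$PASS"`; on OpenSSL 3 an export made without the flag fails the check.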