[strongSwan] problem with IOS / Iphone, android works okay, please help :)

Thu, 07 Oct 2021 07:35:09 -0700 

Hello all,
we are having some problems connecting in an iphone user to the strongswan solution, android works okay, through the strongswan app, however apple doesnt seem to work and doesnt have a strongswan app. 



the certificates are signed by our external ca, the user certs were 
generated the same way and as mentioned the android config( a different 
config to the one below) works fine (and ios doesnt work with out 
android config)


the error we are seeing when trying to connect in the iphone is:

received TLS peer certificate
Oct  7 15:27:19 charon[21758]: 12[TLS] received TLS intermediate certificate

CN=our CA, E=ca@company'


Oct  7 15:27:19 charon[21758]: 12[TLS] no trusted certificate found for 
'user' to verify TLS peer
Oct  7 15:27:19 charon[21758]: 12[TLS] sending fatal TLS alert 
'certificate unknown'



the user has the CA aswell as the key(s) on the phone.


the config ipsec.conf we are using:

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@cerberus.conscious.co.uk
    leftcert=theservercertificate
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-tls
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%identity
ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128gcm16,aes128gcm16-ecp256,aes256-sha1,aes256-sha256,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16,aes256gcm16-ecp384,3des-sha1!


any help much appreciated

thankyou
























					Reply via email to