Our CA cert is in PEM format. So, the VPN Gateway (IP or Domain Name) does appear in CN or Subject Alternate Name of the server certificate, correct? If not, that sure will cause the iPhone error you described - "Could not validate the server certificate".
Beyond that, I'm afraid I don't have much to offer.

Thanks,
Bharath Kumar

On Wed, Jan 2, 2013 at 4:55 AM, Jason <[email protected]> wrote:
> Bharath,
>
> On Tue, Jan 01, 2013 at 08:13:54PM -0800, Bharath Kumar wrote:
> > On Tue, Jan 1, 2013 at 7:45 PM, Jason <[email protected]> wrote:
> > > I just got strongswan installed on my debian squeeze box this evening.
> > > everything seems to be going smoothly (eg I'm behind a nat that
> > > _actually_ forwards esp packets) until I try to connect. My iphone
> > > gives me "Could not validate the server certificate".
> > >
> > > I'm using the IPSec configuration (no l2tp) with my own CA.
> > >
> > > So, I've tried a bunch of different flavors of "openssl pkcs12 -export
> > > ..." to generate a .p12 of my ca. No matter what I do, I get "The
> > > container "Identity Certificate" must contain only one certificate and
> > > its private key."
> > >
> > > Is apple really that daft as to require the CA's _private_ key? No, I'm
> > > probably missing something. Any pointers? I think I reached the end of
> > > both duckduckgo and google...
> > >
> > Not sure if you are using the procedure documented here but it worked
> > flawlessly for us.
> > http://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple).
>
> Yes, these are the exact instructions I followed.
>
> > One thing I was going to ask is to check if you have
> > (a) installed the client certificate in PKCS #12 format AND
>
> Did that, including key.
>
> > (b) Installed your CA certificate ADDITIONALLY
>
> What format was your CA certificate? pkcs12? What exact command did
> you use to convert it?
>
> thx,
>
> Jason.
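One way to run the check raised in the reply above (does the gateway's IP or domain name appear in the server certificate, and does that certificate chain to the installed CA), as an added example that is not part of the original thread. The file names, `vpn.example.test` and both function names are assumptions, and the certificates are throwaway ones generated for the demo.

```shell
#!/bin/sh
# Added example. All names and files are constructed sample values.
GW_NAME="vpn.example.test"   # hypothetical name the iPhone is told to dial

make_demo_pki() {            # $1 = directory to fill with a throwaway CA + gateway cert
    d=$1
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/demo.cnf"
    openssl req -x509 -config "$d/demo.cnf" -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Demo CA" -keyout "$d/caKey.pem" -out "$d/caCert.pem" 2>/dev/null
    openssl req -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$GW_NAME" -keyout "$d/gwKey.pem" -out "$d/gw.csr" 2>/dev/null
    # The gateway name goes into subjectAltName, which is what the client compares.
    printf 'subjectAltName=DNS:%s\n' "$GW_NAME" > "$d/san.ext"
    openssl x509 -req -in "$d/gw.csr" -CA "$d/caCert.pem" -CAkey "$d/caKey.pem" \
        -CAcreateserial -days 30 -extfile "$d/san.ext" -out "$d/gwCert.pem" 2>/dev/null
}

check_gateway_cert() {       # $1 = CA cert (PEM), $2 = gateway cert, $3 = name or IPv4
    # The CA file handed to the phone should hold the certificate only.
    if grep -q 'PRIVATE KEY' "$1"; then
        echo "CA file contains a private key"; return 3
    fi
    # The gateway certificate must chain to that CA.
    if ! openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo "gateway cert does not chain to CA"; return 1
    fi
    # Dotted-decimal input is checked as an IP address, anything else as a host name.
    case $3 in
        *[!0-9.]*) opt=-checkhost ;;
        *)         opt=-checkip ;;
    esac
    if ! openssl x509 -in "$2" -noout "$opt" "$3" | grep -q 'does match'; then
        echo "gateway name not in certificate"; return 2
    fi
    echo "ok"
}

# Stand-alone run on the constructed certificates.
demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
check_gateway_cert "$demo_dir/caCert.pem" "$demo_dir/gwCert.pem" "$GW_NAME"
rm -rf "$demo_dir"
```
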
