Hi Martin,
thank you very much for your answer.
As Peter wrote, the only way to disable XAuth is using an IPCU profile. I'm
discussing that issue with our MDM vendor because currently they don't support
setting the XAuthEnabled parameter.
Maybe one should add that parameter to the wiki article about iOS devices.
About my second issue, I have a question regarding the CRL signing. The CRL is
produced by our root CA (Microsoft-based). I put the certificate of the CA in
ipsec.d/cacerts/. Do I need to put that (or another?) certificate for CRL
verification into another subfolder of ipsec.d/? Or does the CA certificate have
to be part of the OpenSSL trust chain of the local system?
The key usage of the CA certificate looks right:
    X509v3 extensions:
        X509v3 Key Usage:
            Digital Signature, Certificate Sign, CRL Sign
        X509v3 Basic Constraints: critical
            CA:TRUE
bye
Daniel
Visit WAREMA at ISH 2013 in Frankfurt.
12.03. - 16.03.2013, Hall 10.3, Stand A79
http://www.warema.de
-----Original Message-----
From: Martin Willi [mailto:[email protected]]
Sent: Wednesday, 27 February 2013 09:06
To: Fiederling, Daniel
Cc: '[email protected]'
Subject: Re: [strongSwan] iOS (iPad) connections without xauth
Hi Daniel,
> if I change the authby to rsasig it seems as if the client still tries
> to enforce xauth:
I'm not sure, but I don't think there is a way to configure the native iOS
client to use certificate authentication only. It always wants to do XAuth.
You may try the patch at [1]; it implements a simple XAuth mechanism that does
no authentication, but just returns SUCCESS. With the patch applied, configure
rightauth2=xauth-noauth.
> 01[CFG] checking certificate status of "***del***
> [email protected]"
> 01[CFG] fetching crl from 'http://cert.example.org/CertEnroll/myca.crl' ...
> 01[CFG] using trusted certificate "DC=org, DC=example, CN=myca"
> 01[CFG] crl response verification failed
The daemon is unable to verify the CRL signature, therefore the CRL can't be
used to check for revoked certificates. Do you have the CRL signer certificate
and the full trust-chain installed on your system?
Does it have the CRLSigner X509 keyusage or the CA basic constraint flag set?
> 01[LIB] LDAP bind to 'ldap:///CN=myca,[...]' failed: Can't contact
> LDAP server
Your LDAP URI does not contain any host information. Unfortunately there is
currently no way to configure a static LDAP host for your URIs in strongSwan.
Regards
Martin
[1] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=fb780b21
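The two things Martin asks about ("do you have the CRL signer certificate installed, and does it have the CRL Sign key usage?") can be checked by hand with the openssl CLI before touching the daemon. The script below is an added example, not part of this thread and not strongSwan code: it builds a throwaway CA and CRL locally so it runs offline, then runs the same two checks against the certificate one would drop into ipsec.d/cacerts/. The DN DC=org,DC=example,CN=myca, the file names and the "stale copy of the CA certificate after a renewal" scenario are all constructed for the demo; the CRL is written as DER because that is the usual shape of a CertEnroll .crl, and the script falls back to PEM. It needs an OpenSSL 1.1.1 or newer openssl binary.

```shell
#!/bin/sh
# Added example (not from the strongSwan thread): reproduce locally the checks
# behind "crl response verification failed":
#   1. does the CA certificate we put in ipsec.d/cacerts/ carry "CRL Sign"?
#   2. does that certificate actually verify the signature on the fetched CRL?
# All names, DNs and files here are made up; keys and CRLs are generated with
# the openssl CLI so nothing is fetched from the network.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca FILE CN KEYUSAGE: self-signed CA cert + key in $WORK/FILE.crt / .key.
# A private req config is used so the system openssl.cnf cannot add extensions.
make_ca() {
    cat > "$WORK/$1.req.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,$3
subjectKeyIdentifier = hash
EOF
    # -subj overrides the placeholder in the [ dn ] section
    openssl req -config "$WORK/$1.req.cnf" -x509 -newkey rsa:2048 -nodes -sha256 \
        -days 365 -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
        -subj "/DC=org/DC=example/CN=$2" >/dev/null 2>&1
}

# make_crl FILE: empty CRL signed by $WORK/FILE.key, stored as DER in
# $WORK/FILE.crl (the usual encoding of a Microsoft CertEnroll .crl).
make_crl() {
    : > "$WORK/$1.index"            # openssl ca insists on a (possibly empty) database
    cat > "$WORK/$1.cnf" <<EOF
[ ca ]
default_ca = local_ca
[ local_ca ]
database = $WORK/$1.index
certificate = $WORK/$1.crt
private_key = $WORK/$1.key
default_md = sha256
default_crl_days = 30
EOF
    openssl ca -config "$WORK/$1.cnf" -gencrl -out "$WORK/$1.crl.pem" >/dev/null 2>&1
    openssl crl -in "$WORK/$1.crl.pem" -outform DER -out "$WORK/$1.crl" 2>/dev/null
}

# crl_signer_ok CERT: true if the X509v3 Key Usage of CERT lists "CRL Sign"
crl_signer_ok() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | awk '/X509v3 Key Usage/ { getline; print }' | grep -q 'CRL Sign'
}

# verify_crl CRL CERT: true if CERT is found by the CRL's issuer DN and its key
# verifies the CRL signature, the two things the daemon needs. Tries DER, then
# PEM. The exit status of "openssl crl" on a bad signature differs between
# OpenSSL versions, so the decision is keyed on the "verify OK" line instead.
verify_crl() {
    for fmt in DER PEM; do
        out=$(openssl crl -inform "$fmt" -in "$1" -CAfile "$2" -no-CApath -noout 2>&1) || true
        case $out in
            *"verify OK"*)      return 0 ;;
            *"verify failure"*) return 1 ;;   # issuer DN matched, signature did not
        esac
    done
    return 1    # not parseable, or no certificate with the CRL's issuer DN
}

# report LABEL CMD...: run one check and print the outcome without tripping set -e
report() {
    label=$1; shift
    if "$@"; then echo "PASS: $label"; else echo "FAIL: $label"; fi
}

# Constructed scenario: "myca" has Digital Signature, Certificate Sign, CRL Sign
# like the CA in the thread. "myca-old" is an earlier certificate of the same CA
# (same DN, different key), the kind of stale copy that lingers in cacerts/ after
# a CA renewal. "nocrl" is a CA that was never allowed to sign CRLs.
make_ca myca     myca  "digitalSignature,keyCertSign,cRLSign"
make_ca myca-old myca  "digitalSignature,keyCertSign,cRLSign"
make_ca nocrl    nocrl "digitalSignature,keyCertSign"
make_crl myca

report "myca.crt has CRL Sign"                            crl_signer_ok "$WORK/myca.crt"
report "nocrl.crt has CRL Sign (expected FAIL)"           crl_signer_ok "$WORK/nocrl.crt"
report "CRL verifies with current myca.crt"               verify_crl "$WORK/myca.crl" "$WORK/myca.crt"
report "CRL verifies with stale myca-old.crt (expected FAIL)" verify_crl "$WORK/myca.crl" "$WORK/myca-old.crt"
```

Run against a real deployment, the interesting call is the last one: pass the CRL the daemon fetched and the exact file from ipsec.d/cacerts/ to verify_crl. A "verify failure" with a matching issuer DN means the key in the installed certificate is not the one that signed the CRL; no match at all means the CRL is signed by a certificate that is not installed (for a Microsoft CA that has a dedicated CRL signer, that is the "or another?" certificate from the question, and it needs the CRL Sign key usage just the same).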
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users