Hi Roger,

> Aug 6 16:45:50charon: 11[ENC] <con1|63> generating IKE_AUTH response 1 [
> IDr AUTH EAP/REQ/ID ]

As can be seen above, the server does not send its certificate (CERT payload is missing), which the client will require to verify the signature in the AUTH payload. As described in the profile template at [1], iOS won't send a certificate request if ServerCertificateIssuerCommonName is not set in the configuration profile. And if strongSwan does not receive one it will not send its own certificate, by default.

To fix this either specify the CA's CN (not the full DN) in the client profile, or set `leftsendcert=always` in the server config to force strongSwan to send its own certificate even if no certificate request is received.

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile
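
An added example, not part of the original email: a Python check that scans charon `[ENC]` log lines for the situation described above, a first IKE_AUTH response carrying IDr and AUTH but no CERT, and reports whether the client's request contained CERTREQ. The function names, finding texts and sample log lines are constructed for illustration; the first response line is modelled on the one quoted in the email.

```python
import re

# charon [ENC] lines look like:
#   11[ENC] <con1|63> generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
ENC_LINE = re.compile(
    r"\[ENC\] <(?P<sa>[^>]+)> (?P<verb>parsed|generating) "
    r"IKE_AUTH (?P<kind>request|response) \d+ \[(?P<payloads>[^\]]*)\]"
)

def payload_names(raw):
    """Split a payload list, dropping details such as CPRQ(ADDR DNS)."""
    return re.sub(r"\([^)]*\)", "", raw).split()

def diagnose(log_text):
    """Return {sa: finding} for server responses that authenticate without CERT."""
    certreq_seen = {}  # sa -> client sent CERTREQ in an IKE_AUTH request
    findings = {}
    for line in log_text.splitlines():
        m = ENC_LINE.search(line)
        if not m:
            continue
        sa, names = m["sa"], payload_names(m["payloads"])
        if m["verb"] == "parsed" and m["kind"] == "request":
            certreq_seen[sa] = certreq_seen.get(sa, False) or "CERTREQ" in names
        elif m["verb"] == "generating" and m["kind"] == "response":
            # Only the first response carries IDr; the final AUTH of an EAP
            # exchange has no IDr and legitimately has no CERT.
            if {"IDr", "AUTH"} <= set(names) and "CERT" not in names:
                if certreq_seen.get(sa, False):
                    findings[sa] = "AUTH without CERT although client sent CERTREQ"
                else:
                    findings[sa] = ("AUTH without CERT; client sent no CERTREQ "
                                    "(set the CA CN in the profile or leftsendcert=always)")
    return findings

# Constructed sample log: SA 63 reproduces the failure, SA 64 is the fixed case.
SAMPLE_LOG = """\
Aug 6 16:45:50 charon: 11[ENC] <con1|63> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR DNS) SA TSi TSr ]
Aug 6 16:45:50 charon: 11[ENC] <con1|63> generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
Aug 6 16:47:02 charon: 12[ENC] <con1|64> parsed IKE_AUTH request 1 [ IDi CERTREQ IDr CPRQ(ADDR DNS) SA TSi TSr ]
Aug 6 16:47:02 charon: 12[ENC] <con1|64> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
"""

if __name__ == "__main__":
    for sa, finding in diagnose(SAMPLE_LOG).items():
        print(f"{sa}: {finding}")
```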
