[Openswan Users] need help with ipsec tunnel to iphone

Paul Wouters paul at xelerance.com
Wed May 25 10:21:37 EDT 2011


On Wed, 25 May 2011, Richard Pagotto wrote:

> I have reread the conf and secrets man pages and figured out what username and password I should be using.
> Despite your help and a total rewrite of my ipsec.conf it still doesn't work, but it does get to the XAUTH phase.
>  
> I'm also not using l2tp at all, I'm going for a pure ipsec tunnel.

There might be proprietary xauth/cisco extensions involved with that, so you're in dangerous unknown waters.

> I'm pretty sure I've done the certificates correctly, and put them in the correct location; they've been signed, converted
> to p12, installed on the phone with the password and are being used in the configuration.

May 25 19:40:22 linuxserver pluto[10620]: "iphone"[1] 203.20.35.28 #1: end certificate with identical subject and issuer not accepted

You generated the CA with the same CN= as one of your host certs. This is rejected because that host could
pretend to be a CA to other hosts. My advice is to always add "CA" to the CN= for a CA, and never to add
it for a host.

Paul

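As an added illustration (not part of this thread and not Openswan code), the script below builds both the rejected case from the log above (a host certificate whose subject equals its issuer) and the recommended layout (a distinctly named CA signing the host certificate), then runs the check pluto is effectively applying. It assumes only that openssl is on the path; the names "Example CA" and "linuxserver" and the temporary directory are constructed placeholders.

```shell
#!/bin/sh
# Added example: reproduce the "end certificate with identical subject and issuer"
# condition and show the check for it. Assumes openssl is installed; every name
# below is a constructed placeholder, not taken from the original post.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Returns 0 when subject and issuer are identical (self-signed/self-issued).
# That is normal for a CA root but is rejected by pluto for an end certificate.
is_self_issued() {
    subj="$(openssl x509 -in "$1" -noout -subject)"
    iss="$(openssl x509 -in "$1" -noout -issuer)"
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Returns 0 when the certificate asserts CA:TRUE in basicConstraints.
has_ca_flag() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Verdict for a host (end-entity) certificate: 0 = acceptable, 1 = rejected.
check_end_cert() {
    if is_self_issued "$1"; then
        echo "$1: REJECT - subject and issuer identical"; return 1
    elif has_ca_flag "$1"; then
        echo "$1: REJECT - end certificate carries CA:TRUE"; return 1
    fi
    echo "$1: OK - $(openssl x509 -in "$1" -noout -issuer)"
}

# Wrong: host certificate signed by itself, so subject == issuer (the log error).
openssl req -x509 -newkey rsa:2048 -nodes -keyout bad.key -out bad.crt \
    -subj "/CN=linuxserver" -days 1 >/dev/null 2>&1

# Right: a CA whose CN says so, signing a host certificate with a different CN.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=Example CA" -days 1 >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout host.key -out host.csr \
    -subj "/CN=linuxserver" >/dev/null 2>&1
openssl x509 -req -in host.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out host.crt -days 1 >/dev/null 2>&1

check_end_cert bad.crt || true   # rejected, as pluto would
check_end_cert host.crt          # accepted
```

Run the same `is_self_issued` check against the certificate you actually installed on the phone; if it passes for a host cert, the CA and host share a CN and need to be regenerated with distinct names.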
