[Openswan Users] Xauth configuration with IOS
Paul Wouters
paul at xelerance.com
Fri Oct 7 13:11:06 EDT 2011
On Fri, 7 Oct 2011, Bart Smink wrote:
> Greetings Openswan Users,
>
> Configuring openswan to work with an Iphone has led to some problems.
>
> Currently I have made a few changes to ipsec.conf to enable Xauth, which IOS apparently requires to connect. It looks like Apple
> is using Cisco software to connect. I am using the standard IPSec software of IOS.
It's easier to use openswan+xl2tpd and use L2TP/IPsec on IOS.
> My configuration is IPSec with Xl2tpd and now with Xauth. I have never worked with Xauth before, so I have no point of reference
> with a working situation. It could be that most settings are incorrect or inappropriate.
There is no such thing as L2TP+XAUTH....
> The Iphone is giving the following warning: Could not validate the server certificate.
> I don't know what this means, because I have installed the certificate of the client and I have installed the Root CA.
The openswan server needs to have the DNS name and/or IP address in its certificate subjectAltname
for iOS to accept it as valid.
> Oct 7 17:57:46 gateway pluto[7032]: loaded crl file 'heliosnetnlRootCertificate.crl' (733 bytes)
> Oct 7 17:57:47 gateway pluto[7032]: loading certificate from /etc/ipsec.d/certs/HeliosnetGateway.pem
> Oct 7 17:57:47 gateway pluto[7032]: loaded host cert file '/etc/ipsec.d/certs/HeliosnetGateway.pem' (1396 bytes)
> Oct 7 17:57:47 gateway pluto[7032]: no subjectAltName matches ID '%fromcert', replaced by subject DN
> Oct 7 17:57:47 gateway pluto[7032]: added connection description "l2tp-X.509-Iphone"
I think you don't even have it in the CN= ? Perhaps it is because you used leftid=%fromcert, which
I think is not required for local certs - only for certs received via IKE.
Paul
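An added example (not from this thread or the Openswan project) of issuing a gateway certificate with the subjectAltName entries Paul describes, plus a check that the name the iPhone dials actually appears in the SAN before the file goes into /etc/ipsec.d/certs/. The hostname gateway.example.com and the IP 192.0.2.1 are constructed placeholders, and the self-signed cert stands in for one signed by the root CA installed on the phone.

```shell
#!/bin/sh
# Added example, not code from the original post. Issues a gateway cert whose
# subjectAltName carries the DNS name and IP that iOS clients connect to, and
# checks a cert's SAN for a given name. Names below are constructed placeholders.
set -e

WORK="${WORK:-$(mktemp -d)}"
GW_FQDN="gateway.example.com"   # constructed: the name configured on the iPhone
GW_IP="192.0.2.1"               # constructed (TEST-NET-1): the gateway's address

# Correct case: CN plus DNS and IP SAN entries. Self-signed for illustration;
# in production, sign the CSR with the same root CA installed on the phone.
make_gateway_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/gateway.key" -out "$WORK/gateway.pem" \
        -subj "/CN=$GW_FQDN" \
        -addext "subjectAltName=DNS:$GW_FQDN,IP:$GW_IP" >/dev/null 2>&1
}

# The poster's situation: the name lives only in the CN, no SAN at all.
make_cert_without_san() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/nosan.key" -out "$WORK/nosan.pem" \
        -subj "/CN=$GW_FQDN" >/dev/null 2>&1
}

# Print the SAN value line (e.g. "DNS:gateway.example.com, IP Address:192.0.2.1"),
# or nothing when the certificate has no SAN extension.
san_of() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | \
        awk '/X509v3 Subject Alternative Name/ {getline; print; exit}'
}

# Return 0 if the SAN of cert $1 lists $2 as a DNS name or IP address, else 1.
san_has() {
    san_of "$1" | tr ',' '\n' | sed 's/^ *//' | grep -qxF -e "DNS:$2" -e "IP Address:$2"
}

make_gateway_cert
make_cert_without_san
for cert in gateway nosan; do
    if san_has "$WORK/$cert.pem" "$GW_FQDN"; then
        echo "$cert.pem: SAN lists $GW_FQDN, iOS can match it"
    else
        echo "$cert.pem: no SAN entry for $GW_FQDN (pluto falls back to the subject DN)"
    fi
done
```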