[Openswan Users] Xauth configuration with IOS

Paul Wouters paul at xelerance.com
Fri Oct 7 13:11:06 EDT 2011

On Fri, 7 Oct 2011, Bart Smink wrote:

> Greetings Openswan Users,
> Configuring openswan to work with an Iphone has led to some problems.
> Currently I have made a few changes to ipsec.conf to enable Xauth, which IOS apparently requires to connect. It looks like Apple
> is using Cisco software to connect. I am using the standard IPSec software of IOS.

It's easier to use openswan+xl2tpd and use L2TP/IPsec on IOS.

> My configuration is IPSec with Xl2tpd and now with Xauth. I have never worked with Xauth before, so I have no point of reference
> with a working situation. It could be that most settings are incorrect or inappropriate.

There is no such thing as L2TP+XAUTH....

> The Iphone is giving the following warning: Could not validate the server certificate.
> I don't know what this means, because I have installed the certificate of the client and I have installed the Root CA.

The openswan server needs to have the DNS name and/or IP address in its certificate subjectAltname
for iOS to accept it as valid.

> Oct  7 17:57:46 gateway pluto[7032]:   loaded crl file 'heliosnetnlRootCertificate.crl' (733 bytes)
> Oct  7 17:57:47 gateway pluto[7032]: loading certificate from /etc/ipsec.d/certs/HeliosnetGateway.pem
> Oct  7 17:57:47 gateway pluto[7032]:   loaded host cert file '/etc/ipsec.d/certs/HeliosnetGateway.pem' (1396 bytes)
> Oct  7 17:57:47 gateway pluto[7032]:   no subjectAltName matches ID '%fromcert', replaced by subject DN
> Oct  7 17:57:47 gateway pluto[7032]: added connection description "l2tp-X.509-Iphone"

I think you don't even have it in the CN= ? Perhaps it is because you used leftid=%fromcert, which
I think is not required for local certs - only for certs received via IKE.
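
The following is an added example, not code from the thread or from openswan itself: a small DER encoder/decoder for the subjectAltName (GeneralNames) value, together with the kind of "does the ID appear in the SAN" check that lies behind pluto's "no subjectAltName matches ID ..." log line. The sample names (vpn.example.net, 192.0.2.10) are constructed, and the matching logic and message wording are a simplification written for this example, not pluto's actual implementation.

```python
import ipaddress

# GeneralName context-specific tags from RFC 5280 section 4.2.1.6.
# Only the two forms that matter for an IPsec gateway identity are
# decoded by name; the others (rfc822Name, URI, directoryName, ...)
# are kept as opaque bytes.
TAG_SEQUENCE = 0x30
TAG_DNSNAME = 0x82      # [2] dNSName, IA5String
TAG_IPADDRESS = 0x87    # [7] iPAddress, OCTET STRING (4 or 16 bytes)


def _der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_length(len(body)) + body


def encode_san(dns_names=(), ip_addresses=()):
    """DER-encode GeneralNames ::= SEQUENCE OF GeneralName."""
    items = [_tlv(TAG_DNSNAME, name.encode("ascii")) for name in dns_names]
    items += [_tlv(TAG_IPADDRESS, ipaddress.ip_address(addr).packed)
              for addr in ip_addresses]
    return _tlv(TAG_SEQUENCE, b"".join(items))


def _read_tlv(buf, pos):
    """Read one tag-length-value triple; returns (tag, value, next position)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_san(der):
    """Parse a SAN extension value into a list of (kind, value) pairs."""
    tag, body, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("subjectAltName is not a single SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        t, value, pos = _read_tlv(body, pos)
        if t == TAG_DNSNAME:
            names.append(("dns", value.decode("ascii")))
        elif t == TAG_IPADDRESS:
            # ip_address() accepts the packed 4- or 16-byte form directly.
            names.append(("ip", str(ipaddress.ip_address(value))))
        else:
            names.append(("other", value))
    return names


def san_matches_id(der, ident):
    """Does the identity (a DNS name or an IP address literal) appear in the SAN?"""
    try:
        wanted = ("ip", str(ipaddress.ip_address(ident)))
    except ValueError:
        wanted = ("dns", ident.lower())   # DNS names compare case-insensitively
    for kind, value in decode_san(der):
        if kind == "dns" and (kind, value.lower()) == wanted:
            return True
        if kind == "ip" and (kind, value) == wanted:
            return True
    return False


def check_gateway_cert(der, ident):
    """Summarise the outcome in the spirit of pluto's log line (wording is ours)."""
    if san_matches_id(der, ident):
        return "subjectAltName matches ID '%s'" % ident
    return "no subjectAltName matches ID '%s', replaced by subject DN" % ident


if __name__ == "__main__":
    # Constructed sample: the SAN a gateway cert should carry for iOS clients,
    # holding both the DNS name and the IP address clients will connect to.
    sample = encode_san(["vpn.example.net"], ["192.0.2.10"])
    print(sample.hex())
    print(decode_san(sample))
    print(check_gateway_cert(sample, "vpn.example.net"))
    print(check_gateway_cert(sample, "198.51.100.7"))
```

Running the module shows the raw DER of a SAN carrying both a dNSName and an iPAddress, and then the match result for an identity that is present and one that is not. A certificate whose SAN is empty (or absent) fails the match for every identity, which is the situation the log line above describes; the subject DN fallback is what pluto then uses locally, but it is not what an iOS client will accept for the gateway.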
