Facing issues in setting up a VPN connection (IKEv1) using an iPhone (default Cisco VPN client) and a strongSwan 4.5.0 server


I am facing issues in setting up a VPN connection (IKEv1) using an iPhone (default Cisco VPN client) and a strongSwan 4.5.0 server.

The strongSwan server is running on Ubuntu Linux, which is connected to a Wi-Fi hotspot. This is the guide which was used. I generated the CA, server and client certificates, with the only difference mentioned below.

“While generating server certificate, as per link CN=vpn.strongswan.org instead of this I changed CN name to CN=”

Once the certificates were generated, the following files (clientCert.p12 and caCert.pem) were sent to the phone by mail and installed on the iPhone. After installation I noticed that the certificates are also shown as trusted.

Below are the IP addresses assigned to the various interfaces:

Linux server wlan0 interface IP, where the server is running:
iPhone eth0 interface IP address (the iPhone is attached to the same Wi-Fi hotspot):

Below is a snapshot of the client configuration:

  • Description Strong swan
  • Server
  • Account ipsecvpn
  • Password ***********
  • Use certificate ON
  • Certificate client

The above username and password are in sync with the ipsec.secrets file.
I am using the following ipsec.conf configuration:

 # basic configuration
 config setup
        # crlcheckinterval=600
        # strictcrlpolicy=yes
        # cachecrls=yes
        # charonstart=yes

# Add connections here.
# Sample VPN connections
conn ios1

With the above configuration, when I enable the VPN on the iPhone, it says:

Could not able to verify server certificate.

I ran Wireshark on the Linux server and observed that initially some ISAKMP message exchanges happen between client and server, which are successful, but before authorization the client sends an informational message, and soon after this the client shows the error as a popup:

Could not able to verify server certificate.

I captured logs on the strongSwan server, and in the server logs the errors below are observed.

From auth.log:

Apr 25 20:16:08 Linux pluto[4025]: |    ISAKMP version: ISAKMP Version 1.0
Apr 25 20:16:08 Linux pluto[4025]: |    exchange type: ISAKMP_XCHG_INFO
Apr 25 20:16:08 Linux pluto[4025]: |    flags: ISAKMP_FLAG_ENCRYPTION
Apr 25 20:16:08 Linux pluto[4025]: |    message ID:  9d 1a ea 4d
Apr 25 20:16:08 Linux pluto[4025]: |    length: 76
Apr 25 20:16:08 Linux pluto[4025]: | ICOOKIE:  f6 b7 06 b2  b1 84 5b 93
Apr 25 20:16:08 Linux pluto[4025]: | RCOOKIE:  86 92 a0 c2  a6 2f ac be
Apr 25 20:16:08 Linux pluto[4025]: | peer:  c0 a8 2b 48
Apr 25 20:16:08 Linux pluto[4025]: | state hash entry 8
Apr 25 20:16:08 Linux pluto[4025]: | state object not found
Apr 25 20:16:08 Linux pluto[4025]: **packet from Informational Exchange is for an unknown (expired?) SA**
Apr 25 20:16:08 Linux pluto[4025]: | next event EVENT_RETRANSMIT in 8 seconds for #8
Apr 25 20:16:16 Linux pluto[4025]: | 
Apr 25 20:16:16 Linux pluto[4025]: | *time to handle event
Apr 25 20:16:16 Linux pluto[4025]: | event after this is EVENT_RETRANSMIT in 2 seconds
Apr 25 20:16:16 Linux pluto[4025]: | handling event EVENT_RETRANSMIT for "ios1" #8
Apr 25 20:16:16 Linux pluto[4025]: | sending 76 bytes for EVENT_RETRANSMIT through wlan0 to
Apr 25 20:16:16 Linux pluto[4025]: |   a6 a5 86 41  4b fb ff 99  c9 18 34 61  01 7b f1 d9
Apr 25 20:16:16 Linux pluto[4025]: |   08 10 06 01  e9 1c ea 60  00 00 00 4c  ba 7d c8 08
Apr 25 20:16:16 Linux pluto[4025]: |   13 47 95 18  19 31 45 30  2e 22 f9 4d  85 2c 27 bc
Apr 25 20:16:16 Linux pluto[4025]: |   9e 9b e1 ae  1e 35 51 6f  ab 80 f5 73  3c 15 8d 20
Apr 25 20:16:16 Linux pluto[4025]: |   4b 46 47 86  50 24 3f 13  15 7d d5 17
Apr 25 20:16:16 Linux pluto[4025]: | inserting event EVENT_RETRANSMIT, timeout in 40 seconds for #8
Apr 25 20:16:16 Linux pluto[4025]: | next event EVENT_RETRANSMIT in 2 seconds for #10
Apr 25 20:16:16 Linux pluto[4025]: | rejected packet:
Apr 25 20:16:16 Linux pluto[4025]: | 
Apr 25 20:16:16 Linux pluto[4025]: | control:
Apr 25 20:16:16 Linux pluto[4025]: |   30 00 00 00  00 00 00 00  00 00 00 00  0b 00 00 00
Apr 25 20:16:16 Linux pluto[4025]: |   6f 00 00 00  02 03 03 00  00 00 00 00  00 00 00 00
Apr 25 20:16:16 Linux pluto[4025]: |   02 00 00 00  c0 a8 2b 48  00 00 00 00  00 00 00 00
Apr 25 20:16:16 Linux pluto[4025]: | name:
Apr 25 20:16:16 Linux pluto[4025]: |   02 00 01 f4  c0 a8 2b 48  00 00 00 00  00 00 00 00
Apr 25 20:16:16 Linux pluto[4025]: **ERROR: asynchronous network error report on wlan0 for message to port 500, complainant Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]**

Can anybody provide some insight into this error and how to solve this issue?

Best Answer

According to Apple's documentation the gateway's IP address or DNS name has to be contained as a subjectAltName in the certificate. Use the following when generating the certificate with OpenSSL:

subjectAltName = IP:

Whether the above is actually required might depend on the iOS version on your device. With iOS 5.1 the identity of the gateway does not seem to be verified.

The above statement is only true for Hybrid authentication. If the client is authenticated with a certificate the gateway identity is actually verified.


Some experiments show that it's sufficient to add the IP address as common name (CN) to the distinguished name (DN) of the certificate, but only if you don't have any subjectAltNames in the certificate. If you do, you have to add the IP address as subjectAltName too.

Also, referring to your statement here:

“While generating server certificate, as per link CN=vpn.strongswan.org instead of this I changed CN name to CN=”

Do you actually have a . (dot) at the end of your CN? If so, please remove it.
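The following script is an added example and is not part of the question or the answer above; it shows, with plain OpenSSL, how to issue a gateway certificate that satisfies both points the answer makes (the gateway IP present as a subjectAltName IP entry and as the CN, with no trailing dot) and how to check the issued certificate before installing it on the phone. The gateway address 192.168.43.72, the DN fields, the file names and the `check_*` helpers are all assumptions made for this example; substitute the real wlan0 address of the server.

```shell
#!/bin/sh
# Added example (not from the original post). Generates a CA and a gateway
# certificate whose identity is the gateway IP, both as CN and as a SAN IP
# entry, then verifies what actually ended up in the certificate.
# Assumptions: openssl is installed; 192.168.43.72 is a placeholder IP
# constructed for this example; everything is written to a temp directory.
set -eu

GW_IP="${GW_IP:-192.168.43.72}"
WORK="${WORK:-$(mktemp -d)}"

# Self-signed CA, the caCert.pem that gets mailed to and installed on the phone
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/C=CH/O=strongSwan/CN=strongSwan CA" \
    -keyout "$WORK/caKey.pem" -out "$WORK/caCert.pem" 2>/dev/null
}

# Gateway certificate: IP as CN (no trailing dot) and the same IP as a SAN
make_server_cert() {
  ip="$1"
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/C=CH/O=strongSwan/CN=$ip" \
    -keyout "$WORK/serverKey.pem" -out "$WORK/server.csr" 2>/dev/null
  # Extension file: this is the "subjectAltName = IP:<gateway ip>" line
  printf 'subjectAltName = IP:%s\n' "$ip" > "$WORK/server.ext"
  openssl x509 -req -days 730 -in "$WORK/server.csr" \
    -CA "$WORK/caCert.pem" -CAkey "$WORK/caKey.pem" -CAcreateserial \
    -extfile "$WORK/server.ext" -out "$WORK/serverCert.pem" 2>/dev/null
}

# SAN entries of a certificate as printed by openssl, e.g. "IP Address:192.168.43.72"
# (empty when the certificate carries no SAN at all)
cert_san() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^[[:space:]]*//'
}

# Common name taken from the subject DN (RFC 2253 form, so no padding spaces)
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed 's/.*CN=//; s/,.*//'
}

# True when the certificate lists the given IP as a SAN IP entry, which is what
# the client compares against the server address it dialed
san_has_ip() {
  cert_san "$1" | grep -q "IP Address:$2"
}

# Fails when the CN ends with a dot, the typo the answer asks about
cn_has_no_trailing_dot() {
  case "$(cert_cn "$1")" in
    *.) return 1 ;;
    *)  return 0 ;;
  esac
}

# Does the gateway certificate chain to the CA installed on the phone?
verify_chain() {
  openssl verify -CAfile "$WORK/caCert.pem" "$1" >/dev/null 2>&1
}

# Usage: build the CA and gateway certificate, then show what was issued
make_ca
make_server_cert "$GW_IP"
echo "subject: $(openssl x509 -in "$WORK/serverCert.pem" -noout -subject)"
echo "SAN    : $(cert_san "$WORK/serverCert.pem")"
verify_chain "$WORK/serverCert.pem" && echo "chain  : OK"
san_has_ip "$WORK/serverCert.pem" "$GW_IP" && echo "SAN    : contains $GW_IP"
cn_has_no_trailing_dot "$WORK/serverCert.pem" && echo "CN     : no trailing dot"
```

Run `cert_san` and `cert_cn` against the certificate you actually deployed rather than against the request: extensions come from the `-extfile` at signing time, so a SAN that is missing from the issued certificate is a signing-step problem, not a CSR problem. If `cert_san` prints a DNS entry but `san_has_ip` fails, you are in the case the answer describes where the IP in the CN alone is no longer enough.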