IPSEC using Strongswan for iPhones and Mac computers

If you want to use the built-in IPSEC VPN clients of iPhones and Mac computers, there is very good documentation on the Strongswan site itself.

Two things are most important. First, make sure your binaries were built with the --enable-cisco-quirks configure option. Strongswan then behaves like a Cisco router towards the client, and you can make a pure IPSEC tunnel (no L2TP). [This is not necessary anymore.]

The second issue (important for Mac computers; iPhones seem to ignore it) is the server certificate. You must put the server’s fully qualified domain name, exactly as the clients see and dial it, into the certificate’s common name (which is normal) and also into the “X509v3 Subject Alternative Name” extension as “DNS:your.domain.tld”. Otherwise the client reports that the server’s certificate is not correct.

Since my ipsec binaries were unable to add a “Subject Alternative Name”, I went back to good old openssl to create my CA and certificates. It is all standard, but you have to add a subjectAltName line to the section of openssl.cnf that holds the server certificate extensions (server_cert section), for example “subjectAltName = DNS:your.domain.tld” with the same host name as the common name. Beware that “DNS:copy:commonName” is not a copy shortcut in OpenSSL: the copy keyword only exists for e-mail addresses (“email:copy”), so a DNS entry has to be spelled out literally (or substituted in via an environment variable such as ${ENV::SAN}), and you should check the resulting certificate to see that the name really is there.
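The whole certificate procedure described above, as an added example that is not code from the original post or from the Strongswan project: it builds a private CA and a server certificate with plain OpenSSL, puts the FQDN into both the common name and the Subject Alternative Name, and then checks the certificate the way the Mac client does (chain to the CA plus a matching DNS SAN). The host name vpn.example.org, the “Example VPN” organisation, the file names and the extendedKeyUsage = serverAuth line are assumptions; the second, SAN-less certificate is generated only to show what the client rejects.

```shell
#!/bin/sh
# Added example, not code from the original post: build a private CA and a
# Strongswan server certificate with OpenSSL so the Mac/iPhone client accepts
# it, then check the certificate the way the client does. Assumed host name:
# vpn.example.org (override with VPN_FQDN); files land in a temp directory.
set -eu

VPN_FQDN="${VPN_FQDN:-vpn.example.org}"
WORK="${WORK:-$(mktemp -d)}"

make_vpn_certs() {
    # Extension profile for the CA: self-signed root, certificate signing only.
    cat > "$WORK/ca_ext.cnf" <<EOF
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # Extension profile for the server: the FQDN goes into the SAN as a literal
    # DNS: entry (OpenSSL has no DNS:copy shortcut). extendedKeyUsage serverAuth
    # is an assumption on top of the post's advice; Apple clients expect it.
    cat > "$WORK/server_ext.cnf" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
subjectAltName = DNS:${VPN_FQDN}
EOF
    # Same profile without the SAN: the CN-only certificate the post warns about.
    grep -v '^subjectAltName' "$WORK/server_ext.cnf" > "$WORK/server_nosan_ext.cnf"

    # 1. CA key + self-signed CA certificate. caCert.pem goes onto the clients.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/caKey.pem" -out "$WORK/ca.csr" \
        -subj "/O=Example VPN/CN=Example VPN CA" 2>/dev/null
    openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/caKey.pem" \
        -days 3650 -sha256 -extfile "$WORK/ca_ext.cnf" \
        -out "$WORK/caCert.pem" 2>/dev/null

    # 2. Server key + CSR; the common name is the FQDN the clients dial.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/serverKey.pem" -out "$WORK/server.csr" \
        -subj "/O=Example VPN/CN=${VPN_FQDN}" 2>/dev/null

    # 3. Sign it with the CA: once with the SAN, once without, for comparison.
    openssl x509 -req -in "$WORK/server.csr" \
        -CA "$WORK/caCert.pem" -CAkey "$WORK/caKey.pem" -CAcreateserial \
        -days 825 -sha256 -extfile "$WORK/server_ext.cnf" \
        -out "$WORK/serverCert.pem" 2>/dev/null
    openssl x509 -req -in "$WORK/server.csr" \
        -CA "$WORK/caCert.pem" -CAkey "$WORK/caKey.pem" -CAcreateserial \
        -days 825 -sha256 -extfile "$WORK/server_nosan_ext.cnf" \
        -out "$WORK/serverCertNoSAN.pem" 2>/dev/null
}

# Returns 0 only if the certificate chains to our CA and carries the FQDN as a
# DNS Subject Alternative Name, which is what the Mac client insists on.
check_vpn_cert() {
    cert="$1"
    openssl verify -CAfile "$WORK/caCert.pem" "$cert" >/dev/null 2>&1 || return 1
    openssl x509 -in "$cert" -noout -text | grep -q "DNS:${VPN_FQDN}"
}

if command -v openssl >/dev/null 2>&1; then
    make_vpn_certs
    for f in serverCert.pem serverCertNoSAN.pem; do
        if check_vpn_cert "$WORK/$f"; then
            echo "$f: OK, chain valid and SAN DNS:${VPN_FQDN} present"
        else
            echo "$f: REJECT, bad chain or SAN missing (the Mac client's complaint)"
        fi
    done
    echo "Install $WORK/caCert.pem on the clients; server key/cert: $WORK/serverKey.pem $WORK/serverCert.pem"
else
    echo "openssl not found; nothing generated" >&2
fi
```

The serverKey.pem / serverCert.pem / caCert.pem files are then dropped into the usual Strongswan locations (ipsec.d/private, ipsec.d/certs, ipsec.d/cacerts) and the CA certificate is installed on each iPhone and Mac so they can verify the server.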

If you follow the documentation mentioned above and take care of the two issues explained here, you will be able to use the tunnel from both iPhones and Macs!