<div dir="ltr"><div><div><div>Hi Noel,<br><br></div>My VPN server is an IOS router with certificates configured as part of the trustpoint. You said that the server does not send its certificate. What about the message "received end entity cert "CN=<a href="http://my-vpn-server.company.com" target="_blank">my-vpn-server.company.com</a>, O=Company"" that appears above "no trusted RSA public key found for 'CN=<a href="http://my-vpn-server.company.com" target="_blank">my-vpn-server.company.com</a>, O=Company'". Is this end entity cert not the server certificate being sent? Also setting rightca to the DN of the CA certificate is not working either, same error message. According to the log, the CA certificate is being loaded correctly on the client side:<br><br>Jan 6 11:18:11 my-vpn-client charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'<br>Jan 6 11:18:11 my-vpn-client charon: 00[CFG] loaded ca certificate "C=US, ST=Colorado, L=Denver, O=Company, OU=NET, CN=Company" from '/etc/ipsec.d/cacerts/ca.crt'<br><br></div>So the question remains, why is strongswan not verifying the server certificate by this CA?<br><br></div>I could provide the log and config for my IOS router but I figured that would not be your area of expertise. There is no error message on the router side, only the client, so it seems the problem is with strongswan.<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jan 6, 2015 at 3:48 PM, Noel Kuntze <span dir="ltr"><<a href="mailto:noel@familie-kuntze.de" target="_blank">noel@familie-kuntze.de</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class=""><br>
-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA256<br>
<br>
Hello Justin,<br>
<br>
</span>I looked through the log and saw that the other peer never sent his certificate.<br>
Please show us the log and configuraton of the server and check if the whole certificate chain from the root<br>
to the server certificate is available in /etc/ipsec.d/cacerts.<br>
I can see, that the server sends certificate requests for two CAs, one of which is unknown.<br>
<span class="">> Jan 6 14:50:59 my-vpn-client charon: 11[IKE] received 1 cert requests for an unknown ca<br>
<br>
</span>You might be able to work around that by setting leftsendcert=always on the server side.<br>
<br>
Also, setting rightca to the path to the servercertificate doesn't seem to have helped, as it seems strongSwan expects<br>
the CA certificate DN here.<br>
<span class=""><br>
Mit freundlichen Grüßen/Regards,<br>
Noel Kuntze<br>
<br>
GPG Key ID: 0x63EC6658<br>
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658<br>
<br>
</span>Am 06.01.2015 um 22:19 schrieb Justin Michael Schwartzbeck:<br>
<div><div class="h5">> Hi Noel,<br>
><br>
> I have tried all of those things and get the same results. Here is the log file after using your method:<br>
><br>
> Jan 6 14:50:54 my-vpn-client charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.2.0, Linux 2.6.32-431.el6.x86_64, x86_64)<br>
> Jan 6 14:50:54 my-vpn-client charon: 00[KNL] detected Linux 2.6.32, no support for RTA_PREFSRC for IPv6 routes<br>
> Jan 6 14:50:54 my-vpn-client charon: 00[KNL] known interfaces and IP addresses:<br>
> Jan 6 14:50:54 my-vpn-client charon: 00[KNL] lo<br>
> Jan 6 14:50:54 my-vpn-client charon: 00[KNL] 127.0.0.1<br>
> Jan 6 14:50:54 my-vpn-client charon: 00[KNL] ::1<br>
> Jan 6 14:50:54 my-vpn-client charon: 00[KNL] eth0<br>
> Jan 6 14:50:54 my-vpn-client charon: 00[KNL] 192.168.2.227<br>
> Jan 6 14:50:54 my-vpn-client charon: 00[KNL] 192.168.2.103<br>
> Jan 6 14:50:54 my-vpn-client charon: 00[KNL] fe80::250:56ff:feaa:6249<br>
> Jan 6 14:50:54 my-vpn-client charon: 00[KNL] eth1<br>
> Jan 6 14:50:54 my-vpn-client charon: 00[KNL] fe80::250:56ff:feaa:b96<br>
> Jan 6 14:50:54 my-vpn-client charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'<br>
> Jan 6 14:50:54 my-vpn-client charon: 00[CFG] loaded ca certificate "C=US, ST=Colorado, L=Denver, O=Company, OU=NET, CN=Company" from '/etc/ipsec.d/cacerts/ca.crt'<br>
> Jan 6 14:50:54 my-vpn-client charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'<br>
> Jan 6 14:50:54 my-vpn-client charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'<br>
> Jan 6 14:50:54 my-vpn-client charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'<br>
> Jan 6 14:50:54 my-vpn-client charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'<br>
> Jan 6 14:50:54 my-vpn-client charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'<br>
> Jan 6 14:50:54 my-vpn-client charon: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/server.key'<br>
> Jan 6 14:50:54 my-vpn-client charon: 00[LIB] loaded plugins: charon curl aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown eap-identity eap-aka eap-md5 eap-tls xauth-generic xauth-noauth lookip<br>
> Jan 6 14:50:54 my-vpn-client charon: 00[LIB] unable to load 6 plugin features (6 due to unmet dependencies)<br>
> Jan 6 14:50:54 my-vpn-client charon: 00[JOB] spawning 16 worker threads<br>
> Jan 6 14:50:54 my-vpn-client charon: 02[NET] waiting for data on sockets<br>
> Jan 6 14:50:54 my-vpn-client charon: 05[CFG] received stroke: add connection 'client-ha'<br>
> Jan 6 14:50:59 my-vpn-client charon: 05[KNL] 192.168.2.213 is not a local address or the interface is down<br>
</div></div>> Jan 6 14:50:59 my-vpn-client charon: 05[CFG] loaded certificate "CN=<a href="http://my-vpn-client.company.com" target="_blank">my-vpn-client.company.com</a> <<a href="http://my-vpn-client.company.com" target="_blank">http://my-vpn-client.company.com</a>>, O=Company" from 'server.crt'<br>
> Jan 6 14:50:59 my-vpn-client charon: 05[CFG] id '<a href="http://my-vpn-client.company.com" target="_blank">my-vpn-client.company.com</a> <<a href="http://my-vpn-client.company.com" target="_blank">http://my-vpn-client.company.com</a>>' not confirmed by certificate, defaulting to 'CN=<a href="http://my-vpn-client.company.com" target="_blank">my-vpn-client.company.com</a> <<a href="http://my-vpn-client.company.com" target="_blank">http://my-vpn-client.company.com</a>>, O=Company'<br>
> Jan 6 14:50:59 my-vpn-client charon: 05[CFG] loaded certificate "CN=<a href="http://my-vpn-server.company.com" target="_blank">my-vpn-server.company.com</a> <<a href="http://my-vpn-server.company.com" target="_blank">http://my-vpn-server.company.com</a>>, O=Company" from '/etc/ipsec.d/certs/cws.crt'<br>
> Jan 6 14:50:59 my-vpn-client charon: 05[CFG] id '%any' not confirmed by certificate, defaulting to 'CN=<a href="http://my-vpn-server.company.com" target="_blank">my-vpn-server.company.com</a> <<a href="http://my-vpn-server.company.com" target="_blank">http://my-vpn-server.company.com</a>>, O=Company'<br>
> Jan 6 14:50:59 my-vpn-client charon: 05[CFG] CA certificate "/etc/ipsec.d/cacerts/ca.crt" not found, discarding CA constraint<br>
<div><div class="h5">> Jan 6 14:50:59 my-vpn-client charon: 05[CFG] added configuration 'client-ha'<br>
> Jan 6 14:50:59 my-vpn-client charon: 07[CFG] received stroke: initiate 'client-ha'<br>
> Jan 6 14:50:59 my-vpn-client charon: 09[MGR] checkout IKE_SA by config<br>
> Jan 6 14:50:59 my-vpn-client charon: 09[MGR] created IKE_SA (unnamed)[1]<br>
> Jan 6 14:50:59 my-vpn-client charon: 09[IKE] queueing IKE_VENDOR task<br>
> Jan 6 14:50:59 my-vpn-client charon: 09[IKE] queueing IKE_INIT task<br>
> Jan 6 14:50:59 my-vpn-client charon: 09[IKE] queueing IKE_NATD task<br>
> Jan 6 14:50:59 my-vpn-client charon: 09[IKE] queueing IKE_CERT_PRE task<br>
> Jan 6 14:50:59 my-vpn-client charon: 09[IKE] queueing IKE_AUTH task<br>
> Jan 6 14:50:59 my-vpn-client charon: 09[IKE] queueing IKE_CERT_POST task<br>
> Jan 6 14:50:59 my-vpn-client charon: 09[IKE] queueing IKE_CONFIG task<br>
> Jan 6 14:50:59 my-vpn-client charon: 09[IKE] queueing IKE_AUTH_LIFETIME task<br>
> Jan 6 14:50:59 my-vpn-client charon: 09[IKE] queueing IKE_MOBIKE task<br>
> Jan 6 14:50:59 my-vpn-client charon: 09[IKE] queueing CHILD_CREATE task<br>
> Jan 6 14:50:59 my-vpn-client charon: 09[IKE] activating new tasks<br>
> Jan 6 14:50:59 my-vpn-client charon: 09[IKE] activating IKE_VENDOR task<br>
> Jan 6 14:50:59 my-vpn-client charon: 09[IKE] activating IKE_INIT task<br>
> Jan 6 14:50:59 my-vpn-client charon: 09[IKE] activating IKE_NATD task<br>
> Jan 6 14:50:59 my-vpn-client charon: 09[IKE] activating IKE_CERT_PRE task<br>
> Jan 6 14:50:59 my-vpn-client charon: 09[IKE] activating IKE_AUTH task<br>
> Jan 6 14:50:59 my-vpn-client charon: 09[IKE] activating IKE_CERT_POST task<br>
> Jan 6 14:50:59 my-vpn-client charon: 09[IKE] activating IKE_CONFIG task<br>
> Jan 6 14:50:59 my-vpn-client charon: 09[IKE] activating CHILD_CREATE task<br>
> Jan 6 14:50:59 my-vpn-client charon: 09[IKE] activating IKE_AUTH_LIFETIME task<br>
> Jan 6 14:50:59 my-vpn-client charon: 09[IKE] activating IKE_MOBIKE task<br>
> Jan 6 14:50:59 my-vpn-client charon: 09[IKE] initiating IKE_SA client-ha[1] to 192.168.2.213<br>
> Jan 6 14:50:59 my-vpn-client charon: 09[IKE] IKE_SA client-ha[1] state change: CREATED => CONNECTING<br>
> Jan 6 14:50:59 my-vpn-client charon: 09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]<br>
> Jan 6 14:50:59 my-vpn-client charon: 09[NET] sending packet: from 192.168.2.227[500] to 192.168.2.213[500] (708 bytes)<br>
> Jan 6 14:50:59 my-vpn-client charon: 09[MGR] checkin IKE_SA client-ha[1]<br>
> Jan 6 14:50:59 my-vpn-client charon: 03[NET] sending packet: from 192.168.2.227[500] to 192.168.2.213[500]<br>
> Jan 6 14:50:59 my-vpn-client charon: 02[NET] received packet: from 192.168.2.213[500] to 192.168.2.227[500]<br>
> Jan 6 14:50:59 my-vpn-client charon: 02[NET] waiting for data on sockets<br>
> Jan 6 14:50:59 my-vpn-client charon: 10[MGR] checkout IKE_SA by message<br>
> Jan 6 14:50:59 my-vpn-client charon: 10[MGR] IKE_SA client-ha[1] successfully checked out<br>
> Jan 6 14:50:59 my-vpn-client charon: 10[NET] received packet: from 192.168.2.213[500] to 192.168.2.227[500] (38 bytes)<br>
> Jan 6 14:50:59 my-vpn-client charon: 10[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]<br>
> Jan 6 14:50:59 my-vpn-client charon: 10[IKE] peer didn't accept DH group MODP_2048, it requested MODP_1024<br>
> Jan 6 14:50:59 my-vpn-client charon: 10[IKE] IKE_SA client-ha[1] state change: CONNECTING => CREATED<br>
> Jan 6 14:50:59 my-vpn-client charon: 10[IKE] activating new tasks<br>
> Jan 6 14:50:59 my-vpn-client charon: 10[IKE] activating IKE_INIT task<br>
> Jan 6 14:50:59 my-vpn-client charon: 10[IKE] activating IKE_NATD task<br>
> Jan 6 14:50:59 my-vpn-client charon: 10[IKE] activating IKE_CERT_PRE task<br>
> Jan 6 14:50:59 my-vpn-client charon: 10[IKE] activating IKE_AUTH task<br>
> Jan 6 14:50:59 my-vpn-client charon: 10[IKE] activating IKE_CERT_POST task<br>
> Jan 6 14:50:59 my-vpn-client charon: 10[IKE] activating IKE_CONFIG task<br>
> Jan 6 14:50:59 my-vpn-client charon: 10[IKE] activating CHILD_CREATE task<br>
> Jan 6 14:50:59 my-vpn-client charon: 10[IKE] activating IKE_AUTH_LIFETIME task<br>
> Jan 6 14:50:59 my-vpn-client charon: 10[IKE] activating IKE_MOBIKE task<br>
> Jan 6 14:50:59 my-vpn-client charon: 10[IKE] initiating IKE_SA client-ha[1] to 192.168.2.213<br>
> Jan 6 14:50:59 my-vpn-client charon: 10[IKE] IKE_SA client-ha[1] state change: CREATED => CONNECTING<br>
> Jan 6 14:50:59 my-vpn-client charon: 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]<br>
> Jan 6 14:50:59 my-vpn-client charon: 10[NET] sending packet: from 192.168.2.227[500] to 192.168.2.213[500] (580 bytes)<br>
> Jan 6 14:50:59 my-vpn-client charon: 10[MGR] checkin IKE_SA client-ha[1]<br>
> Jan 6 14:50:59 my-vpn-client charon: 10[MGR] check-in of IKE_SA successful.<br>
> Jan 6 14:50:59 my-vpn-client charon: 03[NET] sending packet: from 192.168.2.227[500] to 192.168.2.213[500]<br>
> Jan 6 14:50:59 my-vpn-client charon: 02[NET] received packet: from 192.168.2.213[500] to 192.168.2.227[500]<br>
> Jan 6 14:50:59 my-vpn-client charon: 02[NET] waiting for data on sockets<br>
> Jan 6 14:50:59 my-vpn-client charon: 11[MGR] checkout IKE_SA by message<br>
> Jan 6 14:50:59 my-vpn-client charon: 11[MGR] IKE_SA client-ha[1] successfully checked out<br>
> Jan 6 14:50:59 my-vpn-client charon: 11[NET] received packet: from 192.168.2.213[500] to 192.168.2.227[500] (381 bytes)<br>
> Jan 6 14:50:59 my-vpn-client charon: 11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]<br>
> Jan 6 14:50:59 my-vpn-client charon: 11[IKE] received cert request for unknown ca with keyid 4e:e1:18:20:b8:6b:65:0e:f3:40:51:73:88:dd:fe:d2:91:52:11:c0<br>
> Jan 6 14:50:59 my-vpn-client charon: 11[IKE] received cert request for "C=US, ST=Colorado, L=Denver, O=Company, OU=NET, CN=Company"<br>
> Jan 6 14:50:59 my-vpn-client charon: 11[IKE] received 1 cert requests for an unknown ca<br>
> Jan 6 14:50:59 my-vpn-client charon: 11[IKE] reinitiating already active tasks<br>
> Jan 6 14:50:59 my-vpn-client charon: 11[IKE] IKE_CERT_PRE task<br>
> Jan 6 14:50:59 my-vpn-client charon: 11[IKE] IKE_AUTH task<br>
> Jan 6 14:50:59 my-vpn-client charon: 11[IKE] sending cert request for "C=US, ST=Colorado, L=Denver, O=Company, OU=NET, CN=Company"<br>
> Jan 6 14:50:59 my-vpn-client charon: 11[IKE] building INTERNAL_IP4_DNS attribute<br>
> Jan 6 14:50:59 my-vpn-client charon: 11[IKE] establishing CHILD_SA client-ha<br>
> Jan 6 14:50:59 my-vpn-client charon: 11[KNL] getting SPI for reqid {1}<br>
> Jan 6 14:50:59 my-vpn-client charon: 11[KNL] got SPI c837be50 for reqid {1}<br>
> Jan 6 14:50:59 my-vpn-client charon: 11[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) ]<br>
> Jan 6 14:50:59 my-vpn-client charon: 11[NET] sending packet: from 192.168.2.227[4500] to 192.168.2.213[4500] (492 bytes)<br>
> Jan 6 14:50:59 my-vpn-client charon: 11[MGR] checkin IKE_SA client-ha[1]<br>
> Jan 6 14:50:59 my-vpn-client charon: 11[MGR] check-in of IKE_SA successful.<br>
> Jan 6 14:50:59 my-vpn-client charon: 03[NET] sending packet: from 192.168.2.227[4500] to 192.168.2.213[4500]<br>
> Jan 6 14:50:59 my-vpn-client charon: 02[NET] received packet: from 192.168.2.213[4500] to 192.168.2.227[4500]<br>
> Jan 6 14:50:59 my-vpn-client charon: 02[NET] waiting for data on sockets<br>
> Jan 6 14:50:59 my-vpn-client charon: 12[MGR] checkout IKE_SA by message<br>
> Jan 6 14:50:59 my-vpn-client charon: 12[MGR] IKE_SA client-ha[1] successfully checked out<br>
> Jan 6 14:50:59 my-vpn-client charon: 12[NET] received packet: from 192.168.2.213[4500] to 192.168.2.227[4500] (972 bytes)<br>
> Jan 6 14:50:59 my-vpn-client charon: 12[ENC] parsed IKE_AUTH response 1 [ V IDr CERT AUTH EAP/REQ/ID ]<br>
</div></div>> Jan 6 14:50:59 my-vpn-client charon: 12[IKE] received end entity cert "CN=<a href="http://my-vpn-server.company.com" target="_blank">my-vpn-server.company.com</a> <<a href="http://my-vpn-server.company.com" target="_blank">http://my-vpn-server.company.com</a>>, O=Company"<br>
> Jan 6 14:50:59 my-vpn-client charon: 12[IKE] no trusted RSA public key found for 'CN=<a href="http://my-vpn-server.company.com" target="_blank">my-vpn-server.company.com</a> <<a href="http://my-vpn-server.company.com" target="_blank">http://my-vpn-server.company.com</a>>, O=Company'<br>
> Jan 6 14:50:59 my-vpn-client charon: 12[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]<br>
<span class="">> Jan 6 14:50:59 my-vpn-client charon: 12[NET] sending packet: from 192.168.2.227[4500] to 192.168.2.213[4500] (76 bytes)<br>
> Jan 6 14:50:59 my-vpn-client charon: 12[KNL] deleting SAD entry with SPI c837be50 (mark 0/0x00000000)<br>
> Jan 6 14:50:59 my-vpn-client charon: 03[NET] sending packet: from 192.168.2.227[4500] to 192.168.2.213[4500]<br>
> Jan 6 14:50:59 my-vpn-client charon: 12[KNL] deleted SAD entry with SPI c837be50 (mark 0/0x00000000)<br>
> Jan 6 14:50:59 my-vpn-client charon: 12[MGR] checkin and destroy IKE_SA client-ha[1]<br>
> Jan 6 14:50:59 my-vpn-client charon: 12[IKE] IKE_SA client-ha[1] state change: CONNECTING => DESTROYING<br>
> Jan 6 14:50:59 my-vpn-client charon: 12[MGR] check-in and destroy of IKE_SA successful<br>
><br>
><br>
</span><span class="">> On Tue, Jan 6, 2015 at 2:48 PM, Noel Kuntze <<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> wrote:<br>
><br>
><br>
> Hello Justin,<br>
><br>
> Set rightca to the DN of the CA certificate or to the file name or file path of the Ca certificate.<br>
> As an alternative, you can get a copy of the server's certificate and do the same for rightcert.<br>
><br>
> Mit freundlichen Grüßen/Regards,<br>
> Noel Kuntze<br>
><br>
> GPG Key ID: 0x63EC6658<br>
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658<br>
><br>
> Am 06.01.2015 um 21:23 schrieb Justin Michael Schwartzbeck:<br>
> > Hello,<br>
><br>
> > I am trying to set up a strongswan client to connect to a VPN endpoint. Here is my configuration:<br>
><br>
> > # ipsec.conf - strongSwan IPsec configuration file<br>
> > config setup<br>
> > charondebug="ike 2, knl 2, mgr 2, net 2"<br>
> > ca main<br>
> > cacert=ca.crt<br>
> > conn client-ha<br>
</span>> > aaa_identity="CN=<a href="http://my-radius-server.company.com" target="_blank">my-radius-server.company.com</a> <<a href="http://my-radius-server.company.com" target="_blank">http://my-radius-server.company.com</a>> <<a href="http://my-radius-server.company.com" target="_blank">http://my-radius-server.company.com</a>>, O=Company"<br>
> > keyexchange=ikev2<br>
> > right=<a href="http://my-vpn-server.company.com" target="_blank">my-vpn-server.company.com</a> <<a href="http://my-vpn-server.company.com" target="_blank">http://my-vpn-server.company.com</a>> <<a href="http://my-vpn-server.company.com" target="_blank">http://my-vpn-server.company.com</a>><br>
> > rightid=%any<br>
> > rightsubnet=<a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>><br>
> > leftsourceip=%config<br>
> > leftsubnet=<a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>><br>
> > leftauth=eap-tls<br>
> > left=10.89.150.227<br>
> > leftid="<a href="http://my-radius-client.company.com" target="_blank">my-radius-client.company.com</a> <<a href="http://my-radius-client.company.com" target="_blank">http://my-radius-client.company.com</a>> <<a href="http://my-radius-client.company.com" target="_blank">http://my-radius-client.company.com</a>>"<br>
<div><div class="h5">> > leftcert=server.crt<br>
> > auto=add<br>
><br>
> > I have my ca.crt in /etc/ipsec.d/cacerts, my client certificate (server.crt) in /etc/ipsec.d/certs, and my client key (server.key) in /etc/ipsec.d/private. I also have the server.key listed in /etc/ipsec.secrets. My strongswan client's certificate and my vpn endpoint's certificate are both signed by the same CA. I have checked the vpn's cert against the ca.crt on my strongswan client to make sure that it was properly signed. However for some reason my strongswan client is not verifying the VPN's certificate. Below is the complete error output starting with an "ipsec restart" and then followed by an "ipsec up" on that profile:<br>
><br>
> > Jan 6 11:18:11 my-vpn-client charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.2.0, Linux 2.6.32-431.el6.x86_64, x86_64)<br>
> > Jan 6 11:18:11 my-vpn-client charon: 00[KNL] detected Linux 2.6.32, no support for RTA_PREFSRC for IPv6 routes<br>
> > Jan 6 11:18:11 my-vpn-client charon: 00[KNL] known interfaces and IP addresses:<br>
> > Jan 6 11:18:11 my-vpn-client charon: 00[KNL] lo<br>
> > Jan 6 11:18:11 my-vpn-client charon: 00[KNL] 127.0.0.1<br>
> > Jan 6 11:18:11 my-vpn-client charon: 00[KNL] ::1<br>
> > Jan 6 11:18:11 my-vpn-client charon: 00[KNL] eth0<br>
> > Jan 6 11:18:11 my-vpn-client charon: 00[KNL] 192.168.2.227<br>
> > Jan 6 11:18:11 my-vpn-client charon: 00[KNL] 192.168.2.103<br>
> > Jan 6 11:18:11 my-vpn-client charon: 00[KNL] fe80::250:56ff:feaa:6249<br>
> > Jan 6 11:18:11 my-vpn-client charon: 00[KNL] eth1<br>
> > Jan 6 11:18:11 my-vpn-client charon: 00[KNL] fe80::250:56ff:feaa:b96<br>
> > Jan 6 11:18:11 my-vpn-client charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'<br>
> > Jan 6 11:18:11 my-vpn-client charon: 00[CFG] loaded ca certificate "C=US, ST=Colorado, L=Denver, O=Company, OU=NET, CN=Company" from '/etc/ipsec.d/cacerts/ca.crt'<br>
> > Jan 6 11:18:11 my-vpn-client charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'<br>
> > Jan 6 11:18:11 my-vpn-client charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'<br>
> > Jan 6 11:18:11 my-vpn-client charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'<br>
> > Jan 6 11:18:11 my-vpn-client charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'<br>
> > Jan 6 11:18:11 my-vpn-client charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'<br>
> > Jan 6 11:18:11 my-vpn-client charon: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/server.key'<br>
> > Jan 6 11:18:11 my-vpn-client charon: 00[LIB] loaded plugins: charon curl aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown eap-identity eap-aka eap-md5 eap-tls xauth-generic xauth-noauth lookip<br>
> > Jan 6 11:18:11 my-vpn-client charon: 00[LIB] unable to load 6 plugin features (6 due to unmet dependencies)<br>
> > Jan 6 11:18:11 my-vpn-client charon: 00[JOB] spawning 16 worker threads<br>
> > Jan 6 11:18:11 my-vpn-client charon: 02[NET] waiting for data on sockets<br>
> > Jan 6 11:18:11 my-vpn-client charon: 04[CFG] received stroke: add connection 'client-ha'<br>
> > Jan 6 11:18:11 my-vpn-client charon: 04[KNL] 192.168.2.213 is not a local address or the interface is down<br>
</div></div>> > Jan 6 11:18:11 my-vpn-client charon: 04[CFG] loaded certificate "CN=<a href="http://my-vpn-client.company.com" target="_blank">my-vpn-client.company.com</a> <<a href="http://my-vpn-client.company.com" target="_blank">http://my-vpn-client.company.com</a>> <<a href="http://my-vpn-client.company.com" target="_blank">http://my-vpn-client.company.com</a>>, O=Company" from 'server.crt'<br>
> > Jan 6 11:18:11 my-vpn-client charon: 04[CFG] id '<a href="http://my-vpn-client.company.com" target="_blank">my-vpn-client.company.com</a> <<a href="http://my-vpn-client.company.com" target="_blank">http://my-vpn-client.company.com</a>> <<a href="http://my-vpn-client.company.com" target="_blank">http://my-vpn-client.company.com</a>>' not confirmed by certificate, defaulting to 'CN=<a href="http://my-vpn-client.company.com" target="_blank">my-vpn-client.company.com</a> <<a href="http://my-vpn-client.company.com" target="_blank">http://my-vpn-client.company.com</a>> <<a href="http://my-vpn-client.company.com" target="_blank">http://my-vpn-client.company.com</a>>, O=Company'<br>
<div><div class="h5">> > Jan 6 11:18:11 my-vpn-client charon: 04[CFG] added configuration 'client-ha'<br>
> > Jan 6 11:18:31 my-vpn-client charon: 06[CFG] received stroke: initiate 'client-ha'<br>
> > Jan 6 11:18:31 my-vpn-client charon: 08[MGR] checkout IKE_SA by config<br>
> > Jan 6 11:18:31 my-vpn-client charon: 08[MGR] created IKE_SA (unnamed)[1]<br>
> > Jan 6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_VENDOR task<br>
> > Jan 6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_INIT task<br>
> > Jan 6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_NATD task<br>
> > Jan 6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_CERT_PRE task<br>
> > Jan 6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_AUTH task<br>
> > Jan 6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_CERT_POST task<br>
> > Jan 6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_CONFIG task<br>
> > Jan 6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_AUTH_LIFETIME task<br>
> > Jan 6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_MOBIKE task<br>
> > Jan 6 11:18:31 my-vpn-client charon: 08[IKE] queueing CHILD_CREATE task<br>
> > Jan 6 11:18:31 my-vpn-client charon: 08[IKE] activating new tasks<br>
> > Jan 6 11:18:31 my-vpn-client charon: 08[IKE] activating IKE_VENDOR task<br>
> > Jan 6 11:18:31 my-vpn-client charon: 08[IKE] activating IKE_INIT task<br>
> > Jan 6 11:18:31 my-vpn-client charon: 08[IKE] activating IKE_NATD task<br>
> > Jan 6 11:18:31 my-vpn-client charon: 08[IKE] activating IKE_CERT_PRE task<br>
> > Jan 6 11:18:31 my-vpn-client charon: 08[IKE] activating IKE_AUTH task<br>
> > Jan 6 11:18:31 my-vpn-client charon: 08[IKE] activating IKE_CERT_POST task<br>
> > Jan 6 11:18:31 my-vpn-client charon: 08[IKE] activating IKE_CONFIG task<br>
> > Jan 6 11:18:31 my-vpn-client charon: 08[IKE] activating CHILD_CREATE task<br>
> > Jan 6 11:18:31 my-vpn-client charon: 08[IKE] activating IKE_AUTH_LIFETIME task<br>
> > Jan 6 11:18:31 my-vpn-client charon: 08[IKE] activating IKE_MOBIKE task<br>
> > Jan 6 11:18:31 my-vpn-client charon: 08[IKE] initiating IKE_SA client-ha[1] to 192.168.2.213<br>
> > Jan 6 11:18:31 my-vpn-client charon: 08[IKE] IKE_SA client-ha[1] state change: CREATED => CONNECTING<br>
> > Jan 6 11:18:31 my-vpn-client charon: 08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]<br>
> > Jan 6 11:18:31 my-vpn-client charon: 08[NET] sending packet: from 192.168.2.227[500] to 192.168.2.213[500] (708 bytes)<br>
> > Jan 6 11:18:31 my-vpn-client charon: 08[MGR] checkin IKE_SA client-ha[1]<br>
> > Jan 6 11:18:31 my-vpn-client charon: 03[NET] sending packet: from 192.168.2.227[500] to 192.168.2.213[500]<br>
> > Jan 6 11:18:31 my-vpn-client charon: 02[NET] received packet: from 192.168.2.213[500] to 192.168.2.227[500]<br>
> > Jan 6 11:18:31 my-vpn-client charon: 02[NET] waiting for data on sockets<br>
> > Jan 6 11:18:31 my-vpn-client charon: 09[MGR] checkout IKE_SA by message<br>
> > Jan 6 11:18:31 my-vpn-client charon: 09[MGR] IKE_SA client-ha[1] successfully checked out<br>
> > Jan 6 11:18:31 my-vpn-client charon: 09[NET] received packet: from 192.168.2.213[500] to 192.168.2.227[500] (38 bytes)<br>
> > Jan 6 11:18:31 my-vpn-client charon: 09[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]<br>
> > Jan 6 11:18:31 my-vpn-client charon: 09[IKE] peer didn't accept DH group MODP_2048, it requested MODP_1024<br>
> > Jan 6 11:18:31 my-vpn-client charon: 09[IKE] IKE_SA client-ha[1] state change: CONNECTING => CREATED<br>
> > Jan 6 11:18:31 my-vpn-client charon: 09[IKE] activating new tasks<br>
> > Jan 6 11:18:31 my-vpn-client charon: 09[IKE] activating IKE_INIT task<br>
> > Jan 6 11:18:31 my-vpn-client charon: 09[IKE] activating IKE_NATD task<br>
> > Jan 6 11:18:31 my-vpn-client charon: 09[IKE] activating IKE_CERT_PRE task<br>
> > Jan 6 11:18:31 my-vpn-client charon: 09[IKE] activating IKE_AUTH task<br>
> > Jan 6 11:18:31 my-vpn-client charon: 09[IKE] activating IKE_CERT_POST task<br>
> > Jan 6 11:18:31 my-vpn-client charon: 09[IKE] activating IKE_CONFIG task<br>
> > Jan 6 11:18:31 my-vpn-client charon: 09[IKE] activating CHILD_CREATE task<br>
> > Jan 6 11:18:31 my-vpn-client charon: 09[IKE] activating IKE_AUTH_LIFETIME task<br>
> > Jan 6 11:18:31 my-vpn-client charon: 09[IKE] activating IKE_MOBIKE task<br>
> > Jan 6 11:18:31 my-vpn-client charon: 09[IKE] initiating IKE_SA client-ha[1] to 192.168.2.213<br>
> > Jan 6 11:18:31 my-vpn-client charon: 09[IKE] IKE_SA client-ha[1] state change: CREATED => CONNECTING<br>
> > Jan 6 11:18:31 my-vpn-client charon: 09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]<br>
> > Jan 6 11:18:31 my-vpn-client charon: 09[NET] sending packet: from 192.168.2.227[500] to 192.168.2.213[500] (580 bytes)<br>
> > Jan 6 11:18:31 my-vpn-client charon: 09[MGR] checkin IKE_SA client-ha[1]<br>
> > Jan 6 11:18:31 my-vpn-client charon: 09[MGR] check-in of IKE_SA successful.<br>
> > Jan 6 11:18:31 my-vpn-client charon: 03[NET] sending packet: from 192.168.2.227[500] to 192.168.2.213[500]<br>
> > Jan 6 11:18:31 my-vpn-client charon: 02[NET] received packet: from 192.168.2.213[500] to 192.168.2.227[500]<br>
> > Jan 6 11:18:31 my-vpn-client charon: 02[NET] waiting for data on sockets<br>
> > Jan 6 11:18:31 my-vpn-client charon: 10[MGR] checkout IKE_SA by message<br>
> > Jan 6 11:18:31 my-vpn-client charon: 10[MGR] IKE_SA client-ha[1] successfully checked out<br>
> > Jan 6 11:18:31 my-vpn-client charon: 10[NET] received packet: from 192.168.2.213[500] to 192.168.2.227[500] (381 bytes)<br>
> > Jan 6 11:18:31 my-vpn-client charon: 10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]<br>
> > Jan 6 11:18:31 my-vpn-client charon: 10[IKE] received cert request for unknown ca with keyid 4e:e1:18:20:b8:6b:65:0e:f3:40:51:73:88:dd:fe:d2:91:52:11:c0<br>
> > Jan 6 11:18:31 my-vpn-client charon: 10[IKE] received cert request for "C=US, ST=Colorado, L=Denver, O=Company, OU=NET, CN=Company"<br>
> > Jan 6 11:18:31 my-vpn-client charon: 10[IKE] received 1 cert requests for an unknown ca<br>
> > Jan 6 11:18:31 my-vpn-client charon: 10[IKE] reinitiating already active tasks<br>
> > Jan 6 11:18:31 my-vpn-client charon: 10[IKE] IKE_CERT_PRE task<br>
> > Jan 6 11:18:31 my-vpn-client charon: 10[IKE] IKE_AUTH task<br>
> > Jan 6 11:18:31 my-vpn-client charon: 10[IKE] sending cert request for "C=US, ST=Colorado, L=Denver, O=Company, OU=NET, CN=Company"<br>
> > Jan 6 11:18:31 my-vpn-client charon: 10[IKE] building INTERNAL_IP4_DNS attribute<br>
> > Jan 6 11:18:31 my-vpn-client charon: 10[IKE] establishing CHILD_SA client-ha<br>
> > Jan 6 11:18:31 my-vpn-client charon: 10[KNL] getting SPI for reqid {1}<br>
> > Jan 6 11:18:31 my-vpn-client charon: 10[KNL] got SPI ccd30cb7 for reqid {1}<br>
> > Jan 6 11:18:31 my-vpn-client charon: 10[ENC] generating IKE_AUTH request 1 [ IDi CERTREQ CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) ]<br>
> > Jan 6 11:18:31 my-vpn-client charon: 10[NET] sending packet: from 192.168.2.227[4500] to 192.168.2.213[4500] (428 bytes)<br>
> > Jan 6 11:18:31 my-vpn-client charon: 10[MGR] checkin IKE_SA client-ha[1]<br>
> > Jan 6 11:18:31 my-vpn-client charon: 10[MGR] check-in of IKE_SA successful.<br>
> > Jan 6 11:18:31 my-vpn-client charon: 03[NET] sending packet: from 192.168.2.227[4500] to 192.168.2.213[4500]<br>
> > Jan 6 11:18:31 my-vpn-client charon: 02[NET] received packet: from 192.168.2.213[4500] to 192.168.2.227[4500]<br>
> > Jan 6 11:18:31 my-vpn-client charon: 02[NET] waiting for data on sockets<br>
> > Jan 6 11:18:31 my-vpn-client charon: 11[MGR] checkout IKE_SA by message<br>
> > Jan 6 11:18:31 my-vpn-client charon: 11[MGR] IKE_SA client-ha[1] successfully checked out<br>
> > Jan 6 11:18:31 my-vpn-client charon: 11[NET] received packet: from 192.168.2.213[4500] to 192.168.2.227[4500] (956 bytes)<br>
> > Jan 6 11:18:31 my-vpn-client charon: 11[ENC] parsed IKE_AUTH response 1 [ V IDr CERT AUTH EAP/REQ/ID ]<br>
</div></div>> > Jan 6 11:18:31 my-vpn-client charon: 11[IKE] received end entity cert "CN=<a href="http://my-vpn-server.company.com" target="_blank">my-vpn-server.company.com</a> <<a href="http://my-vpn-server.company.com" target="_blank">http://my-vpn-server.company.com</a>> <<a href="http://my-vpn-server.company.com" target="_blank">http://my-vpn-server.company.com</a>>, O=Company"<br>
> > Jan 6 11:18:31 my-vpn-client charon: 11[IKE] no trusted RSA public key found for '<a href="http://my-vpn-server.company.com" target="_blank">my-vpn-server.company.com</a> <<a href="http://my-vpn-server.company.com" target="_blank">http://my-vpn-server.company.com</a>> <<a href="http://my-vpn-server.company.com" target="_blank">http://my-vpn-server.company.com</a>>'<br>
<span class="">> > Jan 6 11:18:31 my-vpn-client charon: 11[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]<br>
> > Jan 6 11:18:31 my-vpn-client charon: 11[NET] sending packet: from 192.168.2.227[4500] to 192.168.2.213[4500] (76 bytes)<br>
> > Jan 6 11:18:31 my-vpn-client charon: 11[KNL] deleting SAD entry with SPI ccd30cb7 (mark 0/0x00000000)<br>
> > Jan 6 11:18:31 my-vpn-client charon: 03[NET] sending packet: from 192.168.2.227[4500] to 192.168.2.213[4500]<br>
> > Jan 6 11:18:31 my-vpn-client charon: 11[KNL] deleted SAD entry with SPI ccd30cb7 (mark 0/0x00000000)<br>
> > Jan 6 11:18:31 my-vpn-client charon: 11[MGR] checkin and destroy IKE_SA client-ha[1]<br>
> > Jan 6 11:18:31 my-vpn-client charon: 11[IKE] IKE_SA client-ha[1] state change: CONNECTING => DESTROYING<br>
> > Jan 6 11:18:31 my-vpn-client charon: 11[MGR] check-in and destroy of IKE_SA successful<br>
> > Jan 6 11:18:35 my-vpn-client charon: 12[MGR] checkout IKE_SA<br>
> > Jan 6 11:18:35 my-vpn-client charon: 13[MGR] checkout IKE_SA<br>
> > Jan 6 11:18:35 my-vpn-client charon: 14[MGR] checkout IKE_SA<br>
><br>
</span>> > The important failure message here is "no trusted RSA public key found for '<a href="http://my-vpn-server.company.com" target="_blank">my-vpn-server.company.com</a> <<a href="http://my-vpn-server.company.com" target="_blank">http://my-vpn-server.company.com</a>> <<a href="http://my-vpn-server.company.com" target="_blank">http://my-vpn-server.company.com</a>>'". I have also tried setting the eap identity in the vpn endpoint to the full DN in the server certificate but that didn't work either. I don't understand why this would be failing if the certificate is properly signed by the CA. Can someone tell me if I am missing something?<br>
<span class="">><br>
> > Thanks for the help.<br>
> > -Justin<br>
><br>
><br>
> > _______________________________________________<br>
> > Users mailing list<br>
</span>> > <a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a>><br>
> > <a href="https://lists.strongswan.org/mailman/listinfo/users" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a><br>
><br>
><br>
> _______________________________________________<br>
> Users mailing list<br>
> <a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a>><br>
<span class="">> <a href="https://lists.strongswan.org/mailman/listinfo/users" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a><br>
><br>
><br>
<br>
-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v2<br>
<br>
</span>iQIcBAEBCAAGBQJUrFgYAAoJEDg5KY9j7GZYoA4P/3W7mRLnKQr3qRAtPToW21/Y<br>
2B9Ej0/9VUy8KHanfJ8oL2AcGq99vSdnXR21q310MESw3XpbRKgXwMUaXwSy+eOY<br>
WKUdHQtW3euzF3n6QiiOepjTUwWKjPPt6lNj4cjevv3I3niKH3B7in1lVllq/BQe<br>
0KDv/2+Nv3G9Ku0HNG+4mfISy0o5PTurQYqbG7HkQhPfxCS+Uo5dvIjnR22sBrvw<br>
/zV2nriMteodemn9uyT0B2Qv7weOhwjg476Iob2FKhWqDCkDMDpijVscqPOlEZNg<br>
JexW+dnVICh7tO3zA0kM/Os3OFS8JtmROXbYZKjvVNoxVFYz+R0toHR0bFI6+R9f<br>
CGICBzGenEyCZHYJt5NgReUSyHxYEQKxkjzcafPAXKRUZGW9QTsgcVkR5CWJ5c4S<br>
GoAuy0kPU4mEBt04uFN8EJ2IBE9lRe1FVUw6uNbQKOxRsvUSAEDHuO8mi2fmeDBy<br>
ZGCOg5Jk2s+9mvLqZ5VcBck9sDVICHJOZnf7yK/GfFaHUo6jKvmBnF1XX7b3eaOG<br>
+tttdta0hM7O3TiDFfe7btLWgiWJM+RkfQPOmmfgqHfPK3h7ajwhH/WJj/htBGrS<br>
a/yanGSYR01bXf8pKP3FlCQiJ1PmiDXvsr0OGJ7oOepXk6GxgIsvJiEzb6nu4Xoy<br>
8qGnoG3/G7VAXt6u4vSD<br>
=C4m5<br>
<div class="HOEnZb"><div class="h5">-----END PGP SIGNATURE-----<br>
<br>
_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a><br>
<a href="https://lists.strongswan.org/mailman/listinfo/users" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a></div></div></blockquote></div><br></div>