<div dir="ltr"><br><div>I was able to establish an IKE connection using PSK, but when using pubkey I am not able to establish the IKE connection.</div><div><br></div><div>When I issue sudo swanctl --initiate --child net</div><div><br></div><div><br></div><div>At the receptor, it returns Auth_failed. Please see the swanctl.conf, strongswan.conf and charon.log. </div><div><br></div><div><div>Aug 1 12:09:21 12[CFG] <rw|1> no issuer certificate found for "C=US, ST=MA, L=Lowell, O=Arris, CN=10.13.199.185"</div><div>Aug 1 12:09:21 12[IKE] <rw|1> no trusted RSA public key found for '10.13.199.185'</div><div>Aug 1 12:09:21 12[IKE] <rw|1> peer supports MOBIKE</div><div>Aug 1 12:09:21 12[ENC] <rw|1> added payload of type NOTIFY to message</div><div>Aug 1 12:09:21 12[ENC] <rw|1> order payloads in message</div><div>Aug 1 12:09:21 12[ENC] <rw|1> added payload of type NOTIFY to message</div><div>Aug 1 12:09:21 12[ENC] <rw|1> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]</div></div><div><br></div><div>I used the following commands to create certificates.</div><div><br></div><div><b>Initiator:</b></div><div>-----------</div><div><br></div><div><span id="gmail-docs-internal-guid-92b23f1a-478a-c206-4a8f-96c937b75a49"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:16px;font-family:calibri;color:rgb(0,0,0);font-weight:700;vertical-align:baseline;white-space:pre-wrap;background-color:transparent">sudo ipsec pki --gen --type rsa --size 4096 --outform pem > /usr/local/etc/swanctl/rsa/strongswanKey.pem</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:16px;font-family:calibri;color:rgb(0,0,0);font-weight:700;vertical-align:baseline;white-space:pre-wrap;background-color:transparent">sudo chmod 600 /usr/local/etc/swanctl/rsa/strongswanKey.pem</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span 
style="font-size:16px;font-family:calibri;color:rgb(0,0,0);font-weight:700;vertical-align:baseline;white-space:pre-wrap;background-color:transparent"><br></span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:16px;font-family:calibri;color:rgb(0,0,0);font-weight:700;vertical-align:baseline;white-space:pre-wrap;background-color:transparent">sudo ipsec pki --self --ca --in /usr/local/etc/swanctl/rsa/strongswanKey.pem --digest sha256 --dn "C=US, ST=MA, O=Arris, CN=StrongSwan Root CA" --outform pem > /usr/local/etc/swanctl/x509ca/strongswanCert.pem</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:16px;font-family:calibri;color:rgb(0,0,0);font-weight:700;vertical-align:baseline;white-space:pre-wrap;background-color:transparent">sudo ipsec pki --print --in /usr/local/etc/swanctl/x509ca/strongswanCert.pem</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:16px;font-family:calibri;color:rgb(0,0,0);font-weight:700;vertical-align:baseline;white-space:pre-wrap;background-color:transparent">sudo ipsec pki --gen --type rsa --size 4096 --outform pem > /usr/local/etc/swanctl/rsa/hostKey.pem</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:16px;font-family:calibri;color:rgb(0,0,0);font-weight:700;vertical-align:baseline;white-space:pre-wrap;background-color:transparent">sudo chmod 600 /usr/local/etc/swanctl/rsa/hostKey.pem</span></p><br><br><span style="font-size:16px;font-family:calibri;color:rgb(0,0,0);font-weight:700;vertical-align:baseline;white-space:pre-wrap;background-color:transparent">sudo ipsec pki --pub --in /usr/local/etc/swanctl/rsa/hostKey.pem --type rsa | ipsec pki --issue --digest sha256 --cacert /usr/local/etc/swanctl/x509ca/strongswanCert.pem --cakey /usr/local/etc/swanctl/rsa/strongswanKey.pem --dn "C=US, ST=MA, L=Lowell, O=Arris, 
CN=10.13.199.185" --san 10.13.199.185 pem > /usr/local/etc/swanctl/x509/hostCert.pem</span></span><br></div><div><span><span style="font-size:16px;font-family:calibri;color:rgb(0,0,0);font-weight:700;vertical-align:baseline;white-space:pre-wrap;background-color:transparent"><br></span></span></div><div><span><span style="font-size:16px;font-family:calibri;color:rgb(0,0,0);font-weight:700;vertical-align:baseline;white-space:pre-wrap;background-color:transparent"><br></span></span></div><div><span><span style="font-size:16px;font-family:calibri;color:rgb(0,0,0);font-weight:700;vertical-align:baseline;white-space:pre-wrap;background-color:transparent">Receptor:</span></span></div><div><span><span style="font-size:16px;font-family:calibri;color:rgb(0,0,0);font-weight:700;vertical-align:baseline;white-space:pre-wrap;background-color:transparent">--------------</span></span></div><div><span><span style="vertical-align:baseline;background-color:transparent"><div><font color="#000000" face="calibri"><span style="font-size:16px;white-space:pre-wrap"><b><br></b></span></font></div><div><font color="#000000" face="calibri"><span style="font-size:16px;white-space:pre-wrap"><b>sudo ipsec pki --gen --type rsa --size 4096 --outform pem > /usr/local/etc/swanctl/rsa/strongswanKey.pem</b></span></font></div><div><font color="#000000" face="calibri"><span style="font-size:16px;white-space:pre-wrap"><b><br></b></span></font></div><div><font color="#000000" face="calibri"><span style="font-size:16px;white-space:pre-wrap"><b>sudo chmod 600 /usr/local/etc/swanctl/rsa/strongswanKey.pem</b></span></font></div><div><font color="#000000" face="calibri"><span style="font-size:16px;white-space:pre-wrap"><b><br></b></span></font></div><div><font color="#000000" face="calibri"><span style="font-size:16px;white-space:pre-wrap"><b>sudo ipsec pki --self --ca --in /usr/local/etc/swanctl/rsa/strongswanKey.pem --digest sha256 --dn "C=US, ST=MA, O=Arris, CN=StrongSwan Root CA" --outform pem > 
/usr/local/etc/swanctl/x509ca/strongswanCert.pem</b></span></font></div><div><font color="#000000" face="calibri"><span style="font-size:16px;white-space:pre-wrap"><b><br></b></span></font></div><div><font color="#000000" face="calibri"><span style="font-size:16px;white-space:pre-wrap"><b>sudo ipsec pki --print --in /usr/local/etc/swanctl/x509ca/strongswanCert.pem</b></span></font></div><div><font color="#000000" face="calibri"><span style="font-size:16px;white-space:pre-wrap"><b><br></b></span></font></div><div><font color="#000000" face="calibri"><span style="font-size:16px;white-space:pre-wrap"><b>sudo ipsec pki --gen --type rsa --size 4096 --outform pem > /usr/local/etc/swanctl/rsa/hostKey.pem</b></span></font></div><div><font color="#000000" face="calibri"><span style="font-size:16px;white-space:pre-wrap"><b><br></b></span></font></div><div><font color="#000000" face="calibri"><span style="font-size:16px;white-space:pre-wrap"><b>sudo chmod 600 /usr/local/etc/swanctl/rsa/hostKey.pem</b></span></font></div><div style="color:rgb(0,0,0);font-family:calibri;font-size:16px;font-weight:700;white-space:pre-wrap"><br></div><div><font color="#000000" face="calibri"><span style="font-size:16px;white-space:pre-wrap"><b>sudo ipsec pki --pub --in /usr/local/etc/swanctl/rsa/hostKey.pem --type rsa | ipsec pki --issue --digest sha256 --cacert /usr/local/etc/swanctl/x509ca/strongswanCert.pem --cakey /usr/local/etc/swanctl/rsa/strongswanKey.pem --dn "C=US, ST=MA, L=Lowell, O=Arris, CN=10.13.199.130" --san 10.13.199.130 --outform pem > /usr/local/etc/swanctl/x509/hostCert.pem</b></span></font><span style="color:rgb(0,0,0);font-family:calibri;font-size:16px;font-weight:700;white-space:pre-wrap">
</span></div><div><br></div><div><br></div><div><br></div><div><br></div></span></span></div></div>
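<div>A certificate only verifies under the CA key that signed it; two CAs generated separately, as in the two command lists above, share a DN but not a key. The following is an added example, not part of the original post, that reproduces this and shows the check; it assumes the openssl CLI and uses constructed throwaway keys and a temporary directory.</div>

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the openssl CLI; all
# keys and certificates are constructed throwaway test material (RSA 2048).

# make_ca DIR: self-signed CA in DIR with the CA DN used in the post.
make_ca() {
    mkdir -p "$1"
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
C = US
ST = MA
O = Arris
CN = StrongSwan Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1/ca.cnf" \
        -keyout "$1/caKey.pem" -out "$1/caCert.pem" 2>/dev/null
}

# issue_host CA_DIR IP: host key and certificate signed by the CA in CA_DIR.
issue_host() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
        -subj "/C=US/ST=MA/L=Lowell/O=Arris/CN=$2" \
        -keyout "$1/hostKey.pem" -out "$1/host.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/host.csr" -days 30 -CA "$1/caCert.pem" \
        -CAkey "$1/caKey.pem" -CAcreateserial -out "$1/hostCert.pem" 2>/dev/null
}

# chains_to CA_CERT CERT: succeeds only if CERT verifies under CA_CERT.
chains_to() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# ca_fingerprint CERT: SHA-256 fingerprint, for comparing CA files across hosts.
ca_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

w=$(mktemp -d)
make_ca "$w/initiator" && issue_host "$w/initiator" 10.13.199.185
make_ca "$w/receptor"  && issue_host "$w/receptor"  10.13.199.130
for ca in initiator receptor; do
    ca_fingerprint "$w/$ca/caCert.pem"
    if chains_to "$w/$ca/caCert.pem" "$w/initiator/hostCert.pem"
    then echo "initiator cert verifies under the $ca CA"
    else echo "initiator cert has no issuer in the $ca CA store"
    fi
done
rm -rf "$w"
```

<div>Differing fingerprints for the two strongswanCert.pem files indicate that the hosts hold different CAs, even though the subject DN printed for both is identical.</div>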