<div dir="auto">
<p>Hello,</p>
<p>This is my first try setting up strongSwan and IPsec. I'm used to OpenVPN, but that is no longer a viable option. I have two strongSwan servers running on Debian with Let's Encrypt on them. I thought it would be nice not to deal with certificates on the client side. I can connect to both boxes just fine from my Android with IKEv2 EAP authentication.</p>
<p>On my Linux desktop, at first strongSwan was unable to fetch OCSP from LE servers. Installing the curl plugin fixed that. Now I'm stuck with a public key error that I cannot seem to solve.</p>
<p>Here is the last bit of the log:</p>
<pre>
checking certificate status of "CN=some.domain.com"
  requesting ocsp status from 'http://ocsp.int-x3.letsencrypt.org' ...
  ocsp response correctly signed by "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
  ocsp response is valid: until Aug 25 18:00:00 2017
certificate status is good
no issuer certificate found for "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
no trusted RSA public key found for 'some.domain.com'
generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
sending packet: from 192.168.31.116[4500] to 999.199.**.**[4500] (76 bytes)
establishing connection 'vpn' failed
</pre>
<p>I have tried to install the LE root certificates on my system, but the problem persists.</p>
<p>Here is the ipsec.conf on my desktop:</p>
<pre>
conn vpn
    keyexchange=ikev2
    dpdaction=clear
    dpddelay=300s
    eap_identity=dobry
    leftauth=eap-mschapv2
    left=%defaultroute
    leftsourceip=%config
    right=some.domain.com
    rightauth=pubkey
    rightsubnet=0.0.0.0/0
    rightid=%any
    type=tunnel
    auto=add
</pre>
<p>Please let me know what other information might be relevant. Any pointers would be greatly appreciated.</p>
<p>Thank you for reading.</p>
</div>
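<p>An added example, not part of the post and not strongSwan code: a small triage helper that scans a charon log excerpt for the chain-validation signature shown above (OCSP for the server certificate succeeds, then "no issuer certificate found" for the intermediate, then "no trusted RSA public key found" for the server identity) and maps it to the checks to run next. The sample log is constructed from the lines quoted in the post. The paths and commands (/etc/ipsec.d/cacerts, ipsec listcacerts, ipsec rereadcacerts) assume the classic stroke/ipsec.conf setup that the quoted ipsec.conf implies.</p>

```python
"""Triage helper for strongSwan (charon) certificate-chain failures.

Added example for the thread above; not strongSwan's own code. It reads a
charon log excerpt, extracts the messages that appear when the peer's
certificate chain cannot be built up to a trust anchor, and returns the
check a defender would run next. Paths and commands assume the classic
stroke/ipsec.conf setup (/etc/ipsec.d/cacerts, ipsec listcacerts).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the charon excerpt quoted in the post (anonymised
# hostname and IP kept exactly as they appear there).
SAMPLE_LOG = """\
checking certificate status of "CN=some.domain.com"
  requesting ocsp status from 'http://ocsp.int-x3.letsencrypt.org' ...
  ocsp response correctly signed by "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
  ocsp response is valid: until Aug 25 18:00:00 2017
certificate status is good
no issuer certificate found for "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
no trusted RSA public key found for 'some.domain.com'
generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
sending packet: from 192.168.31.116[4500] to 999.199.**.**[4500] (76 bytes)
establishing connection 'vpn' failed
"""

# charon messages emitted on the pubkey / chain-validation path.
RE_OCSP_GOOD = re.compile(r"^certificate status is good$")
RE_MISSING_ISSUER = re.compile(r'^no issuer certificate found for "(?P<dn>[^"]+)"$')
RE_UNTRUSTED = re.compile(r"^no trusted \w+ public key found for '(?P<id>[^']+)'$")
RE_AUTH_FAILED = re.compile(r"N\(AUTH_FAILED\)")
RE_CONN_FAILED = re.compile(r"^establishing connection '(?P<conn>[^']+)' failed$")


@dataclass
class Diagnosis:
    ocsp_status_good: bool = False
    missing_issuer_of: Optional[str] = None   # subject whose issuer charon could not find
    untrusted_identity: Optional[str] = None  # peer identity left without a trusted key
    auth_failed: bool = False
    failed_connection: Optional[str] = None

    def likely_cause(self) -> str:
        if self.missing_issuer_of and self.untrusted_identity:
            return ("trust anchor missing: charon has no certificate that issued "
                    f'"{self.missing_issuer_of}", so the chain for '
                    f"'{self.untrusted_identity}' never reaches a trusted CA")
        if self.untrusted_identity:
            return (f"peer key for '{self.untrusted_identity}' is untrusted for a "
                    "reason other than a missing issuer; read the full charon log")
        if self.auth_failed:
            return "AUTH_FAILED without a chain error; authentication failed elsewhere"
        return "no certificate-chain failure signature found"


def diagnose(log: str) -> Diagnosis:
    """Collect the chain-validation signature from a charon log excerpt."""
    d = Diagnosis()
    for raw in log.splitlines():
        line = raw.strip()
        if RE_OCSP_GOOD.match(line):
            d.ocsp_status_good = True
        elif (m := RE_MISSING_ISSUER.match(line)):
            d.missing_issuer_of = m.group("dn")
        elif (m := RE_UNTRUSTED.match(line)):
            d.untrusted_identity = m.group("id")
        elif RE_AUTH_FAILED.search(line):
            d.auth_failed = True
        elif (m := RE_CONN_FAILED.match(line)):
            d.failed_connection = m.group("conn")
    return d


def remediation(d: Diagnosis) -> List[str]:
    """Checks to run next, in order (assumes the stroke/ipsec.conf setup)."""
    steps: List[str] = []
    if d.ocsp_status_good and d.missing_issuer_of:
        steps.append("OCSP was verified, so the intermediate that signed the response "
                     "was present; only the CA above it is missing")
    if d.missing_issuer_of:
        steps.append("ipsec listcacerts   # see which CA certs charon actually loaded")
        steps.append(f'put the PEM of the CA that issued "{d.missing_issuer_of}" into '
                     "/etc/ipsec.d/cacerts/ (charon does not read the OS trust store by default)")
        steps.append("ipsec rereadcacerts  # then retry: ipsec up vpn")
    return steps


if __name__ == "__main__":
    diag = diagnose(SAMPLE_LOG)
    print(diag.likely_cause())
    for step in remediation(diag):
        print(" -", step)
```

<p>The point the helper makes explicit: a good OCSP status only says the server certificate is not revoked; it is produced before charon tries to walk from the intermediate to a trusted root, and that walk is what fails here. Installing a root into the distribution's trust store does not help the stroke backend, which only looks in /etc/ipsec.d/cacerts.</p>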