I am running 5.6.1 and trying to establish a site to site vlan to an F5 BIG-IP using IKEv2 and certificates. The tunnel works OK with PSK, but when using certificates I get the following in the log:

11[CFG] checking certificate status of "C=gb, ST=anglesey, L=benllech, O=f5, OU=es, CN=moriarty_k-server_1.winnett.gb"
11[CFG]   fetching crl from 'file:///usr/local/etc/swanctl/x509crl/ca-cacert.crl' ...
11[CFG] issuer of fetched CRL 'C=gb, ST=anglesey, L=benllech, O=f5, OU=es, CN=moriarty_k-Root_CA.winnett.gb' does not match CRL issuer '0e:db:41:37:bb:8c:b8:1c:de:9b:35:31:de:4d:6b:67:5a:02:57:22'

I found a previous thread indicating that the "CRL must contain an authorityKeyIdentifier equal to the subjectKeyIdentifier of the CRL issuer", which I now have ...

$ openssl crl -in ca-cacert.crl -noout -text | grep -E "CRL extensions:" -A 4
        CRL extensions:
            X509v3 Authority Key Identifier: 
                keyid:0E:DB:41:37:BB:8C:B8:1C:DE:9B:35:31:DE:4D:6B:67:5A:02:57:22
                DirName:/C=gb/ST=anglesey/L=benllech/O=f5/OU=es/CN=moriarty_k-Root_CA.winnett.gb
                serial:5A:4D:03:09

$ openssl x509 -in ca-cacert.pem -text | grep -E "X509v3 extensions:" -A 6
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier: 
                0E:DB:41:37:BB:8C:B8:1C:DE:9B:35:31:DE:4D:6B:67:5A:02:57:22
            X509v3 Authority Key Identifier: 
                keyid:0E:DB:41:37:BB:8C:B8:1C:DE:9B:35:31:DE:4D:6B:67:5A:02:57:22

Any idea what is wrong?

Many thanks ...

Matthew
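As an added example (not from Matthew's post and not strongSwan's own validation code), a Python check using the `cryptography` library that folds the two openssl greps above into one function: it compares the CRL's authorityKeyIdentifier keyid with the CA's subjectKeyIdentifier, compares the issuer DN, and additionally verifies the CRL signature under the CA key. The CA and CRL are constructed inside the script; the function names and the "re-keyed CA" scenario are assumptions for illustration, and to run it on real files load them with `x509.load_pem_x509_crl` / `x509.load_pem_x509_certificate`.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID

def crl_matches_issuer(crl, ca):
    """Per-check result of whether `ca` issued `crl` (added check, not strongSwan's code)."""
    ski = ca.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_KEY_IDENTIFIER).value.digest
    try:
        aki = crl.extensions.get_extension_for_oid(
            ExtensionOID.AUTHORITY_KEY_IDENTIFIER).value.key_identifier
    except x509.ExtensionNotFound:
        aki = None
    return {
        "aki_present": aki is not None,        # CRL carries an authorityKeyIdentifier at all
        "keyid_match": aki == ski,             # AKI keyid equals the CA's subjectKeyIdentifier
        "dn_match": crl.issuer == ca.subject,  # issuer DN agrees (necessary, not sufficient)
        "signature_ok": crl.is_signature_valid(ca.public_key()),  # signed by this CA's key
    }

def make_ca(common_name):
    """Self-signed test CA carrying a subjectKeyIdentifier (constructed sample data)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = dt.datetime.now(dt.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + dt.timedelta(days=30))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
            .sign(key, hashes.SHA256()))
    return key, cert

def make_crl(key, ca, with_aki=True):
    """Empty CRL signed by `key`, optionally with AKI = the CA's SKI (constructed sample data)."""
    now = dt.datetime.now(dt.timezone.utc)
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca.subject)
               .last_update(now).next_update(now + dt.timedelta(days=7)))
    if with_aki:
        ski = ca.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_KEY_IDENTIFIER).value
        builder = builder.add_extension(x509.AuthorityKeyIdentifier(ski.digest, None, None),
                                        critical=False)
    return builder.sign(key, hashes.SHA256())

if __name__ == "__main__":
    ca_key, ca = make_ca("Test Root CA")
    print(crl_matches_issuer(make_crl(ca_key, ca), ca))
    print(crl_matches_issuer(make_crl(ca_key, ca), make_ca("Test Root CA")[1]))  # re-keyed CA, same DN
```

The second call shows the case the log line hints at: a CA with the same DN but a different key passes the DN comparison while the keyid and signature checks fail.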