<div dir="ltr">
<p>I am running 5.6.1 and trying to establish a site-to-site VPN to an F5 BIG-IP using IKEv2 and certificates. The tunnel works OK with PSK, but when using certificates I get the following in the log:</p>
<pre>
11[CFG] checking certificate status of "C=gb, ST=anglesey, L=benllech, O=f5, OU=es, CN=moriarty_k-server_1.winnett.gb"
11[CFG] fetching crl from 'file:///usr/local/etc/swanctl/x509crl/ca-cacert.crl' ...
11[CFG] issuer of fetched CRL 'C=gb, ST=anglesey, L=benllech, O=f5, OU=es, CN=moriarty_k-Root_CA.winnett.gb' does not match CRL issuer '0e:db:41:37:bb:8c:b8:1c:de:9b:35:31:de:4d:6b:67:5a:02:57:22'
</pre>
<p>I found a previous thread indicating that the "CRL must contain an authorityKeyIdentifier equal to the subjectKeyIdentifier of the CRL issuer", which I now have ...</p>
<pre>
$ openssl crl -in ca-cacert.crl -noout -text | grep -E "CRL extensions:" -A 4
        CRL extensions:
            X509v3 Authority Key Identifier:
                keyid:0E:DB:41:37:BB:8C:B8:1C:DE:9B:35:31:DE:4D:6B:67:5A:02:57:22
                DirName:/C=gb/ST=anglesey/L=benllech/O=f5/OU=es/CN=moriarty_k-Root_CA.winnett.gb
                serial:5A:4D:03:09

$ openssl x509 -in ca-cacert.pem -text | grep -E "X509v3 extensions:" -A 6
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                0E:DB:41:37:BB:8C:B8:1C:DE:9B:35:31:DE:4D:6B:67:5A:02:57:22
            X509v3 Authority Key Identifier:
                keyid:0E:DB:41:37:BB:8C:B8:1C:DE:9B:35:31:DE:4D:6B:67:5A:02:57:22
</pre>
<p>Any idea what is wrong?</p>
<p>Many thanks ...</p>
</div>
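<p>The rule quoted in the post (the CRL's authorityKeyIdentifier keyid must equal the subjectKeyIdentifier of the issuing CA certificate) can be checked before a CRL is dropped into a daemon's CRL directory. The script below is an added example, not code from the poster or from strongSwan, and it is not a reimplementation of strongSwan's validator; it walks the DER of a certificate and a CRL with the standard library only, pulls out the SKI and the AKI keyid (RFC 5280 OIDs 2.5.29.14 and 2.5.29.35), and compares them. The key identifier and serial number are the ones shown in the post; the certificate and CRL blobs are constructed skeletons with the correct nesting rather than real signed X.509 objects, so that the example runs offline. The function and variable names are this example's own.</p>

```python
"""Pre-flight check: does a CRL's authorityKeyIdentifier (AKI) keyid equal the
subjectKeyIdentifier (SKI) of the CA certificate that is supposed to have issued it?
Standard library only; OIDs from RFC 5280 (SKI 2.5.29.14, AKI 2.5.29.35)."""
import base64
import re

OID_SKI = bytes.fromhex("551d0e")  # 2.5.29.14 as DER OID contents
OID_AKI = bytes.fromhex("551d23")  # 2.5.29.35 as DER OID contents


def der_read(buf, pos=0):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Yield (tag, value) for every TLV directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        yield tag, val


def der(tag, *parts):
    """Encode one DER TLV (used only to build the constructed sample blobs below)."""
    payload = b"".join(parts)
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def find_extension(buf, oid):
    """Depth-first search for Extension ::= SEQUENCE { OID, [critical BOOLEAN], OCTET STRING }.
    Returns the extnValue octets or None. Works on a certificate or a CRL."""
    for tag, val in der_children(buf):
        if not tag & 0x20:                 # primitive value: cannot contain an Extension
            continue
        kids = list(der_children(val))
        if kids and kids[0][0] == 0x06 and kids[0][1] == oid and kids[-1][0] == 0x04:
            return kids[-1][1]
        found = find_extension(val, oid)
        if found is not None:
            return found
    return None


def subject_key_id(cert_der):
    """SKI extnValue is OCTET STRING { keyIdentifier OCTET STRING }."""
    ext = find_extension(cert_der, OID_SKI)
    if ext is None:
        return None
    tag, val, _ = der_read(ext)
    return val if tag == 0x04 else None


def authority_key_id(crl_der):
    """AKI extnValue wraps SEQUENCE { [0] keyIdentifier, [1] authorityCertIssuer, [2] serial }.
    Only the [0] keyIdentifier (IMPLICIT, tag 0x80) can be compared with an SKI."""
    ext = find_extension(crl_der, OID_AKI)
    if ext is None:
        return None
    _, seq, _ = der_read(ext)
    for tag, val in der_children(seq):
        if tag == 0x80:
            return val
    return None                            # issuer/serial form only: nothing to match an SKI


def crl_matches_issuer(cert_der, crl_der):
    ski, aki = subject_key_id(cert_der), authority_key_id(crl_der)
    return ski is not None and aki is not None and ski == aki


def keyid_hex(keyid):
    """Render a key identifier the way the strongSwan log line shows it."""
    return ":".join(f"{b:02x}" for b in keyid)


def pem_to_der(pem_text):
    body = re.search(r"-----BEGIN [^-]+-----(.*?)-----END", pem_text, re.S).group(1)
    return base64.b64decode("".join(body.split()))


def to_pem(label, der_bytes):
    b64 = base64.b64encode(der_bytes).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# --- constructed sample data: skeletons with the real nesting, not real signed X.509 objects ---
KEYID = bytes.fromhex("0edb4137bb8cb81cde9b3531de4d6b675a025722")  # keyid from the post
SERIAL = bytes.fromhex("5a4d0309")                                   # serial from the post


def oid(value):
    return der(0x06, value)


# Certificate { tbsCertificate { [3] Extensions { SKI } }, signatureAlgorithm, signatureValue }
CA_CERT_DER = der(0x30, der(0x30, der(0xA3, der(0x30, der(0x30, oid(OID_SKI),
                  der(0x04, der(0x04, KEYID)))))), der(0x30), der(0x03, b"\x00"))


def crl_with_aki(aki_seq):
    """CertificateList { tbsCertList { [0] crlExtensions { AKI } }, signatureAlgorithm, signatureValue }."""
    ext = der(0x30, oid(OID_AKI), der(0x04, aki_seq))
    return der(0x30, der(0x30, der(0xA0, der(0x30, ext))), der(0x30), der(0x03, b"\x00"))


DIRNAME = der(0xA1, der(0xA4, der(0x30)))  # [1] authorityCertIssuer holding an empty directoryName
GOOD_CRL_DER = crl_with_aki(der(0x30, der(0x80, KEYID), DIRNAME, der(0x82, SERIAL)))
NO_KEYID_CRL_DER = crl_with_aki(der(0x30, DIRNAME, der(0x82, SERIAL)))
WRONG_KEYID_CRL_DER = crl_with_aki(der(0x30, der(0x80, b"\x01" * 20)))

if __name__ == "__main__":
    print("CA SKI:", keyid_hex(subject_key_id(CA_CERT_DER)))
    for name, crl in [("keyid+issuer+serial", GOOD_CRL_DER),
                      ("issuer+serial only", NO_KEYID_CRL_DER),
                      ("wrong keyid", WRONG_KEYID_CRL_DER)]:
        aki = authority_key_id(crl)
        print(f"{name:22s} AKI={keyid_hex(aki) if aki else '(none)'}  match={crl_matches_issuer(CA_CERT_DER, crl)}")
```

<p>Against real files, feed <code>pem_to_der(open("ca-cacert.pem").read())</code> and <code>pem_to_der(open("ca-cacert.crl").read())</code> to <code>crl_matches_issuer</code>. The comparison only establishes that the identifiers line up; it does not verify the CRL's signature, so pair it with <code>openssl crl -in ca-cacert.crl -CAfile ca-cacert.pem -noout</code>, which prints <code>verify OK</code> when the CA key actually signed the CRL.</p>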