<div dir="ltr"><div>Thanks Phil for input. <br></div><div>I have public certs in /etc/ipsec.d/cacerts copied. Moreover has been playing with leftca and rigthca and that didn't help - always has the same error.<br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, May 16, 2018 at 2:10 PM, Phil Frost <span dir="ltr"><<a href="mailto:phil@postmates.com" target="_blank">phil@postmates.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">It doesn't appear you've configured strongswan to trust any CAs anywhere. See /etc/ipsec.d/cacerts, the "CA SECTIONS" section in ipsec.conf(5), and the leftca and rightca options.</div><div class="HOEnZb"><div class="h5"><br><div class="gmail_quote"><div dir="ltr">On Wed, May 16, 2018 at 9:40 AM Michal Grzelak <<a href="mailto:michal.grzelak@nordcloud.com" target="_blank">michal.grzelak@nordcloud.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">
<div class="m_-3784503834383898372m_5646570929133274853gmail-post-text">
<p>I have a Site to Site VPN between Strongswan and Cisco working over
PSK. Wanted to upgrade it to authenticate via Certificates, but can't
get it done. Receiving following error: <br></p><p><br></p>
<pre><code>May 9 13:57:20 strongswan charon: 13[CFG] ocsp response correctly signed by "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Validation Authority - G2"
May 9 13:57:20 strongswan charon: 13[CFG] ocsp response is valid: until May 11 01:05:00 2018
May 9 13:57:20 strongswan charon: 13[CFG] using cached ocsp response
May 9 13:57:20 strongswan charon: 13[CFG] certificate status is good
May 9 13:57:20 strongswan charon: 13[CFG] certificate policy 2.16.840.1.114413.1.7.23.1 for 'OU=Domain Control Validated, CN=<a href="http://hostname.somedomain.com" target="_blank">hostname.somedomain.com</a>' not allowed by trustchain, ignored
May 9 13:57:20 strongswan charon: 13[CFG] certificate policy 2.23.140.1.2.1 for 'OU=Domain Control Validated, CN=<a href="http://hostname.somedomain.com" target="_blank">hostname.somedomain.com</a>' not allowed by trustchain, ignored
May 9 13:57:20 strongswan charon: 13[CFG] reached self-signed root ca with a path length of 1
May 9 13:57:20 strongswan charon: 13[IKE] signature validation failed, looking for another key
</code></pre>
<p>The Certificates for both ends are signed by two different CA, but
already exchanged public root and intermediate certs. On cisco side I
see the tunnel goes up for both Phase 1 and 2, so its good. Strongswan
has problem with it and no SA is up.<br></p>
<p>Configuration:</p>
<pre><code>conn testconn
auto=start
left=%any
leftfirewall=yes
leftid=@<a href="http://strongswan.mydomain.com" target="_blank">strongswan.mydomain.<wbr>com</a>
leftid=x.x.x.x
leftcert=strongswan.mydomain.<wbr>com.pem
right=y.y.y.y
rightid=%any
rightid=@<a href="http://hostname.somedomain.com" target="_blank">hostname.somedomain.<wbr>com</a>
type=tunnel
ikelifetime=24h
keylife=1h
esp=aes256-sha384-ecp521
ike=aes256-sha384-modp1024
keyingtries=%forever
keyexchange=ikev2
leftsubnet=z.z.z.z/z
rightsubnet=u.u.u.u/u
dpddelay=10s
dpdtimeout=30s
dpdaction=restart
</code></pre>
<p>What be wrong here? Any suggestions?</p>
</div>
Thanks.</div><div dir="ltr"><br clear="all"><div><br>-- <br><div class="m_-3784503834383898372m_5646570929133274853gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div><div dir="ltr"><div><div dir="ltr"><div>Best regards,<br>Michał <br></div><br></div></div></div></div></div></div></div></div></div>
</div></div></blockquote></div>
</div></div></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div><div dir="ltr"><div><div dir="ltr"><div>Best regards,<br>Michał Grzelak<br></div><div>Senior Cloud Architect<br></div><div><br></div><div>Nordcloud Poland sp. z o.o.<br></div><div><a href="https://maps.google.com/?q=D%C4%85browskiego+79A,+60-575+Pozna%C5%84&entry=gmail&source=g" target="_blank">Dąbrowskiego 79A, 60-575 Poznań</a><br></div><div><a href="mailto:maciej.mietlinski@nordcloud.com" target="_blank">michal.grzelak@nordcloud.com</a></div><div><a href="http://www.nordcloud.com" target="_blank">www.nordcloud.com</a></div><div><a href="http://www.nordcloud.com" target="_blank"><br></a></div><div><a href="http://www.nordcloud.com" target="_blank"><img src="cid:24A0F11E-C76A-491E-A08C-180990268E09" type="image/png" width="250.000000" height="53.000000"></a></div></div></div></div></div></div></div></div></div></div>
</div>