<div dir="ltr">It doesn't appear you've configured strongswan to trust any CAs anywhere. See /etc/ipsec.d/cacerts, the "CA SECTIONS" section in ipsec.conf(5), and the leftca and rightca options.</div><br><div class="gmail_quote"><div dir="ltr">On Wed, May 16, 2018 at 9:40 AM Michal Grzelak <<a href="mailto:michal.grzelak@nordcloud.com">michal.grzelak@nordcloud.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">
<div class="m_5646570929133274853gmail-post-text">
<p>I have a Site to Site VPN between Strongswan and Cisco working over
PSK. Wanted to upgrade it to authenticate via Certificates, but can't
get it done. Receiving following error: <br></p><p><br></p>
<pre><code>May 9 13:57:20 strongswan charon: 13[CFG] ocsp response correctly signed by "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Validation Authority - G2"
May 9 13:57:20 strongswan charon: 13[CFG] ocsp response is valid: until May 11 01:05:00 2018
May 9 13:57:20 strongswan charon: 13[CFG] using cached ocsp response
May 9 13:57:20 strongswan charon: 13[CFG] certificate status is good
May 9 13:57:20 strongswan charon: 13[CFG] certificate policy 2.16.840.1.114413.1.7.23.1 for 'OU=Domain Control Validated, CN=<a href="http://hostname.somedomain.com" target="_blank">hostname.somedomain.com</a>' not allowed by trustchain, ignored
May 9 13:57:20 strongswan charon: 13[CFG] certificate policy 2.23.140.1.2.1 for 'OU=Domain Control Validated, CN=<a href="http://hostname.somedomain.com" target="_blank">hostname.somedomain.com</a>' not allowed by trustchain, ignored
May 9 13:57:20 strongswan charon: 13[CFG] reached self-signed root ca with a path length of 1
May 9 13:57:20 strongswan charon: 13[IKE] signature validation failed, looking for another key
</code></pre>
<p>The Certificates for both ends are signed by two different CA, but
already exchanged public root and intermediate certs. On cisco side I
see the tunnel goes up for both Phase 1 and 2, so its good. Strongswan
has problem with it and no SA is up.<br></p>
<p>Configuration:</p>
<pre><code>conn testconn
auto=start
left=%any
leftfirewall=yes
leftid=@<a href="http://strongswan.mydomain.com" target="_blank">strongswan.mydomain.com</a>
leftid=x.x.x.x
leftcert=strongswan.mydomain.com.pem
right=y.y.y.y
rightid=%any
rightid=@<a href="http://hostname.somedomain.com" target="_blank">hostname.somedomain.com</a>
type=tunnel
ikelifetime=24h
keylife=1h
esp=aes256-sha384-ecp521
ike=aes256-sha384-modp1024
keyingtries=%forever
keyexchange=ikev2
leftsubnet=z.z.z.z/z
rightsubnet=u.u.u.u/u
dpddelay=10s
dpdtimeout=30s
dpdaction=restart
</code></pre>
<p>What be wrong here? Any suggestions?</p>
</div>
Thanks.</div><div dir="ltr"><br clear="all"><div><br>-- <br><div class="m_5646570929133274853gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div><div dir="ltr"><div><div dir="ltr"><div>Best regards,<br>MichaĆ <br></div><br></div></div></div></div></div></div></div></div></div>
</div></div></blockquote></div>