[strongSwan] Can't connect with chained certificates
Ygor Amadeo Sartori Regados
ygor.regados at yahoo.com.br
Sun Apr 11 04:33:13 CEST 2010
Hi.
I have configured strongSwan with X.509 authentication for roadwarriors.
It uses IKEv1 (for some Windows clients) and IKEv2 (some Linux clients).
I'm trying to change the PKI to one using chained CAs. I created a Sub-CA
only for VPN roadwarriors' certificates. When I changed the certificates,
I couldn't connect anymore. When I used my previous single-level CA, it
worked fine.
Has anyone had such a problem? (Sorry if my English is bad.)
My configuration:
*Server:*
config setup
    nat_traversal=yes
    plutostderrlog=/var/log/pluto.log

ca principal
    cacert = ca-principal.pem
    auto = add

ca vpn
    cacert = ca-vpn.pem
    auto = add

conn %default
    auto=add
    leftfirewall=yes
    rekey=no
    dpdaction=clear
    dpddelay=60
    dpdtimeout=180

conn rw
    left=%defaultroute
    leftcert=rw.pem
    leftsubnet=192.168.0.0/24
    pfs=no
    right=%any
    rightsubnetwithin=0.0.0.0/0
*Client:*
config setup
    nat_traversal = yes
    plutostart = yes
    charonstart = yes
    plutostderrlog = /var/log/pluto.log

conn %default
    leftfirewall=yes
    mobike=yes
    compress=yes
    auto=start

conn rw
    leftcert = dst.pem
    keyexchange=ikev2
    left = %defaultroute
    right = ***.***.***.***
    rightsubnet = 192.168.0.0/24
Log on server (masked IP addresses and certificate info):
Apr 10 23:18:46 mailproxy charon: 13[NET] received packet: from +++.++.+++.+++[17615] to ***.***.***.***[500]
Apr 10 23:18:46 mailproxy charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Apr 10 23:18:46 mailproxy charon: 13[IKE] +++.++.+++.+++ is initiating an IKE_SA
Apr 10 23:18:46 mailproxy charon: 13[IKE] remote host is behind NAT
Apr 10 23:18:46 mailproxy charon: 13[IKE] sending cert request for "O=***, OU=***, E=****, L=****, ST=**, C=**, CN=AC Raiz"
Apr 10 23:18:46 mailproxy charon: 13[IKE] sending cert request for "C=**, ST=**, O=***, OU=***, CN=AC para VPNs, E=****"
Apr 10 23:18:46 mailproxy charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Apr 10 23:18:46 mailproxy charon: 13[NET] sending packet: from ***.***.***.***[500] to +++.++.+++.+++[17615]
Apr 10 23:18:46 mailproxy charon: 14[NET] received packet: from +++.++.+++.+++[17619] to ***.***.***.***[4500]
Apr 10 23:18:46 mailproxy charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ]
Apr 10 23:18:46 mailproxy charon: 14[IKE] received cert request for "C=**, ST=**, O=***, OU=***, CN=AC para VPNs, E=****"
Apr 10 23:18:46 mailproxy charon: 14[IKE] received cert request for "O=***, OU=***, E=****, L=****, ST=**, C=**, CN=AC Raiz"
Apr 10 23:18:46 mailproxy charon: 14[IKE] received end entity cert "C=**, ST=**, O=***, OU=****, CN=Ygor A. S. Regados (PC), E=*******"
Apr 10 23:18:46 mailproxy charon: 14[CFG] looking for peer configs matching ***.***.***.***[***.***.***.***]...+++.++.+++.+++[C=**, ST=**, O=***, OU=***, CN=Ygor A. S. Regados (PC), E=*******]
Apr 10 23:18:46 mailproxy charon: 14[CFG] no matching peer config found
Apr 10 23:18:46 mailproxy charon: 14[IKE] peer supports MOBIKE
Apr 10 23:18:46 mailproxy charon: 14[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Apr 10 23:18:46 mailproxy charon: 14[NET] sending packet: from ***.***.***.***[4500] to +++.++.+++.+++[17619]
--
Ygor