[strongSwan] Looking for help with "no trusted RSA public key found for"
Jim Tessier
jimtess at gmail.com
Wed Apr 28 23:53:55 CEST 2010
Hello,
I am having no luck setting up a mutually authenticated tunnel
using certificates. I have tried mucking around with just about every
ipsec.conf parameter, but no luck. I also saw the FAQ, but could not
make sense of the answer. Any help is appreciated!!! Thanks.
Here is my output:
04[CFG] added configuration 'home'
08[CFG] received stroke: initiate 'load'
08[CFG] no config named 'load'
08[CFG]
07[CFG] received stroke: initiate 'home'
10[IKE] initiating IKE_SA home[1] to 172.16.107.2
10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
10[NET] sending packet: from 2.2.2.3[500] to 172.16.107.2[500]
12[NET] received packet: from 172.16.107.2[500] to 2.2.2.3[500]
12[ENC] parsed IKE_SA_INIT response 0 [ N(COOKIE) ]
12[IKE] initiating IKE_SA home[1] to 172.16.107.2
12[ENC] generating IKE_SA_INIT request 0 [ N(COOKIE) SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
12[NET] sending packet: from 2.2.2.3[500] to 172.16.107.2[500]
16[NET] received packet: from 172.16.107.2[500] to 2.2.2.3[500]
16[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
16[IKE] local host is behind NAT, sending keep alives
16[IKE] received cert request for "O=AcmePacket, OU=CSE, E=akhindari at acmepacket.com, L=Burlington, ST=MA, C=US, CN=selab.com"
16[IKE] sending cert request for "O=AcmePacket, OU=CSE, E=akhindari at acmepacket.com, L=Burlington, ST=MA, C=US, CN=selab.com"
16[IKE] authentication of 'C=US, ST=Massachusetts, O=Acme Packet, OU=Systems Engineering, CN=172.16.107.2' (myself) with RSA signature successful
16[IKE] sending end entity cert "C=US, ST=Massachusetts, O=Acme Packet, OU=Systems Engineering, CN=172.16.107.2"
16[IKE] establishing CHILD_SA home
16[ENC] generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH CP SA TSi TSr N(EAP_ONLY) ]
16[NET] sending packet: from 2.2.2.3[4500] to 172.16.107.2[4500]
13[NET] received packet: from 172.16.107.2[4500] to 2.2.2.3[4500]
13[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH CP SA TSi TSr ]
13[IKE] received end entity cert "C=US, ST=MA, L=Burlington, O=Engineering, CN=172.16.107.2"
13[IKE] no trusted RSA public key found for '172.16.107.2'
00[DMN] signal of type SIGINT received. Shutting down
00[KNL] received netlink error: Invalid argument (22)
And here is my ipsec.conf file:
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
config setup
    plutostart=no
    charondebug=all

ca msg1
    cacert=CA-SS-acmesec1.pem
    auto=add

conn %default
    ike=aes128-sha1-modp1024!
    esp=aes128-sha1!
    ikelifetime=23d
    keylife=22d
    rekeymargin=10m
    keyingtries=1
    keyexchange=ikev2
    mobike=no
    auto=add
    lefthostaccess=no
    dpdaction=restart
    dpddelay=45
    rekey=yes
    reauth=no
    forceencaps=yes

conn home
    left=%defaultroute
    leftsourceip=%modeconfig
    leftcert=acmesec1Cert.pem
    leftfirewall=yes
    rightfirewall=yes
    right=172.16.107.2
    rightid=%172.16.107.2
    rightsubnet=192.168.105.0/24
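The message "no trusted RSA public key found for '172.16.107.2'" is charon's way of saying that, after receiving the peer's end entity certificate, it could not find a certificate that both carries the peer's IKE identity and chains to a CA it trusts (the cacert= of a ca section, or a file in /etc/ipsec.d/cacerts). The log shows the ID check would pass here (the received certificate's CN is 172.16.107.2), so the part to verify is whether that certificate was actually issued by the CA loaded from CA-SS-acmesec1.pem. The following Python program is an added illustration of that trust decision; it is not code from the original post or from strongSwan. It builds a constructed "configured" CA, a constructed foreign CA, and three peer certificates (issued by the configured CA, issued by the foreign CA, and issued by the configured CA but for a different identity), then applies the same four conditions charon applies: identity present, validity period, issuer DN equal to a trusted CA subject, and signature verified with that CA's RSA key. The DNs are modelled on the ones in the log; the CA names, serials and keys are generated on the fly. Requires the third-party `cryptography` package.

```python
"""Added example (not from the original post or from strongSwan): reproduce
the trust decision behind charon's 'no trusted RSA public key found for <id>'.

charon accepts a peer's end entity certificate for IKEv2 RSA authentication
only if (1) the peer's identity (rightid=) is in the certificate, (2) the
certificate is currently valid, (3) its issuer is a CA charon trusts, and
(4) the CA's key verifies the signature over the certificate."""
import datetime
import ipaddress

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

_OID = {"C": NameOID.COUNTRY_NAME, "ST": NameOID.STATE_OR_PROVINCE_NAME,
        "L": NameOID.LOCALITY_NAME, "O": NameOID.ORGANIZATION_NAME,
        "OU": NameOID.ORGANIZATIONAL_UNIT_NAME, "CN": NameOID.COMMON_NAME}
_UTC = datetime.timezone.utc


def dn(**attrs):
    """Build an X.509 Name from C=, ST=, L=, O=, OU=, CN= keyword arguments."""
    return x509.Name([x509.NameAttribute(_OID[k], v) for k, v in attrs.items()])


def _builder(subject, issuer, pubkey, days=365):
    now = datetime.datetime.now(_UTC)
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer).public_key(pubkey)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(days=1))
            .not_valid_after(now + datetime.timedelta(days=days)))


def make_ca(subject):
    """Self-signed CA certificate: the equivalent of the file named by cacert=."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = (_builder(subject, subject, key.public_key())
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_peer_cert(ca_key, ca_cert, subject, ip_id):
    """End entity certificate for an IKE peer whose identity is the IP address ip_id."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    san = x509.SubjectAlternativeName([x509.IPAddress(ipaddress.ip_address(ip_id))])
    cert = (_builder(subject, ca_cert.subject, key.public_key())
            .add_extension(san, critical=False)
            .sign(ca_key, hashes.SHA256()))
    return key, cert


def _validity(cert):
    nb = getattr(cert, "not_valid_before_utc", None)  # present in cryptography >= 42
    if nb is not None:
        return nb, cert.not_valid_after_utc
    return (cert.not_valid_before.replace(tzinfo=_UTC),
            cert.not_valid_after.replace(tzinfo=_UTC))


def cert_carries_id(cert, peer_id):
    """True if peer_id is the subject CN or an IP subjectAltName of cert."""
    cns = [a.value for a in cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)]
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        ips = [str(ip) for ip in san.get_values_for_type(x509.IPAddress)]
    except x509.ExtensionNotFound:
        ips = []
    return peer_id in cns or peer_id in ips


def find_trusted_public_key(peer_cert, trusted_cas, peer_id):
    """Return the peer's public key if peer_cert is acceptable for peer_id, else None
    (None is the case in which charon logs 'no trusted RSA public key found')."""
    if not cert_carries_id(peer_cert, peer_id):
        return None
    not_before, not_after = _validity(peer_cert)
    if not not_before <= datetime.datetime.now(_UTC) <= not_after:
        return None
    for ca in trusted_cas:
        if peer_cert.issuer != ca.subject:      # issuer DN must name a trusted CA
            continue
        try:                                    # and that CA's key must verify the signature
            ca.public_key().verify(peer_cert.signature, peer_cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), peer_cert.signature_hash_algorithm)
        except InvalidSignature:
            continue
        return peer_cert.public_key()
    return None


def build_fixtures():
    """Constructed CAs and peer certs; returns (trusted_ca, good, foreign, wrong_id)."""
    ca_key, ca_cert = make_ca(dn(O="AcmePacket", OU="CSE", CN="selab.com"))
    other_key, other_cert = make_ca(dn(O="SomeOtherLab", CN="other-ca"))  # not configured
    peer = dn(C="US", ST="MA", L="Burlington", O="Engineering", CN="172.16.107.2")
    _, good = issue_peer_cert(ca_key, ca_cert, peer, "172.16.107.2")
    _, foreign = issue_peer_cert(other_key, other_cert, peer, "172.16.107.2")
    other_peer = dn(C="US", O="Engineering", CN="other-gateway")
    _, wrong_id = issue_peer_cert(ca_key, ca_cert, other_peer, "10.0.0.1")
    return ca_cert, good, foreign, wrong_id


if __name__ == "__main__":
    ca_cert, good, foreign, wrong_id = build_fixtures()
    cases = [("issued by the configured CA", good),
             ("issued by a CA charon was not given", foreign),
             ("configured CA, but ID not in the certificate", wrong_id)]
    for label, cert in cases:
        key = find_trusted_public_key(cert, [ca_cert], "172.16.107.2")
        print(f"{label}: {'authenticated' if key else 'no trusted RSA public key found'}")
```

The practical check this suggests for the configuration above is to confirm, with the actual files, that the issuer of the certificate the responder sends is the subject of CA-SS-acmesec1.pem and that the signature verifies against it; if the responder's certificate was issued by a different CA, that CA's certificate has to be made available to charon as well.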