[strongSwan] Cert question

Andreas Steffen andreas.steffen at strongswan.org
Thu Feb 24 20:29:43 CET 2011

Hello Gary,

it is not good practice to load the peer certificate
(i.e. rightcert locally). Better copy the CA certificate
which signed the peer certificate and issued all other
certificates into the /etc/ipsec.d/cacerts/ directory
so that trust can be established.



On 02/24/2011 08:04 PM, Gary Smith wrote:
>> The error message
>> : 15[IKE] received AUTHENTICATION_FAILED notify error
>> means that the authentication failed on the remote side.
>> Please check the logs of the peer.
>> Andreas
> Andreas,
> I've sorted a few things on this end. It appears that TinyCA was putting the email address as the altName by default so there was no match. Anyway, that issue has been fixed.
> I received an error on connect this time saying that it couldn't validate each other's cert, so I copied the left cert to the right machine, and vice versa, and tweaked the .conf file to look like this:
> conn fre-lin
>          left=x.x.x.x
>          leftcert=left-cert.pem
>          leftid=@left
>          leftsubnet=leftlocal/21
>          leftfirewall=yes
>          right=y.y.y.y
>          rightcert=right-cert.pem
>          rightid=@right
>          rightsubnet=rightlocal/21
>          auto=add
> Is this the correct way to handle the problem of finding the correct cert for the right (by explicitly adding it to the connection)?
> I can ping both sides of the tunnel now (that is the local vpn internal IP) so I guess it's working.
> Gary Smith

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
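The connection from the quoted mail, rewritten the way this reply recommends: the peer certificate is no longer loaded with rightcert, and trust comes from the issuing CA placed in /etc/ipsec.d/cacerts/. This is an added illustration, not a config from the original thread; the CA subject DN, file names and identities are placeholders.

```ini
# /etc/ipsec.conf (added example; DNs, addresses and file names are placeholders)
#
# On each host: the CA that issued both end-entity certificates goes into
#   /etc/ipsec.d/cacerts/ca-cert.pem
# Each host keeps only its OWN certificate in /etc/ipsec.d/certs/ and its
# private key in /etc/ipsec.d/private/ (referenced from ipsec.secrets).
# The peer's certificate is not copied anywhere: it arrives in the IKE
# exchange and is validated against the CA found in cacerts/.

conn fre-lin
        left=x.x.x.x
        leftcert=left-cert.pem          # this host's own certificate
        leftid=@left                    # must match a subjectAltName in left-cert.pem
        leftsubnet=leftlocal/21
        leftfirewall=yes
        right=y.y.y.y
        # rightcert=right-cert.pem      # removed: do not load the peer's cert locally
        rightid=@right                  # must match a subjectAltName in the peer's cert
        rightca="C=XX, O=Example Org, CN=Example CA"   # optional: only accept peer certs issued by this CA
        rightsubnet=rightlocal/21
        auto=add
```

The mirrored conn on the other host swaps the left/right values the same way; the rightca line is optional but keeps a certificate from some other CA in cacerts/ from satisfying this connection.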
