[strongSwan] Upgrade issue
Peter Sagerson
psagers at ignorare.net
Fri Mar 23 19:12:38 CET 2012
Hello,
I'm attempting to upgrade from strongSwan 4.4.0 to 4.5.2 and I'm seeing a mysterious failure that I haven't been able to puzzle out. The connection config looks like this (DPD and cipher settings omitted for brevity):
conn ipsec
    keyexchange = ikev1
    auth = esp
    authby = xauthrsasig
    xauth = server
    left = %defaultroute
    leftcert = server.cer
    leftsubnet = 0.0.0.0/0
    right = %any
    rightca = "C=US, ST=Washington, O=Bourgeois Bits LLC, OU=Cloak, CN=Cloak Public IPSec CA"
    rightsourceip = 10.137.192.0/18
    auto = add
With 4.4.0, this works great; here's a relevant snippet from pluto.log (after all the certs have checked out):
| XAUTHInitRSA check passed with keyid 08:f4:bf:b9:2d:e8:da:89:48:51:70:dc:1a:e8:a8:93:33:02:a1:3c
| peer CA: "C=US, ST=Washington, O=Bourgeois Bits LLC, OU=Cloak, CN=Cloak Public IPSec CA"
| requested CA: %any
| offered CA: "C=US, ST=Washington, O=Bourgeois Bits LLC, OU=Cloak"
| switched from "ipsec" to "ipsec"
| instantiated "ipsec" for [ip redacted]
etc.
"C=US, ST=Washington, O=Bourgeois Bits LLC, OU=Cloak" is the anchor and the other one is the intermediate that has signed the client cert. Both are stored in ipsec.d/cacerts/, so the anchor shouldn't even need to be involved. Now when I use the same config on 4.5.2, I get a slightly different and less encouraging result:
| XAUTHInitRSA check passed with keyid d3:ab:cf:e0:aa:0d:4d:c3:9c:19:d0:6c:7f:99:9b:a5:04:b4:d1:75
| peer CA: "C=US, ST=Washington, O=Bourgeois Bits LLC, OU=Cloak, CN=Cloak Public IPSec CA"
| requested CA: %any
"ipsec"[1] [ip redacted] #1: no suitable connection for peer 'C=US, ST=Washington, O=Bourgeois Bits LLC, OU=Cloak, CN=test at example.com, 55:04:2e=26446c89a73d9027a47821c872d370f8'
The rest of the log output is substantially the same (basically just cert verification). Anyone have a suggestion?
Thanks,
Peter
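An added helper, not part of the original post, for reading peer DNs like the one in the 4.5.2 log: the attribute type printed there as 55:04:2e is, read as DER OID content bytes, 2.5.4.46 (dnQualifier), and this decodes such hex attribute types to dotted form so an operator can see which attributes a client cert actually carries. The KNOWN_OIDS table and the sample DN strings are assumptions constructed from the post.

```python
import re

# Sample DNs constructed from the log lines and config in the post above.
PEER_DN = ("C=US, ST=Washington, O=Bourgeois Bits LLC, OU=Cloak, "
           "CN=test at example.com, 55:04:2e=26446c89a73d9027a47821c872d370f8")
RIGHTCA_DN = "C=US, ST=Washington, O=Bourgeois Bits LLC, OU=Cloak, CN=Cloak Public IPSec CA"

# Small assumed table of attribute-type OIDs (RFC 4519) to short names.
KNOWN_OIDS = {
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.8": "ST", "2.5.4.10": "O",
    "2.5.4.11": "OU", "2.5.4.46": "dnQualifier",
}

HEX_TYPE = re.compile(r"[0-9a-fA-F]{2}(:[0-9a-fA-F]{2})*")


def decode_der_oid(hex_bytes: str) -> str:
    """Turn colon-separated DER OID content bytes ("55:04:2e") into dotted form."""
    data = bytes(int(b, 16) for b in hex_bytes.split(":"))
    if not data:
        raise ValueError("empty OID")
    first = data[0]
    # First byte packs the first two arcs as 40*arc1 + arc2.
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for b in data[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:          # high bit clear: last byte of this arc
            arcs.append(value)
            value = 0
    if value:                      # ended on a continuation byte: malformed
        raise ValueError("truncated OID arc")
    return ".".join(str(a) for a in arcs)


def parse_dn(dn: str) -> list:
    """Split a pluto-style DN into (attribute, value) pairs, mapping hex-encoded
    attribute types to a short name where known. Simplification: values
    containing an escaped ", " are not handled."""
    pairs = []
    for rdn in dn.split(", "):
        attr, _, val = rdn.partition("=")
        if HEX_TYPE.fullmatch(attr):
            dotted = decode_der_oid(attr)
            attr = KNOWN_OIDS.get(dotted, dotted)
        pairs.append((attr, val))
    return pairs


def unknown_attributes(dn: str) -> list:
    """Attribute types in the DN that are neither a known short name nor decodable."""
    return [a for a, _ in parse_dn(dn) if a not in KNOWN_OIDS.values()]
```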