[strongSwan] policy missing in issuing certificate/no trusted RSA public key found/deleting IKE_SA

Damien Benoist dams.benoist at gmail.com
Fri Jun 21 17:22:32 CEST 2013


Thanks Martin,

Now I'm getting the following log messages:
charon: 13[ENC] parsed INFORMATIONAL_V1 request 3643419866 [ HASH N(INVAL_ID) ]
charon: 13[IKE] received INVALID_ID_INFORMATION error notify
charon: 14[NET] received packet: from <remoteIP>[4500] to <localIP>[4500] (84 bytes)
charon: 14[ENC] parsed INFORMATIONAL_V1 request 2844175511 [ HASH D ]
charon: 14[IKE] received DELETE for IKE_SA cnx[1]
charon: 14[IKE] deleting IKE_SA cnx[1] between <localIP>[...]...<remoteIP>[...]

# ipsec up cnx
...
received INVALID_ID_INFORMATION error notify
establishing connection 'cnt' failed

2013/6/21 Martin Willi <martin at strongswan.org>:
> Hi Damien,
>
>> 02[CFG] policy 1.2.250.1.141.1.1.1 missing in issuing certificate '...'
>> 02[IKE] no trusted RSA public key found for '...'
>
> Your issuing CA certificate does not have the certificate policy [1]
> (nor an anyPolicy) that is included in your issued certificate.
> Therefore your certificate is considered invalid, and the tunnel can't
> get established.
>
> You may disable advanced X.509 constraints checking, if you don't
> need/want it, using the --disable-constraints ./configure option.
>
> Regards
> Martin
>
> [1]http://tools.ietf.org/html/rfc5280#section-4.2.1.4
>