[strongSwan] No trusted RSA public key

Justin Michael Schwartzbeck justinmschw at gmail.com
Tue Jan 6 22:19:45 CET 2015


Hi Noel,

I have tried all of those things and get the same results. Here is the log
file after using your method:

Jan  6 14:50:54 my-vpn-client charon: 00[DMN] Starting IKE charon daemon
(strongSwan 5.2.0, Linux 2.6.32-431.el6.x86_64, x86_64)
Jan  6 14:50:54 my-vpn-client charon: 00[KNL] detected Linux 2.6.32, no
support for RTA_PREFSRC for IPv6 routes
Jan  6 14:50:54 my-vpn-client charon: 00[KNL] known interfaces and IP
addresses:
Jan  6 14:50:54 my-vpn-client charon: 00[KNL]   lo
Jan  6 14:50:54 my-vpn-client charon: 00[KNL]     127.0.0.1
Jan  6 14:50:54 my-vpn-client charon: 00[KNL]     ::1
Jan  6 14:50:54 my-vpn-client charon: 00[KNL]   eth0
Jan  6 14:50:54 my-vpn-client charon: 00[KNL]     192.168.2.227
Jan  6 14:50:54 my-vpn-client charon: 00[KNL]     192.168.2.103
Jan  6 14:50:54 my-vpn-client charon: 00[KNL]     fe80::250:56ff:feaa:6249
Jan  6 14:50:54 my-vpn-client charon: 00[KNL]   eth1
Jan  6 14:50:54 my-vpn-client charon: 00[KNL]     fe80::250:56ff:feaa:b96
Jan  6 14:50:54 my-vpn-client charon: 00[CFG] loading ca certificates from
'/etc/ipsec.d/cacerts'
Jan  6 14:50:54 my-vpn-client charon: 00[CFG]   loaded ca certificate
"C=US, ST=Colorado, L=Denver, O=Company, OU=NET, CN=Company" from
'/etc/ipsec.d/cacerts/ca.crt'
Jan  6 14:50:54 my-vpn-client charon: 00[CFG] loading aa certificates from
'/etc/ipsec.d/aacerts'
Jan  6 14:50:54 my-vpn-client charon: 00[CFG] loading ocsp signer
certificates from '/etc/ipsec.d/ocspcerts'
Jan  6 14:50:54 my-vpn-client charon: 00[CFG] loading attribute
certificates from '/etc/ipsec.d/acerts'
Jan  6 14:50:54 my-vpn-client charon: 00[CFG] loading crls from
'/etc/ipsec.d/crls'
Jan  6 14:50:54 my-vpn-client charon: 00[CFG] loading secrets from
'/etc/ipsec.secrets'
Jan  6 14:50:54 my-vpn-client charon: 00[CFG]   loaded RSA private key from
'/etc/ipsec.d/private/server.key'
Jan  6 14:50:54 my-vpn-client charon: 00[LIB] loaded plugins: charon curl
aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey
pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac
attr kernel-netlink resolve socket-default stroke vici updown eap-identity
eap-aka eap-md5 eap-tls xauth-generic xauth-noauth lookip
Jan  6 14:50:54 my-vpn-client charon: 00[LIB] unable to load 6 plugin
features (6 due to unmet dependencies)
Jan  6 14:50:54 my-vpn-client charon: 00[JOB] spawning 16 worker threads
Jan  6 14:50:54 my-vpn-client charon: 02[NET] waiting for data on sockets
Jan  6 14:50:54 my-vpn-client charon: 05[CFG] received stroke: add
connection 'client-ha'
Jan  6 14:50:59 my-vpn-client charon: 05[KNL] 192.168.2.213 is not a local
address or the interface is down
Jan  6 14:50:59 my-vpn-client charon: 05[CFG]   loaded certificate "CN=
my-vpn-client.company.com, O=Company" from 'server.crt'
Jan  6 14:50:59 my-vpn-client charon: 05[CFG]   id '
my-vpn-client.company.com' not confirmed by certificate, defaulting to 'CN=
my-vpn-client.company.com, O=Company'
Jan  6 14:50:59 my-vpn-client charon: 05[CFG]   loaded certificate "CN=
my-vpn-server.company.com, O=Company" from '/etc/ipsec.d/certs/cws.crt'
Jan  6 14:50:59 my-vpn-client charon: 05[CFG]   id '%any' not confirmed by
certificate, defaulting to 'CN=my-vpn-server.company.com, O=Company'
Jan  6 14:50:59 my-vpn-client charon: 05[CFG] CA certificate
"/etc/ipsec.d/cacerts/ca.crt" not found, discarding CA constraint
Jan  6 14:50:59 my-vpn-client charon: 05[CFG] added configuration
'client-ha'
Jan  6 14:50:59 my-vpn-client charon: 07[CFG] received stroke: initiate
'client-ha'
Jan  6 14:50:59 my-vpn-client charon: 09[MGR] checkout IKE_SA by config
Jan  6 14:50:59 my-vpn-client charon: 09[MGR] created IKE_SA (unnamed)[1]
Jan  6 14:50:59 my-vpn-client charon: 09[IKE] queueing IKE_VENDOR task
Jan  6 14:50:59 my-vpn-client charon: 09[IKE] queueing IKE_INIT task
Jan  6 14:50:59 my-vpn-client charon: 09[IKE] queueing IKE_NATD task
Jan  6 14:50:59 my-vpn-client charon: 09[IKE] queueing IKE_CERT_PRE task
Jan  6 14:50:59 my-vpn-client charon: 09[IKE] queueing IKE_AUTH task
Jan  6 14:50:59 my-vpn-client charon: 09[IKE] queueing IKE_CERT_POST task
Jan  6 14:50:59 my-vpn-client charon: 09[IKE] queueing IKE_CONFIG task
Jan  6 14:50:59 my-vpn-client charon: 09[IKE] queueing IKE_AUTH_LIFETIME
task
Jan  6 14:50:59 my-vpn-client charon: 09[IKE] queueing IKE_MOBIKE task
Jan  6 14:50:59 my-vpn-client charon: 09[IKE] queueing CHILD_CREATE task
Jan  6 14:50:59 my-vpn-client charon: 09[IKE] activating new tasks
Jan  6 14:50:59 my-vpn-client charon: 09[IKE]   activating IKE_VENDOR task
Jan  6 14:50:59 my-vpn-client charon: 09[IKE]   activating IKE_INIT task
Jan  6 14:50:59 my-vpn-client charon: 09[IKE]   activating IKE_NATD task
Jan  6 14:50:59 my-vpn-client charon: 09[IKE]   activating IKE_CERT_PRE task
Jan  6 14:50:59 my-vpn-client charon: 09[IKE]   activating IKE_AUTH task
Jan  6 14:50:59 my-vpn-client charon: 09[IKE]   activating IKE_CERT_POST
task
Jan  6 14:50:59 my-vpn-client charon: 09[IKE]   activating IKE_CONFIG task
Jan  6 14:50:59 my-vpn-client charon: 09[IKE]   activating CHILD_CREATE task
Jan  6 14:50:59 my-vpn-client charon: 09[IKE]   activating
IKE_AUTH_LIFETIME task
Jan  6 14:50:59 my-vpn-client charon: 09[IKE]   activating IKE_MOBIKE task
Jan  6 14:50:59 my-vpn-client charon: 09[IKE] initiating IKE_SA
client-ha[1] to 192.168.2.213
Jan  6 14:50:59 my-vpn-client charon: 09[IKE] IKE_SA client-ha[1] state
change: CREATED => CONNECTING
Jan  6 14:50:59 my-vpn-client charon: 09[ENC] generating IKE_SA_INIT
request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jan  6 14:50:59 my-vpn-client charon: 09[NET] sending packet: from
192.168.2.227[500] to 192.168.2.213[500] (708 bytes)
Jan  6 14:50:59 my-vpn-client charon: 09[MGR] checkin IKE_SA client-ha[1]
Jan  6 14:50:59 my-vpn-client charon: 03[NET] sending packet: from
192.168.2.227[500] to 192.168.2.213[500]
Jan  6 14:50:59 my-vpn-client charon: 02[NET] received packet: from
192.168.2.213[500] to 192.168.2.227[500]
Jan  6 14:50:59 my-vpn-client charon: 02[NET] waiting for data on sockets
Jan  6 14:50:59 my-vpn-client charon: 10[MGR] checkout IKE_SA by message
Jan  6 14:50:59 my-vpn-client charon: 10[MGR] IKE_SA client-ha[1]
successfully checked out
Jan  6 14:50:59 my-vpn-client charon: 10[NET] received packet: from
192.168.2.213[500] to 192.168.2.227[500] (38 bytes)
Jan  6 14:50:59 my-vpn-client charon: 10[ENC] parsed IKE_SA_INIT response 0
[ N(INVAL_KE) ]
Jan  6 14:50:59 my-vpn-client charon: 10[IKE] peer didn't accept DH group
MODP_2048, it requested MODP_1024
Jan  6 14:50:59 my-vpn-client charon: 10[IKE] IKE_SA client-ha[1] state
change: CONNECTING => CREATED
Jan  6 14:50:59 my-vpn-client charon: 10[IKE] activating new tasks
Jan  6 14:50:59 my-vpn-client charon: 10[IKE]   activating IKE_INIT task
Jan  6 14:50:59 my-vpn-client charon: 10[IKE]   activating IKE_NATD task
Jan  6 14:50:59 my-vpn-client charon: 10[IKE]   activating IKE_CERT_PRE task
Jan  6 14:50:59 my-vpn-client charon: 10[IKE]   activating IKE_AUTH task
Jan  6 14:50:59 my-vpn-client charon: 10[IKE]   activating IKE_CERT_POST
task
Jan  6 14:50:59 my-vpn-client charon: 10[IKE]   activating IKE_CONFIG task
Jan  6 14:50:59 my-vpn-client charon: 10[IKE]   activating CHILD_CREATE task
Jan  6 14:50:59 my-vpn-client charon: 10[IKE]   activating
IKE_AUTH_LIFETIME task
Jan  6 14:50:59 my-vpn-client charon: 10[IKE]   activating IKE_MOBIKE task
Jan  6 14:50:59 my-vpn-client charon: 10[IKE] initiating IKE_SA
client-ha[1] to 192.168.2.213
Jan  6 14:50:59 my-vpn-client charon: 10[IKE] IKE_SA client-ha[1] state
change: CREATED => CONNECTING
Jan  6 14:50:59 my-vpn-client charon: 10[ENC] generating IKE_SA_INIT
request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jan  6 14:50:59 my-vpn-client charon: 10[NET] sending packet: from
192.168.2.227[500] to 192.168.2.213[500] (580 bytes)
Jan  6 14:50:59 my-vpn-client charon: 10[MGR] checkin IKE_SA client-ha[1]
Jan  6 14:50:59 my-vpn-client charon: 10[MGR] check-in of IKE_SA successful.
Jan  6 14:50:59 my-vpn-client charon: 03[NET] sending packet: from
192.168.2.227[500] to 192.168.2.213[500]
Jan  6 14:50:59 my-vpn-client charon: 02[NET] received packet: from
192.168.2.213[500] to 192.168.2.227[500]
Jan  6 14:50:59 my-vpn-client charon: 02[NET] waiting for data on sockets
Jan  6 14:50:59 my-vpn-client charon: 11[MGR] checkout IKE_SA by message
Jan  6 14:50:59 my-vpn-client charon: 11[MGR] IKE_SA client-ha[1]
successfully checked out
Jan  6 14:50:59 my-vpn-client charon: 11[NET] received packet: from
192.168.2.213[500] to 192.168.2.227[500] (381 bytes)
Jan  6 14:50:59 my-vpn-client charon: 11[ENC] parsed IKE_SA_INIT response 0
[ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
Jan  6 14:50:59 my-vpn-client charon: 11[IKE] received cert request for
unknown ca with keyid
4e:e1:18:20:b8:6b:65:0e:f3:40:51:73:88:dd:fe:d2:91:52:11:c0
Jan  6 14:50:59 my-vpn-client charon: 11[IKE] received cert request for
"C=US, ST=Colorado, L=Denver, O=Company, OU=NET, CN=Company"
Jan  6 14:50:59 my-vpn-client charon: 11[IKE] received 1 cert requests for
an unknown ca
Jan  6 14:50:59 my-vpn-client charon: 11[IKE] reinitiating already active
tasks
Jan  6 14:50:59 my-vpn-client charon: 11[IKE]   IKE_CERT_PRE task
Jan  6 14:50:59 my-vpn-client charon: 11[IKE]   IKE_AUTH task
Jan  6 14:50:59 my-vpn-client charon: 11[IKE] sending cert request for
"C=US, ST=Colorado, L=Denver, O=Company, OU=NET, CN=Company"
Jan  6 14:50:59 my-vpn-client charon: 11[IKE] building INTERNAL_IP4_DNS
attribute
Jan  6 14:50:59 my-vpn-client charon: 11[IKE] establishing CHILD_SA
client-ha
Jan  6 14:50:59 my-vpn-client charon: 11[KNL] getting SPI for reqid {1}
Jan  6 14:50:59 my-vpn-client charon: 11[KNL] got SPI c837be50 for reqid {1}
Jan  6 14:50:59 my-vpn-client charon: 11[ENC] generating IKE_AUTH request 1
[ IDi N(INIT_CONTACT) CERTREQ IDr CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP)
N(ADD_4_ADDR) N(EAP_ONLY) ]
Jan  6 14:50:59 my-vpn-client charon: 11[NET] sending packet: from
192.168.2.227[4500] to 192.168.2.213[4500] (492 bytes)
Jan  6 14:50:59 my-vpn-client charon: 11[MGR] checkin IKE_SA client-ha[1]
Jan  6 14:50:59 my-vpn-client charon: 11[MGR] check-in of IKE_SA successful.
Jan  6 14:50:59 my-vpn-client charon: 03[NET] sending packet: from
192.168.2.227[4500] to 192.168.2.213[4500]
Jan  6 14:50:59 my-vpn-client charon: 02[NET] received packet: from
192.168.2.213[4500] to 192.168.2.227[4500]
Jan  6 14:50:59 my-vpn-client charon: 02[NET] waiting for data on sockets
Jan  6 14:50:59 my-vpn-client charon: 12[MGR] checkout IKE_SA by message
Jan  6 14:50:59 my-vpn-client charon: 12[MGR] IKE_SA client-ha[1]
successfully checked out
Jan  6 14:50:59 my-vpn-client charon: 12[NET] received packet: from
192.168.2.213[4500] to 192.168.2.227[4500] (972 bytes)
Jan  6 14:50:59 my-vpn-client charon: 12[ENC] parsed IKE_AUTH response 1 [
V IDr CERT AUTH EAP/REQ/ID ]
Jan  6 14:50:59 my-vpn-client charon: 12[IKE] received end entity cert "CN=
my-vpn-server.company.com, O=Company"
Jan  6 14:50:59 my-vpn-client charon: 12[IKE] no trusted RSA public key
found for 'CN=my-vpn-server.company.com, O=Company'
Jan  6 14:50:59 my-vpn-client charon: 12[ENC] generating INFORMATIONAL
request 2 [ N(AUTH_FAILED) ]
Jan  6 14:50:59 my-vpn-client charon: 12[NET] sending packet: from
192.168.2.227[4500] to 192.168.2.213[4500] (76 bytes)
Jan  6 14:50:59 my-vpn-client charon: 12[KNL] deleting SAD entry with SPI
c837be50  (mark 0/0x00000000)
Jan  6 14:50:59 my-vpn-client charon: 03[NET] sending packet: from
192.168.2.227[4500] to 192.168.2.213[4500]
Jan  6 14:50:59 my-vpn-client charon: 12[KNL] deleted SAD entry with SPI
c837be50 (mark 0/0x00000000)
Jan  6 14:50:59 my-vpn-client charon: 12[MGR] checkin and destroy IKE_SA
client-ha[1]
Jan  6 14:50:59 my-vpn-client charon: 12[IKE] IKE_SA client-ha[1] state
change: CONNECTING => DESTROYING
Jan  6 14:50:59 my-vpn-client charon: 12[MGR] check-in and destroy of
IKE_SA successful


On Tue, Jan 6, 2015 at 2:48 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:

>
> Hello Justin,
>
> Set rightca to the DN of the CA certificate or to the file name or file
> path of the CA certificate.
> As an alternative, you can get a copy of the server's certificate and do
> the same for rightcert.
>
> Kind regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 06.01.2015 at 21:23, Justin Michael Schwartzbeck wrote:
> > Hello,
> >
> > I am trying to set up a strongSwan client to connect to a VPN endpoint.
> Here is my configuration:
> >
> > # ipsec.conf - strongSwan IPsec configuration file
> > config setup
> >                charondebug="ike 2, knl 2, mgr 2, net 2"
> > ca main
> >                cacert=ca.crt
> > conn client-ha
> >      aaa_identity="CN=my-radius-server.company.com, O=Company"
> >      keyexchange=ikev2
> >      right=my-vpn-server.company.com
> >      rightid=%any
> >      rightsubnet=0.0.0.0/0
> >      leftsourceip=%config
> >      leftsubnet=0.0.0.0/0
> >      leftauth=eap-tls
> >      left=10.89.150.227
> >      leftid="my-radius-client.company.com"
> >      leftcert=server.crt
> >      auto=add
> >
> > I have my ca.crt in /etc/ipsec.d/cacerts, my client certificate
> (server.crt) in /etc/ipsec.d/certs, and my client key (server.key) in
> /etc/ipsec.d/private. I also have the server.key listed in
> /etc/ipsec.secrets. My strongSwan client's certificate and my VPN
> endpoint's certificate are both signed by the same CA. I have checked the
> VPN's cert against the ca.crt on my strongSwan client to make sure that it
> was properly signed. However, for some reason my strongSwan client is not
> verifying the VPN's certificate. Below is the complete error output
> starting with an "ipsec restart" and then followed by an "ipsec up" on that
> profile:
> >
> > Jan  6 11:18:11 my-vpn-client charon: 00[DMN] Starting IKE charon daemon
> (strongSwan 5.2.0, Linux 2.6.32-431.el6.x86_64, x86_64)
> > Jan  6 11:18:11 my-vpn-client charon: 00[KNL] detected Linux 2.6.32, no
> support for RTA_PREFSRC for IPv6 routes
> > Jan  6 11:18:11 my-vpn-client charon: 00[KNL] known interfaces and IP
> addresses:
> > Jan  6 11:18:11 my-vpn-client charon: 00[KNL]   lo
> > Jan  6 11:18:11 my-vpn-client charon: 00[KNL]     127.0.0.1
> > Jan  6 11:18:11 my-vpn-client charon: 00[KNL]     ::1
> > Jan  6 11:18:11 my-vpn-client charon: 00[KNL]   eth0
> > Jan  6 11:18:11 my-vpn-client charon: 00[KNL]     192.168.2.227
> > Jan  6 11:18:11 my-vpn-client charon: 00[KNL]     192.168.2.103
> > Jan  6 11:18:11 my-vpn-client charon: 00[KNL]
>  fe80::250:56ff:feaa:6249
> > Jan  6 11:18:11 my-vpn-client charon: 00[KNL]   eth1
> > Jan  6 11:18:11 my-vpn-client charon: 00[KNL]     fe80::250:56ff:feaa:b96
> > Jan  6 11:18:11 my-vpn-client charon: 00[CFG] loading ca certificates
> from '/etc/ipsec.d/cacerts'
> > Jan  6 11:18:11 my-vpn-client charon: 00[CFG]   loaded ca certificate
> "C=US, ST=Colorado, L=Denver, O=Company, OU=NET, CN=Company" from
> '/etc/ipsec.d/cacerts/ca.crt'
> > Jan  6 11:18:11 my-vpn-client charon: 00[CFG] loading aa certificates
> from '/etc/ipsec.d/aacerts'
> > Jan  6 11:18:11 my-vpn-client charon: 00[CFG] loading ocsp signer
> certificates from '/etc/ipsec.d/ocspcerts'
> > Jan  6 11:18:11 my-vpn-client charon: 00[CFG] loading attribute
> certificates from '/etc/ipsec.d/acerts'
> > Jan  6 11:18:11 my-vpn-client charon: 00[CFG] loading crls from
> '/etc/ipsec.d/crls'
> > Jan  6 11:18:11 my-vpn-client charon: 00[CFG] loading secrets from
> '/etc/ipsec.secrets'
> > Jan  6 11:18:11 my-vpn-client charon: 00[CFG]   loaded RSA private key
> from '/etc/ipsec.d/private/server.key'
> > Jan  6 11:18:11 my-vpn-client charon: 00[LIB] loaded plugins: charon
> curl aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints
> pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc
> cmac hmac attr kernel-netlink resolve socket-default stroke vici updown
> eap-identity eap-aka eap-md5 eap-tls xauth-generic xauth-noauth lookip
> > Jan  6 11:18:11 my-vpn-client charon: 00[LIB] unable to load 6 plugin
> features (6 due to unmet dependencies)
> > Jan  6 11:18:11 my-vpn-client charon: 00[JOB] spawning 16 worker threads
> > Jan  6 11:18:11 my-vpn-client charon: 02[NET] waiting for data on sockets
> > Jan  6 11:18:11 my-vpn-client charon: 04[CFG] received stroke: add
> connection 'client-ha'
> > Jan  6 11:18:11 my-vpn-client charon: 04[KNL] 192.168.2.213 is not a
> local address or the interface is down
> > Jan  6 11:18:11 my-vpn-client charon: 04[CFG]   loaded certificate "CN=
> my-vpn-client.company.com, O=Company" from 'server.crt'
> > Jan  6 11:18:11 my-vpn-client charon: 04[CFG]   id '
> my-vpn-client.company.com' not confirmed by certificate, defaulting to 'CN=
> my-vpn-client.company.com, O=Company'
> > Jan  6 11:18:11 my-vpn-client charon: 04[CFG] added configuration
> 'client-ha'
> > Jan  6 11:18:31 my-vpn-client charon: 06[CFG] received stroke: initiate
> 'client-ha'
> > Jan  6 11:18:31 my-vpn-client charon: 08[MGR] checkout IKE_SA by config
> > Jan  6 11:18:31 my-vpn-client charon: 08[MGR] created IKE_SA (unnamed)[1]
> > Jan  6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_VENDOR task
> > Jan  6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_INIT task
> > Jan  6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_NATD task
> > Jan  6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_CERT_PRE task
> > Jan  6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_AUTH task
> > Jan  6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_CERT_POST task
> > Jan  6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_CONFIG task
> > Jan  6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_AUTH_LIFETIME
> task
> > Jan  6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_MOBIKE task
> > Jan  6 11:18:31 my-vpn-client charon: 08[IKE] queueing CHILD_CREATE task
> > Jan  6 11:18:31 my-vpn-client charon: 08[IKE] activating new tasks
> > Jan  6 11:18:31 my-vpn-client charon: 08[IKE]   activating IKE_VENDOR
> task
> > Jan  6 11:18:31 my-vpn-client charon: 08[IKE]   activating IKE_INIT task
> > Jan  6 11:18:31 my-vpn-client charon: 08[IKE]   activating IKE_NATD task
> > Jan  6 11:18:31 my-vpn-client charon: 08[IKE]   activating IKE_CERT_PRE
> task
> > Jan  6 11:18:31 my-vpn-client charon: 08[IKE]   activating IKE_AUTH task
> > Jan  6 11:18:31 my-vpn-client charon: 08[IKE]   activating IKE_CERT_POST
> task
> > Jan  6 11:18:31 my-vpn-client charon: 08[IKE]   activating IKE_CONFIG
> task
> > Jan  6 11:18:31 my-vpn-client charon: 08[IKE]   activating CHILD_CREATE
> task
> > Jan  6 11:18:31 my-vpn-client charon: 08[IKE]   activating
> IKE_AUTH_LIFETIME task
> > Jan  6 11:18:31 my-vpn-client charon: 08[IKE]   activating IKE_MOBIKE
> task
> > Jan  6 11:18:31 my-vpn-client charon: 08[IKE] initiating IKE_SA
> client-ha[1] to 192.168.2.213
> > Jan  6 11:18:31 my-vpn-client charon: 08[IKE] IKE_SA client-ha[1] state
> change: CREATED => CONNECTING
> > Jan  6 11:18:31 my-vpn-client charon: 08[ENC] generating IKE_SA_INIT
> request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > Jan  6 11:18:31 my-vpn-client charon: 08[NET] sending packet: from
> 192.168.2.227[500] to 192.168.2.213[500] (708 bytes)
> > Jan  6 11:18:31 my-vpn-client charon: 08[MGR] checkin IKE_SA client-ha[1]
> > Jan  6 11:18:31 my-vpn-client charon: 03[NET] sending packet: from
> 192.168.2.227[500] to 192.168.2.213[500]
> > Jan  6 11:18:31 my-vpn-client charon: 02[NET] received packet: from
> 192.168.2.213[500] to 192.168.2.227[500]
> > Jan  6 11:18:31 my-vpn-client charon: 02[NET] waiting for data on sockets
> > Jan  6 11:18:31 my-vpn-client charon: 09[MGR] checkout IKE_SA by message
> > Jan  6 11:18:31 my-vpn-client charon: 09[MGR] IKE_SA client-ha[1]
> successfully checked out
> > Jan  6 11:18:31 my-vpn-client charon: 09[NET] received packet: from
> 192.168.2.213[500] to 192.168.2.227[500] (38 bytes)
> > Jan  6 11:18:31 my-vpn-client charon: 09[ENC] parsed IKE_SA_INIT
> response 0 [ N(INVAL_KE) ]
> > Jan  6 11:18:31 my-vpn-client charon: 09[IKE] peer didn't accept DH
> group MODP_2048, it requested MODP_1024
> > Jan  6 11:18:31 my-vpn-client charon: 09[IKE] IKE_SA client-ha[1] state
> change: CONNECTING => CREATED
> > Jan  6 11:18:31 my-vpn-client charon: 09[IKE] activating new tasks
> > Jan  6 11:18:31 my-vpn-client charon: 09[IKE]   activating IKE_INIT task
> > Jan  6 11:18:31 my-vpn-client charon: 09[IKE]   activating IKE_NATD task
> > Jan  6 11:18:31 my-vpn-client charon: 09[IKE]   activating IKE_CERT_PRE
> task
> > Jan  6 11:18:31 my-vpn-client charon: 09[IKE]   activating IKE_AUTH task
> > Jan  6 11:18:31 my-vpn-client charon: 09[IKE]   activating IKE_CERT_POST
> task
> > Jan  6 11:18:31 my-vpn-client charon: 09[IKE]   activating IKE_CONFIG
> task
> > Jan  6 11:18:31 my-vpn-client charon: 09[IKE]   activating CHILD_CREATE
> task
> > Jan  6 11:18:31 my-vpn-client charon: 09[IKE]   activating
> IKE_AUTH_LIFETIME task
> > Jan  6 11:18:31 my-vpn-client charon: 09[IKE]   activating IKE_MOBIKE
> task
> > Jan  6 11:18:31 my-vpn-client charon: 09[IKE] initiating IKE_SA
> client-ha[1] to 192.168.2.213
> > Jan  6 11:18:31 my-vpn-client charon: 09[IKE] IKE_SA client-ha[1] state
> change: CREATED => CONNECTING
> > Jan  6 11:18:31 my-vpn-client charon: 09[ENC] generating IKE_SA_INIT
> request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > Jan  6 11:18:31 my-vpn-client charon: 09[NET] sending packet: from
> 192.168.2.227[500] to 192.168.2.213[500] (580 bytes)
> > Jan  6 11:18:31 my-vpn-client charon: 09[MGR] checkin IKE_SA client-ha[1]
> > Jan  6 11:18:31 my-vpn-client charon: 09[MGR] check-in of IKE_SA
> successful.
> > Jan  6 11:18:31 my-vpn-client charon: 03[NET] sending packet: from
> 192.168.2.227[500] to 192.168.2.213[500]
> > Jan  6 11:18:31 my-vpn-client charon: 02[NET] received packet: from
> 192.168.2.213[500] to 192.168.2.227[500]
> > Jan  6 11:18:31 my-vpn-client charon: 02[NET] waiting for data on sockets
> > Jan  6 11:18:31 my-vpn-client charon: 10[MGR] checkout IKE_SA by message
> > Jan  6 11:18:31 my-vpn-client charon: 10[MGR] IKE_SA client-ha[1]
> successfully checked out
> > Jan  6 11:18:31 my-vpn-client charon: 10[NET] received packet: from
> 192.168.2.213[500] to 192.168.2.227[500] (381 bytes)
> > Jan  6 11:18:31 my-vpn-client charon: 10[ENC] parsed IKE_SA_INIT
> response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
> > Jan  6 11:18:31 my-vpn-client charon: 10[IKE] received cert request for
> unknown ca with keyid
> 4e:e1:18:20:b8:6b:65:0e:f3:40:51:73:88:dd:fe:d2:91:52:11:c0
> > Jan  6 11:18:31 my-vpn-client charon: 10[IKE] received cert request for
> "C=US, ST=Colorado, L=Denver, O=Company, OU=NET, CN=Company"
> > Jan  6 11:18:31 my-vpn-client charon: 10[IKE] received 1 cert requests
> for an unknown ca
> > Jan  6 11:18:31 my-vpn-client charon: 10[IKE] reinitiating already
> active tasks
> > Jan  6 11:18:31 my-vpn-client charon: 10[IKE]   IKE_CERT_PRE task
> > Jan  6 11:18:31 my-vpn-client charon: 10[IKE]   IKE_AUTH task
> > Jan  6 11:18:31 my-vpn-client charon: 10[IKE] sending cert request for
> "C=US, ST=Colorado, L=Denver, O=Company, OU=NET, CN=Company"
> > Jan  6 11:18:31 my-vpn-client charon: 10[IKE] building INTERNAL_IP4_DNS
> attribute
> > Jan  6 11:18:31 my-vpn-client charon: 10[IKE] establishing CHILD_SA
> client-ha
> > Jan  6 11:18:31 my-vpn-client charon: 10[KNL] getting SPI for reqid {1}
> > Jan  6 11:18:31 my-vpn-client charon: 10[KNL] got SPI ccd30cb7 for reqid
> {1}
> > Jan  6 11:18:31 my-vpn-client charon: 10[ENC] generating IKE_AUTH
> request 1 [ IDi CERTREQ CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP)
> N(ADD_4_ADDR) N(EAP_ONLY) ]
> > Jan  6 11:18:31 my-vpn-client charon: 10[NET] sending packet: from
> 192.168.2.227[4500] to 192.168.2.213[4500] (428 bytes)
> > Jan  6 11:18:31 my-vpn-client charon: 10[MGR] checkin IKE_SA client-ha[1]
> > Jan  6 11:18:31 my-vpn-client charon: 10[MGR] check-in of IKE_SA
> successful.
> > Jan  6 11:18:31 my-vpn-client charon: 03[NET] sending packet: from
> 192.168.2.227[4500] to 192.168.2.213[4500]
> > Jan  6 11:18:31 my-vpn-client charon: 02[NET] received packet: from
> 192.168.2.213[4500] to 192.168.2.227[4500]
> > Jan  6 11:18:31 my-vpn-client charon: 02[NET] waiting for data on sockets
> > Jan  6 11:18:31 my-vpn-client charon: 11[MGR] checkout IKE_SA by message
> > Jan  6 11:18:31 my-vpn-client charon: 11[MGR] IKE_SA client-ha[1]
> successfully checked out
> > Jan  6 11:18:31 my-vpn-client charon: 11[NET] received packet: from
> 192.168.2.213[4500] to 192.168.2.227[4500] (956 bytes)
> > Jan  6 11:18:31 my-vpn-client charon: 11[ENC] parsed IKE_AUTH response 1
> [ V IDr CERT AUTH EAP/REQ/ID ]
> > Jan  6 11:18:31 my-vpn-client charon: 11[IKE] received end entity cert
> "CN=my-vpn-server.company.com, O=Company"
> > Jan  6 11:18:31 my-vpn-client charon: 11[IKE] no trusted RSA public key
> found for 'my-vpn-server.company.com'
> > Jan  6 11:18:31 my-vpn-client charon: 11[ENC] generating INFORMATIONAL
> request 2 [ N(AUTH_FAILED) ]
> > Jan  6 11:18:31 my-vpn-client charon: 11[NET] sending packet: from
> 192.168.2.227[4500] to 192.168.2.213[4500] (76 bytes)
> > Jan  6 11:18:31 my-vpn-client charon: 11[KNL] deleting SAD entry with
> SPI ccd30cb7  (mark 0/0x00000000)
> > Jan  6 11:18:31 my-vpn-client charon: 03[NET] sending packet: from
> 192.168.2.227[4500] to 192.168.2.213[4500]
> > Jan  6 11:18:31 my-vpn-client charon: 11[KNL] deleted SAD entry with SPI
> ccd30cb7 (mark 0/0x00000000)
> > Jan  6 11:18:31 my-vpn-client charon: 11[MGR] checkin and destroy IKE_SA
> client-ha[1]
> > Jan  6 11:18:31 my-vpn-client charon: 11[IKE] IKE_SA client-ha[1] state
> change: CONNECTING => DESTROYING
> > Jan  6 11:18:31 my-vpn-client charon: 11[MGR] check-in and destroy of
> IKE_SA successful
> > Jan  6 11:18:35 my-vpn-client charon: 12[MGR] checkout IKE_SA
> > Jan  6 11:18:35 my-vpn-client charon: 13[MGR] checkout IKE_SA
> > Jan  6 11:18:35 my-vpn-client charon: 14[MGR] checkout IKE_SA
> >
> > The important failure message here is "no trusted RSA public key found
> for 'my-vpn-server.company.com'". I
> have also tried setting the eap identity in the vpn endpoint to the full DN
> in the server certificate but that didn't work either. I don't understand
> why this would be failing if the certificate is properly signed by the CA.
> Can someone tell me if I am missing something?
> >
> > Thanks for the help.
> > -Justin
> >
> >
> > _______________________________________________
> > Users mailing list
> > Users at lists.strongswan.org
> > https://lists.strongswan.org/mailman/listinfo/users