[strongSwan] No trusted RSA public key

Noel Kuntze noel at familie-kuntze.de
Tue Jan 6 22:48:10 CET 2015


Hello Justin,

I looked through the log and saw that the other peer never sent his certificate.
Please show us the log and configuration of the server and check if the whole certificate chain from the root
to the server certificate is available in /etc/ipsec.d/cacerts.
I can see that the server sends certificate requests for two CAs, one of which is unknown.
> Jan  6 14:50:59 my-vpn-client charon: 11[IKE] received 1 cert requests for an unknown ca

You might be able to work around that by setting leftsendcert=always on the server side.

Also, setting rightca to the path to the server certificate doesn't seem to have helped, as it seems strongSwan expects
the CA certificate DN here.

Kind regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 06.01.2015 at 22:19, Justin Michael Schwartzbeck wrote:
> Hi Noel,
>
> I have tried all of those things and get the same results. Here is the log file after using your method:
>
> Jan  6 14:50:54 my-vpn-client charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.2.0, Linux 2.6.32-431.el6.x86_64, x86_64)
> Jan  6 14:50:54 my-vpn-client charon: 00[KNL] detected Linux 2.6.32, no support for RTA_PREFSRC for IPv6 routes
> Jan  6 14:50:54 my-vpn-client charon: 00[KNL] known interfaces and IP addresses:
> Jan  6 14:50:54 my-vpn-client charon: 00[KNL]   lo
> Jan  6 14:50:54 my-vpn-client charon: 00[KNL]     127.0.0.1
> Jan  6 14:50:54 my-vpn-client charon: 00[KNL]     ::1
> Jan  6 14:50:54 my-vpn-client charon: 00[KNL]   eth0
> Jan  6 14:50:54 my-vpn-client charon: 00[KNL]     192.168.2.227
> Jan  6 14:50:54 my-vpn-client charon: 00[KNL]     192.168.2.103
> Jan  6 14:50:54 my-vpn-client charon: 00[KNL]     fe80::250:56ff:feaa:6249
> Jan  6 14:50:54 my-vpn-client charon: 00[KNL]   eth1
> Jan  6 14:50:54 my-vpn-client charon: 00[KNL]     fe80::250:56ff:feaa:b96
> Jan  6 14:50:54 my-vpn-client charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> Jan  6 14:50:54 my-vpn-client charon: 00[CFG]   loaded ca certificate "C=US, ST=Colorado, L=Denver, O=Company, OU=NET, CN=Company" from '/etc/ipsec.d/cacerts/ca.crt'
> Jan  6 14:50:54 my-vpn-client charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> Jan  6 14:50:54 my-vpn-client charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> Jan  6 14:50:54 my-vpn-client charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> Jan  6 14:50:54 my-vpn-client charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
> Jan  6 14:50:54 my-vpn-client charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
> Jan  6 14:50:54 my-vpn-client charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/server.key'
> Jan  6 14:50:54 my-vpn-client charon: 00[LIB] loaded plugins: charon curl aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown eap-identity eap-aka eap-md5 eap-tls xauth-generic xauth-noauth lookip
> Jan  6 14:50:54 my-vpn-client charon: 00[LIB] unable to load 6 plugin features (6 due to unmet dependencies)
> Jan  6 14:50:54 my-vpn-client charon: 00[JOB] spawning 16 worker threads
> Jan  6 14:50:54 my-vpn-client charon: 02[NET] waiting for data on sockets
> Jan  6 14:50:54 my-vpn-client charon: 05[CFG] received stroke: add connection 'client-ha'
> Jan  6 14:50:59 my-vpn-client charon: 05[KNL] 192.168.2.213 is not a local address or the interface is down
> Jan  6 14:50:59 my-vpn-client charon: 05[CFG]   loaded certificate "CN=my-vpn-client.company.com, O=Company" from 'server.crt'
> Jan  6 14:50:59 my-vpn-client charon: 05[CFG]   id 'my-vpn-client.company.com' not confirmed by certificate, defaulting to 'CN=my-vpn-client.company.com, O=Company'
> Jan  6 14:50:59 my-vpn-client charon: 05[CFG]   loaded certificate "CN=my-vpn-server.company.com, O=Company" from '/etc/ipsec.d/certs/cws.crt'
> Jan  6 14:50:59 my-vpn-client charon: 05[CFG]   id '%any' not confirmed by certificate, defaulting to 'CN=my-vpn-server.company.com, O=Company'
> Jan  6 14:50:59 my-vpn-client charon: 05[CFG] CA certificate "/etc/ipsec.d/cacerts/ca.crt" not found, discarding CA constraint
> Jan  6 14:50:59 my-vpn-client charon: 05[CFG] added configuration 'client-ha'
> Jan  6 14:50:59 my-vpn-client charon: 07[CFG] received stroke: initiate 'client-ha'
> Jan  6 14:50:59 my-vpn-client charon: 09[MGR] checkout IKE_SA by config
> Jan  6 14:50:59 my-vpn-client charon: 09[MGR] created IKE_SA (unnamed)[1]
> Jan  6 14:50:59 my-vpn-client charon: 09[IKE] queueing IKE_VENDOR task
> Jan  6 14:50:59 my-vpn-client charon: 09[IKE] queueing IKE_INIT task
> Jan  6 14:50:59 my-vpn-client charon: 09[IKE] queueing IKE_NATD task
> Jan  6 14:50:59 my-vpn-client charon: 09[IKE] queueing IKE_CERT_PRE task
> Jan  6 14:50:59 my-vpn-client charon: 09[IKE] queueing IKE_AUTH task
> Jan  6 14:50:59 my-vpn-client charon: 09[IKE] queueing IKE_CERT_POST task
> Jan  6 14:50:59 my-vpn-client charon: 09[IKE] queueing IKE_CONFIG task
> Jan  6 14:50:59 my-vpn-client charon: 09[IKE] queueing IKE_AUTH_LIFETIME task
> Jan  6 14:50:59 my-vpn-client charon: 09[IKE] queueing IKE_MOBIKE task
> Jan  6 14:50:59 my-vpn-client charon: 09[IKE] queueing CHILD_CREATE task
> Jan  6 14:50:59 my-vpn-client charon: 09[IKE] activating new tasks
> Jan  6 14:50:59 my-vpn-client charon: 09[IKE]   activating IKE_VENDOR task
> Jan  6 14:50:59 my-vpn-client charon: 09[IKE]   activating IKE_INIT task
> Jan  6 14:50:59 my-vpn-client charon: 09[IKE]   activating IKE_NATD task
> Jan  6 14:50:59 my-vpn-client charon: 09[IKE]   activating IKE_CERT_PRE task
> Jan  6 14:50:59 my-vpn-client charon: 09[IKE]   activating IKE_AUTH task
> Jan  6 14:50:59 my-vpn-client charon: 09[IKE]   activating IKE_CERT_POST task
> Jan  6 14:50:59 my-vpn-client charon: 09[IKE]   activating IKE_CONFIG task
> Jan  6 14:50:59 my-vpn-client charon: 09[IKE]   activating CHILD_CREATE task
> Jan  6 14:50:59 my-vpn-client charon: 09[IKE]   activating IKE_AUTH_LIFETIME task
> Jan  6 14:50:59 my-vpn-client charon: 09[IKE]   activating IKE_MOBIKE task
> Jan  6 14:50:59 my-vpn-client charon: 09[IKE] initiating IKE_SA client-ha[1] to 192.168.2.213
> Jan  6 14:50:59 my-vpn-client charon: 09[IKE] IKE_SA client-ha[1] state change: CREATED => CONNECTING
> Jan  6 14:50:59 my-vpn-client charon: 09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Jan  6 14:50:59 my-vpn-client charon: 09[NET] sending packet: from 192.168.2.227[500] to 192.168.2.213[500] (708 bytes)
> Jan  6 14:50:59 my-vpn-client charon: 09[MGR] checkin IKE_SA client-ha[1]
> Jan  6 14:50:59 my-vpn-client charon: 03[NET] sending packet: from 192.168.2.227[500] to 192.168.2.213[500]
> Jan  6 14:50:59 my-vpn-client charon: 02[NET] received packet: from 192.168.2.213[500] to 192.168.2.227[500]
> Jan  6 14:50:59 my-vpn-client charon: 02[NET] waiting for data on sockets
> Jan  6 14:50:59 my-vpn-client charon: 10[MGR] checkout IKE_SA by message
> Jan  6 14:50:59 my-vpn-client charon: 10[MGR] IKE_SA client-ha[1] successfully checked out
> Jan  6 14:50:59 my-vpn-client charon: 10[NET] received packet: from 192.168.2.213[500] to 192.168.2.227[500] (38 bytes)
> Jan  6 14:50:59 my-vpn-client charon: 10[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
> Jan  6 14:50:59 my-vpn-client charon: 10[IKE] peer didn't accept DH group MODP_2048, it requested MODP_1024
> Jan  6 14:50:59 my-vpn-client charon: 10[IKE] IKE_SA client-ha[1] state change: CONNECTING => CREATED
> Jan  6 14:50:59 my-vpn-client charon: 10[IKE] activating new tasks
> Jan  6 14:50:59 my-vpn-client charon: 10[IKE]   activating IKE_INIT task
> Jan  6 14:50:59 my-vpn-client charon: 10[IKE]   activating IKE_NATD task
> Jan  6 14:50:59 my-vpn-client charon: 10[IKE]   activating IKE_CERT_PRE task
> Jan  6 14:50:59 my-vpn-client charon: 10[IKE]   activating IKE_AUTH task
> Jan  6 14:50:59 my-vpn-client charon: 10[IKE]   activating IKE_CERT_POST task
> Jan  6 14:50:59 my-vpn-client charon: 10[IKE]   activating IKE_CONFIG task
> Jan  6 14:50:59 my-vpn-client charon: 10[IKE]   activating CHILD_CREATE task
> Jan  6 14:50:59 my-vpn-client charon: 10[IKE]   activating IKE_AUTH_LIFETIME task
> Jan  6 14:50:59 my-vpn-client charon: 10[IKE]   activating IKE_MOBIKE task
> Jan  6 14:50:59 my-vpn-client charon: 10[IKE] initiating IKE_SA client-ha[1] to 192.168.2.213
> Jan  6 14:50:59 my-vpn-client charon: 10[IKE] IKE_SA client-ha[1] state change: CREATED => CONNECTING
> Jan  6 14:50:59 my-vpn-client charon: 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Jan  6 14:50:59 my-vpn-client charon: 10[NET] sending packet: from 192.168.2.227[500] to 192.168.2.213[500] (580 bytes)
> Jan  6 14:50:59 my-vpn-client charon: 10[MGR] checkin IKE_SA client-ha[1]
> Jan  6 14:50:59 my-vpn-client charon: 10[MGR] check-in of IKE_SA successful.
> Jan  6 14:50:59 my-vpn-client charon: 03[NET] sending packet: from 192.168.2.227[500] to 192.168.2.213[500]
> Jan  6 14:50:59 my-vpn-client charon: 02[NET] received packet: from 192.168.2.213[500] to 192.168.2.227[500]
> Jan  6 14:50:59 my-vpn-client charon: 02[NET] waiting for data on sockets
> Jan  6 14:50:59 my-vpn-client charon: 11[MGR] checkout IKE_SA by message
> Jan  6 14:50:59 my-vpn-client charon: 11[MGR] IKE_SA client-ha[1] successfully checked out
> Jan  6 14:50:59 my-vpn-client charon: 11[NET] received packet: from 192.168.2.213[500] to 192.168.2.227[500] (381 bytes)
> Jan  6 14:50:59 my-vpn-client charon: 11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
> Jan  6 14:50:59 my-vpn-client charon: 11[IKE] received cert request for unknown ca with keyid 4e:e1:18:20:b8:6b:65:0e:f3:40:51:73:88:dd:fe:d2:91:52:11:c0
> Jan  6 14:50:59 my-vpn-client charon: 11[IKE] received cert request for "C=US, ST=Colorado, L=Denver, O=Company, OU=NET, CN=Company"
> Jan  6 14:50:59 my-vpn-client charon: 11[IKE] received 1 cert requests for an unknown ca
> Jan  6 14:50:59 my-vpn-client charon: 11[IKE] reinitiating already active tasks
> Jan  6 14:50:59 my-vpn-client charon: 11[IKE]   IKE_CERT_PRE task
> Jan  6 14:50:59 my-vpn-client charon: 11[IKE]   IKE_AUTH task
> Jan  6 14:50:59 my-vpn-client charon: 11[IKE] sending cert request for "C=US, ST=Colorado, L=Denver, O=Company, OU=NET, CN=Company"
> Jan  6 14:50:59 my-vpn-client charon: 11[IKE] building INTERNAL_IP4_DNS attribute
> Jan  6 14:50:59 my-vpn-client charon: 11[IKE] establishing CHILD_SA client-ha
> Jan  6 14:50:59 my-vpn-client charon: 11[KNL] getting SPI for reqid {1}
> Jan  6 14:50:59 my-vpn-client charon: 11[KNL] got SPI c837be50 for reqid {1}
> Jan  6 14:50:59 my-vpn-client charon: 11[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) ]
> Jan  6 14:50:59 my-vpn-client charon: 11[NET] sending packet: from 192.168.2.227[4500] to 192.168.2.213[4500] (492 bytes)
> Jan  6 14:50:59 my-vpn-client charon: 11[MGR] checkin IKE_SA client-ha[1]
> Jan  6 14:50:59 my-vpn-client charon: 11[MGR] check-in of IKE_SA successful.
> Jan  6 14:50:59 my-vpn-client charon: 03[NET] sending packet: from 192.168.2.227[4500] to 192.168.2.213[4500]
> Jan  6 14:50:59 my-vpn-client charon: 02[NET] received packet: from 192.168.2.213[4500] to 192.168.2.227[4500]
> Jan  6 14:50:59 my-vpn-client charon: 02[NET] waiting for data on sockets
> Jan  6 14:50:59 my-vpn-client charon: 12[MGR] checkout IKE_SA by message
> Jan  6 14:50:59 my-vpn-client charon: 12[MGR] IKE_SA client-ha[1] successfully checked out
> Jan  6 14:50:59 my-vpn-client charon: 12[NET] received packet: from 192.168.2.213[4500] to 192.168.2.227[4500] (972 bytes)
> Jan  6 14:50:59 my-vpn-client charon: 12[ENC] parsed IKE_AUTH response 1 [ V IDr CERT AUTH EAP/REQ/ID ]
> Jan  6 14:50:59 my-vpn-client charon: 12[IKE] received end entity cert "CN=my-vpn-server.company.com, O=Company"
> Jan  6 14:50:59 my-vpn-client charon: 12[IKE] no trusted RSA public key found for 'CN=my-vpn-server.company.com, O=Company'
> Jan  6 14:50:59 my-vpn-client charon: 12[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
> Jan  6 14:50:59 my-vpn-client charon: 12[NET] sending packet: from 192.168.2.227[4500] to 192.168.2.213[4500] (76 bytes)
> Jan  6 14:50:59 my-vpn-client charon: 12[KNL] deleting SAD entry with SPI c837be50  (mark 0/0x00000000)
> Jan  6 14:50:59 my-vpn-client charon: 03[NET] sending packet: from 192.168.2.227[4500] to 192.168.2.213[4500]
> Jan  6 14:50:59 my-vpn-client charon: 12[KNL] deleted SAD entry with SPI c837be50 (mark 0/0x00000000)
> Jan  6 14:50:59 my-vpn-client charon: 12[MGR] checkin and destroy IKE_SA client-ha[1]
> Jan  6 14:50:59 my-vpn-client charon: 12[IKE] IKE_SA client-ha[1] state change: CONNECTING => DESTROYING
> Jan  6 14:50:59 my-vpn-client charon: 12[MGR] check-in and destroy of IKE_SA successful
>
>
> On Tue, Jan 6, 2015 at 2:48 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>
>
> Hello Justin,
>
> Set rightca to the DN of the CA certificate or to the file name or file path of the CA certificate.
> As an alternative, you can get a copy of the server's certificate and do the same for rightcert.
>
> Kind regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 06.01.2015 at 21:23, Justin Michael Schwartzbeck wrote:
> > Hello,
>
> > I am trying to set up a strongswan client to connect to a VPN endpoint. Here is my configuration:
>
> > # ipsec.conf - strongSwan IPsec configuration file
> > config setup
> >                charondebug="ike 2, knl 2, mgr 2, net 2"
> > ca main
> >                cacert=ca.crt
> > conn client-ha
> >      aaa_identity="CN=my-radius-server.company.com, O=Company"
> >      keyexchange=ikev2
> >      right=my-vpn-server.company.com
> >      rightid=%any
> >      rightsubnet=0.0.0.0/0
> >      leftsourceip=%config
> >      leftsubnet=0.0.0.0/0
> >      leftauth=eap-tls
> >      left=10.89.150.227
> >      leftid="my-radius-client.company.com"
> >      leftcert=server.crt
> >      auto=add
>
> > I have my ca.crt in /etc/ipsec.d/cacerts, my client certificate (server.crt) in /etc/ipsec.d/certs, and my client key (server.key) in /etc/ipsec.d/private. I also have the server.key listed in /etc/ipsec.secrets. My strongswan client's certificate and my vpn endpoint's certificate are both signed by the same CA. I have checked the vpn's cert against the ca.crt on my strongswan client to make sure that it was properly signed. However for some reason my strongswan client is not verifying the VPN's certificate. Below is the complete error output starting with an "ipsec restart" and then followed by an "ipsec up" on that profile:
>
> > Jan  6 11:18:11 my-vpn-client charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.2.0, Linux 2.6.32-431.el6.x86_64, x86_64)
> > Jan  6 11:18:11 my-vpn-client charon: 00[KNL] detected Linux 2.6.32, no support for RTA_PREFSRC for IPv6 routes
> > Jan  6 11:18:11 my-vpn-client charon: 00[KNL] known interfaces and IP addresses:
> > Jan  6 11:18:11 my-vpn-client charon: 00[KNL]   lo
> > Jan  6 11:18:11 my-vpn-client charon: 00[KNL]     127.0.0.1
> > Jan  6 11:18:11 my-vpn-client charon: 00[KNL]     ::1
> > Jan  6 11:18:11 my-vpn-client charon: 00[KNL]   eth0
> > Jan  6 11:18:11 my-vpn-client charon: 00[KNL]     192.168.2.227
> > Jan  6 11:18:11 my-vpn-client charon: 00[KNL]     192.168.2.103
> > Jan  6 11:18:11 my-vpn-client charon: 00[KNL]     fe80::250:56ff:feaa:6249
> > Jan  6 11:18:11 my-vpn-client charon: 00[KNL]   eth1
> > Jan  6 11:18:11 my-vpn-client charon: 00[KNL]     fe80::250:56ff:feaa:b96
> > Jan  6 11:18:11 my-vpn-client charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> > Jan  6 11:18:11 my-vpn-client charon: 00[CFG]   loaded ca certificate "C=US, ST=Colorado, L=Denver, O=Company, OU=NET, CN=Company" from '/etc/ipsec.d/cacerts/ca.crt'
> > Jan  6 11:18:11 my-vpn-client charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> > Jan  6 11:18:11 my-vpn-client charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> > Jan  6 11:18:11 my-vpn-client charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> > Jan  6 11:18:11 my-vpn-client charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
> > Jan  6 11:18:11 my-vpn-client charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
> > Jan  6 11:18:11 my-vpn-client charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/server.key'
> > Jan  6 11:18:11 my-vpn-client charon: 00[LIB] loaded plugins: charon curl aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown eap-identity eap-aka eap-md5 eap-tls xauth-generic xauth-noauth lookip
> > Jan  6 11:18:11 my-vpn-client charon: 00[LIB] unable to load 6 plugin features (6 due to unmet dependencies)
> > Jan  6 11:18:11 my-vpn-client charon: 00[JOB] spawning 16 worker threads
> > Jan  6 11:18:11 my-vpn-client charon: 02[NET] waiting for data on sockets
> > Jan  6 11:18:11 my-vpn-client charon: 04[CFG] received stroke: add connection 'client-ha'
> > Jan  6 11:18:11 my-vpn-client charon: 04[KNL] 192.168.2.213 is not a local address or the interface is down
> > Jan  6 11:18:11 my-vpn-client charon: 04[CFG]   loaded certificate "CN=my-vpn-client.company.com, O=Company" from 'server.crt'
> > Jan  6 11:18:11 my-vpn-client charon: 04[CFG]   id 'my-vpn-client.company.com' not confirmed by certificate, defaulting to 'CN=my-vpn-client.company.com, O=Company'
> > Jan  6 11:18:11 my-vpn-client charon: 04[CFG] added configuration 'client-ha'
> > Jan  6 11:18:31 my-vpn-client charon: 06[CFG] received stroke: initiate 'client-ha'
> > Jan  6 11:18:31 my-vpn-client charon: 08[MGR] checkout IKE_SA by config
> > Jan  6 11:18:31 my-vpn-client charon: 08[MGR] created IKE_SA (unnamed)[1]
> > Jan  6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_VENDOR task
> > Jan  6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_INIT task
> > Jan  6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_NATD task
> > Jan  6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_CERT_PRE task
> > Jan  6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_AUTH task
> > Jan  6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_CERT_POST task
> > Jan  6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_CONFIG task
> > Jan  6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_AUTH_LIFETIME task
> > Jan  6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_MOBIKE task
> > Jan  6 11:18:31 my-vpn-client charon: 08[IKE] queueing CHILD_CREATE task
> > Jan  6 11:18:31 my-vpn-client charon: 08[IKE] activating new tasks
> > Jan  6 11:18:31 my-vpn-client charon: 08[IKE]   activating IKE_VENDOR task
> > Jan  6 11:18:31 my-vpn-client charon: 08[IKE]   activating IKE_INIT task
> > Jan  6 11:18:31 my-vpn-client charon: 08[IKE]   activating IKE_NATD task
> > Jan  6 11:18:31 my-vpn-client charon: 08[IKE]   activating IKE_CERT_PRE task
> > Jan  6 11:18:31 my-vpn-client charon: 08[IKE]   activating IKE_AUTH task
> > Jan  6 11:18:31 my-vpn-client charon: 08[IKE]   activating IKE_CERT_POST task
> > Jan  6 11:18:31 my-vpn-client charon: 08[IKE]   activating IKE_CONFIG task
> > Jan  6 11:18:31 my-vpn-client charon: 08[IKE]   activating CHILD_CREATE task
> > Jan  6 11:18:31 my-vpn-client charon: 08[IKE]   activating IKE_AUTH_LIFETIME task
> > Jan  6 11:18:31 my-vpn-client charon: 08[IKE]   activating IKE_MOBIKE task
> > Jan  6 11:18:31 my-vpn-client charon: 08[IKE] initiating IKE_SA client-ha[1] to 192.168.2.213
> > Jan  6 11:18:31 my-vpn-client charon: 08[IKE] IKE_SA client-ha[1] state change: CREATED => CONNECTING
> > Jan  6 11:18:31 my-vpn-client charon: 08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > Jan  6 11:18:31 my-vpn-client charon: 08[NET] sending packet: from 192.168.2.227[500] to 192.168.2.213[500] (708 bytes)
> > Jan  6 11:18:31 my-vpn-client charon: 08[MGR] checkin IKE_SA client-ha[1]
> > Jan  6 11:18:31 my-vpn-client charon: 03[NET] sending packet: from 192.168.2.227[500] to 192.168.2.213[500]
> > Jan  6 11:18:31 my-vpn-client charon: 02[NET] received packet: from 192.168.2.213[500] to 192.168.2.227[500]
> > Jan  6 11:18:31 my-vpn-client charon: 02[NET] waiting for data on sockets
> > Jan  6 11:18:31 my-vpn-client charon: 09[MGR] checkout IKE_SA by message
> > Jan  6 11:18:31 my-vpn-client charon: 09[MGR] IKE_SA client-ha[1] successfully checked out
> > Jan  6 11:18:31 my-vpn-client charon: 09[NET] received packet: from 192.168.2.213[500] to 192.168.2.227[500] (38 bytes)
> > Jan  6 11:18:31 my-vpn-client charon: 09[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
> > Jan  6 11:18:31 my-vpn-client charon: 09[IKE] peer didn't accept DH group MODP_2048, it requested MODP_1024
> > Jan  6 11:18:31 my-vpn-client charon: 09[IKE] IKE_SA client-ha[1] state change: CONNECTING => CREATED
> > Jan  6 11:18:31 my-vpn-client charon: 09[IKE] activating new tasks
> > Jan  6 11:18:31 my-vpn-client charon: 09[IKE]   activating IKE_INIT task
> > Jan  6 11:18:31 my-vpn-client charon: 09[IKE]   activating IKE_NATD task
> > Jan  6 11:18:31 my-vpn-client charon: 09[IKE]   activating IKE_CERT_PRE task
> > Jan  6 11:18:31 my-vpn-client charon: 09[IKE]   activating IKE_AUTH task
> > Jan  6 11:18:31 my-vpn-client charon: 09[IKE]   activating IKE_CERT_POST task
> > Jan  6 11:18:31 my-vpn-client charon: 09[IKE]   activating IKE_CONFIG task
> > Jan  6 11:18:31 my-vpn-client charon: 09[IKE]   activating CHILD_CREATE task
> > Jan  6 11:18:31 my-vpn-client charon: 09[IKE]   activating IKE_AUTH_LIFETIME task
> > Jan  6 11:18:31 my-vpn-client charon: 09[IKE]   activating IKE_MOBIKE task
> > Jan  6 11:18:31 my-vpn-client charon: 09[IKE] initiating IKE_SA client-ha[1] to 192.168.2.213
> > Jan  6 11:18:31 my-vpn-client charon: 09[IKE] IKE_SA client-ha[1] state change: CREATED => CONNECTING
> > Jan  6 11:18:31 my-vpn-client charon: 09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > Jan  6 11:18:31 my-vpn-client charon: 09[NET] sending packet: from 192.168.2.227[500] to 192.168.2.213[500] (580 bytes)
> > Jan  6 11:18:31 my-vpn-client charon: 09[MGR] checkin IKE_SA client-ha[1]
> > Jan  6 11:18:31 my-vpn-client charon: 09[MGR] check-in of IKE_SA successful.
> > Jan  6 11:18:31 my-vpn-client charon: 03[NET] sending packet: from 192.168.2.227[500] to 192.168.2.213[500]
> > Jan  6 11:18:31 my-vpn-client charon: 02[NET] received packet: from 192.168.2.213[500] to 192.168.2.227[500]
> > Jan  6 11:18:31 my-vpn-client charon: 02[NET] waiting for data on sockets
> > Jan  6 11:18:31 my-vpn-client charon: 10[MGR] checkout IKE_SA by message
> > Jan  6 11:18:31 my-vpn-client charon: 10[MGR] IKE_SA client-ha[1] successfully checked out
> > Jan  6 11:18:31 my-vpn-client charon: 10[NET] received packet: from 192.168.2.213[500] to 192.168.2.227[500] (381 bytes)
> > Jan  6 11:18:31 my-vpn-client charon: 10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
> > Jan  6 11:18:31 my-vpn-client charon: 10[IKE] received cert request for unknown ca with keyid 4e:e1:18:20:b8:6b:65:0e:f3:40:51:73:88:dd:fe:d2:91:52:11:c0
> > Jan  6 11:18:31 my-vpn-client charon: 10[IKE] received cert request for "C=US, ST=Colorado, L=Denver, O=Company, OU=NET, CN=Company"
> > Jan  6 11:18:31 my-vpn-client charon: 10[IKE] received 1 cert requests for an unknown ca
> > Jan  6 11:18:31 my-vpn-client charon: 10[IKE] reinitiating already active tasks
> > Jan  6 11:18:31 my-vpn-client charon: 10[IKE]   IKE_CERT_PRE task
> > Jan  6 11:18:31 my-vpn-client charon: 10[IKE]   IKE_AUTH task
> > Jan  6 11:18:31 my-vpn-client charon: 10[IKE] sending cert request for "C=US, ST=Colorado, L=Denver, O=Company, OU=NET, CN=Company"
> > Jan  6 11:18:31 my-vpn-client charon: 10[IKE] building INTERNAL_IP4_DNS attribute
> > Jan  6 11:18:31 my-vpn-client charon: 10[IKE] establishing CHILD_SA client-ha
> > Jan  6 11:18:31 my-vpn-client charon: 10[KNL] getting SPI for reqid {1}
> > Jan  6 11:18:31 my-vpn-client charon: 10[KNL] got SPI ccd30cb7 for reqid {1}
> > Jan  6 11:18:31 my-vpn-client charon: 10[ENC] generating IKE_AUTH request 1 [ IDi CERTREQ CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) ]
> > Jan  6 11:18:31 my-vpn-client charon: 10[NET] sending packet: from 192.168.2.227[4500] to 192.168.2.213[4500] (428 bytes)
> > Jan  6 11:18:31 my-vpn-client charon: 10[MGR] checkin IKE_SA client-ha[1]
> > Jan  6 11:18:31 my-vpn-client charon: 10[MGR] check-in of IKE_SA successful.
> > Jan  6 11:18:31 my-vpn-client charon: 03[NET] sending packet: from 192.168.2.227[4500] to 192.168.2.213[4500]
> > Jan  6 11:18:31 my-vpn-client charon: 02[NET] received packet: from 192.168.2.213[4500] to 192.168.2.227[4500]
> > Jan  6 11:18:31 my-vpn-client charon: 02[NET] waiting for data on sockets
> > Jan  6 11:18:31 my-vpn-client charon: 11[MGR] checkout IKE_SA by message
> > Jan  6 11:18:31 my-vpn-client charon: 11[MGR] IKE_SA client-ha[1] successfully checked out
> > Jan  6 11:18:31 my-vpn-client charon: 11[NET] received packet: from 192.168.2.213[4500] to 192.168.2.227[4500] (956 bytes)
> > Jan  6 11:18:31 my-vpn-client charon: 11[ENC] parsed IKE_AUTH response 1 [ V IDr CERT AUTH EAP/REQ/ID ]
> > Jan  6 11:18:31 my-vpn-client charon: 11[IKE] received end entity cert "CN=my-vpn-server.company.com, O=Company"
> > Jan  6 11:18:31 my-vpn-client charon: 11[IKE] no trusted RSA public key found for 'my-vpn-server.company.com'
> > Jan  6 11:18:31 my-vpn-client charon: 11[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
> > Jan  6 11:18:31 my-vpn-client charon: 11[NET] sending packet: from 192.168.2.227[4500] to 192.168.2.213[4500] (76 bytes)
> > Jan  6 11:18:31 my-vpn-client charon: 11[KNL] deleting SAD entry with SPI ccd30cb7  (mark 0/0x00000000)
> > Jan  6 11:18:31 my-vpn-client charon: 03[NET] sending packet: from 192.168.2.227[4500] to 192.168.2.213[4500]
> > Jan  6 11:18:31 my-vpn-client charon: 11[KNL] deleted SAD entry with SPI ccd30cb7 (mark 0/0x00000000)
> > Jan  6 11:18:31 my-vpn-client charon: 11[MGR] checkin and destroy IKE_SA client-ha[1]
> > Jan  6 11:18:31 my-vpn-client charon: 11[IKE] IKE_SA client-ha[1] state change: CONNECTING => DESTROYING
> > Jan  6 11:18:31 my-vpn-client charon: 11[MGR] check-in and destroy of IKE_SA successful
> > Jan  6 11:18:35 my-vpn-client charon: 12[MGR] checkout IKE_SA
> > Jan  6 11:18:35 my-vpn-client charon: 13[MGR] checkout IKE_SA
> > Jan  6 11:18:35 my-vpn-client charon: 14[MGR] checkout IKE_SA
>
> > The important failure message here is "no trusted RSA public key found for 'my-vpn-server.company.com'". I have also tried setting the eap identity in the vpn endpoint to the full DN in the server certificate but that didn't work either. I don't understand why this would be failing if the certificate is properly signed by the CA. Can someone tell me if I am missing something?
>
> > Thanks for the help.
> > -Justin
>
>
> > _______________________________________________
> > Users mailing list
> > Users at lists.strongswan.org
> > https://lists.strongswan.org/mailman/listinfo/users
>

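The two checks the reply asks for, done with openssl so they can be run on the client before touching the VPN again. This is an added example, not code from the thread or from the strongSwan project: it verifies whether an end-entity certificate chains to the CA certificates in a cacerts directory (the situation behind "no trusted RSA public key found"), and it computes the keyid charon prints in "received cert request for unknown ca with keyid ...", which per RFC 7296 section 3.7 is the SHA-1 of the CA's DER-encoded SubjectPublicKeyInfo, so that an unknown keyid can be matched against the CA files on hand. The throwaway PKI (root, intermediate, VPN server certificate), its subjects and the script name are constructed for the demo; only the openssl commands are real.

```sh
#!/bin/sh
# Added example, not from the strongSwan thread. Reproduces with openssl:
#  (1) does the peer's end-entity cert chain to a CA in cacerts, and
#  (2) which CA file produces a given IKEv2 CERTREQ keyid (RFC 7296 s.3.7:
#      SHA-1 over the CA's DER SubjectPublicKeyInfo, as charon logs it).
# The PKI built by make_test_pki is a constructed throwaway for the demo.
set -u

# SHA-1 over the DER SubjectPublicKeyInfo of a PEM certificate, printed
# colon-separated like charon's "unknown ca with keyid 4e:e1:18:..." line.
certreq_keyid() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha1 \
        | sed 's/^.*= //; s/../&:/g; s/:$//'
}

# Print the CA file in a directory whose keyid equals the one from the log.
# Returns 1 if none matches, which is what charon calls an "unknown ca".
match_keyid() {
    for f in "$2"/*.crt; do
        if [ "$(certreq_keyid "$f")" = "$1" ]; then
            echo "$f"
            return 0
        fi
    done
    return 1
}

# Returns 0 if the end-entity cert verifies against every CA cert in a
# directory. Any intermediate between the peer cert and the root must be in
# that directory, otherwise the peer's public key is not trusted.
chain_ok() {
    bundle=$(mktemp)
    cat "$2"/*.crt > "$bundle"
    openssl verify -CAfile "$bundle" "$1" >/dev/null 2>&1
    rc=$?
    rm -f "$bundle"
    return $rc
}

# --- constructed test PKI: root -> intermediate -> VPN server cert ----------
newkey_csr() {   # name subject
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

make_test_pki() {   # dir
    d=$1
    mkdir -p "$d/cacerts"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:my-vpn-server.company.com\n' > "$d/ee.ext"
    newkey_csr "$d/root" "/C=US/O=Company/CN=Company Root CA"
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 -sha256 \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
    newkey_csr "$d/sub" "/C=US/O=Company/CN=Company Issuing CA"
    openssl x509 -req -in "$d/sub.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -sha256 -extfile "$d/ca.ext" -out "$d/sub.crt" 2>/dev/null
    newkey_csr "$d/server" "/O=Company/CN=my-vpn-server.company.com"
    openssl x509 -req -in "$d/server.csr" -CA "$d/sub.crt" -CAkey "$d/sub.key" \
        -CAcreateserial -days 2 -sha256 -extfile "$d/ee.ext" -out "$d/server.crt" 2>/dev/null
}

demo() {
    d=$(mktemp -d)
    make_test_pki "$d"
    cp "$d/root.crt" "$d/cacerts/ca.crt"      # only the root in cacerts, as in the thread
    if chain_ok "$d/server.crt" "$d/cacerts"; then
        echo "root only: server cert verifies (unexpected)"
    else
        echo "root only: server cert does NOT verify; charon would log 'no trusted RSA public key'"
    fi
    cp "$d/sub.crt" "$d/cacerts/sub.crt"      # add the missing intermediate
    chain_ok "$d/server.crt" "$d/cacerts" && echo "root + intermediate: server cert verifies"
    kid=$(certreq_keyid "$d/root.crt")
    echo "CERTREQ keyid of root CA: $kid -> $(match_keyid "$kid" "$d/cacerts")"
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh certcheck.sh demo` (hypothetical file name). Against a real deployment, point `chain_ok` at the peer certificate you obtained out of band and at /etc/ipsec.d/cacerts, and feed `match_keyid` the keyid from the "unknown ca" log line; a keyid that matches nothing in cacerts means the server advertises a CA the client does not hold, and a chain that fails with the root alone means an intermediate CA certificate is missing. The same per-CA value is what `ipsec listcacerts` shows as `keyid:`.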
