[strongSwan] Linux client won't connect.

Dusan Ilic dusan at comhem.se
Sat Aug 26 14:35:53 CEST 2017

Hi Chama,

Android client (or probably OS) already has the LE root CA, that's why it just works.
On Linux you have to download the intermediate chain, found here: https://www.identrust.com/certificates/trustid/root-download-x3.html

---- Chama Sparky wrote ----

>Hello, this is my first try setting up strongSwan and IPsec. I'm used to
>OpenVPN but that is no longer a viable option. I have two strongSwan
>servers running on Debian with Let's Encrypt on. I thought it would be
>nice not to deal with certificates on the client side. I can connect to
>both boxes just fine from my Android with IKEv2 EAP authentication.
>On my Linux desktop, at first strongSwan was unable to fetch OCSP from LE
>servers. Installing the curl plugin fixed that. Now, I'm stuck with a
>public key error that I cannot seem to solve.
>Here is the last bit of the log:
>checking certificate status of "CN=some.domain.com"
>  requesting ocsp status from 'http://ocsp.int-x3.letsencrypt.org' ...
>  ocsp response correctly signed by "C=US, O=Let's Encrypt, CN=Let's
>Encrypt Authority X3"
>  ocsp response is valid: until Aug 25 18:00:00 2017
>certificate status is good
>no issuer certificate found for "C=US, O=Let's Encrypt, CN=Let's Encrypt
>Authority X3"
>no trusted RSA public key found for 'some.domain.com'
>generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
>sending packet: from[4500] to 999.199.**.**[4500] (76 bytes)
>establishing connection 'vpn' failed
>I have tried to install the LE root certificates on my system.  But the
>problem persists. Here is the ipsec.conf on my desktop:
>conn vpn
>    keyexchange=ikev2
>    dpdaction=clear
>    dpddelay=300s
>    eap_identity=dobry
>    leftauth=eap-mschapv2
>    left=%defaultroute
>    leftsourceip=%config
>    right=some.domain.com
>    rightauth=pubkey
>    rightsubnet=
>    rightid=%any
>    type=tunnel
>    auto=add
>Please let me know what other information might be relevant.
>Any pointers would be greatly appreciated. Thank you for reading.
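
The failure in the quoted log, reproduced with a throwaway PKI as an added example (not part of either message): the peer supplies the intermediate, so the check only succeeds when the issuer of that intermediate is among the client's trust anchors. All names (Demo Root, Demo Intermediate, Unrelated Root) are constructed, and `openssl verify` stands in here for strongSwan's own chain building.

```shell
#!/bin/sh
# Constructed throwaway PKI (demo names, not Let's Encrypt material):
#   Demo Root -> Demo Intermediate -> some.domain.com
set -eu
WORK=$(mktemp -d)

# Minimal config so the script does not depend on the system openssl.cnf.
cat > "$WORK/cfg" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
[leaf]
basicConstraints = CA:FALSE
EOF

selfsigned() {  # selfsigned <name> <CN>: self-signed root CA
  openssl req -config "$WORK/cfg" -x509 -extensions ca -newkey rsa:2048 -nodes \
    -days 2 -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
issue() {  # issue <name> <CN> <issuer-name> <extension-section>
  openssl req -config "$WORK/cfg" -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
    -CAcreateserial -days 2 -extfile "$WORK/cfg" -extensions "$4" \
    -out "$WORK/$1.pem" 2>/dev/null
}

# Client-side view: trust anchors come only from <bundle> (the role the
# ipsec.d/cacerts directory plays for strongSwan); the intermediate is sent by
# the peer, so it is passed as untrusted and cannot anchor the chain itself.
chain_ok() {  # chain_ok <trust-anchor bundle>
  openssl verify -CAfile "$1" -untrusted "$WORK/int.pem" "$WORK/leaf.pem" 2>&1 |
    grep -q ': OK$'
}

selfsigned root  "Demo Root"
selfsigned other "Unrelated Root"
issue int  "Demo Intermediate" root ca
issue leaf "some.domain.com"   int  leaf

for store in other root; do
  if chain_ok "$WORK/$store.pem"; then echo "anchor=$store: chain verifies"
  else echo "anchor=$store: chain does not reach a trusted root"; fi
done
```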