[strongSwan] signature validation failed error
agarwalpiyush at gmail.com
Mon May 15 19:40:53 CEST 2017
I am running into a strange issue and would appreciate any help in
debugging what could be going wrong.
I am using self-signed certs for both my client and server. Client sends
its cert to server (via out of band channel) and vice-versa so that
verification can be done.
I am using the same subject DN for both my client and server (again, as bad
as this is, this works for our setup).
All is good and IPsec comes up. Now I am simulating a failure scenario where
the server dies and restarts after, say, 40 seconds, and I expect IPsec to come
up again because the client is programmed to retry every 30 seconds. [BTW, the
client here is detecting that the server is down by checking the output of setkey -D
to see whether mature bi-directional IPsec SAs are present or not]
Client logic on detecting IPsec down for 30 seconds (Start state is IPsec
transport tunnel established):
1) Call ipsec stop
2) Receive out of band event that server is up, connect to server
3) Regenerate private key and store in ipsec.d/private/
4) Regenerate self-signed cert and store in ipsec.d/certs/client.cert
5) Get server's self-signed cert and store in local
ipsec.d/certs/server.cert. Send client's self-signed cert to server
6) ipsec start to bring tunnel up
Server events (Start state is IPsec transport tunnel established):
1) Server is shut down resulting in ipsec daemon stopping
2) After 40 seconds, server restarts
3) Generate private key and store in ipsec.d/private/
4) Generate self-signed cert and store in ipsec.d/certs/server.cert
5) Receives out of band event that client is trying to register
6) Send own cert to client and store client's cert in
7) ipsec start to bring tunnel up
7.1) Each subsequent client re-attempt (30 seconds), will lead to "ipsec
reload" and not "ipsec stop/start" cycle on server end.
At this point the server logs complain the following:
07[CFG] selected peer config 'x.x.x.x'
07[CFG] using trusted certificate "ABCDEFGH"
07[IKE] signature validation failed, looking for another key
Appreciate any guidance.
Life can only be understood backwards; but it must be lived forwards.
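Added example, not from the original post and not strongSwan or ipsec-tools code: a POSIX sh version of the client-side liveness check the poster describes, parsing `setkey -D` output and treating the transport tunnel as up only when a mature ESP SA exists in each direction. The sample `setkey -D` output, the addresses and the function names are constructed for this example; the only format assumption is that setkey prints each SA as a block headed by a `SRC DST` line and containing `state=mature` once the SA is usable.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether a transport-mode
# IPsec SA pair between two hosts is up by parsing `setkey -D` output.
# Assumed format (ipsec-tools setkey): one block per SA, headed by an
# unindented "SRC DST" line, followed by indented detail lines, one of which
# carries "state=mature" for a usable SA.

# Constructed sample of `setkey -D` output with one mature SA in each direction.
SAMPLE_SETKEY_OUTPUT='10.0.0.1 10.0.0.2
    esp mode=transport spi=123456789(0x075bcd15) reqid=1(0x00000001)
    E: aes-cbc  0123456789abcdef0123456789abcdef
    A: hmac-sha1  0123456789abcdef0123456789abcdef01234567
    seq=0x00000000 replay=32 flags=0x00000000 state=mature
    created: May 15 19:40:53 2017   current: May 15 19:41:10 2017
10.0.0.2 10.0.0.1
    esp mode=transport spi=987654321(0x3ade68b1) reqid=1(0x00000001)
    E: aes-cbc  fedcba9876543210fedcba9876543210
    A: hmac-sha1  fedcba9876543210fedcba9876543210fedcba98
    seq=0x00000000 replay=32 flags=0x00000000 state=mature
    created: May 15 19:40:53 2017   current: May 15 19:41:10 2017'

# Constructed sample where the return direction is still being negotiated
# (state=larval): only one usable SA, so the tunnel must count as down.
SAMPLE_SETKEY_OUTPUT_HALF='10.0.0.1 10.0.0.2
    esp mode=transport spi=123456789(0x075bcd15) reqid=1(0x00000001)
    seq=0x00000000 replay=32 flags=0x00000000 state=mature
10.0.0.2 10.0.0.1
    esp mode=transport spi=0(0x00000000) reqid=1(0x00000001)
    seq=0x00000000 replay=32 flags=0x00000000 state=larval'

# count_mature_esp_sas OUTPUT SRC DST
# Prints the number of mature ESP SAs from SRC to DST found in OUTPUT.
count_mature_esp_sas() {
    printf '%s\n' "$1" | awk -v src="$2" -v dst="$3" '
        # A line starting in column 1 begins a new SA block: "SRC DST".
        substr($0, 1, 1) != " " && substr($0, 1, 1) != "\t" {
            cur_src = $1; cur_dst = $2; proto = ""; next
        }
        # The first indented line names the protocol (esp/ah).
        $1 == "esp" { proto = "esp" }
        /state=mature/ && proto == "esp" && cur_src == src && cur_dst == dst { n++ }
        END { print n + 0 }'
}

# ipsec_pair_up OUTPUT HOST_A HOST_B
# Returns 0 (true) only when mature ESP SAs exist in both directions.
ipsec_pair_up() {
    a_to_b=$(count_mature_esp_sas "$1" "$2" "$3")
    b_to_a=$(count_mature_esp_sas "$1" "$3" "$2")
    [ "$a_to_b" -ge 1 ] && [ "$b_to_a" -ge 1 ]
}

# Stand-alone usage: in a real poller replace the sample with "$(setkey -D)".
if ipsec_pair_up "$SAMPLE_SETKEY_OUTPUT" 10.0.0.1 10.0.0.2; then
    echo "ipsec up"
else
    echo "ipsec down"
fi
```

Checking both directions separately matters for the retry logic described above: a half-established pair (one mature SA, one larval) looks like "some SAs present" to a naive grep but will not carry traffic, so a poller that only counts `state=mature` lines can miss the exact window in which the server has restarted.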