[strongSwan] Can't connect to Strongswan

Tobias Brunner tobias at strongswan.org
Thu Jul 19 15:06:33 CEST 2018

Hi Alexander,

> I believe the problem is here, but I still somewhat new to the logs:
> Jul 19 13:18:09 below charon: 09[IKE] signature validation failed, looking for another key
> Jul 19 13:18:09 below charon: 09[CFG] no issuer certificate found for "C=CH, O=strongSwan, CN=Client Key“

These issues could be related.  For instance, if you created multiple
client certificates/keys and signed them with different CA keys.

> I have used ipsec pki --verify --in certs/ClientCert.pem --cacert cacerts/strongswanCert.pem in an attempt to check the certificates, and everything seems OK: "certificate trusted, lifetimes valid“

Question is whether that's the certificate/key the client currently
uses.  I also wonder why the daemon has two different client
certificates available (as `rightcert` is not configured).  Did you
create and distribute a new client certificate and not restart the
daemon (or flush the certificate cache)?  Check the list of loaded
certificates with `ipsec listcerts` (and the CA certs with `listcacerts`).


More information about the Users mailing list