[strongSwan] Can't connect to Strongswan
Tobias Brunner
tobias at strongswan.org
Thu Jul 19 15:06:33 CEST 2018
Hi Alexander,
> I believe the problem is here, but I'm still somewhat new to the logs:
>
> Jul 19 13:18:09 below charon: 09[IKE] signature validation failed, looking for another key
> Jul 19 13:18:09 below charon: 09[CFG] no issuer certificate found for "C=CH, O=strongSwan, CN=Client Key"
These issues could be related. For instance, if you created multiple
client certificates/keys and signed them with different CA keys.
> I have used `ipsec pki --verify --in certs/ClientCert.pem --cacert cacerts/strongswanCert.pem` in an attempt to check the certificates, and everything seems OK: "certificate trusted, lifetimes valid"
Question is whether that's the certificate/key the client currently
uses. I also wonder why the daemon has two different client
certificates available (as `rightcert` is not configured). Did you
create and distribute a new client certificate and not restart the
daemon (or flush the certificate cache)? Check the list of loaded
certificates with `ipsec listcerts` (and the CA certs with `listcacerts`).
Regards,
Tobias
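
The case suggested in the reply above (several client certificates with the same subject, signed by different CA keys), reproduced as an added example that is not part of the original thread or of strongSwan. It uses `openssl` rather than `ipsec pki`; the CA DN, file names and all keys are constructed throwaway data.

```shell
#!/bin/sh
# Added example; every key and certificate here is constructed throwaway data.
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# make_ca <name>: self-signed CA (the CA DN is a constructed placeholder)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/C=CH/O=strongSwan/CN=strongSwan CA" \
    -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
}

# make_client <name> <ca-name>: client cert with the subject seen in the log
make_client() {
  openssl req -newkey rsa:2048 -nodes \
    -subj "/C=CH/O=strongSwan/CN=Client Key" \
    -keyout "$work/$1.key" -out "$work/$1.csr" 2>/dev/null
  openssl x509 -req -in "$work/$1.csr" -days 1 -set_serial 1 \
    -CA "$work/$2.pem" -CAkey "$work/$2.key" \
    -out "$work/$1.pem" 2>/dev/null
}

# signed_by <ca-name> <cert-name>: exit 0 only if the cert chains to that CA key
signed_by() {
  openssl verify -CAfile "$work/$1.pem" "$work/$2.pem" >/dev/null 2>&1
}

# The subject cannot tell the two certificates apart; the fingerprint can.
subject()     { openssl x509 -in "$work/$1.pem" -noout -subject -nameopt RFC2253; }
fingerprint() { openssl x509 -in "$work/$1.pem" -noout -fingerprint -sha256 | cut -d= -f2; }

# Two CA keys with identical DNs, one client certificate issued by each.
make_ca ca_old; make_ca ca_new
make_client client_old ca_old
make_client client_new ca_new

echo "$(subject client_old)  sha256=$(fingerprint client_old)"
echo "$(subject client_new)  sha256=$(fingerprint client_new)"
for c in client_old client_new; do
  if signed_by ca_new "$c"; then echo "$c: chains to the current CA"
  else echo "$c: does NOT chain to the current CA"; fi
done
```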