[strongSwan] Strongswan VPN with CA

Michal Grzelak michal.grzelak at nordcloud.com
Wed May 16 11:40:22 CEST 2018


I have a site-to-site VPN between strongSwan and Cisco working over PSK.
I wanted to upgrade it to authenticate via certificates, but can't get it
done. I am receiving the following error:


May  9 13:57:20 strongswan charon: 13[CFG]   ocsp response correctly signed by "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Validation Authority - G2"
May  9 13:57:20 strongswan charon: 13[CFG]   ocsp response is valid: until May 11 01:05:00 2018
May  9 13:57:20 strongswan charon: 13[CFG]   using cached ocsp response
May  9 13:57:20 strongswan charon: 13[CFG] certificate status is good
May  9 13:57:20 strongswan charon: 13[CFG] certificate policy 2.16.840.1.114413.1.7.23.1 for 'OU=Domain Control Validated, CN=hostname.somedomain.com' not allowed by trustchain, ignored
May  9 13:57:20 strongswan charon: 13[CFG] certificate policy 2.23.140.1.2.1 for 'OU=Domain Control Validated, CN=hostname.somedomain.com' not allowed by trustchain, ignored
May  9 13:57:20 strongswan charon: 13[CFG]   reached self-signed root ca with a path length of 1
May  9 13:57:20 strongswan charon: 13[IKE] signature validation failed, looking for another key

The certificates for both ends are signed by two different CAs, but we have already
exchanged the public root and intermediate certs. On the Cisco side I see the
tunnel come up for both Phase 1 and Phase 2, so it's good. strongSwan has a problem
with it and no SA is up.

Configuration:

conn testconn
    auto=start
    left=%any
    leftfirewall=yes
    leftid=@strongswan.mydomain.com
    leftid=x.x.x.x
    leftcert=strongswan.mydomain.com.pem
    right=y.y.y.y
    rightid=%any
    rightid=@hostname.somedomain.com
    type=tunnel
    ikelifetime=24h
    keylife=1h
    esp=aes256-sha384-ecp521
    ike=aes256-sha384-modp1024
    keyingtries=%forever
    keyexchange=ikev2
    leftsubnet=z.z.z.z/z
    rightsubnet=u.u.u.u/u
    dpddelay=10s
    dpdtimeout=30s
    dpdaction=restart

What might be wrong here? Any suggestions?
Thanks.

-- 
Best regards,
Michał
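As an added example (not part of the original post or of strongSwan itself), here is a small triage script for charon certificate-validation log lines like the ones quoted above. It separates the informational messages (OCSP status, certificate policies the trust chain does not permit and which charon simply ignores, the root reached) from the one that actually blocks the SA: "signature validation failed, looking for another key", which means the peer's IKE_AUTH signature did not verify with any trusted certificate found for its identity. The sample log text below is constructed from the post's lines; the log format assumed is the standard syslog output shown there.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the charon lines quoted in the post, one entry per line.
SAMPLE_LOG = """\
May  9 13:57:20 strongswan charon: 13[CFG]   ocsp response correctly signed by "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Validation Authority - G2"
May  9 13:57:20 strongswan charon: 13[CFG]   ocsp response is valid: until May 11 01:05:00 2018
May  9 13:57:20 strongswan charon: 13[CFG]   using cached ocsp response
May  9 13:57:20 strongswan charon: 13[CFG] certificate status is good
May  9 13:57:20 strongswan charon: 13[CFG] certificate policy 2.16.840.1.114413.1.7.23.1 for 'OU=Domain Control Validated, CN=hostname.somedomain.com' not allowed by trustchain, ignored
May  9 13:57:20 strongswan charon: 13[CFG] certificate policy 2.23.140.1.2.1 for 'OU=Domain Control Validated, CN=hostname.somedomain.com' not allowed by trustchain, ignored
May  9 13:57:20 strongswan charon: 13[CFG]   reached self-signed root ca with a path length of 1
May  9 13:57:20 strongswan charon: 13[IKE] signature validation failed, looking for another key
"""

# syslog prefix + "<thread>[<group>] <message>" as charon writes it
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) charon: "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\]\s+(?P<msg>.*)$"
)
POLICY_RE = re.compile(r"certificate policy (\S+) for '([^']*)' not allowed by trustchain, ignored")
CHAIN_RE = re.compile(r"reached self-signed root ca with a path length of (\d+)")
OCSP_RE = re.compile(r"certificate status is (\w+)")


@dataclass
class CertTriage:
    ocsp_status: Optional[str] = None          # "good" / "revoked" / ...
    ignored_policies: List[str] = field(default_factory=list)  # policy OIDs charon ignored
    trust_chain_length: Optional[int] = None   # path length when a root was reached
    signature_failed: bool = False             # the fatal condition for the SA
    unparsed: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[dict]:
    """Split one charon syslog line into its fields; None if it is not a charon line."""
    m = LINE_RE.match(line.rstrip())
    return m.groupdict() if m else None


def triage(log_text: str) -> CertTriage:
    """Walk the log and collect the certificate-validation outcome."""
    t = CertTriage()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        entry = parse_line(raw)
        if entry is None:
            t.unparsed.append(raw)
            continue
        msg = entry["msg"]
        if (m := OCSP_RE.search(msg)):
            t.ocsp_status = m.group(1)
        elif (m := POLICY_RE.search(msg)):
            t.ignored_policies.append(m.group(1))   # informational only
        elif (m := CHAIN_RE.search(msg)):
            t.trust_chain_length = int(m.group(1))
        elif "signature validation failed" in msg:
            t.signature_failed = True
    return t


def verdict(t: CertTriage) -> str:
    """One-line reading of the triage for the operator."""
    if t.signature_failed:
        return ("signature check failed: the peer's AUTH signature did not verify with any "
                "trusted certificate for its identity; the ignored policy lines are not the cause")
    if t.ocsp_status not in (None, "good"):
        return f"certificate status is {t.ocsp_status}"
    return "no certificate validation failure seen"


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result)
    print(verdict(result))
```

Run it against a real `/var/log/syslog` excerpt by feeding the file contents to `triage()`; the "not allowed by trustchain, ignored" lines are reported separately precisely so they are not mistaken for the failing check.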