[strongSwan] Strongswan VPN with CA

Phil Frost phil at postmates.com
Wed May 16 14:10:27 CEST 2018


It doesn't appear you've configured strongswan to trust any CAs anywhere.
See /etc/ipsec.d/cacerts, the "CA SECTIONS" section in ipsec.conf(5), and
the leftca and rightca options.

On Wed, May 16, 2018 at 9:40 AM Michal Grzelak <michal.grzelak at nordcloud.com>
wrote:

> I have a Site to Site VPN between Strongswan and Cisco working over PSK.
> Wanted to upgrade it to authenticate via Certificates, but can't get it
> done. Receiving following error:
>
> May  9 13:57:20 strongswan charon: 13[CFG]   ocsp response correctly signed by "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Validation Authority - G2"
> May  9 13:57:20 strongswan charon: 13[CFG]   ocsp response is valid: until May 11 01:05:00 2018
> May  9 13:57:20 strongswan charon: 13[CFG]   using cached ocsp response
> May  9 13:57:20 strongswan charon: 13[CFG] certificate status is good
> May  9 13:57:20 strongswan charon: 13[CFG] certificate policy 2.16.840.1.114413.1.7.23.1 for 'OU=Domain Control Validated, CN=hostname.somedomain.com' not allowed by trustchain, ignored
> May  9 13:57:20 strongswan charon: 13[CFG] certificate policy 2.23.140.1.2.1 for 'OU=Domain Control Validated, CN=hostname.somedomain.com' not allowed by trustchain, ignored
> May  9 13:57:20 strongswan charon: 13[CFG]   reached self-signed root ca with a path length of 1
> May  9 13:57:20 strongswan charon: 13[IKE] signature validation failed, looking for another key
>
> The certificates for both ends are signed by two different CAs, but we have already
> exchanged the public root and intermediate certs. On the Cisco side I see the
> tunnel goes up for both Phase 1 and 2, so it's good. Strongswan has a problem
> with it and no SA is up.
>
> Configuration:
>
> conn testconn
>     auto=start
>     left=%any
>     leftfirewall=yes
>     leftid=@strongswan.mydomain.com
>     leftid=x.x.x.x
>     leftcert=strongswan.mydomain.com.pem
>     right=y.y.y.y
>     rightid=%any
>     rightid=@hostname.somedomain.com
>     type=tunnel
>     ikelifetime=24h
>     keylife=1h
>     esp=aes256-sha384-ecp521
>     ike=aes256-sha384-modp1024
>     keyingtries=%forever
>     keyexchange=ikev2
>     leftsubnet=z.z.z.z/z
>     rightsubnet=u.u.u.u/u
>     dpddelay=10s
>     dpdtimeout=30s
>     dpdaction=restart
>
> What could be wrong here? Any suggestions?
> Thanks.
>
>
> --
> Best regards,
> Michał
>
>
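An added example (not from this thread) of what the reply's three pointers look like in practice: the peer's root and intermediate certificates placed under /etc/ipsec.d/cacerts, a `ca` section for that root, and `leftca`/`rightca` pinning each side to its issuer. The CA distinguished names and file names are placeholders; only the @-style identities from the original conn are kept.

```ini
# /etc/ipsec.conf (added example; DNs and CA file names are placeholders)
#
# Copy the root AND intermediate certificates of the peer's chain into
# /etc/ipsec.d/cacerts/ (PEM or DER) so charon can build and trust the chain;
# load them without a restart with: ipsec rereadcacerts

ca peer-root-ca
    # file name relative to /etc/ipsec.d/cacerts (placeholder)
    cacert=peer-root-ca.pem
    auto=add

conn testconn
    auto=start
    keyexchange=ikev2
    type=tunnel
    left=%any
    leftid=@strongswan.mydomain.com
    leftcert=strongswan.mydomain.com.pem
    # issuer of our own certificate; the Cisco side must trust this CA (placeholder DN)
    leftca="C=XX, O=Example CA, CN=Example Root CA"
    right=y.y.y.y
    rightid=@hostname.somedomain.com
    # accept only a peer certificate that chains to this trusted CA (placeholder DN)
    rightca="C=XX, O=Peer CA, CN=Peer Root CA"
    leftsubnet=z.z.z.z/z
    rightsubnet=u.u.u.u/u
    ike=aes256-sha384-modp1024
    esp=aes256-sha384-ecp521
    dpddelay=10s
    dpdtimeout=30s
    dpdaction=restart
```

After loading, `ipsec listcacerts` should show both roots and the intermediates; if the peer's chain does not end in one of them, "signature validation failed" will persist.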