[strongSwan] Strongswan VPN with CA

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Wed May 16 14:20:40 CEST 2018


Hello Phil,

No, that's not the problem. It's because the CA screwed up the settings of the X509 policy mapping extension. I don't quite know the details of /what/ they got wrong, but as far as I can tell, the CA certificate is either missing the extension value that allows any policy or has INHIBIT_ANY_POLICY set.

Kind regards

Noel

On 16.05.2018 14:10, Phil Frost wrote:
> It doesn't appear you've configured strongswan to trust any CAs anywhere. See /etc/ipsec.d/cacerts, the "CA SECTIONS" section in ipsec.conf(5), and the leftca and rightca options.
>
> On Wed, May 16, 2018 at 9:40 AM Michal Grzelak <michal.grzelak at nordcloud.com <mailto:michal.grzelak at nordcloud.com>> wrote:
>
>     I have a Site to Site VPN between Strongswan and Cisco working over PSK. Wanted to upgrade it to authenticate via Certificates, but can't get it done. Receiving the following error:
>
>
>     May 9 13:57:20 strongswan charon: 13[CFG] ocsp response correctly signed by "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Validation Authority - G2"
>     May 9 13:57:20 strongswan charon: 13[CFG] ocsp response is valid: until May 11 01:05:00 2018
>     May 9 13:57:20 strongswan charon: 13[CFG] using cached ocsp response
>     May 9 13:57:20 strongswan charon: 13[CFG] certificate status is good
>     May 9 13:57:20 strongswan charon: 13[CFG] certificate policy 2.16.840.1.114413.1.7.23.1 for 'OU=Domain Control Validated, CN=hostname.somedomain.com' not allowed by trustchain, ignored
>     May 9 13:57:20 strongswan charon: 13[CFG] certificate policy 2.23.140.1.2.1 for 'OU=Domain Control Validated, CN=hostname.somedomain.com' not allowed by trustchain, ignored
>     May 9 13:57:20 strongswan charon: 13[CFG] reached self-signed root ca with a path length of 1
>     May 9 13:57:20 strongswan charon: 13[IKE] signature validation failed, looking for another key
>
>     The Certificates for both ends are signed by two different CAs, but we have already exchanged public root and intermediate certs. On the Cisco side I see the tunnel goes up for both Phase 1 and 2, so it's good. Strongswan has a problem with it and no SA is up.
>
>     Configuration:
>
>     conn testconn
>         auto=start
>         left=%any
>         leftfirewall=yes
>         leftid=@strongswan.mydomain.com
>         leftid=x.x.x.x
>         leftcert=strongswan.mydomain.com.pem
>         right=y.y.y.y
>         rightid=%any
>         rightid=@hostname.somedomain.com
>         type=tunnel
>         ikelifetime=24h
>         keylife=1h
>         esp=aes256-sha384-ecp521
>         ike=aes256-sha384-modp1024
>         keyingtries=%forever
>         keyexchange=ikev2
>         leftsubnet=z.z.z.z/z
>         rightsubnet=u.u.u.u/u
>         dpddelay=10s
>         dpdtimeout=30s
>         dpdaction=restart
>
>     What could be wrong here? Any suggestions?
>
>     Thanks.
>
>
>     -- 
>     Best regards,
>     Michał
>

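A worked illustration of the two CA-side settings Noel names above (anyPolicy missing from the CA's certificatePolicies, or inhibitAnyPolicy set), added here as an example; it is neither strongSwan's code nor anything posted in this thread. It constructs small Extensions blobs for a root, an intermediate and a leaf (the leaf carries the two policy OIDs from the log), decodes them with a minimal DER parser, and applies a simplified form of the RFC 5280 policy check to see which leaf policies the chain permits. The function names (`leaf_policies_allowed`, `policy_summary`) and the sample chains (`ROOT_OK`, `ROOT_INHIBIT`, `INTERMEDIATE_NARROW`, `LEAF`) are this example's own inventions, and the check is a simplification of section 6.1 of RFC 5280, not a reproduction of strongSwan's trust chain logic.

```python
# Which certificate policies may an end-entity cert claim, given its CA chain's
# policy extensions? Constructed example (not strongSwan code): tiny DER
# encoder/decoder plus a simplified RFC 5280 policy check.

OID_CERT_POLICIES = "2.5.29.32"        # certificatePolicies
OID_ANY_POLICY = "2.5.29.32.0"         # anyPolicy
OID_INHIBIT_ANY_POLICY = "2.5.29.54"   # inhibitAnyPolicy
LEAF_POLICY_1 = "2.16.840.1.114413.1.7.23.1"   # both OIDs appear in the thread's log
LEAF_POLICY_2 = "2.23.140.1.2.1"


# --- DER encoder, used only to build the sample extensions (short-form lengths suffice) ---
def tlv(tag, body):
    return bytes([tag, len(body)]) + body


def _base128(n):
    out = bytes([n & 0x7F])
    while n := n >> 7:
        out = bytes([0x80 | (n & 0x7F)]) + out
    return out


def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    return tlv(0x06, _base128(40 * arcs[0] + arcs[1]) + b"".join(_base128(a) for a in arcs[2:]))


def der_extension(oid, value, critical=False):
    flag = tlv(0x01, b"\xff") if critical else b""
    return tlv(0x30, der_oid(oid) + flag + tlv(0x04, value))


def cert_policies_ext(*oids):
    return der_extension(OID_CERT_POLICIES, tlv(0x30, b"".join(tlv(0x30, der_oid(o)) for o in oids)))


def inhibit_any_ext(skip_certs):
    return der_extension(OID_INHIBIT_ANY_POLICY, tlv(0x02, bytes([skip_certs])), critical=True)


# --- DER decoder (handles long-form lengths, so it also works on real Extensions blobs) ---
def _read_tlv(buf, pos):
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _items(body):
    pos, out = 0, []
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out


def decode_oid(body):
    arcs, n = [], 0
    for b in body:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    first = arcs.pop(0)
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs)


def policy_summary(ext_der):
    """certificatePolicies OIDs and inhibitAnyPolicy skip count (None if absent)."""
    exts = {}
    for _tag, ext in _items(_read_tlv(ext_der, 0)[1]):
        fields = _items(ext)                   # [extnID, optional critical, extnValue]
        exts[decode_oid(fields[0][1])] = fields[-1][1]
    policies = set()
    if OID_CERT_POLICIES in exts:
        for _t, info in _items(_read_tlv(exts[OID_CERT_POLICIES], 0)[1]):
            policies.add(decode_oid(_items(info)[0][1]))
    inhibit = None
    if OID_INHIBIT_ANY_POLICY in exts:
        inhibit = int.from_bytes(_read_tlv(exts[OID_INHIBIT_ANY_POLICY], 0)[1], "big")
    return {"policies": policies, "inhibit_any_policy": inhibit}


def leaf_policies_allowed(chain_ext_der, leaf_ext_der):
    """chain_ext_der runs root -> last intermediate. A leaf policy survives only if
    every CA lists it, or lists anyPolicy while anyPolicy is not yet inhibited."""
    allowed = None        # None = unrestricted so far, else the surviving OID set
    any_budget = None     # None = never inhibited, else certs anyPolicy is still good for
    for ca_der in chain_ext_der:
        ca = policy_summary(ca_der)
        any_ok = OID_ANY_POLICY in ca["policies"] and (any_budget is None or any_budget > 0)
        if not any_ok:
            explicit = ca["policies"] - {OID_ANY_POLICY}
            allowed = explicit if allowed is None else allowed & explicit
        if any_budget:                         # count this CA against an earlier skipCerts
            any_budget -= 1
        if ca["inhibit_any_policy"] is not None:
            any_budget = min(b for b in (any_budget, ca["inhibit_any_policy"]) if b is not None)
    leaf = policy_summary(leaf_ext_der)["policies"] - {OID_ANY_POLICY}
    return {p: allowed is None or p in allowed for p in sorted(leaf)}


ROOT_OK = INTERMEDIATE_OK = tlv(0x30, cert_policies_ext(OID_ANY_POLICY))   # constructed samples
ROOT_INHIBIT = tlv(0x30, cert_policies_ext(OID_ANY_POLICY) + inhibit_any_ext(0))
INTERMEDIATE_NARROW = tlv(0x30, cert_policies_ext(LEAF_POLICY_1))
LEAF = tlv(0x30, cert_policies_ext(LEAF_POLICY_1, LEAF_POLICY_2))

REPORT = leaf_policies_allowed([ROOT_INHIBIT, INTERMEDIATE_OK], LEAF)   # both leaf policies -> False
```

On the constructed chains, both leaf policies survive when every CA carries anyPolicy; both are dropped once the root sets inhibitAnyPolicy=0, because the intermediate's anyPolicy is then no longer honoured; and only the explicitly listed policy survives when the intermediate names one policy instead of anyPolicy. To run the same check on a real CA certificate you would feed it the DER of the certificate's Extensions SEQUENCE; for a quick look without code, `openssl x509 -noout -text` prints the "X509v3 Certificate Policies" and "X509v3 Inhibit Any Policy" sections of each certificate in the chain.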