[strongSwan] Strongswan VPN with CA
Michal Grzelak
michal.grzelak at nordcloud.com
Wed May 16 15:20:05 CEST 2018
Thanks, Phil, for the input.
I have the public certs copied into /etc/ipsec.d/cacerts. Moreover, I have been
playing with leftca and rightca and that didn't help; I always get the same
error.
On Wed, May 16, 2018 at 2:10 PM, Phil Frost <phil at postmates.com> wrote:
> It doesn't appear you've configured strongswan to trust any CAs anywhere.
> See /etc/ipsec.d/cacerts, the "CA SECTIONS" section in ipsec.conf(5), and
> the leftca and rightca options.
>
> On Wed, May 16, 2018 at 9:40 AM Michal Grzelak <michal.grzelak at nordcloud.com> wrote:
>
>> I have a Site to Site VPN between Strongswan and Cisco working over PSK. I
>> wanted to upgrade it to authenticate via certificates, but can't get it
>> done. I am receiving the following error:
>>
>> May 9 13:57:20 strongswan charon: 13[CFG] ocsp response correctly signed by "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Validation Authority - G2"
>> May 9 13:57:20 strongswan charon: 13[CFG] ocsp response is valid: until May 11 01:05:00 2018
>> May 9 13:57:20 strongswan charon: 13[CFG] using cached ocsp response
>> May 9 13:57:20 strongswan charon: 13[CFG] certificate status is good
>> May 9 13:57:20 strongswan charon: 13[CFG] certificate policy 2.16.840.1.114413.1.7.23.1 for 'OU=Domain Control Validated, CN=hostname.somedomain.com' not allowed by trustchain, ignored
>> May 9 13:57:20 strongswan charon: 13[CFG] certificate policy 2.23.140.1.2.1 for 'OU=Domain Control Validated, CN=hostname.somedomain.com' not allowed by trustchain, ignored
>> May 9 13:57:20 strongswan charon: 13[CFG] reached self-signed root ca with a path length of 1
>> May 9 13:57:20 strongswan charon: 13[IKE] signature validation failed, looking for another key
>>
>> The certificates for both ends are signed by two different CAs, but we have
>> already exchanged the public root and intermediate certs. On the Cisco side I see
>> the tunnel come up for both Phase 1 and 2, so it's good. Strongswan has a
>> problem with it and no SA is up.
>>
>> Configuration:
>>
>> conn testconn
>>     auto=start
>>     left=%any
>>     leftfirewall=yes
>>     leftid=@strongswan.mydomain.com
>>     leftid=x.x.x.x
>>     leftcert=strongswan.mydomain.com.pem
>>     right=y.y.y.y
>>     rightid=%any
>>     rightid=@hostname.somedomain.com
>>     type=tunnel
>>     ikelifetime=24h
>>     keylife=1h
>>     esp=aes256-sha384-ecp521
>>     ike=aes256-sha384-modp1024
>>     keyingtries=%forever
>>     keyexchange=ikev2
>>     leftsubnet=z.z.z.z/z
>>     rightsubnet=u.u.u.u/u
>>     dpddelay=10s
>>     dpdtimeout=30s
>>     dpdaction=restart
>>
>> What could be wrong here? Any suggestions?
>> Thanks.
>>
>> --
>> Best regards,
>> Michał
--
Best regards,
Michał Grzelak
Senior Cloud Architect
Nordcloud Poland sp. z o.o.
Dąbrowskiego 79A, 60-575 Poznań
michal.grzelak at nordcloud.com
www.nordcloud.com
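What Phil's suggestion looks like in ipsec.conf, as an added example that is not from this thread (the file names, the CA DN placeholder and the choice of a single leftid/rightid pair are assumptions):

```ini
# Added example, not from the thread. Assumptions: file names, the CA DN
# placeholder, and that one leftid/rightid pair is wanted.

# 1. Trust anchors. Every CA cert needed to build the peer's chain (root
#    AND intermediate, PEM or DER) goes into this directory; charon loads
#    them at start and after `ipsec rereadcacerts`. Confirm what is
#    actually loaded with `ipsec listcacerts`.
#      /etc/ipsec.d/cacerts/peer-root.pem
#      /etc/ipsec.d/cacerts/peer-intermediate.pem

# 2. Optional explicit CA section (ipsec.conf(5) "CA SECTIONS"): same
#    trust effect as dropping the file into cacerts/, but it lets you
#    attach OCSP/CRL URIs to that specific CA.
ca peer-issuing-ca
    cacert=/etc/ipsec.d/cacerts/peer-intermediate.pem
    auto=add

conn testconn
    keyexchange=ikev2
    auto=start
    type=tunnel
    left=%any
    leftid=@strongswan.mydomain.com
    leftcert=strongswan.mydomain.com.pem
    leftsubnet=z.z.z.z/z
    leftfirewall=yes
    right=y.y.y.y
    # rightid must match a subjectAltName (or the subject DN) of the
    # certificate the peer presents
    rightid=@hostname.somedomain.com
    rightsubnet=u.u.u.u/u
    # 3. Only accept a peer cert whose trust path contains this CA (DN of
    #    the root or intermediate, which itself must be trusted via
    #    cacerts/ or a ca section). Placeholder DN: copy the real one from
    #    `ipsec listcacerts`.
    rightca="C=US, O=Example CA Org, CN=Example Issuing CA"
    ike=aes256-sha384-modp1024
    esp=aes256-sha384-ecp521
    ikelifetime=24h
    keylife=1h
    keyingtries=%forever
    dpddelay=10s
    dpdtimeout=30s
    dpdaction=restart
```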