[strongSwan] rejecting certificate without digitalSignature or nonRepudiation, keyUsage flags

lejeczek peljasz at yahoo.co.uk
Wed Oct 30 17:26:03 CET 2019


hi everyone,

I found this - https://wiki.strongswan.org/issues/3139 - but how to make
good use of it I'm not sure.

I hit such a problem, roadwarrior side of the logs:

...

06[MGR] checkin of IKE_SA successful
04[NET] sending packet: from 10.0.0.5[4500] to 10.5.154.202[4500]
04[NET] sending packet: from 10.0.0.5[4500] to 10.5.154.202[4500]
03[NET] received packet: from 10.5.154.202[4500] to 10.0.0.5[4500]
03[NET] waiting for data on sockets
08[MGR] checkout IKEv2 SA by message with SPIs aac5dbe33ca0241f_i f1e1d0956f4da4b5_r
08[MGR] IKE_SA TO-NRR[4] successfully checked out
08[NET] received packet: from 10.5.154.202[4500] to 10.0.0.5[4500] (576 bytes)
08[ENC] parsed IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(INT_ADDR_FAIL) N(TS_UNACCEPT) ]
08[CFG]   using trusted certificate "C=Shire, O=NRR, CN=private.NRR.tam.cos"
08[IKE] rejecting certificate without digitalSignature or nonRepudiation keyUsage flags
08[IKE] signature validation failed, looking for another key
08[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
08[NET] sending packet: from 10.0.0.5[4500] to 10.5.154.202[4500] (80 bytes)
08[KNL] deleting SAD entry with SPI cfa253fc
08[KNL] deleted SAD entry with SPI cfa253fc
08[MGR] checkin and destroy IKE_SA TO-NRR[4]
08[IKE] IKE_SA TO-NRR[4] state change: CONNECTING => DESTROYING


Is the problem caused by my certificates being crafted in a way which
did not comply with what Strongswan requires?

Or can this be resolved with configuration?

many thanks, L.
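Added example, not part of the post above and not strongSwan's own code: a dependency-free decoder for the X.509 keyUsage BIT STRING (the value you get from `openssl asn1parse` on the extension) plus the test the log line describes, that a certificate whose keyUsage contains neither digitalSignature nor nonRepudiation cannot be used to verify the peer's IKE_AUTH signature. The sample DER values are constructed; it is an assumption here that a certificate with no keyUsage extension at all is not restricted (RFC 5280 semantics).

```python
# Decode an X.509 keyUsage extension value and apply the check behind
# "rejecting certificate without digitalSignature or nonRepudiation keyUsage flags".
# Pure Python, no third-party modules.

# RFC 5280 4.2.1.3: KeyUsage ::= BIT STRING; bit 0 is the MSB of the first content byte.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]

def decode_key_usage(bitstring_der: bytes) -> set:
    """Decode a DER BIT STRING (the content of the keyUsage OCTET STRING)
    into the set of asserted flag names."""
    if len(bitstring_der) < 3 or bitstring_der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = bitstring_der[1]
    if length > 0x7F or len(bitstring_der) != 2 + length:   # short-form length is enough here
        raise ValueError("unsupported or truncated BIT STRING length")
    unused = bitstring_der[2]            # number of unused trailing bits in the last byte
    body = bitstring_der[3:]
    total_bits = len(body) * 8 - unused
    flags = set()
    for i, name in enumerate(KEY_USAGE_BITS):
        if i >= total_bits:
            break                        # DER drops trailing zero bits, so short strings are normal
        if body[i // 8] & (0x80 >> (i % 8)):
            flags.add(name)
    return flags

def usable_for_ike_signature(key_usage) -> bool:
    """key_usage is None when the certificate carries no keyUsage extension.
    Assumption: an absent extension imposes no restriction; an explicit keyUsage
    must contain digitalSignature or nonRepudiation to verify a signature."""
    if key_usage is None:
        return True
    return bool(key_usage & {"digitalSignature", "nonRepudiation"})

# Constructed sample extension values (DER BIT STRINGs).
ENC_ONLY    = bytes.fromhex("03020520")   # keyEncipherment only: what the log complains about
SIG_ONLY    = bytes.fromhex("03020780")   # digitalSignature only: acceptable
SIG_AND_ENC = bytes.fromhex("030205a0")   # digitalSignature + keyEncipherment: acceptable

if __name__ == "__main__":
    for label, der in [("keyEncipherment only", ENC_ONLY),
                       ("digitalSignature only", SIG_ONLY),
                       ("digitalSignature+keyEncipherment", SIG_AND_ENC)]:
        flags = decode_key_usage(der)
        verdict = "ok" if usable_for_ike_signature(flags) else "REJECTED"
        print(f"{label:34s} {sorted(flags)} -> {verdict}")
```

To check a real certificate, `openssl x509 -in cert.pem -noout -text` prints the decoded "X509v3 Key Usage" line directly; the decoder above shows what that line is derived from.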
