Re: [Swan] Self-signed certificate (X509: temporary cert import operation failed)

2018-08-10 Thread Paul Wouters

On Wed, 25 Jul 2018, Qiuyu Xiao wrote:

Subject: [Swan] Self-signed certificate (X509: temporary cert import operation failed)

Hi everyone,

I am trying to configure a host-to-host transport IPsec tunnel. Each
host uses the other host's self-signed certificate to do
authentication. But I encountered an "X509: temporary cert import
operation failed" error.


Please use raw keys instead of self-signed certificates.

https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan#Using_raw_RSA_keys_with_NSS

Paul
___
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
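A configuration check in the spirit of the advice above, added here as an example and not part of the thread or of libreswan: it parses ipsec.conf sections the way ipsec.conf(5) lays them out (unindented section headers, indented parameters) and reports which conns still rely on certificate authentication, the set-up shown failing below. The sample is constructed from the thread's tun-in-1 plus a hypothetical rawkey-demo conn whose 0s... values are placeholders for real `ipsec showhostkey --left` / `--right` output.

```python
import re
SECTION_RE = re.compile(r"^(config|conn)\s+(\S+)\s*$")

def parse_ipsec_conf(text):
    """{(kind, name): {key: value}}; per ipsec.conf(5) section headers are unindented, parameters indented."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # drop comments and trailing blanks
        if not line.strip():
            continue
        if not line[0].isspace():                    # 'conn NAME' / 'config setup' header
            m = SECTION_RE.match(line)
            if not m:                                # unindented parameter: libreswan rejects it
                raise ValueError("unindented non-section line: %r" % raw)
            current = (m.group(1), m.group(2))
            sections[current] = {}
        elif current is None:
            raise ValueError("indented line outside any section: %r" % raw)
        else:                                        # key=value belonging to the open section
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip().strip('"')
    return sections

def auth_mode(conn, side):  # 'rawkey' for an inline 0s... public key, 'cert' for %cert or a cert nickname
    key = conn.get(side + "rsasigkey", "")
    if key.startswith("0s"):
        return "rawkey"
    return "cert" if key == "%cert" or side + "cert" in conn else "none"

def check_conns(text):  # map each conn to a finding about how its two sides authenticate
    findings = {}
    for (kind, name), conn in parse_ipsec_conf(text).items():
        if kind != "conn" or name == "%default":
            continue
        modes = {auth_mode(conn, "left"), auth_mode(conn, "right")}
        if "cert" in modes:                          # the set-up the thread shows failing
            findings[name] = "cert auth: peer cert must verify; self-signed certs fail, use raw keys or a CA"
        elif modes == {"rawkey"}:
            findings[name] = "raw RSA keys on both sides"
        else:
            findings[name] = "authentication incomplete on one side"
    return findings

# Constructed sample: the thread's tun-in-1 (indented as libreswan requires) and a placeholder raw-key conn.
SAMPLE = """conn tun-in-1
    leftcert="host_2"
    rightcert="host_1"
    leftrsasigkey=%cert
conn rawkey-demo
    leftrsasigkey=0sAQ...LEFT_KEY_PLACEHOLDER
    rightrsasigkey=0sAQ...RIGHT_KEY_PLACEHOLDER
"""
```

Running `check_conns(SAMPLE)` flags tun-in-1 for certificate authentication and accepts rawkey-demo; feeding it a config with unindented parameters (as the thread's extraction shows them) raises a ValueError, the same way libreswan would refuse the file.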


[Swan] Self-signed certificate (X509: temporary cert import operation failed)

2018-07-30 Thread Qiuyu Xiao

Hi everyone,

I am trying to configure a host-to-host transport IPsec tunnel. Each
host uses the other host's self-signed certificate to do
authentication. But I encountered an "X509: temporary cert import
operation failed" error.

Here is my configuration file:

config setup
    uniqueids=yes

conn %default
    keyingtries=%forever
    type=transport
    auto=route
    ike=aes_gcm256-sha2_256
    esp=aes_gcm256
    ikev2=insist

conn tun-in-1
    left=10.33.79.92
    right=10.33.79.149
    leftid=@host_2
    rightid=@host_1
    leftcert="host_2"
    rightcert="host_1"
    leftrsasigkey=%cert
    leftprotoport=udp/6081
    rightprotoport=udp

conn tun-out-1
    left=10.33.79.92
    right=10.33.79.149
    leftid=@host_2
    rightid=@host_1
    leftcert="host_2"
    rightcert="host_1"
    leftrsasigkey=%cert
    leftprotoport=udp
    rightprotoport=udp/6081

Here is the error message:

002 "tun-in-1" #5: initiating v2 parent SA
133 "tun-in-1" #5: STATE_PARENT_I1: initiate
133 "tun-in-1" #5: STATE_PARENT_I1: sent v2I1, expected v2R1
002 "tun-in-1" #5: tun-in-1 ESP/AH proposals for initiator: 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;ESN=DISABLED
134 "tun-in-1" #6: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=aes_gcm_16_256 integ=n/a prf=sha2_256 group=MODP2048}
002 "tun-in-1" #6: X509: temporary cert import operation failed
002 "tun-in-1" #6: cert verify failed with internal error
002 "tun-in-1" #6: X509: Certificate rejected for this connection
002 "tun-in-1" #6: X509: CERT payload bogus or revoked
224 "tun-in-1" #6: STATE_PARENT_I2: v2N_AUTHENTICATION_FAILED

After this, I did some further investigation. When I change each
host's certificate to CA-signed certificate (signed by the same CA),
everything works.

What exactly is my problem? Is a self-signed certificate not allowed?

I would really appreciate it if anyone could give me a clue.

-Qiuyu