Re: [strongSwan] received TS_UNACCEPTABLE notify, no CHILD_SA built

2018-02-16 Thread Jafar Al-Gharaibeh


On 2/16/2018 3:39 AM, Sujoy wrote:


> The config file is the same, but it also failed, saying "unable to
> install inbound and outbound IPsec SA (SAD) in kernel failed to
> establish CHILD_SA, keeping IKE_SA".




It is failing with the error "IPsec SA: unsupported mode". That means
transport mode (USE_TRANSP, one line above) is not supported. This is
due to using the kernel-libipsec plugin (look at the loaded plugins list),
which doesn't implement transport mode as far as I know. Either
disable that plugin or switch back to tunnel mode.
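The two fixes suggested above, shown as an added configuration example that is not part of the original thread; the connection name and addresses are placeholders.

```conf
# --- strongswan.conf: keep charon from loading kernel-libipsec so the
#     native kernel-netlink backend (which supports transport mode) is used.
charon {
    plugins {
        kernel-libipsec {
            load = no
        }
    }
}

# --- ipsec.conf (alternative): keep kernel-libipsec and use tunnel mode.
#     With kernel-libipsec active, type=transport is rejected with
#     "IPsec SA: unsupported mode" and no CHILD_SA is installed.
conn host-to-host
    # placeholder addresses
    left=192.0.2.1
    right=192.0.2.2
    # was: type=transport
    type=tunnel
    auto=add
```

Only one of the two changes is needed; after restarting charon, the loaded-plugins line in the log should no longer list kernel-libipsec if the first variant was applied.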




Re: [strongSwan] peer cert verification: X509: temporary cert import operation failed

2018-02-16 Thread Thomas Jarosch
Hi,

On Thursday, 15 February 2018 17:37:24 CET Thomas Jarosch wrote:
> Feb 15 17:20:11.324390: "companyserver" #1: Peer ID is ID_DER_ASN1_DN: 'CN=firewall.company.com, O=Company, OU=HQ'
> Feb 15 17:20:11.324416: | checking for CERT payloads
> Feb 15 17:20:11.324426: | found at last one CERT payload, calling pluto_process_certs()
> Feb 15 17:20:11.324498: | nothing to decode
> Feb 15 17:20:11.324509: "companyserver" #1: X509: temporary cert import operation failed
> Feb 15 17:20:11.324524: "companyserver" #1: cert verify failed with internal error
> Feb 15 17:20:11.324535: "companyserver" #1: X509: Certificate rejected for this connection
> Feb 15 17:20:11.324547: "companyserver" #1: X509: CERT payload bogus or revoked
> Feb 15 17:20:11.324558: | Peer ID failed to decode
> Feb 15 17:20:11.324567: | complete v1 state transition with INVALID_ID_INFORMATION
> 
> What puzzles me is the "X509: temporary cert import operation failed"
> error message. The output is from "plutodebug=all" already.

Problem solved in the morning: using the "ipsec" systemd service
was wrong; it actually belongs to the libreswan package.

I confused the two, as a few strongswan versions back the initscript
for strongswan was in fact /etc/rc.d/init.d/ipsec :)

After using the "strongswan" systemd service everything went smoothly.
That also explains why it was suddenly using the nssdb
instead of the certificates from disk, as I was used to.

Cheers,
Thomas