Hi everyone, I am trying to configure a host-to-host transport IPsec tunnel. Each host uses the other host's self-signed certificate to do authentication. But I encountered an "X509: temporary cert import operation failed" error.
Here is my configuration file:

----------------------------------------
config setup
    uniqueids=yes

conn %default
    keyingtries=%forever
    type=transport
    auto=route
    ike=aes_gcm256-sha2_256
    esp=aes_gcm256
    ikev2=insist

conn tun-in-1
    left=10.33.79.92
    right=10.33.79.149
    leftid=@host_2
    rightid=@host_1
    leftcert="host_2"
    rightcert="host_1"
    leftrsasigkey=%cert
    leftprotoport=udp/6081
    rightprotoport=udp

conn tun-out-1
    left=10.33.79.92
    right=10.33.79.149
    leftid=@host_2
    rightid=@host_1
    leftcert="host_2"
    rightcert="host_1"
    leftrsasigkey=%cert
    leftprotoport=udp
    rightprotoport=udp/6081
----------------------------------------

Here is the error message:

------------------------------------
002 "tun-in-1" #5: initiating v2 parent SA
133 "tun-in-1" #5: STATE_PARENT_I1: initiate
133 "tun-in-1" #5: STATE_PARENT_I1: sent v2I1, expected v2R1
002 "tun-in-1" #5: tun-in-1 ESP/AH proposals for initiator: 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;ESN=DISABLED
134 "tun-in-1" #6: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=aes_gcm_16_256 integ=n/a prf=sha2_256 group=MODP2048}
002 "tun-in-1" #6: X509: temporary cert import operation failed
002 "tun-in-1" #6: cert verify failed with internal error
002 "tun-in-1" #6: X509: Certificate rejected for this connection
002 "tun-in-1" #6: X509: CERT payload bogus or revoked
224 "tun-in-1" #6: STATE_PARENT_I2: v2N_AUTHENTICATION_FAILED
------------------------------------

After this, I did some further investigation. When I change each host's certificate to a CA-signed certificate (signed by the same CA), everything works. What exactly is my problem? Is the self-signed certificate not allowed? I really appreciate it if anyone can give me some clue.

-Qiuyu

_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
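The following script is an added example and is not part of the original post, nor libreswan's own code. It models with plain openssl the distinction the poster observed: a certificate issued by a CA chains to a trust anchor, while a self-signed end-entity certificate only verifies when it is itself placed in the trust store. All material is constructed on the fly (a throwaway CA named "demo-ca", a host certificate it signs, and a self-signed certificate; the "host_1" subject merely mirrors the rightcert nickname in the post). libreswan performs peer-certificate verification inside its NSS database rather than with openssl, so this is a model of the chain check, not what pluto itself runs.

```shell
# Added example: compare a CA-signed certificate with a self-signed one using
# only openssl. Everything below is constructed for the demonstration.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Print the subject or issuer DN of a PEM certificate with the "subject="/"issuer="
# prefix stripped, so the two can be compared directly.
cert_field() {            # $1 = cert file, $2 = subject | issuer
  openssl x509 -in "$1" -noout "-$2" | sed 's/^[a-z]*= *//'
}

# "yes" if the certificate names itself as issuer AND validates with itself as
# the only trust anchor (i.e. the signature is made by its own key); else "no".
is_self_signed() {        # $1 = cert file
  if [ "$(cert_field "$1" subject)" = "$(cert_field "$1" issuer)" ] \
     && openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; then
    echo yes
  else
    echo no
  fi
}

# Succeed only if the certificate chains to a trust anchor in the given bundle.
verify_chain() {          # $1 = cert file, $2 = CA bundle (PEM)
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Constructed material: a throwaway CA, a host cert signed by it, and a
# self-signed host cert with the same subject.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -subj "/CN=host_1" \
  -keyout "$WORK/signed.key" -out "$WORK/signed.csr" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$WORK/signed.csr" -CA "$WORK/ca.crt" \
  -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/signed.crt" >/dev/null 2>&1
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=host_1" \
  -keyout "$WORK/self.key" -out "$WORK/self.crt" >/dev/null 2>&1

CA_BUNDLE="$WORK/ca.crt"
CA_SIGNED="$WORK/signed.crt"
SELF_SIGNED="$WORK/self.crt"

# One line per certificate: is it self-signed, and does it chain to the CA?
report() {                # $1 = label, $2 = cert file
  if verify_chain "$2" "$CA_BUNDLE"; then v=chains-to-CA; else v=no-chain; fi
  echo "$1: self-signed=$(is_self_signed "$2") verify-against-CA=$v"
}
report ca-signed   "$CA_SIGNED"    # ca-signed: self-signed=no verify-against-CA=chains-to-CA
report self-signed "$SELF_SIGNED"  # self-signed: self-signed=yes verify-against-CA=no-chain
```

Run it as-is; it needs only openssl and a writable temp directory. The two `report` lines summarise the situation in the post: the same subject name validates when a trusted CA issued the certificate, and fails the chain check when the certificate vouches only for itself. When diagnosing the error above, the first thing to establish is therefore which trust anchors the responder's certificate store actually contains and whether the peer's certificate chains to one of them.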