Hi everyone,

I am trying to configure a host-to-host transport-mode IPsec tunnel. Each
host uses the other host's self-signed certificate for
authentication. But I encountered an "X509: temporary cert import
operation failed" error.

Here is my configuration file:
----------------------------------------
config setup
    uniqueids=yes

conn %default
    keyingtries=%forever
    type=transport
    auto=route
    ike=aes_gcm256-sha2_256
    esp=aes_gcm256
    ikev2=insist

conn tun-in-1
    left=10.33.79.92
    right=10.33.79.149
    leftid=@host_2
    rightid=@host_1
    leftcert="host_2"
    rightcert="host_1"
    leftrsasigkey=%cert
    leftprotoport=udp/6081
    rightprotoport=udp

conn tun-out-1
    left=10.33.79.92
    right=10.33.79.149
    leftid=@host_2
    rightid=@host_1
    leftcert="host_2"
    rightcert="host_1"
    leftrsasigkey=%cert
    leftprotoport=udp
    rightprotoport=udp/6081

Here is the error message:
------------------------------------
002 "tun-in-1" #5: initiating v2 parent SA
133 "tun-in-1" #5: STATE_PARENT_I1: initiate
133 "tun-in-1" #5: STATE_PARENT_I1: sent v2I1, expected v2R1
002 "tun-in-1" #5: tun-in-1 ESP/AH proposals for initiator:
        1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;ESN=DISABLED
134 "tun-in-1" #6: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=aes_gcm_16_256 integ=n/a prf=sha2_256 group=MODP2048}
002 "tun-in-1" #6: X509: temporary cert import operation failed
002 "tun-in-1" #6: cert verify failed with internal error
002 "tun-in-1" #6: X509: Certificate rejected for this connection
002 "tun-in-1" #6: X509: CERT payload bogus or revoked
224 "tun-in-1" #6: STATE_PARENT_I2: v2N_AUTHENTICATION_FAILED

After this, I did some further investigation. When I change each
host's certificate to a CA-signed certificate (both signed by the same CA),
everything works.

What exactly is my problem? Are self-signed certificates not allowed?

I would really appreciate it if anyone could give me a clue.

-Qiuyu
_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
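The post contrasts two setups: a different self-signed certificate on each host (fails) and two certificates issued by one CA (works). The script below is an added example, not code from the post or from libreswan; it reproduces that contrast with plain OpenSSL so the X.509 chain-building rule behind it is visible. libreswan validates peer certificates with NSS rather than OpenSSL, and the post does not say what its NSS verification requires, so this is not presented as the fix, only as the rule that separates the two cases: a self-signed end-entity certificate verifies only when that exact certificate is in the verifier's trust store, so with one self-signed certificate per host, each peer's certificate would have to be trusted on the other side, whereas with a common CA only the CA certificate needs to be trusted. The names host_1, host_2 and lab-ca, the key sizes, the scratch directory and the minimal OpenSSL config are constructed for this demo.

```shell
#!/bin/sh
# Added example (not from the post or from libreswan): show, with OpenSSL,
# when a self-signed certificate verifies and when a CA-signed one does.
# Names, key sizes and the scratch directory are constructed for the demo.
set -eu

# Scratch directory; removed on exit unless the caller supplied WORK.
if [ -z "${WORK:-}" ]; then
    WORK=$(mktemp -d)
    trap 'rm -rf "$WORK"' EXIT
fi
CNF="$WORK/openssl.cnf"

# Minimal OpenSSL config so the demo does not depend on the system one.
# ca_ext marks a certificate as a CA; ee_ext marks an end-entity cert.
cat > "$CNF" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no

[dn]
CN = placeholder

[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

[ee_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash
EOF

# Self-signed end-entity certificate for NAME: what each host in the post
# presents. It is its own issuer but is not a CA.
make_selfsigned() {
    name="$1"
    openssl req -config "$CNF" -x509 -newkey rsa:2048 -nodes -days 30 \
        -extensions ee_ext -subj "/CN=$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.crt" >/dev/null 2>&1
}

# One small CA (lab-ca), then an end-entity certificate for NAME issued by it.
make_ca() {
    openssl req -config "$CNF" -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=lab-ca" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

make_ca_signed() {
    name="$1"
    openssl req -config "$CNF" -new -newkey rsa:2048 -nodes \
        -subj "/CN=$name" \
        -keyout "$WORK/$name-ca.key" -out "$WORK/$name-ca.csr" >/dev/null 2>&1
    openssl x509 -req -days 30 -in "$WORK/$name-ca.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$CNF" -extensions ee_ext \
        -out "$WORK/$name-ca.crt" >/dev/null 2>&1
}

# Exit 0 if CERT chains to a certificate in ANCHORS, non-zero otherwise.
# With no ANCHORS the trust store is empty, which is the position of a
# verifier that was never given the peer's certificate as trusted.
# -no-CApath/-no-CAfile keep the system trust store out of the result.
verify_cert() {
    cert="$1"
    anchors="${2:-}"
    if [ -n "$anchors" ]; then
        openssl verify -no-CApath -no-CAfile -CAfile "$anchors" "$cert" >/dev/null 2>&1
    else
        openssl verify -no-CApath -no-CAfile "$cert" >/dev/null 2>&1
    fi
}

# Print one line per case: OK or FAIL, then the description.
report() {
    if verify_cert "$2" "${3:-}"; then echo "OK   $1"; else echo "FAIL $1"; fi
}

make_selfsigned host_1
make_selfsigned host_2
make_ca
make_ca_signed host_1
make_ca_signed host_2

report "host_1 self-signed, nothing trusted"            "$WORK/host_1.crt"
report "host_1 self-signed, host_2's cert trusted"      "$WORK/host_1.crt"    "$WORK/host_2.crt"
report "host_1 self-signed, host_1's own cert trusted"  "$WORK/host_1.crt"    "$WORK/host_1.crt"
report "host_1 CA-signed, nothing trusted"              "$WORK/host_1-ca.crt"
report "host_1 CA-signed, lab-ca trusted"               "$WORK/host_1-ca.crt" "$WORK/ca.crt"
report "host_2 CA-signed, lab-ca trusted"               "$WORK/host_2-ca.crt" "$WORK/ca.crt"
```

Only the third, fifth and sixth cases print OK. The second case is the shape of the post's failing setup: host_1's self-signed certificate checked by a verifier that trusts host_2's certificate, which is a different self-signed certificate and cannot issue anything. The last two cases are the shape of the working setup, where a single CA certificate covers both hosts. Whether libreswan's NSS store on each host must hold the peer's self-signed certificate as a trusted entry, or accepts only CA-issued peer certificates, is the question the post leaves open and this script does not settle.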