Here is some additional debugging from pluto.log from bwimail03 where this is failing:

Jan 29 20:36:53.923864: | checking keyid '@arcade' for match with '@arcade'
Jan 29 20:36:53.923867: | key issuer CA is '%any'
Jan 29 20:36:53.923870: | checking keyid '@bwimail03' for match with '@arcade'
Jan 29 20:36:53.923873: "bwimail03-arcade" #5: Signature check (on @arcade) failed (wrong key?); tried *AwEAAfVyj
Jan 29 20:36:53.923902: | public key for @arcade failed: decrypted SIG payload into a malformed ECB (SIG length does not match public key length)
Jan 29 20:36:53.923905: "bwimail03-arcade" #5: RSA authentication failed
Jan 29 20:36:53.923921: | processing: [RE]START state #5 connection "bwimail03-arcade" 107.155.66.2 (in complete_v2_state_transition() at ikev2.c:2788)
Jan 29 20:36:53.923924: | #5 complete v2 state transition from STATE_PARENT_I2 with STF_FATAL
Jan 29 20:36:53.923951: | release_pending_whacks: state #5 fd@23 .st_dev=9 .st_ino=7497694

It's also interesting to note that on the remote system (arcade), it seems to think the link is up:

000 #5: "bwimail03-arcade":500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REPLACE in 1940s; idle;
000 #6: "bwimail03-arcade":500 STATE_V2_IPSEC_R (IPsec SA established); EVENT_SA_REPLACE in 27140s; isakmp#5; idle;
000 #6: "bwimail03-arcade" [email protected] [email protected] [email protected] [email protected] ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=0B
000 #7: "bwimail03-arcade":500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REPLACE in 1988s; newest ISAKMP; idle;
000 #8: "bwimail03-arcade":500 STATE_V2_IPSEC_R (IPsec SA established); EVENT_SA_REPLACE in 27188s; newest IPSEC; eroute owner; isakmp#7; idle;
000 #8: "bwimail03-arcade" [email protected] [email protected] [email protected] [email protected] ref=0 refhim=0 Traffic: ESPin=0B ESPout=1KB! ESPmax=0B

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
