On Thu, 16 Apr 2020, Madhan Raj wrote:

> Hi Paul and others,
>
> version: libreswan-3.25-4.1.el7.x86_64
>
> I have attached my policy details.
>
> Apr 16 06:05:09.641313: "71807379470_x509" #1: Peer ID is ID_DER_ASN1_DN: 'C=IN, ST=i, L=i, O=i, OU=i, CN=cucm-142'
> Apr 16 06:05:09.641847: "71807379470_x509" #1: X509: no EE-cert in chain!
> Apr 16 06:05:09.641884: "71807379470_x509" #1: X509: Certificate rejected for this connection

Are these self-signed certs? Based on the below it does not look like it.

> by end server certificate
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             21:00:00:00:06:f3:f5:a4:46:60:5d:83:b2:00:00:00:00:00:06
>         Signature Algorithm: sha256WithRSAEncryption
>         Issuer: DC=internal, DC=CAPLAB, CN=CAPLAB-BLDR-DEV-201-CA-1
>         Validity
>             Not Before: Apr 14 02:18:57 2020 GMT
>             Not After : Apr 14 02:28:57 2022 GMT
>         Subject: C=IN, ST=i, L=i, O=i, OU=i, CN=cucm-142

Can you show me: certutil -L -d sql:/etc/ipsec.d

I wonder if you are missing trust bits?

>         X509v3 extensions:
>             X509v3 Extended Key Usage:
>                 TLS Web Server Authentication, TLS Web Client Authentication, IPSec End System
>             X509v3 Key Usage: critical
>                 Digital Signature, Certificate Sign, CRL Sign

looks ok.

Paul
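An added example, not part of the thread, of the trust-bit check Paul is asking for: it parses a constructed `certutil -L -d sql:/etc/ipsec.d` listing and reports certificates that carry no trust flags. The nicknames and the listing itself are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread: audit the trust flags in an NSS cert DB
# listing, the check behind `certutil -L -d sql:/etc/ipsec.d`.
# The listing below is constructed to mimic certutil's output; the nicknames
# are assumptions. On a real host feed it the live output, e.g.
#   trust_flags "$(certutil -L -d sql:/etc/ipsec.d)" "<CA nickname>"

# Constructed listing: the CA is present but carries no trust at all (",,"),
# so libreswan cannot build a trusted chain to the peer's end-entity cert.
SAMPLE_LISTING='Certificate Nickname                              Trust Attributes
                                                  SSL,S/MIME,JAR/XPI

CAPLAB-BLDR-DEV-201-CA-1                          ,,
cucm-142                                          u,u,u'

# Same listing after the CA has been marked as a trusted CA with
#   certutil -M -d sql:/etc/ipsec.d -n "CAPLAB-BLDR-DEV-201-CA-1" -t "CT,,"
FIXED_LISTING='CAPLAB-BLDR-DEV-201-CA-1                          CT,,
cucm-142                                          u,u,u'

# Print the trust attribute column for one nickname (empty if absent).
# Assumes nicknames without spaces, as in the constructed listing.
trust_flags() {
    printf '%s\n' "$1" | awk -v nick="$2" '$1 == nick { print $NF }'
}

# Succeed only if the SSL slot (first field) carries the C flag, i.e. the
# certificate is trusted as a CA for issuing peer certificates.
ca_trusted() {
    flags=$(trust_flags "$1" "$2")
    case "${flags%%,*}" in
        *C*) return 0 ;;
        *)   return 1 ;;
    esac
}

# List every nickname whose trust attributes are completely empty (",,"):
# such certs sit in the DB but are ignored when validating a chain.
untrusted_nicknames() {
    printf '%s\n' "$1" | awk '$NF == ",," { print $1 }'
}

# Stand-alone run: report the state of the constructed listing.
for nick in $(untrusted_nicknames "$SAMPLE_LISTING"); do
    echo "no trust flags on: $nick (set with certutil -M ... -t \"CT,,\")"
done
```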
_______________________________________________
Swan mailing list
https://lists.libreswan.org/mailman/listinfo/swan