Now I understand: the peer ID MUST be the full subject line from the peer certificate, not only the CN from the subject line. When I replaced that in ipsec.conf, the line pointing to the local copy of the peer certificate was no longer needed.
On Fri, Aug 31, 2012 at 1:11 PM, Jorge Ventura < [email protected]> wrote:

> I have a linux box configured to authenticate by RSA signature using x509
> certificate self-signed. My peer is a cisco router ASA-5505.
> Both sides have the CA (self signed) certificate authority and they are
> using IKEv2 and everything is working but I have one question:
>
> Why do I need to have the certificate from the peer installed locally in
> the directory /etc/ipsec.d/certs ??? It's weird to me because the ASA-5505
> doesn't have any information about the certificate from the linux box,
> it's negotiated at the time of connection. If I remove the directive at
> ipsec.conf pointing to a local certificate copy from the peer, I receive a message:
>
> constraint check failed: identity '10.15.1.1' required
>
> and the connection does not succeed.
>
> I think that my configuration is incomplete.
>
>
> Thanks,
> Ventura
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
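The configuration shape the thread converges on, written out as an added illustration (this is not the poster's ipsec.conf and not a strongSwan project sample). It assumes the local certificate linuxCert.pem is installed in /etc/ipsec.d/certs with its key referenced from ipsec.secrets, that the self-signed CA certificate is in /etc/ipsec.d/cacerts, and that the DNs, the left address and the hostnames are constructed placeholders; only the peer address 10.15.1.1 comes from the thread.

```ini
# /etc/ipsec.conf (constructed example; DNs and 10.15.1.2 are placeholders)
config setup

conn asa
    keyexchange=ikev2
    authby=rsasig
    left=10.15.1.2
    leftcert=linuxCert.pem
    # Our own identity is sent to the peer as the subject DN of leftcert.
    leftid="C=US, O=Example Corp, CN=linux.example.com"
    right=10.15.1.1
    # The peer authenticates with the certificate it sends during IKE_AUTH,
    # which strongSwan validates against the CA in /etc/ipsec.d/cacerts.
    # No rightcert= line is required for that; a local copy of the peer's
    # certificate only matters when rightid is left unset, because rightid
    # then defaults to the subject DN of rightcert, and without either it
    # falls back to the IP address in right= (the "identity '10.15.1.1'
    # required" constraint in the quoted error).
    # The value must be the complete subject DN of the ASA's certificate,
    # not just its CN, so that it matches the DN-type ID the ASA asserts.
    rightid="C=US, O=Example Corp, CN=asa.example.com"
    auto=add
```

To copy the exact subject string rather than retype it, `openssl x509 -in peer.pem -noout -subject` prints the DN of any PEM certificate, and `ipsec listcerts` shows the subject of every certificate strongSwan has loaded; an attribute typed in a different order or with a different spelling will not match and the same constraint error is the symptom to look for in the log.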
