Well, just read what the log tells you:

  subject certificate invalid (valid from Sep 12 10:47:25 2011 to Sep 11 10:47:25 2012)

The certificate expired on September 11 2012 so you have to generate and
install a fresh one.

Best regards

Andreas

On 10/31/2012 04:39 AM, Jun Yin wrote:
> Anybody could help to check what's wrong with my config?
>
> I got below error:
> oot@pc150:~# ipsec up forti_working
> initiating IKE_SA forti_working[1] to 192.168.6.63
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> sending packet: from 192.168.6.150[500] to 192.168.6.63[500]
> received packet: from 192.168.6.63[500] to 192.168.6.150[500]
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
> received cert request for "C=CA, ST=BC, L=Burnaby, O=Fortinet Inc,
> OU=QA, CN=fortinet.local-CA-2, [email protected]"
> sending cert request for "C=CA, ST=BC, L=Burnaby, O=Fortinet Inc,
> OU=QA, CN=fortinet.local-CA-2, [email protected]"
> sending cert request for "C=CA, ST=bc, L=vancouver, O=fortinet, OU=qa,
> CN=hans_216_sub2, [email protected]"
> authentication of 'C=CA, ST=BC, L=Burnaby, O=Fortinet Inc, OU=QA,
> CN=pauldef.fortinet.local, [email protected]' (myself) with RSA
> signature successful
> sending end entity cert "C=CA, ST=BC, L=Burnaby, O=Fortinet Inc,
> OU=QA, CN=pauldef.fortinet.local, [email protected]"
> establishing CHILD_SA forti_working
> generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH CP(ADDR DNS)
> SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) ]
> sending packet: from 192.168.6.150[4500] to 192.168.6.63[4500]
> retransmit 1 of request with message ID 1
> sending packet: from 192.168.6.150[4500] to 192.168.6.63[4500]
> received packet: from 192.168.6.63[4500] to 192.168.6.150[4500]
> parsed IKE_AUTH response 1 [ IDr CERT AUTH CP(ADDR) SA TSi TSr ]
> received end entity cert "C=CA, ST=bc, L=vancouver, O=fortinet, OU=qa,
> CN=dut2_sub2, [email protected]"
> using certificate "C=CA, ST=bc, L=vancouver, O=fortinet, OU=qa,
> CN=dut2_sub2, [email protected]"
> using trusted intermediate ca certificate "C=CA, ST=bc, L=vancouver,
> O=fortinet, OU=qa, CN=hans_216_sub2, [email protected]"
> subject certificate invalid (valid from Sep 12 10:47:25 2011 to Sep 11
> 10:47:25 2012)
> no trusted RSA public key found for 'C=CA, ST=bc, L=vancouver,
> O=fortinet, OU=qa, CN=dut2_sub2, [email protected]'
> root@pc150:~#
>
> From debug, I got:
>
> Oct 30 17:54:41 pc150 charon: 00[DMN] Starting IKEv2 charon daemon
> (strongSwan 4.5.0)
> Oct 30 17:54:41 pc150 charon: 00[LIB] Padlock not found, CPU is GenuineIntel
> Oct 30 17:54:41 pc150 charon: 00[LIB] plugin 'padlock': failed to load
> - padlock_plugin_create returned NULL
> Oct 30 17:54:41 pc150 charon: 00[KNL] listening on interfaces:
> Oct 30 17:54:41 pc150 charon: 00[KNL]   eth0
> Oct 30 17:54:41 pc150 charon: 00[KNL]     172.18.7.150
> Oct 30 17:54:41 pc150 charon: 00[KNL]     fe80::215:5dff:fe07:5f12
> Oct 30 17:54:41 pc150 charon: 00[KNL]   eth1
> Oct 30 17:54:41 pc150 charon: 00[KNL]     192.168.6.150
> Oct 30 17:54:41 pc150 charon: 00[KNL]     fe80::215:5dff:fe07:5f19
> Oct 30 17:54:41 pc150 charon: 00[CFG] loading ca certificates from
> '/etc/ipsec.d/cacerts'
> Oct 30 17:54:41 pc150 charon: 00[CFG]   loaded ca certificate "C=CA,
> ST=BC, L=Burnaby, O=Fortinet Inc, OU=QA, CN=fortinet.local-CA-2,
> [email protected]" from
> '/etc/ipsec.d/cacerts/fortinet.local-CA-2-cacert.pem'
> Oct 30 17:54:41 pc150 charon: 00[CFG]   loaded ca certificate "C=CA,
> ST=bc, L=vancouver, O=fortinet, OU=qa, CN=hans_216_sub2,
> [email protected]" from
> '/etc/ipsec.d/cacerts/cacert_sub2.pem'
> Oct 30 17:54:41 pc150 charon: 00[CFG] loading aa certificates from
> '/etc/ipsec.d/aacerts'
> Oct 30 17:54:41 pc150 charon: 00[CFG] loading ocsp signer certificates
> from '/etc/ipsec.d/ocspcerts'
> Oct 30 17:54:41 pc150 charon: 00[CFG] loading attribute certificates
> from '/etc/ipsec.d/acerts'
> Oct 30 17:54:41 pc150 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
> Oct 30 17:54:41 pc150 charon: 00[CFG] loading secrets from
> '/etc/ipsec.secrets'
> Oct 30 17:54:41 pc150 charon: 00[CFG]   loaded IKE secret for
> 192.168.111.221 192.168.111.111
> Oct 30 17:54:41 pc150 charon: 00[CFG]   loaded IKE secret for
> 192.168.2.221 192.168.2.236
> Oct 30 17:54:41 pc150 charon: 00[CFG]   loaded IKE secret for
> 192.168.2.162 192.168.2.100
>
> Oct 30 17:54:42 pc150 charon: 00[CFG]   loaded RSA private key from
> '/etc/ipsec.d/private/[email protected]'
> Oct 30 17:54:42 pc150 charon: 00[CFG] sql plugin: database URI not set
> Oct 30 17:54:42 pc150 charon: 00[LIB] plugin 'sql': failed to load -
> sql_plugin_create returned NULL
> Oct 30 17:54:42 pc150 charon: 00[CFG] no valid RADIUS server configuration
> found
> Oct 30 17:54:42 pc150 charon: 00[LIB] plugin 'eap-radius': failed to
> load - eap_radius_plugin_create returned NULL
> Oct 30 17:54:42 pc150 charon: 00[CFG] mediation database URI not
> defined, skipped
> Oct 30 17:54:42 pc150 charon: 00[LIB] plugin 'medsrv': failed to load
> - medsrv_plugin_create returned NULL
> Oct 30 17:54:42 pc150 charon: 00[CFG] mediation client database URI
> not defined, skipped
> Oct 30 17:54:42 pc150 charon: 00[LIB] plugin 'medcli': failed to load
> - medcli_plugin_create returned NULL
> Oct 30 17:54:42 pc150 charon: 00[LIB] plugin 'nm' failed to load:
> /usr/lib/ipsec/plugins/libstrongswan-nm.so: cannot open shared object
> file: No such file or directory
> Oct 30 17:54:42 pc150 charon: 00[CFG] HA config misses local/remote address
> Oct 30 17:54:42 pc150 charon: 00[LIB] plugin 'ha': failed to load -
> ha_plugin_create returned NULL
> Oct 30 17:54:42 pc150 charon: 00[DMN] loaded plugins: test-vectors
> curl ldap aes des sha1 sha2 md5 random x509 revocation pubkey pkcs1
> pgp pem openssl fips-prf gmp agent pkcs11 xcbc hmac ctr ccm gcm attr
> kernel-netlink resolve socket-raw farp stroke updown eap-identity
> eap-aka eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-tnc dhcp led
> addrblock
> Oct 30 17:54:42 pc150 charon: 00[JOB] spawning 16 worker threads
> Oct 30 17:54:42 pc150 charon: 09[CFG] received stroke: add connection
> 'forti_notworking'
> Oct 30 17:54:42 pc150 charon: 09[CFG]   loaded certificate "C=CA,
> ST=BC, L=Burnaby, O=Fortinet Inc, OU=QA, CN=pauldef.fortinet.local,
> [email protected]" from '[email protected]'
> Oct 30 17:54:42 pc150 charon: 09[CFG]   id 'pdef' not confirmed by
> certificate, defaulting to 'C=CA, ST=BC, L=Burnaby, O=Fortinet Inc,
> OU=QA, CN=pauldef.fortinet.local, [email protected]'
> Oct 30 17:54:42 pc150 charon: 09[CFG] added configuration 'forti_notworking'
> Oct 30 17:54:42 pc150 charon: 13[CFG] received stroke: add connection
> 'forti_working'
> Oct 30 17:54:42 pc150 charon: 13[CFG]   loaded certificate "C=CA,
> ST=BC, L=Burnaby, O=Fortinet Inc, OU=QA, CN=pauldef.fortinet.local,
> [email protected]" from '[email protected]'
> Oct 30 17:54:42 pc150 charon: 13[CFG]   id 'pdef' not confirmed by
> certificate, defaulting to 'C=CA, ST=BC, L=Burnaby, O=Fortinet Inc,
> OU=QA, CN=pauldef.fortinet.local, [email protected]'
> Oct 30 17:54:42 pc150 charon: 13[CFG] added configuration 'forti_working'
>
> Oct 30 17:58:53 pc150 charon: 10[CFG] received stroke: initiate
> 'forti_working'
> Oct 30 17:58:53 pc150 charon: 01[IKE] initiating IKE_SA
> forti_working[1] to 192.168.6.63
> Oct 30 17:58:53 pc150 charon: 01[ENC] generating IKE_SA_INIT request 0
> [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Oct 30 17:58:53 pc150 charon: 01[NET] sending packet: from
> 192.168.6.150[500] to 192.168.6.63[500]
> Oct 30 17:58:53 pc150 charon: 16[NET] received packet: from
> 192.168.6.63[500] to 192.168.6.150[500]
> Oct 30 17:58:53 pc150 charon: 16[ENC] parsed IKE_SA_INIT response 0 [
> SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
> Oct 30 17:58:54 pc150 charon: 16[IKE] received cert request for "C=CA,
> ST=BC, L=Burnaby, O=Fortinet Inc, OU=QA, CN=fortinet.local-CA-2,
> [email protected]"
> Oct 30 17:58:54 pc150 charon: 16[IKE] sending cert request for "C=CA,
> ST=BC, L=Burnaby, O=Fortinet Inc, OU=QA, CN=fortinet.local-CA-2,
> [email protected]"
> Oct 30 17:58:54 pc150 charon: 16[IKE] sending cert request for "C=CA,
> ST=bc, L=vancouver, O=fortinet, OU=qa, CN=hans_216_sub2,
> [email protected]"
> Oct 30 17:58:54 pc150 charon: 16[IKE] authentication of 'C=CA, ST=BC,
> L=Burnaby, O=Fortinet Inc, OU=QA, CN=pauldef.fortinet.local,
> [email protected]' (myself) with RSA signature successful
> Oct 30 17:58:54 pc150 charon: 16[IKE] sending end entity cert "C=CA,
> ST=BC, L=Burnaby, O=Fortinet Inc, OU=QA, CN=pauldef.fortinet.local,
> [email protected]"
> Oct 30 17:58:54 pc150 charon: 16[IKE] establishing CHILD_SA forti_working
> Oct 30 17:58:54 pc150 charon: 16[ENC] generating IKE_AUTH request 1 [
> IDi CERT CERTREQ IDr AUTH CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP)
> N(ADD_4_ADDR) N(EAP_ONLY) ]
> Oct 30 17:58:54 pc150 charon: 16[NET] sending packet: from
> 192.168.6.150[4500] to 192.168.6.63[4500]
> Oct 30 17:58:58 pc150 charon: 12[IKE] retransmit 1 of request with message ID
> 1
> Oct 30 17:58:58 pc150 charon: 12[NET] sending packet: from
> 192.168.6.150[4500] to 192.168.6.63[4500]
> Oct 30 17:58:59 pc150 charon: 09[NET] received packet: from
> 192.168.6.63[4500] to 192.168.6.150[4500]
> Oct 30 17:58:59 pc150 charon: 09[ENC] parsed IKE_AUTH response 1 [ IDr
> CERT AUTH CP(ADDR) SA TSi TSr ]
> Oct 30 17:58:59 pc150 charon: 09[IKE] received end entity cert "C=CA,
> ST=bc, L=vancouver, O=fortinet, OU=qa, CN=dut2_sub2,
> [email protected]"
> Oct 30 17:58:59 pc150 charon: 09[CFG]   using certificate "C=CA,
> ST=bc, L=vancouver, O=fortinet, OU=qa, CN=dut2_sub2,
> [email protected]"
> Oct 30 17:58:59 pc150 charon: 09[CFG]   using trusted intermediate ca
> certificate "C=CA, ST=bc, L=vancouver, O=fortinet, OU=qa,
> CN=hans_216_sub2, [email protected]"
> Oct 30 17:58:59 pc150 charon: 09[CFG]   subject certificate invalid
> (valid from Sep 12 10:47:25 2011 to Sep 11 10:47:25 2012)
> Oct 30 17:58:59 pc150 charon: 09[IKE] no trusted RSA public key found
> for 'C=CA, ST=bc, L=vancouver, O=fortinet, OU=qa, CN=dut2_sub2,
> [email protected]'
> Oct 30 18:17:02
>
> My config files:
>
> oot@pc150:~# cat /etc/ipsec.conf
> config setup
>         #charondebug="dmn 1, mgr 1, ike 2, chd 1, job 1, cfg 5, knl 1,
> net 5, enc 4, lib 4"
>         charondebug=all
>         dumpdir=/var/crash
>         hidetos=yes
>         nat_traversal=yes
>         plutostart=no
>
> conn %default
>         auto=add
>         # ike=aes128-3des-sha256-modp2048!
>         ike=aes128-3des-sha-modp2048!
>         ikelifetime=24h
>         keyexchange=ikev2
>         keyingtries=1
>         keylife=4h
>         left= 192.168.6.150
>         leftnexthop=192.168.6.63
>         leftsourceip=%config
>         reauth=no
>         rekey=yes
>         rekeyfuzz=10%
>         rekeymargin=10m
>         #[email protected]
>         rightauth=pubkey
>         leftauth=pubkey
>         right=192.168.6.63
>         leftcert="[email protected]"
>         leftid=@pdef
>
> conn forti_notworking
>         rightid=@dut1fqdn
>         rightsubnet=0.0.0.0/0
>         leftsubnet=0.0.0.0/0
>
> conn forti_working
>         #rightid="C=GB, ST=Wiltshire, L=Swindon, O=Example Operator,
> OU=PKI, CN=fortinet.sha1.example.com, [email protected]"
>         #rightid="CN=paul.fortinet.local"
>         rightid="C=CA, ST=BC, L=Burnaby, O=Fortinet Inc, OU=QA,
> CN=paul.fortinet.local, [email protected]"
>         #rightsubnet=192.168.2.0/24
>         #rightsubnet=135.86.206.154/32
>         #works rightsubnet=10.4.0.0/24
>         leftsubnet=0.0.0.0/0
>         rightsubnet=0.0.0.0/0
>         #rightsubnet=135.1.1.1/32
>         #leftsubnet=135.1.1.2/32
>         #leftsubnet=10.244.243.4/32
>         #leftsubnet=192.168.2.201/32
>         #leftsubnet=10.244.243.0/24
>         #forceencaps=yes
>
> root@pc150:~# cat /etc/ipsec.secrets
> 192.168.111.221 192.168.111.111 : PSK "123456"
> 192.168.2.221 192.168.2.236 : PSK "123456"
> 192.168.2.162 192.168.2.100 : PSK "123456"
> 192.168.6.150 192.168.6.63 : RSA "[email protected]" 111111
>
> Thanks a lot!

--
======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
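An added example, not from the thread or from strongSwan, that pulls the "subject certificate invalid" lines out of a charon syslog and reports whether the peer certificate was already expired, not yet valid, or rejected inside its own window (which usually means the initiator's clock is wrong). The function name `classify_validity_errors`, the constructed `SAMPLE_LOG` and the 2012 log year are assumptions of the example; syslog lines carry no year, so it has to be supplied.

```python
import re
from datetime import datetime

# Constructed sample lines modelled on the charon log quoted in the thread;
# the last line is invented to exercise the not-yet-valid branch.
SAMPLE_LOG = """\
Oct 30 17:58:59 pc150 charon: 09[CFG]   using trusted intermediate ca certificate "C=CA, ST=bc, L=vancouver, O=fortinet, OU=qa, CN=hans_216_sub2"
Oct 30 17:58:59 pc150 charon: 09[CFG]   subject certificate invalid (valid from Sep 12 10:47:25 2011 to Sep 11 10:47:25 2012)
Oct 30 17:58:59 pc150 charon: 09[IKE] no trusted RSA public key found for 'C=CA, ST=bc, L=vancouver, O=fortinet, OU=qa, CN=dut2_sub2'
Nov  1 08:00:00 pc150 charon: 11[CFG]   subject certificate invalid (valid from Nov 05 00:00:00 2012 to Nov 04 23:59:59 2013)
"""

# Syslog prefix (month, day, time, host) followed by the charon message
# that triggered this thread; the validity bounds are captured as text.
VALIDITY_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ charon: "
    r"\d+\[CFG\] +subject certificate invalid "
    r"\(valid from (?P<nb>.+?) to (?P<na>.+?)\)$"
)
CERT_TIME_FMT = "%b %d %H:%M:%S %Y"  # e.g. "Sep 11 10:47:25 2012"


def classify_validity_errors(log_text, log_year):
    """Return one dict per 'subject certificate invalid' line.

    log_year is the year the log was captured (syslog omits it); for the
    log in this thread that is assumed to be 2012.
    """
    findings = []
    for line in log_text.splitlines():
        m = VALIDITY_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["stamp"].split())  # squeeze "Nov  1" to "Nov 1"
        seen = datetime.strptime(f"{stamp} {log_year}", CERT_TIME_FMT)
        not_before = datetime.strptime(m["nb"], CERT_TIME_FMT)
        not_after = datetime.strptime(m["na"], CERT_TIME_FMT)
        if seen > not_after:
            reason, days = "expired", (seen - not_after).days
        elif seen < not_before:
            reason, days = "not_yet_valid", (not_before - seen).days
        else:
            # Window covers the log time, yet charon rejected it: check
            # the initiator's clock and time zone before anything else.
            reason, days = "in_window_check_clock", 0
        findings.append({"seen": seen, "not_before": not_before,
                         "not_after": not_after, "reason": reason,
                         "days": days})
    return findings
```

Run against the thread's log it reports the peer certificate as expired by 49 days at the time of the IKE_AUTH exchange, which is the renewal the reply asks for.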
