Hi Rashid, an endpoint must store either the SubCA certificate locally in /etc/ipsec.d/cacerts or must receive it from the peer together with the user certificate in an IKEv2 CERT payload.
Regards Andreas On 03/09/2013 05:00 PM, Mohammed Rashid wrote: > *Hi All, > > I am using strongswan 5.0.2. I am using the following configuration with > host-host transport mode. > It was working fine when I was using the certificates directly from RootCA. > But when I generated certificates from SUBCA, ipsec starts giving errors > which I mentioned below.. > * > /Mar 9 15:22:13 charon: 15[CFG] received stroke: initiate 'user4' > > Mar 9 15:22:13 charon: 10[IKE] initiating IKE_SA user4[5] to 192.168.20.126 > Mar 9 15:22:13 charon: 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No > N(NATD_S_IP) N(NATD_D_IP) ] > Mar 9 15:22:13 charon: 10[NET] sending packet: from 192.168.20.112[500] to > 192.168.20.126[500] (692 bytes) > > Mar 9 15:22:13 charon: 09[NET] received packet: from 192.168.20.126[500] to > 192.168.20.112[500] (432 bytes) > Mar 9 15:22:13 charon: 09[ENC] parsed IKE_SA_INIT response 0 [ SA KE No > N(NATD_S_IP) N(NATD_D_IP) ] > Mar 9 15:22:13 charon: 09[IKE] authentication of 'user5' (myself) with RSA > signature successful > > Mar 9 15:22:13 charon: 09[IKE] establishing CHILD_SA user4 > Mar 9 15:22:13 charon: 09[ENC] generating IKE_AUTH request 1 [ IDi > N(INIT_CONTACT) IDr AUTH N(USE_TRANSP) SA TSi TSr N(EAP_ONLY) ] > Mar 9 15:22:13 charon: 09[NET] sending packet: from 192.168.20.112[500] to > 192.168.20.126[500] (684 bytes) > > Mar 9 15:22:13 charon: 07[NET] received packet: from 192.168.20.126[500] to > 192.168.20.112[500] (76 bytes) > *Mar 9 15:22:13 charon: 07[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ] > Mar 9 15:22:13 charon: 07[IKE] received AUTHENTICATION_FAILED notify error* > > > > Mar 9 17:28:43 charon: 15[NET] received packet: from 192.168.20.112[500] to > 192.168.20.126[500] (692 bytes) > Mar 9 17:28:43 charon: 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No > N(NATD_S_IP) N(NATD_D_IP) ] > > Mar 9 17:28:43 charon: 15[IKE] 192.168.20.112 is initiating an IKE_SA > Mar 9 17:28:43 charon: 15[IKE] sending cert request for "CN=...." > Mar 9 17:28:43 charon: 15[ENC] generating IKE_SA_INIT response 0 [ SA KE No > N(NATD_S_IP) N(NATD_D_IP) CERTREQ ] > > Mar 9 17:28:43 charon: 15[NET] sending packet: from 192.168.20.126[500] to > 192.168.20.112[500] (457 bytes) > Mar 9 17:28:43 charon: 09[NET] received packet: from 192.168.20.112[500] to > 192.168.20.126[500] (1548 bytes) > > Mar 9 17:28:43 charon: 09[ENC] parsed IKE_AUTH request 1 [ IDi CERT > N(INIT_CONTACT) CERTREQ IDr AUTH N(USE_TRANSP) SA TSi TSr N(EAP_ONLY) ] > Mar 9 17:28:43 charon: 09[IKE] received cert request for "CN...." > > Mar 9 17:28:43 charon: 09[IKE] received end entity cert "CN=user5..." > Mar 9 17:28:43 charon: 09[CFG] looking for peer configs matching > 192.168.20.126[user4]...192.168.20.112[user5] > Mar 9 17:28:43 charon: 09[CFG] selected peer config 'user5' > > Mar 9 17:28:43 charon: 09[CFG] using certificate "CN=user5..." > *Mar 9 17:28:43 charon: 09[CFG] no issuer certificate found for > "CN=user5...." > Mar 9 17:28:43 charon: 09[IKE] no trusted RSA public key found for 'user5'* > > Mar 9 17:28:43 charon: 09[ENC] generating IKE_AUTH response 1 [ > N(AUTH_FAILED) ] > Mar 9 17:28:43 charon: 09[NET] sending packet: from 192.168.20.126[500] to > 192.168.20.112[500] (76 bytes)/ > > Regards, > Rashid ====================================================================== Andreas Steffen [email protected] strongSwan - the Linux VPN Solution! www.strongswan.org Institute for Internet Technologies and Applications University of Applied Sciences Rapperswil CH-8640 Rapperswil (Switzerland) ===========================================================[ITA-HSR]==
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
