Hi Andreas,

I am putting both RootCA & SubCA locally in /etc/ipsec.d/cacerts but it's still giving the same error. Even when I do "ipsec listall" it's only showing the RootCA.

Regards,
Rashid

On Sat, Mar 9, 2013 at 8:03 PM, Andreas Steffen <[email protected]> wrote:

> Hi Rashid,
>
> an endpoint must store either the SubCA certificate locally in
> /etc/ipsec.d/cacerts or must receive it from the peer together
> with the user certificate in an IKEv2 CERT payload.
>
> Regards
>
> Andreas
>
> On 03/09/2013 05:00 PM, Mohammed Rashid wrote:
> > *Hi All,
> >
> > I am using strongswan 5.0.2. I am using the following configuration with
> > host-host transport mode.
> > It was working fine when I was using the certificates directly from
> > RootCA. But when I generated certificates from SUBCA, ipsec starts giving
> > errors which I mentioned below..
> > *
> > /Mar 9 15:22:13 charon: 15[CFG] received stroke: initiate 'user4'
> > Mar 9 15:22:13 charon: 10[IKE] initiating IKE_SA user4[5] to 192.168.20.126
> > Mar 9 15:22:13 charon: 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > Mar 9 15:22:13 charon: 10[NET] sending packet: from 192.168.20.112[500] to 192.168.20.126[500] (692 bytes)
> > Mar 9 15:22:13 charon: 09[NET] received packet: from 192.168.20.126[500] to 192.168.20.112[500] (432 bytes)
> > Mar 9 15:22:13 charon: 09[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > Mar 9 15:22:13 charon: 09[IKE] authentication of 'user5' (myself) with RSA signature successful
> > Mar 9 15:22:13 charon: 09[IKE] establishing CHILD_SA user4
> > Mar 9 15:22:13 charon: 09[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(USE_TRANSP) SA TSi TSr N(EAP_ONLY) ]
> > Mar 9 15:22:13 charon: 09[NET] sending packet: from 192.168.20.112[500] to 192.168.20.126[500] (684 bytes)
> > Mar 9 15:22:13 charon: 07[NET] received packet: from 192.168.20.126[500] to 192.168.20.112[500] (76 bytes)
> > *Mar 9 15:22:13 charon: 07[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> > Mar 9 15:22:13 charon: 07[IKE] received AUTHENTICATION_FAILED notify error*
> >
> > Mar 9 17:28:43 charon: 15[NET] received packet: from 192.168.20.112[500] to 192.168.20.126[500] (692 bytes)
> > Mar 9 17:28:43 charon: 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > Mar 9 17:28:43 charon: 15[IKE] 192.168.20.112 is initiating an IKE_SA
> > Mar 9 17:28:43 charon: 15[IKE] sending cert request for "CN=...."
> > Mar 9 17:28:43 charon: 15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
> > Mar 9 17:28:43 charon: 15[NET] sending packet: from 192.168.20.126[500] to 192.168.20.112[500] (457 bytes)
> > Mar 9 17:28:43 charon: 09[NET] received packet: from 192.168.20.112[500] to 192.168.20.126[500] (1548 bytes)
> > Mar 9 17:28:43 charon: 09[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH N(USE_TRANSP) SA TSi TSr N(EAP_ONLY) ]
> > Mar 9 17:28:43 charon: 09[IKE] received cert request for "CN...."
> > Mar 9 17:28:43 charon: 09[IKE] received end entity cert "CN=user5..."
> > Mar 9 17:28:43 charon: 09[CFG] looking for peer configs matching 192.168.20.126[user4]...192.168.20.112[user5]
> > Mar 9 17:28:43 charon: 09[CFG] selected peer config 'user5'
> > Mar 9 17:28:43 charon: 09[CFG] using certificate "CN=user5..."
> > *Mar 9 17:28:43 charon: 09[CFG] no issuer certificate found for "CN=user5...."
> > Mar 9 17:28:43 charon: 09[IKE] no trusted RSA public key found for 'user5'*
> > Mar 9 17:28:43 charon: 09[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> > Mar 9 17:28:43 charon: 09[NET] sending packet: from 192.168.20.126[500] to 192.168.20.112[500] (76 bytes)/
> >
> > Regards,
> > Rashid
>
> ======================================================================
> Andreas Steffen [email protected]
> strongSwan - the Linux VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
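
Added example, not part of the original thread and not strongSwan code: a Python triage helper that reads responder-side charon lines like those quoted above and reports each IKE_AUTH request rejected for a missing issuer, along with how many CERT payloads the peer sent. It assumes that lines carrying the same worker-thread number belong to the same message; `diagnose` and its field names are hypothetical.

```python
import re

# Responder-side charon lines from the thread above, mail wrapping undone.
SAMPLE_LOG = """\
Mar 9 17:28:43 charon: 09[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH N(USE_TRANSP) SA TSi TSr N(EAP_ONLY) ]
Mar 9 17:28:43 charon: 09[IKE] received end entity cert "CN=user5..."
Mar 9 17:28:43 charon: 09[CFG] using certificate "CN=user5..."
Mar 9 17:28:43 charon: 09[CFG] no issuer certificate found for "CN=user5...."
Mar 9 17:28:43 charon: 09[IKE] no trusted RSA public key found for 'user5'
Mar 9 17:28:43 charon: 09[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

LINE = re.compile(r"charon: (\d+)\[\w+\] (.*)$")
PARSED_AUTH = re.compile(r"parsed IKE_AUTH request \d+ \[ (.*) \]")
NO_ISSUER = re.compile(r'no issuer certificate found for "([^"]*)"')
NO_KEY = re.compile(r"no trusted \w+ public key found for '([^']*)'")

def diagnose(log_text):
    """Return one finding per IKE_AUTH request rejected for a missing issuer."""
    findings, open_requests = [], {}
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        thread, msg = m.groups()
        parsed = PARSED_AUTH.match(msg)
        if parsed:
            # Assumption: one worker thread handles one message, so later
            # lines with the same thread number belong to this request.
            payloads = parsed.group(1).split()  # "CERTREQ" is a separate token
            open_requests[thread] = {"cert_payloads": payloads.count("CERT"),
                                     "missing_issuer_for": None}
            continue
        state = open_requests.get(thread)
        if state is None:
            continue
        issuer = NO_ISSUER.search(msg)
        key = NO_KEY.search(msg)
        if issuer:
            state["missing_issuer_for"] = issuer.group(1)
        elif key and state["missing_issuer_for"] is not None:
            state["peer"] = key.group(1)
            # With a single CERT payload the peer sent only its own
            # certificate, so the SubCA has to be loaded locally.
            state["peer_sent_extra_certs"] = state["cert_payloads"] > 1
            findings.append(open_requests.pop(thread))
    return findings
```

For the quoted log this yields one finding with `cert_payloads` equal to 1 and `peer_sent_extra_certs` false, which matches the two options in the reply: the SubCA certificate was neither received in a CERT payload nor found locally by the responder.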
