Hi all, I am unable to establish a host-to-host IPsec tunnel using pubkey authentication initiated by a Windows 7 system (Windows native IPsec software) to a Red Hat 6.6 system with strongSwan 5.3.5. I see the following in the charon logs:
charon: 16[CFG] reached self-signed root ca with a path length of 0 charon: 16[CFG] using trusted certificate "C=US, O=Org, OU=Unit, CN=QdCertSaIke2P384" charon: 16[IKE] signature validation failed, looking for another key charon: 16[IKE] no trusted ECDSA public key found for 'C=US, O=Org, OU=Unit, CN=QdCertSaIke2P384' charon: 16[CFG] no alternative config found I know that I have the correct trusted root certificate installed and available (it shows up earlier in the log and in the output of "ipsec stroke listcacerts"). Even more strange, using the exact same certificates (both trusted root and end-entity) and the same configuration, I can establish a tunnel between two Red Hat 6.6 strongSwan systems. In this Linux to Linux case, "ipsec stroke listcacerts" shows that the same trusted root cert is configured as in the Windows to Linux case. In fact, the entire charon trace looks almost identical except that I see "authentication successful" messages: charon: 13[CFG] reached self-signed root ca with a path length of 0 charon: 13[CFG] using trusted certificate "C=US, O=Org, OU=Unit, CN=QdCertSaIke2P384" charon: 13[IKE] authentication of 'C=US, O=Org, OU=Unit, CN=QdCertSaIke2P384' with ECDSA successful charon: 13[IKE] authentication of 'C=US, O=Org, OU=Unit, CN=QdCertSaIke2P384' (myself) successful Why might there be a difference in the result of pubkey authentication between Windows and Linux versus two Linux systems? Even with IKE, CFG, and NET logging turned up to the highest level, I don't see anything to indicate why the same certificates / signatures are validated in one case but not the other. I have attached my ipsec.conf files and syslog files for both the Linux to Linux and Windows to Windows cases. The IP addresses were as follows: Windows to Linux: Windows (192.168.9.2) --> Red Hat 6.6 (192.168.9.12) Linux to Linux: Red Hat 6.6 (192.168.9.11) --> Red Hat 6.6 (192.168.9.12) I also attached the output of 'ipsec stroke listcacerts', which was identical in both cases. Thank you, Quinn Detweiler
windows-to-linux-syslog
Description: windows-to-linux-syslog
windows-to-linux-ipsec.conf
Description: windows-to-linux-ipsec.conf
listcacerts-output
Description: listcacerts-output
linux-to-linux-syslog
Description: linux-to-linux-syslog
linux-to-linux-ipsec.conf
Description: linux-to-linux-ipsec.conf
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
