Hi Laurens,

>> The latter is of course because it does not send any certificate
>> requests, whereas 156 of them are sent by the Android app (each a 20
>> byte SHA-1 hash). As I mentioned before, you can avoid that by
>> selecting your CA certificate in the VPN profile in the app. This
>> should avoid having to fragment the IKE_AUTH message and might improve
>> the success rate significantly.
>
> This last bit brings me to my next problem. From the file
> OnePlusOne_20160607_Wifi_Working1_ClientLog, I get this:
>
> Jul 6 17:26:31 06[IKE] received end entity cert "CN=us.npu.io"
> Jul 6 17:26:31 06[CFG] using certificate "CN=us.npu.io"
> Jul 6 17:26:31 06[CFG] using trusted intermediate ca certificate
> "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
> Jul 6 17:26:31 06[CFG] using trusted ca certificate "O=Digital
> Signature Trust Co., CN=DST Root CA X3"
> Jul 6 17:26:31 06[CFG] reached self-signed root ca with a path length
> of 1
> Jul 6 17:26:31 06[IKE] authentication of 'us.npu.io' with RSA signature
> successful
>
> If I select the certificate "Digital Signature Trust Co., DST Root CA
> X3", I get a new error message:
>
> Jul 14 19:47:22 13[IKE] received end entity cert "CN=us.npu.io"
> Jul 14 19:47:22 13[CFG] using certificate "CN=us.npu.io"
> Jul 14 19:47:22 13[CFG] no issuer certificate found for "CN=us.npu.io"
> Jul 14 19:47:22 13[IKE] no trusted RSA public key found for 'us.npu.io'
> Jul 14 19:47:22 13[ENC] generating INFORMATIONAL request 2 [
> N(AUTH_FAILED) ]
>
> Any idea what I'm missing now?
Looks like the server does not send the intermediate CA certificate "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3". So either install that on the server in /etc/ipsec.d/cacerts so it does send it, or try selecting the intermediate CA certificate as trust anchor on the client.

Regards,
Tobias
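To make this diagnosis repeatable, here is an added example (not from the thread or from strongSwan itself) that parses the charon log lines quoted above and reports whether a trusted chain was built or, as in the failing case, which subject the client could find no issuer for. The two log excerpts are embedded as constructed samples taken from the messages in this thread; the regexes match only the charon message texts shown there.

```python
import re

# Constructed samples: the working and failing excerpts from the thread.
LOG_OK = """\
Jul 6 17:26:31 06[IKE] received end entity cert "CN=us.npu.io"
Jul 6 17:26:31 06[CFG] using certificate "CN=us.npu.io"
Jul 6 17:26:31 06[CFG] using trusted intermediate ca certificate "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
Jul 6 17:26:31 06[CFG] using trusted ca certificate "O=Digital Signature Trust Co., CN=DST Root CA X3"
Jul 6 17:26:31 06[CFG] reached self-signed root ca with a path length of 1
Jul 6 17:26:31 06[IKE] authentication of 'us.npu.io' with RSA signature successful
"""
LOG_FAIL = """\
Jul 14 19:47:22 13[IKE] received end entity cert "CN=us.npu.io"
Jul 14 19:47:22 13[CFG] using certificate "CN=us.npu.io"
Jul 14 19:47:22 13[CFG] no issuer certificate found for "CN=us.npu.io"
Jul 14 19:47:22 13[IKE] no trusted RSA public key found for 'us.npu.io'
Jul 14 19:47:22 13[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
"""

RE_EE = re.compile(r'received end entity cert "([^"]+)"')
RE_INTER = re.compile(r'using trusted intermediate ca certificate "([^"]+)"')
RE_ROOT = re.compile(r'using trusted ca certificate "([^"]+)"')
RE_NOISSUER = re.compile(r'no issuer certificate found for "([^"]+)"')
RE_SELFSIGNED = re.compile(r'reached self-signed root ca with a path length of (\d+)')

def analyse_chain(log: str) -> dict:
    """Collect the chain charon reports and, on failure, the subject lacking an issuer."""
    result = {"end_entity": None, "chain": [], "path_length": None,
              "missing_issuer_for": None, "ok": False}
    for line in log.splitlines():
        if m := RE_EE.search(line):
            result["end_entity"] = m.group(1)
        elif m := (RE_INTER.search(line) or RE_ROOT.search(line)):
            result["chain"].append(m.group(1))        # issuers, leaf-to-root order
        elif m := RE_NOISSUER.search(line):
            result["missing_issuer_for"] = m.group(1)
        elif m := RE_SELFSIGNED.search(line):
            result["path_length"] = int(m.group(1))
        elif "authentication of" in line and "successful" in line:
            result["ok"] = True
    return result

def hint(result: dict) -> str:
    """Turn the parsed result into the remediation Tobias suggests."""
    if result["ok"]:
        return "chain complete (path length %s)" % result["path_length"]
    if result["missing_issuer_for"]:
        return ('peer sent no issuer for "%s": have the server send the intermediate CA '
                "(e.g. put it in /etc/ipsec.d/cacerts) or select the intermediate as "
                "trust anchor on the client" % result["missing_issuer_for"])
    return "undetermined"
```

Feed it the client log from the app and the hint tells you whether the failure is a missing intermediate rather than a wrong trust anchor.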
