Hi, according to your log, the initiator and responder create their own Root CA certificate and store it locally in /usr/local/etc/swanctl/x509ca. Therefore it is not surprising that no trust in the received host certificate can be established, because it has been signed with the private key of a different Root CA (although the Distinguished Name of the issuer is the same).
Fix: Generate only one private key and matching self-signed Root CA certificate. Use the private Root CA key to sign both initiator and responder host certificates and deploy the Root CA certificate on both hosts.

Best regards

Andreas

On 01.08.2016 21:24, rajeev nohria wrote:
>
> I was able to establish IKE connection using PSK but when using pubkey I
> am not able to establish the IKE connection.
>
> When I issue sudo swanctl --initiate --child net
>
> At receptor, it returns the Auth_failed. Please see the swanctl.conf,
> strongswan.conf and charon.log.
>
> Aug 1 12:09:21 12[CFG] <rw|1> no issuer certificate found for "C=US, ST=MA, L=Lowell, O=Arris, CN=10.13.199.185"
> Aug 1 12:09:21 12[IKE] <rw|1> no trusted RSA public key found for '10.13.199.185'
> Aug 1 12:09:21 12[IKE] <rw|1> peer supports MOBIKE
> Aug 1 12:09:21 12[ENC] <rw|1> added payload of type NOTIFY to message
> Aug 1 12:09:21 12[ENC] <rw|1> order payloads in message
> Aug 1 12:09:21 12[ENC] <rw|1> added payload of type NOTIFY to message
> Aug 1 12:09:21 12[ENC] <rw|1> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>
> I used the following commands to create certificates.
>
> Initiator:
> -----------
>
> sudo ipsec pki --gen --type rsa --size 4096 --outform pem > /usr/local/etc/swanctl/rsa/strongswanKey.pem
>
> sudo chmod 600 /usr/local/etc/swanctl/rsa/strongswanKey.pem
>
> sudo ipsec pki --self --ca --in /usr/local/etc/swanctl/rsa/strongswanKey.pem --digest sha256 --dn "C=US, ST=MA, O=Arris, CN=StrongSwan Root CA" --outform pem > /usr/local/etc/swanctl/x509ca/strongswanCert.pem
>
> sudo ipsec pki --print --in /usr/local/etc/swanctl/x509ca/strongswanCert.pem
>
> sudo ipsec pki --gen --type rsa --size 4096 --outform pem > /usr/local/etc/swanctl/rsa/hostKey.pem
>
> sudo chmod 600 /usr/local/etc/swanctl/rsa/hostKey.pem
>
> sudo ipsec pki --pub --in /usr/local/etc/swanctl/rsa/hostKey.pem --type rsa | ipsec pki --issue --digest sha256 --cacert /usr/local/etc/swanctl/x509ca/strongswanCert.pem --cakey /usr/local/etc/swanctl/rsa/strongswanKey.pem --dn "C=US, ST=MA, L=Lowell, O=Arris, CN=10.13.199.185" --san 10.13.199.185 --outform pem > /usr/local/etc/swanctl/x509/hostCert.pem
>
> Receptor:
> --------------
>
> sudo ipsec pki --gen --type rsa --size 4096 --outform pem > /usr/local/etc/swanctl/rsa/strongswanKey.pem
>
> sudo chmod 600 /usr/local/etc/swanctl/rsa/strongswanKey.pem
>
> sudo ipsec pki --self --ca --in /usr/local/etc/swanctl/rsa/strongswanKey.pem --digest sha256 --dn "C=US, ST=MA, O=Arris, CN=StrongSwan Root CA" --outform pem > /usr/local/etc/swanctl/x509ca/strongswanCert.pem
>
> sudo ipsec pki --print --in /usr/local/etc/swanctl/x509ca/strongswanCert.pem
>
> sudo ipsec pki --gen --type rsa --size 4096 --outform pem > /usr/local/etc/swanctl/rsa/hostKey.pem
>
> sudo chmod 600 /usr/local/etc/swanctl/rsa/hostKey.pem
>
> sudo ipsec pki --pub --in /usr/local/etc/swanctl/rsa/hostKey.pem --type rsa | ipsec pki --issue --digest sha256 --cacert /usr/local/etc/swanctl/x509ca/strongswanCert.pem --cakey /usr/local/etc/swanctl/rsa/strongswanKey.pem --dn "C=US, ST=MA, L=Lowell, O=Arris, CN=10.13.199.130" --san 10.13.199.130 --outform pem > /usr/local/etc/swanctl/x509/hostCert.pem
>
> _______________________________________________
> Users mailing list
> Users@lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users

--
======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
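The corrected procedure from the reply, written out as an added shell example (it is not part of Andreas's message or of strongSwan's own scripts): one Root CA key is generated once, both host certificates are issued with it, and `ipsec pki --verify` confirms that each host certificate chains to that single CA. The last step reproduces the failure in the thread by generating a second CA key under the identical Distinguished Name and showing that the host certificate does not verify against it. Paths use a scratch directory (`$WORK`, an assumption made so the script runs unprivileged) instead of /usr/local/etc/swanctl; the two addresses are the ones from the thread, and `KEYSIZE` is an added knob defaulting to the thread's 4096 bits.

```shell
#!/bin/sh
# Added example: one Root CA, two host certificates, verified with strongSwan's
# own `ipsec pki` tool. $WORK is a scratch directory (assumption); in a real
# deployment caCert.pem goes to x509ca/ on BOTH hosts, and each host gets only
# its own key (rsa/) and certificate (x509/). The CA key stays where it was made.
set -eu

WORK="${WORK:-$(mktemp -d)}"
KEYSIZE="${KEYSIZE:-4096}"
CA_DN="C=US, ST=MA, O=Arris, CN=StrongSwan Root CA"

# Generate ONE Root CA private key and its self-signed CA certificate.
make_root_ca() {
    ipsec pki --gen --type rsa --size "$KEYSIZE" --outform pem > "$WORK/caKey.pem"
    chmod 600 "$WORK/caKey.pem"
    ipsec pki --self --ca --in "$WORK/caKey.pem" --digest sha256 \
        --dn "$CA_DN" --outform pem > "$WORK/caCert.pem"
}

# Issue a host certificate for address $1, signed with the shared CA key.
# Writes $WORK/<addr>Key.pem and $WORK/<addr>Cert.pem.
issue_host_cert() {
    addr="$1"
    ipsec pki --gen --type rsa --size "$KEYSIZE" --outform pem > "$WORK/${addr}Key.pem"
    chmod 600 "$WORK/${addr}Key.pem"
    ipsec pki --pub --in "$WORK/${addr}Key.pem" --type rsa \
      | ipsec pki --issue --digest sha256 \
          --cacert "$WORK/caCert.pem" --cakey "$WORK/caKey.pem" \
          --dn "C=US, ST=MA, L=Lowell, O=Arris, CN=$addr" --san "$addr" \
          --outform pem > "$WORK/${addr}Cert.pem"
}

# Return 0 if certificate $1 was signed by the key behind CA certificate $2.
# This is the check charon performs when it looks for a trusted issuer.
chain_ok() {
    if ipsec pki --verify --in "$1" --cacert "$2" >/dev/null 2>&1; then
        echo "ok:   $1 is trusted under $2"
        return 0
    fi
    echo "fail: $1 does NOT chain to $2"
    return 1
}

demo() {
    make_root_ca
    issue_host_cert 10.13.199.185   # initiator address from the thread
    issue_host_cert 10.13.199.130   # responder address from the thread

    # Both host certificates verify against the single Root CA certificate.
    chain_ok "$WORK/10.13.199.185Cert.pem" "$WORK/caCert.pem"
    chain_ok "$WORK/10.13.199.130Cert.pem" "$WORK/caCert.pem"

    # The mistake in the thread: a second, independently generated CA key with
    # the SAME DN. The issuer name matches, the signature does not, so charon
    # reports "no issuer certificate found" / "no trusted RSA public key".
    ipsec pki --gen --type rsa --size "$KEYSIZE" --outform pem > "$WORK/otherCaKey.pem"
    ipsec pki --self --ca --in "$WORK/otherCaKey.pem" --digest sha256 \
        --dn "$CA_DN" --outform pem > "$WORK/otherCaCert.pem"
    ! chain_ok "$WORK/10.13.199.185Cert.pem" "$WORK/otherCaCert.pem"

    echo "Copy $WORK/caCert.pem to /usr/local/etc/swanctl/x509ca/ on both hosts."
}

if command -v ipsec >/dev/null 2>&1; then
    demo
else
    echo "ipsec pki not found; nothing was generated" >&2
fi
```

`issue_host_cert` mirrors the thread's `--issue` invocation but always reads `--cacert`/`--cakey` from the one CA, which is the whole fix; the deliberate `otherCaCert.pem` step is only there to make the failure mode visible and is not something to deploy.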