Hello together, I'm currently trying to set up an IKEv1 connection with strongswan 5.6.0 on Fedora 27. It uses a local nssdb in /etc/ipsec.d to handle certificates / private keys.
The connection definition loads fine. When I tell the client to connect, it fails to verify the certificate from the right (=server) side:

Feb 15 17:20:11.324390: "companyserver" #1: Peer ID is ID_DER_ASN1_DN: 'CN=firewall.company.com, O=Company, OU=HQ'
Feb 15 17:20:11.324416: | checking for CERT payloads
Feb 15 17:20:11.324426: | found at last one CERT payload, calling pluto_process_certs()
Feb 15 17:20:11.324498: | nothing to decode
Feb 15 17:20:11.324509: "companyserver" #1: X509: temporary cert import operation failed
Feb 15 17:20:11.324524: "companyserver" #1: cert verify failed with internal error
Feb 15 17:20:11.324535: "companyserver" #1: X509: Certificate rejected for this connection
Feb 15 17:20:11.324547: "companyserver" #1: X509: CERT payload bogus or revoked
Feb 15 17:20:11.324558: | Peer ID failed to decode
Feb 15 17:20:11.324567: | complete v1 state transition with INVALID_ID_INFORMATION

What puzzles me is the "X509: temporary cert import operation failed" error message. The output is from "plutodebug=all" already.

Maybe that happens because I imported the cert of the right side into the nssdb already?

# certutil -d sql:/etc/ipsec.d -L

Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

cert.pem                                      CTu,u,u
server.pem                                    CT,,

The server certificate is a self-signed one; the nickname is the original filename "server.pem".

Any idea what might cause the "cert verify failed with internal error" message?

Cheers,
Thomas