I have a Site to Site VPN between Strongswan and Cisco working over PSK.
Wanted to upgrade it to authenticate via Certificates, but can't get it
done. Receiving following error:
May 9 13:57:20 strongswan charon: 13[CFG] ocsp response correctly
signed by "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go
Daddy Root Validation Authority - G2"
May 9 13:57:20 strongswan charon: 13[CFG] ocsp response is valid:
until May 11 01:05:00 2018
May 9 13:57:20 strongswan charon: 13[CFG] using cached ocsp response
May 9 13:57:20 strongswan charon: 13[CFG] certificate status is good
May 9 13:57:20 strongswan charon: 13[CFG] certificate policy
2.16.840.1.114413.1.7.23.1 for 'OU=Domain Control Validated,
CN=hostname.somedomain.com' not allowed by trustchain, ignored
May 9 13:57:20 strongswan charon: 13[CFG] certificate policy
2.23.140.1.2.1 for 'OU=Domain Control Validated,
CN=hostname.somedomain.com' not allowed by trustchain, ignored
May 9 13:57:20 strongswan charon: 13[CFG] reached self-signed root
ca with a path length of 1
May 9 13:57:20 strongswan charon: 13[IKE] signature validation
failed, looking for another key
The Certificates for both ends are signed by two different CA, but already
exchanged public root and intermediate certs. On cisco side I see the
tunnel goes up for both Phase 1 and 2, so its good. Strongswan has problem
with it and no SA is up.
Configuration:
conn testconn
auto=start
left=%any
leftfirewall=yes
[email protected]
leftid=x.x.x.x
leftcert=strongswan.mydomain.com.pem
right=y.y.y.y
rightid=%any
[email protected]
type=tunnel
ikelifetime=24h
keylife=1h
esp=aes256-sha384-ecp521
ike=aes256-sha384-modp1024
keyingtries=%forever
keyexchange=ikev2
leftsubnet=z.z.z.z/z
rightsubnet=u.u.u.u/u
dpddelay=10s
dpdtimeout=30s
dpdaction=restart
What be wrong here? Any suggestions?
Thanks.
--
Best regards,
MichaĆ
