It doesn't appear you've configured strongswan to trust any CAs anywhere. See /etc/ipsec.d/cacerts, the "CA SECTIONS" section in ipsec.conf(5), and the leftca and rightca options.
On Wed, May 16, 2018 at 9:40 AM Michal Grzelak <[email protected]> wrote:
> I have a Site to Site VPN between Strongswan and Cisco working over PSK.
> Wanted to upgrade it to authenticate via Certificates, but can't get it
> done. Receiving the following error:
>
> May 9 13:57:20 strongswan charon: 13[CFG] ocsp response correctly signed by "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Validation Authority - G2"
> May 9 13:57:20 strongswan charon: 13[CFG] ocsp response is valid: until May 11 01:05:00 2018
> May 9 13:57:20 strongswan charon: 13[CFG] using cached ocsp response
> May 9 13:57:20 strongswan charon: 13[CFG] certificate status is good
> May 9 13:57:20 strongswan charon: 13[CFG] certificate policy 2.16.840.1.114413.1.7.23.1 for 'OU=Domain Control Validated, CN=hostname.somedomain.com' not allowed by trustchain, ignored
> May 9 13:57:20 strongswan charon: 13[CFG] certificate policy 2.23.140.1.2.1 for 'OU=Domain Control Validated, CN=hostname.somedomain.com' not allowed by trustchain, ignored
> May 9 13:57:20 strongswan charon: 13[CFG] reached self-signed root ca with a path length of 1
> May 9 13:57:20 strongswan charon: 13[IKE] signature validation failed, looking for another key
>
> The Certificates for both ends are signed by two different CAs, but already
> exchanged public root and intermediate certs. On cisco side I see the
> tunnel goes up for both Phase 1 and 2, so it's good. Strongswan has problem
> with it and no SA is up.
>
> Configuration:
>
> conn testconn
>     auto=start
>     left=%any
>     leftfirewall=yes
>     [email protected]
>     leftid=x.x.x.x
>     leftcert=strongswan.mydomain.com.pem
>     right=y.y.y.y
>     rightid=%any
>     [email protected]
>     type=tunnel
>     ikelifetime=24h
>     keylife=1h
>     esp=aes256-sha384-ecp521
>     ike=aes256-sha384-modp1024
>     keyingtries=%forever
>     keyexchange=ikev2
>     leftsubnet=z.z.z.z/z
>     rightsubnet=u.u.u.u/u
>     dpddelay=10s
>     dpdtimeout=30s
>     dpdaction=restart
>
> What could be wrong here? Any suggestions?
> Thanks.
>
> --
> Best regards,
> Michał
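As an added illustration of the fix the reply points at (this is not part of either message in the thread): the same conn section with the trust anchors configured, so that charon can build a trusted path from each peer's certificate to a CA it knows. The CA file names and the two issuer DNs below are placeholders; the real values are the subject names of the two root CAs that signed each side's certificate, and the files go in the directory the reply names.

```ini
# /etc/ipsec.conf  (added example; placeholder names and DNs)
#
# Put the PEM root certificates of BOTH CAs into /etc/ipsec.d/cacerts/
# (for example mydomain-root.pem and peer-root.pem); the intermediates can go
# there as well if the peer does not send them in IKE_AUTH.  Every file in that
# directory is loaded as a trusted CA after `ipsec rereadcacerts` or `ipsec reload`.
# The end-entity certificate stays in /etc/ipsec.d/certs/, its key in /etc/ipsec.d/private/.

conn testconn
    auto=start
    keyexchange=ikev2
    type=tunnel

    # local side
    left=%any
    leftid=x.x.x.x
    leftcert=strongswan.mydomain.com.pem
    leftauth=pubkey
    # issuer DN of the CA that signed strongswan.mydomain.com.pem (placeholder)
    leftca="C=US, O=Example Org, CN=Example Root CA"
    leftfirewall=yes
    leftsubnet=z.z.z.z/z

    # remote (Cisco) side
    right=y.y.y.y
    rightid=%any
    rightauth=pubkey
    # the Cisco certificate must chain up to this CA, not merely to any cert in cacerts (placeholder)
    rightca="C=US, O=Peer Org, CN=Peer Root CA"
    rightsubnet=u.u.u.u/u

    ikelifetime=24h
    keylife=1h
    esp=aes256-sha384-ecp521
    ike=aes256-sha384-modp1024
    keyingtries=%forever
    dpddelay=10s
    dpdtimeout=30s
    dpdaction=restart
```

leftca and rightca are optional once the roots are in cacerts, but pinning the expected issuer on the right side keeps a certificate from some other trusted CA from authenticating as the peer, which matters with rightid=%any. After the change, `ipsec listcacerts` should list both roots, and the "signature validation failed, looking for another key" line should no longer appear for the peer's certificate.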
