PS: Alternatively, the signature the other peer sent with the message is 
incorrect. Maybe Tobias or Andreas can explain what exactly is the problem here.

On 16.05.2018 14:20, Noel Kuntze wrote:
> Hello Phil,
>
> No, that's not the problem. It's because the CA screwed up the settings of 
> the X509 policy mapping extension. I don't quite know the details of /what/ 
> they got wrong, but as far as I can tell,
> the CA certificate is either missing the extension value that allows any 
> policy or has INHIBIT_ANY_POLICY set.
>
> Kind regards
>
> Noel
>
> On 16.05.2018 14:10, Phil Frost wrote:
>> It doesn't appear you've configured strongswan to trust any CAs anywhere. 
>> See /etc/ipsec.d/cacerts, the "CA SECTIONS" section in ipsec.conf(5), and 
>> the leftca and rightca options.
>>
>> On Wed, May 16, 2018 at 9:40 AM Michal Grzelak <[email protected]> wrote:
>>
>>     I have a site-to-site VPN between Strongswan and Cisco working over PSK. 
>> I wanted to upgrade it to authenticate via certificates, but can't get it 
>> done. I am receiving the following error:
>>
>>
>>     May 9 13:57:20 strongswan charon: 13[CFG] ocsp response correctly signed by "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Validation Authority - G2"
>>     May 9 13:57:20 strongswan charon: 13[CFG] ocsp response is valid: until May 11 01:05:00 2018
>>     May 9 13:57:20 strongswan charon: 13[CFG] using cached ocsp response
>>     May 9 13:57:20 strongswan charon: 13[CFG] certificate status is good
>>     May 9 13:57:20 strongswan charon: 13[CFG] certificate policy 2.16.840.1.114413.1.7.23.1 for 'OU=Domain Control Validated, CN=hostname.somedomain.com' not allowed by trustchain, ignored
>>     May 9 13:57:20 strongswan charon: 13[CFG] certificate policy 2.23.140.1.2.1 for 'OU=Domain Control Validated, CN=hostname.somedomain.com' not allowed by trustchain, ignored
>>     May 9 13:57:20 strongswan charon: 13[CFG] reached self-signed root ca with a path length of 1
>>     May 9 13:57:20 strongswan charon: 13[IKE] signature validation failed, looking for another key
>>
>>     The certificates for both ends are signed by two different CAs, but I 
>> have already exchanged the public root and intermediate certs. On the Cisco 
>> side I see the tunnel goes up for both Phase 1 and 2, so it's good. Strongswan 
>> has a problem with it and no SA is up.
>>
>>     Configuration:
>>
>>     conn testconn
>>         auto=start
>>         left=%any
>>         leftfirewall=yes
>>         [email protected]
>>         leftid=x.x.x.x
>>         leftcert=strongswan.mydomain.com.pem
>>         right=y.y.y.y
>>         rightid=%any
>>         [email protected]
>>         type=tunnel
>>         ikelifetime=24h
>>         keylife=1h
>>         esp=aes256-sha384-ecp521
>>         ike=aes256-sha384-modp1024
>>         keyingtries=%forever
>>         keyexchange=ikev2
>>         leftsubnet=z.z.z.z/z
>>         rightsubnet=u.u.u.u/u
>>         dpddelay=10s
>>         dpdtimeout=30s
>>         dpdaction=restart
>>
>>     What could be wrong here? Any suggestions?
>>
>>     Thanks.
>>
>>
>>     -- 
>>     Best regards,
>>     Michał
>>
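
Added example, not from this thread and not strongSwan's own code: a small bash lab that uses openssl to build a constructed two-certificate chain whose root asserts only one policy OID (and no anyPolicy), then lists each certificate's policy-related X.509v3 extensions and reports, for every policy the leaf asserts, whether the issuer permits it. That is the shape of the "certificate policy ... not allowed by trustchain, ignored" lines in Michal's log, and the same inspection functions can be pointed at a real root, intermediate and peer certificate to see which of the extensions Noel mentions (certificatePolicies, policyMappings, inhibitAnyPolicy) are actually present. The OIDs under 1.3.6.1.4.1.99999, the subject names and the file paths are constructed stand-ins; the allow rule is a simplified reading of RFC 5280 path validation (no policy mapping applied), not strongSwan's exact implementation.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): reproduce, in a throwaway directory, a chain
# whose root does not permit the policy the leaf asserts, and inspect it with openssl.
set -eu

ANY_POLICY="2.5.29.32.0"            # anyPolicy; openssl prints it as "X509v3 Any Policy"
CA_POLICY="1.3.6.1.4.1.99999.1.1"   # constructed OID: the only policy the lab root asserts
LEAF_POLICY="1.3.6.1.4.1.99999.1.2" # constructed OID: what the lab leaf asserts (stand-in
                                    # for a CA/B Forum or vendor policy OID as in the log)

# build_lab_chain DIR: write ca.pem (self-signed root) and leaf.pem (signed by it) into DIR.
build_lab_chain() {
    local dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Lab Root CA (constructed)" \
        -addext "certificatePolicies=$CA_POLICY" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=leaf.lab.invalid" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    printf 'certificatePolicies=%s\n' "$LEAF_POLICY" > "$dir/leaf.ext"
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$dir/leaf.ext" \
        -out "$dir/leaf.pem" 2>/dev/null
}

# policy_extensions CERT: list which policy-related X.509v3 extensions CERT carries.
policy_extensions() {
    openssl x509 -in "$1" -noout -text \
        | grep -E 'X509v3 (Certificate Policies|Policy Constraints|Policy Mappings|Inhibit Any Policy)' \
        | sed 's/^ *//'
}

# policy_oids CERT: print the OIDs in CERT's certificatePolicies extension, one per line.
# The block ends at the next extension header or at the signature algorithm line.
policy_oids() {
    openssl x509 -in "$1" -noout -text | awk -v any="$ANY_POLICY" '
        /X509v3 Certificate Policies/          { f = 1; next }
        f && /^ *(X509v3|Signature Algorithm)/ { f = 0; next }
        f && /Policy: X509v3 Any Policy/       { print any; next }
        f && /Policy: /                        { print $2 }'
}

# issuer_allows ISSUER LEAF: for each policy LEAF asserts, report whether ISSUER permits it:
# the same OID asserted by the issuer, or anyPolicy asserted without inhibitAnyPolicy.
# Simplified RFC 5280 rule for illustration; policy mappings are not applied here.
issuer_allows() {
    local issuer="$1" leaf="$2" issuer_pols inhibit=0 oid
    issuer_pols=$(policy_oids "$issuer")
    if openssl x509 -in "$issuer" -noout -text | grep -q 'Inhibit Any Policy'; then
        inhibit=1
    fi
    for oid in $(policy_oids "$leaf"); do
        if printf '%s\n' "$issuer_pols" | grep -qxF "$oid"; then
            echo "$oid ALLOWED (issuer asserts it)"
        elif [ "$inhibit" -eq 0 ] && printf '%s\n' "$issuer_pols" | grep -qxF "$ANY_POLICY"; then
            echo "$oid ALLOWED (issuer asserts anyPolicy)"
        else
            echo "$oid NOT ALLOWED by issuer"
        fi
    done
}

# Demo run on the constructed chain.
LAB=$(mktemp -d)
build_lab_chain "$LAB"
for c in ca leaf; do
    echo "== $LAB/$c.pem"
    policy_extensions "$LAB/$c.pem"
done
issuer_allows "$LAB/ca.pem" "$LAB/leaf.pem"   # prints "1.3.6.1.4.1.99999.1.2 NOT ALLOWED by issuer"
rm -rf "$LAB"
```

To apply this to a real deployment, run policy_extensions and issuer_allows on the exchanged root, intermediate and peer certificate pairwise down the chain (root/intermediate, then intermediate/leaf); a leaf OID reported as NOT ALLOWED by its issuer is the condition strongSwan logs as "not allowed by trustchain", and a root that shows Inhibit Any Policy or lacks anyPolicy matches Noel's description.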
