Hi, I'm using a strongswan-5.7.2-1.el7.x86_64 on a CentOS 7.7.1908 (Core) to build up a vpn tunnel to a partner site. We are using certificates for the authentication, but I'm running into a problem here and I think it's on my side so I need some help from you.
This is the information I get when I start the connection:

    >>strongswan up game_cmp_test
    initiating IKE_SA game_cmp_test[18] to 82.xxx.xxx.44
    generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    sending packet: from 217.xxx.xxx.20[500] to 82.xxx.xxx.44[500] (464 bytes)
    received packet: from 82.xxx.xxx.44[500] to 217.xxx.xxx.20[500] (489 bytes)
    parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ N(HTTP_CERT_LOOK) ]
    selected proposal: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
    received cert request for "C=de, O=Game Company, CN=GMP-Short CA 2015"
    received 4 cert requests for an unknown ca
    sending cert request for "C=de, O=Game Company, CN=GMP-Short CA 2015"
    authentication of '217.xxx.xxx.20' (myself) with RSA signature successful
    sending end entity cert "C=DE, ST=Hamburg, L=Hamburg, O=ourCompany OU=section , CN=ourhost.tld"
    establishing CHILD_SA game_cmp_test{21}
    generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
    sending packet: from 217.xxx.xxx.20[500] to 82.xxx.xxx.44[500] (1648 bytes)
    received packet: from 82.xxx.xxx.44[500] to 217.xxx.xxx.20[500] (1520 bytes)
    parsed IKE_AUTH response 1 [ IDr CERT AUTH N(ESP_TFC_PAD_N) SA TSi TSr ]
    received end entity cert "CN=pa-otun-xx-xx.GMP-name.tld"
    using certificate "CN=pa-otun-xx-xx.GMP-name.tld"
    using trusted ca certificate "C=de, O=Game Company, CN=GMP-Short CA 2015"
    checking certificate status of "CN=pa-otun-xx-xx.GMP-name.tld"
    certificate status is not available
    reached self-signed root ca with a path length of 0
    signature validation failed, looking for another key
    using certificate "CN=pa-otun-xx-xx.GMP-name.tld"
    using trusted ca certificate "C=de, O=Game Company, CN=GMP-Short CA 2015"
    checking certificate status of "CN=pa-otun-xx-xx.GMP-name.tld"
    certificate status is not available
    reached self-signed root ca with a path length of 0
    signature validation failed, looking for another key
    generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
    sending packet: from 217.xxx.xxx.20[500] to 82.xxx.xxx.44[500] (96 bytes)
    establishing connection 'game_cmp_test' failed

This is the configuration:

    conn game_cmp_test
        left=217.xxx.xxx.20
        leftsubnet=192.168.170.0/24
        leftcert=/etc/strongswan/ipsec.d/certs/GMP-name-cert.pem
        right=82.xxx.xxx.44
        #rightsubnet=192.168.180.0/24
        rightsubnet=192.168.14.0/24
        rightid="pa-otun-xx-xx.GMP-name.tld"
        authby=pubkey
        auto=start
        ikelifetime=28800s
        keylife=3600s
        keyexchange=ikev2
        ike=aes256-sha512-modp2048!
        esp=aes256-sha512-modp2048!

Is there something wrong with the certificate? Any suggestions are really really welcome.

Kind regards
fatcharly