[Swan] L2TP/IPsec with certificates: INVALID_KEY_INFORMATION
Paul Wouters
paul at nohats.ca
Wed Apr 27 00:09:44 UTC 2016
On Tue, 26 Apr 2016, Sergio Belkin wrote:
> abr 26 10:29:22 initiator.example.local pluto[11534]: "windows" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> abr 26 10:29:23 initiator.example.local pluto[11534]: "windows" #1: Main mode peer ID is ID_DER_ASN1_DN: 'CN=server.example.com'
> abr 26 10:29:23 initiator.example.local pluto[11534]: "windows" #1: no RSA public key known for 'CN=server.example.com'
> abr 26 10:29:23 initiator.example.local pluto[11534]: "windows" #1: sending encrypted notification INVALID_KEY_INFORMATION to 190.0.2.236:4500
You seem to reject the remote certificate. Looks like a missing CA cert
on your end?
> leftcert=le-3dbfb38a-2a4d-42a2-8830-0f2711db9df9
> rightid="CN=server.example.com"
> Certificates list:
>
> certutil -L -d sql:/etc/ipsec.d/
>
> Certificate Nickname                            Trust Attributes
>                                                 SSL,S/MIME,JAR/XPI
>
> le-3dbfb38a-2a4d-42a2-8830-0f2711db9df9         u,u,u
This lists only your EE-cert. I do not see the CA cert in there.
If you create a PKCS#12 file, it should include the CA cert, EE cert and
EE private key, and you can import that using "ipsec import file.p12".
Paul
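The fix Paul describes, as an added worked example that is not part of the thread: build the PKCS#12 bundle with all three pieces (CA cert, EE cert, EE private key) and check it before importing. The file names, nicknames and the password are assumptions for illustration; only `openssl pkcs12` is used, the "ipsec import" step is the one from the reply.

```shell
#!/bin/sh
# Added example (not from the thread): pack CA cert + EE cert + EE key into
# one PKCS#12 file and verify its contents before "ipsec import".
# File names, nicknames and the password below are assumptions.
set -e

# make_p12 CA_CERT EE_CERT EE_KEY OUT_P12 PASSWORD
# -certfile is what adds the CA cert to the bundle. Without it the import
# yields only the EE cert, which is exactly the certutil listing above:
# no CA in the NSS db, so the peer's chain cannot be verified and pluto
# answers with INVALID_KEY_INFORMATION.
make_p12() {
    openssl pkcs12 -export \
        -inkey "$3" -in "$2" -certfile "$1" \
        -name "ee-cert" -caname "ca-cert" \
        -passout "pass:$5" -out "$4"
}

# count_certs P12 PASSWORD
# Prints how many certificates the bundle holds. Expect 2 (CA + EE).
count_certs() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# has_private_key P12 PASSWORD
# Exit status 0 when the bundle carries a private key, 1 otherwise.
has_private_key() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY'
}

# Usage (assumed file names):
#   make_p12 ca.pem server.pem server.key windows.p12 'p12password'
#   [ "$(count_certs windows.p12 'p12password')" -eq 2 ] && \
#       has_private_key windows.p12 'p12password' && \
#       ipsec import windows.p12
```

After the import, `certutil -L -d sql:/etc/ipsec.d/` should show two entries: the EE cert with `u,u,u` and the CA cert with `CT,,` or similar trust flags; if the CA line is still missing, the bundle was built without `-certfile`.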