[Swan] Policy not coming up
paul at nohats.ca
Thu Jun 13 16:45:11 UTC 2019
On Mon, 10 Jun 2019, Madhan Raj wrote:
> When I try to bring up my policy, it fails with the error below. Any idea why this is happening?
> [root@ccm-87 ~]# ipsec auto --up 71772488137_x509
> 002 "71772488137_x509" #306: initiating Main Mode
> 104 "71772488137_x509" #306: STATE_MAIN_I1: initiate
> 003 "71772488137_x509" #306: ignoring informational payload NO_PROPOSAL_CHOSEN, msgid=00000000, length=12
The other end rejected your IKE proposal. Check their logs to see what
they did not like or compare IKE settings between the two endpoints and
fix those to match.
> [root@ccm-87 ~]# certutil -L -d /usr/local/platform/.security/ipsec/
> Certificate Nickname Trust Attributes
> DODParent-INTERMEDIATECA-CA-4 c,c,c
> DODParent-ROOTCA-CA-2 c,c,c
> ipsec-db u,u,u
> ccm-88 c,c,c
Note your CAs are missing the trust bits. Normally running "ipsec checknss" should
fix those. You should see "CT,," for the CAs.
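
Added example (not part of the original post, and not Libreswan or NSS code): a small filter over `certutil -L` output that lists entries carrying a CA flag whose SSL trust field is not the "CT" the reply says to expect. The function names and the sample listing are constructed for illustration; the listing reuses the nicknames quoted above plus one made-up "CT,," entry.

```shell
#!/bin/sh
# Reads `certutil -L` output on stdin and prints "nickname<TAB>flags" for each
# entry flagged as a CA (c, C or T in the SSL field) that lacks both C and T.
# Assumption: "CT,," is the expected state for CAs, as stated in the reply above.
untrusted_cas() {
    awk '
        # Entry lines end in three comma-separated flag groups, e.g. "c,c,c" or "CT,,".
        # The two header lines and blank lines do not match this pattern.
        $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            split($NF, t, ",")
            ssl = t[1]                                  # first group = SSL trust flags
            if (ssl ~ /[cCT]/ && !(ssl ~ /C/ && ssl ~ /T/)) {
                nick = $0
                sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)   # drop the flags column
                sub(/^[ \t]+/, "", nick)                # nicknames may contain spaces
                printf "%s\t%s\n", nick, $NF
            }
        }'
}

# Constructed sample: the listing quoted in the thread plus one "CT,," entry.
sample_listing() {
    cat <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

DODParent-INTERMEDIATECA-CA-4                                c,c,c
DODParent-ROOTCA-CA-2                                        c,c,c
ipsec-db                                                     u,u,u
ccm-88                                                       c,c,c
Example Trusted CA                                           CT,,
EOF
}

# On a live system: certutil -L -d /usr/local/platform/.security/ipsec/ | untrusted_cas
sample_listing | untrusted_cas
```

Any entry imported with "c,c,c" is reported, including ones that are really peer certificates, so the output is a list to review rather than a list of confirmed CAs.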