[Swan] Policy not coming up

Paul Wouters paul at nohats.ca
Thu Jun 13 16:45:11 UTC 2019


On Mon, 10 Jun 2019, Madhan Raj wrote:

> When I try to bring up my policy it fails with the below error; any idea why this is happening?
> 
> [root at ccm-87 ~]# ipsec auto --up 71772488137_x509
> 002 "71772488137_x509" #306: initiating Main Mode
> 104 "71772488137_x509" #306: STATE_MAIN_I1: initiate
> 003 "71772488137_x509" #306: ignoring informational payload NO_PROPOSAL_CHOSEN, msgid=00000000, length=12

The other end rejected your IKE proposal. Check their logs to see what
they did not like or compare IKE settings between the two endpoints and
fix those to match.

> [root at ccm-87 ~]# certutil -L -d /usr/local/platform/.security/ipsec/
> 
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
> 
> DODParent-INTERMEDIATECA-CA-4                                c,c,c
> DODParent-ROOTCA-CA-2                                        c,c,c
> ipsec-db                                                     u,u,u
> ccm-88                                                       c,c,c

Note your CAs are missing the trust bits. Normally running "ipsec checknss" should
fix those. You should see "CT,," for the CAs.

Paul
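As an added example (not part of the thread or of the libreswan project), a small POSIX shell check that parses a saved `certutil -L` listing and reports entries carrying the valid-CA flag `c` in the SSL trust field without the trusted-CA flag `C`, i.e. the entries that Paul's reply says should show `CT,,`. The function names and the `SAMPLE_LISTING` variable are my own; the sample listing reproduces the one quoted above.

```shell
#!/bin/sh
# Usage on a live system (assumed path from the thread):
#   certutil -L -d /usr/local/platform/.security/ipsec/ | entries_missing_ca_trust
# NSS SSL trust field: c = valid CA, C = trusted CA, T = trusted for client
# auth, u = user (own) cert. A CA used to verify peers wants "CT,,".

# Hypothetical helper: turn a `certutil -L` listing (stdin) into
# "<nickname><TAB><trust-attributes>" lines, dropping header and blank lines.
parse_certutil_listing() {
    awk '
        /^Certificate Nickname/ || /SSL,S\/MIME,JAR\/XPI/ || /^[ \t]*$/ { next }
        {
            trust = $NF                                  # last column
            nick = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)        # strip trust column
            printf "%s\t%s\n", nick, trust
        }'
}

# Hypothetical helper: print nicknames whose SSL trust field says "valid CA"
# (lowercase c) but not "trusted CA" (uppercase C). Each one can be fixed with
# `ipsec checknss`, or by hand with:
#   certutil -M -d <nssdir> -n "<nickname>" -t "CT,,"
entries_missing_ca_trust() {
    parse_certutil_listing | awk -F '\t' '
        {
            split($2, t, ",")                            # t[1] = SSL trust flags
            if (t[1] ~ /c/ && t[1] !~ /C/) print $1
        }'
}

# Constructed sample: the listing quoted in the question, without the "> " quoting.
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

DODParent-INTERMEDIATECA-CA-4                                c,c,c
DODParent-ROOTCA-CA-2                                        c,c,c
ipsec-db                                                     u,u,u
ccm-88                                                       c,c,c'

# Stand-alone demo: lists the three "c,c,c" entries; "ipsec-db" (u,u,u) is not reported.
printf '%s\n' "$SAMPLE_LISTING" | entries_missing_ca_trust
```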
