[Swan] my ipsec connection is failing after upgrade to libreswan from openswan
Paul Wouters
paul at nohats.ca
Thu Apr 23 12:58:02 UTC 2020
On Thu, 16 Apr 2020, Madhan Raj wrote:
> Hi Paul and others,
>
> version: -libreswan-3.25-4.1.el7.x86_64
>
> I have the attached my policy details.
>
> Apr 16 06:05:09.641313: "71807379470_x509" #1: Peer ID is ID_DER_ASN1_DN: 'C=IN, ST=i, L=i, O=i, OU=i, CN=cucm-142'
> Apr 16 06:05:09.641847: "71807379470_x509" #1: X509: no EE-cert in chain!
> Apr 16 06:05:09.641884: "71807379470_x509" #1: X509: Certificate rejected for this connection
Are these self-signed certs? Based on the below it does not look like it.
> by end server certificate
>
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number:
> 21:00:00:00:06:f3:f5:a4:46:60:5d:83:b2:00:00:00:00:00:06
> Signature Algorithm: sha256WithRSAEncryption
> Issuer: DC=internal, DC=CAPLAB, CN=CAPLAB-BLDR-DEV-201-CA-1
> Validity
> Not Before: Apr 14 02:18:57 2020 GMT
> Not After : Apr 14 02:28:57 2022 GMT
> Subject: C=IN, ST=i, L=i, O=i, OU=i, CN=cucm-142
Can you show me: certutil -L -d sql:/etc/ipsec.d
I wonder if you are missing trust bits?
> X509v3 extensions:
> X509v3 Extended Key Usage:
> TLS Web Server Authentication, TLS Web Client Authentication, IPSec End System
> X509v3 Key Usage: critical
> Digital Signature, Certificate Sign, CRL Sign
looks ok.
Paul
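As an added example (not part of Paul's reply, and not libreswan's own code), the following script parses the listing that `certutil -L -d sql:/etc/ipsec.d` prints and reports the trust-bit problems Paul is asking about: an issuing CA imported without the `C` flag, or a local certificate whose private key is not in the database (no `u` flag). The listing, the nicknames and the `run_certutil` helper are assumptions made for the example; only the command line itself comes from the thread.

```python
"""Added example, not code from the thread or from libreswan: parse the
listing from `certutil -L -d sql:/etc/ipsec.d` and report trust-bit problems
of the kind Paul asks about. The listing and nicknames are constructed."""
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# Constructed sample listing: the issuing CA named in the thread is present
# but carries no trust flags; the local end-entity cert has a private key (u).
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CAPLAB-BLDR-DEV-201-CA-1                                     ,,
cucm-142                                                     u,u,u
some-peer-cert                                               P,,
"""

# Three comma-separated columns (SSL, S/MIME, JAR/XPI) of NSS trust letters.
TRUST_RE = re.compile(r"^[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*$")


def parse_listing(text: str) -> Dict[str, str]:
    """Map nickname -> trust attribute string from certutil -L output."""
    certs: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = re.split(r"\s{2,}", line)
        # Header lines do not split into <nickname, trust string>; skip them.
        if len(parts) != 2 or not TRUST_RE.match(parts[1]):
            continue
        certs[parts[0]] = parts[1]
    return certs


def assess(certs: Dict[str, str], ca_nicknames: List[str],
           local_cert: Optional[str] = None) -> List[Tuple[str, str]]:
    """Return (nickname, problem) pairs for trust bits that will not work.

    Only the first (SSL) column is consulted here: a CA that must anchor the
    peer's chain needs C (imported with certutil -t "CT,,"), and the local
    certificate must show u, meaning its private key is in the database.
    """
    problems: List[Tuple[str, str]] = []
    for nick in ca_nicknames:
        if nick not in certs:
            problems.append((nick, "CA certificate not in database"))
            continue
        ssl_flags = certs[nick].split(",")[0]
        if "C" not in ssl_flags:
            problems.append((nick, f"CA lacks trust flag C (has '{certs[nick]}'); "
                                   "fix with: certutil -M -n <nick> -t 'CT,,' -d sql:/etc/ipsec.d"))
    if local_cert is not None:
        if local_cert not in certs:
            problems.append((local_cert, "local certificate not in database"))
        elif "u" not in certs[local_cert].split(",")[0]:
            problems.append((local_cert, "no private key for local certificate (no 'u' flag)"))
    return problems


def run_certutil(dbdir: str = "sql:/etc/ipsec.d") -> Dict[str, str]:
    """Run the command from the thread and parse its output (needs NSS tools)."""
    out = subprocess.run(["certutil", "-L", "-d", dbdir],
                         check=True, capture_output=True, text=True).stdout
    return parse_listing(out)


if __name__ == "__main__":
    listing = parse_listing(SAMPLE_LISTING)
    for nick, why in assess(listing, ["CAPLAB-BLDR-DEV-201-CA-1"], local_cert="cucm-142"):
        print(f"{nick}: {why}")
```

On the constructed listing the script reports the CA as lacking the `C` flag, which is the situation in which NSS will not treat it as a trust anchor for the peer's chain; after re-marking it with `CT,,` the same check reports nothing. Swap `parse_listing(SAMPLE_LISTING)` for `run_certutil()` to run it against a real database.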