With the existing IPsec setup it is not possible to configure multiple certificates, and the connection does not establish.
A "no trusted RSA public key found for ..." error is received and authentication fails.
    Sep 20 10:03:20 charon-systemd[2376]: received 1 cert requests for an unknown ca
    Sep 20 10:03:20 charon[2376]: 11[IKE] <1> received end entity cert "C=GB, ST=Some-State, L=Some-City, O=GlobalSign, CN=server"
    Sep 20 10:03:20 charon-systemd[2376]: received end entity cert "C=GB, ST=Some-State, L=Some-City, O=GlobalSign, CN=server"
    Sep 20 10:03:20 charon[2376]: 11[CFG] <1> looking for peer configs matching 10.0.182.5[C=GB, ST=Some-State, L=Some-City, O=GlobalSign, CN=client]...10.0.182.6[C=GB, ST=Some-State, L=Some-City, O=GlobalSign, CN=server]
    Sep 20 10:03:20 charon-systemd[2376]: looking for peer configs matching 10.0.182.5[C=GB, ST=Some-State, L=Some-City, O=GlobalSign, CN=client]...10.0.182.6[C=GB, ST=Some-State, L=Some-City, O=GlobalSign, CN=server]
    Sep 20 10:03:20 charon[2376]: 11[CFG] <host1|1> selected peer config 'host1'
    Sep 20 10:03:20 charon-systemd[2376]: selected peer config 'host1'
    Sep 20 10:03:20 charon[2376]: 11[CFG] <host1|1> using certificate "C=GB, ST=Some-State, L=Some-City, O=GlobalSign, CN=server"
    Sep 20 10:03:20 charon-systemd[2376]: using certificate "C=GB, ST=Some-State, L=Some-City, O=GlobalSign, CN=server"
    Sep 20 10:03:20 charon[2376]: 11[CFG] <host1|1> no issuer certificate found for "C=GB, ST=Some-State, L=Some-City, O=GlobalSign, CN=server"
    Sep 20 10:03:20 charon-systemd[2376]: no issuer certificate found for "C=GB, ST=Some-State, L=Some-City, O=GlobalSign, CN=server"
    Sep 20 10:03:20 charon[2376]: 11[CFG] <host1|1> issuer is "C=GB, ST=Some-State, L=Some-City, O=GlobalSign, CN=interim-CA"
    Sep 20 10:03:20 charon-systemd[2376]: issuer is "C=GB, ST=Some-State, L=Some-City, O=GlobalSign, CN=interim-CA"
    Sep 20 10:03:20 charon[2376]: 11[IKE] <host1|1> no trusted RSA public key found for 'C=GB, ST=Some-State, L=Some-City, O=GlobalSign, CN=server'
    Sep 20 10:03:20 charon-systemd[2376]: no trusted RSA public key found for 'C=GB, ST=Some-State, L=Some-City, O=GlobalSign, CN=server'
Configuration commands:
    set vpn ipsec site-to-site peer peer_10-0-182-5 authentication local-id 'C=GB, ST=Some-State, L=Some-City, O=GlobalSign, CN=server'
    set vpn ipsec site-to-site peer peer_10-0-182-5 authentication mode 'x509'
    set vpn ipsec site-to-site peer peer_10-0-182-5 authentication remote-id 'C=GB, ST=Some-State, L=Some-City, O=GlobalSign, CN=client'
    set vpn ipsec site-to-site peer peer_10-0-182-5 authentication x509 ca-certificate 'interim-CA'
    set vpn ipsec site-to-site peer peer_10-0-182-5 authentication x509 certificate 'server-entity'
    set vpn ipsec site-to-site peer peer_10-0-182-5 connection-type 'initiate'
    set vpn ipsec site-to-site peer peer_10-0-182-5 ike-group 'ike-azure'
    set vpn ipsec site-to-site peer peer_10-0-182-5 ikev2-reauth 'inherit'
    set vpn ipsec site-to-site peer peer_10-0-182-5 local-address '10.0.182.6'
    set vpn ipsec site-to-site peer peer_10-0-182-5 remote-address '10.0.182.5'
    set vpn ipsec site-to-site peer peer_10-0-182-5 tunnel 0 esp-group 'esp-azure'
    set vpn ipsec site-to-site peer peer_10-0-182-5 tunnel 0 local prefix '10.76.38.96/28'
    set vpn ipsec site-to-site peer peer_10-0-182-5 tunnel 0 remote prefix '172.16.0.0/24'
Workaround:
Adding the CA certificates to /etc/swanctl/x509ca and restarting the IPsec service works around the issue, but the files are deleted when the device is restarted.
    vyos@vyos# pwd
    /etc/swanctl/x509ca
    [edit]
    vyos@vyos# ls -ltr
    total 8
    -rw-r--r-- 1 root root 1311 Sep 20 14:00 root-CA.pem
    -rw-r--r-- 1 root root 1367 Sep 20 14:11 interim-CA.pem
Output:
    vyos@vyos# run sh vpn ike sa
    Peer ID / IP                                                      Local ID / IP
    ------------                                                      -------------
    10.0.182.6 C=GB, ST=Some-State, L=Some-City, O=GlobalSign, CN=server   10.0.182.5 C=GB, ST=Some-State, L=Some-City, O=GlobalSign, CN=client

        State  IKEVer  Encrypt      Hash               D-H Group  NAT-T  A-Time  L-Time
        -----  ------  -------      ----               ---------  -----  ------  ------
        up     IKEv2   AES_CBC_256  HMAC_SHA2_256_128  MODP_2048  no     22      0
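Added example (not part of this report or of VyOS): a throwaway openssl reproduction of the trust-store difference behind the failure and the workaround. It builds a constructed root-CA -> interim-CA -> server chain with the subject names from the log, then verifies the server cert once against a store holding only interim-CA (what a single `x509 ca-certificate 'interim-CA'` gives charon: the issuer is found, its own issuer is not, so no trusted anchor is reached) and once against a store holding both CAs (what dropping root-CA.pem and interim-CA.pem into /etc/swanctl/x509ca does). It assumes the openssl CLI is installed.

```shell
#!/bin/sh
# Constructed three-level chain: root-CA -> interim-CA -> server.
# Keys and certs are generated into a scratch directory and never reused.
set -eu

build_chain() {                                   # $1 = scratch directory
    dir=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$dir/ca.ext"
    # Self-signed root CA (the trust anchor)
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/C=GB/O=GlobalSign/CN=root-CA' \
        -keyout "$dir/root.key" -out "$dir/root-CA.pem" 2>/dev/null
    # Intermediate CA signed by the root
    openssl req -new -newkey rsa:2048 -nodes -subj '/C=GB/O=GlobalSign/CN=interim-CA' \
        -keyout "$dir/interim.key" -out "$dir/interim.csr" 2>/dev/null
    openssl x509 -req -in "$dir/interim.csr" -CA "$dir/root-CA.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 2 -extfile "$dir/ca.ext" -out "$dir/interim-CA.pem" 2>/dev/null
    # End-entity certificate signed by the intermediate (the VPN peer's cert)
    openssl req -new -newkey rsa:2048 -nodes -subj '/C=GB/O=GlobalSign/CN=server' \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/interim-CA.pem" -CAkey "$dir/interim.key" \
        -CAcreateserial -days 2 -out "$dir/server.pem" 2>/dev/null
}

# Trust store with only interim-CA. The chain stops at a non-self-signed cert
# whose issuer (root-CA) is absent, so verification fails: returns non-zero.
verify_interim_only() {
    openssl verify -CAfile "$1/interim-CA.pem" "$1/server.pem" >/dev/null 2>&1
}

# Trust store with both CAs, like root-CA.pem + interim-CA.pem in x509ca: returns zero.
verify_full_chain() {
    cat "$1/root-CA.pem" "$1/interim-CA.pem" > "$1/x509ca.pem"
    openssl verify -CAfile "$1/x509ca.pem" "$1/server.pem" >/dev/null 2>&1
}

if command -v openssl >/dev/null 2>&1; then
    WORK=$(mktemp -d)
    build_chain "$WORK"
    verify_interim_only "$WORK" && echo "interim-CA only: OK" || echo "interim-CA only: chain incomplete (expected)"
    verify_full_chain "$WORK" && echo "root-CA + interim-CA: OK" || echo "root-CA + interim-CA: FAILED"
fi
```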
Reference URL:
https://docs.strongswan.org/docs/5.9/support/faq.html#_no_trusted_rsa_public_key_found_for