>> Questions about cert for roadwarrior and more? Why 192.168.1.79? I was
>> expecting 10.0.5.x please.
>
> Why did you expect that?

Desperate idea! It is the problem I think:

Jul 10 01:15:59 agroena iked[79159]: ca_sslerror: ca_validate_pubkey: error:09FFF06C:PEM routines:CRYPTO_internal:no start line
Jul 10 01:15:59 agroena iked[79159]: ca_sslerror: ca_validate_pubkey: error:09FFF06C:PEM routines:CRYPTO_internal:no start line
Jul 10 01:15:59 agroena iked[31968]: spi=0xeff602411ad464ff: ikev2_dispatch_cert: peer certificate is invalid

>
>> spi=0xc166e8f236679cc9: recv IKE_SA_INIT res 0 peer 45.77.223.7:500 local
>> 192.168.1.79:500, 255 bytes, policy 'roadwarrior'
>
> 192.168.1.79 is your local IP, which is on the interface with a link to
> the default gateway.
>
> $ route -n show -inet
>
> If you have multiple IPs and you want to force iked to use a specific
> one, you have to use "local":
>
> local 10.0.5.x peer 45.77.223.7 \
>
>> spi=0xaf891eb37dd8f4cc: ca_getreq: no valid local certificate found for
>> FQDN/roadwarrior
>> spi=0xaf891eb37dd8f4cc: ca_getreq: using local public key of type
>> RSA_KEY
>> spi=0xaf891eb37dd8f4cc: send IKE_AUTH req 1 peer 45.77.223.7:4500 local
>> 192.168.1.79:4500, 947 bytes, NAT-T
>> spi=0xaf891eb37dd8f4cc: recv IKE_AUTH res 1 peer 45.77.223.7:4500 local
>> 192.168.1.79:4500, 65 bytes, policy 'roadwarrior'
>> spi=0xaf891eb37dd8f4cc: sa_free: authentication failed notification from
>> peer
>
> Just a guess, since I have never worked with trusted public keys, but
> maybe you have to copy the client's local.pub into
> /etc/iked/pubkeys/fqdn/roadwarrior
> (not /etc/iked/pubkeys/fqdn/roadwarrior/local.pub)
> or
> /etc/iked/pubkeys/ipv4/A.B.C.D
> on the server.
>
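The two things this thread turns on are where iked expects the peer's public key to live and whether that file is actually a PEM public key (the "PEM routines ... no start line" error means OpenSSL never found a "-----BEGIN ...-----" line in it). The script below is an added example, written for this page and not taken from the thread or from iked itself. It assumes the pubkeys subdirectory names from iked.conf(5) (ipv4, ipv6, fqdn, ufqdn) and uses a constructed placeholder DER blob rather than a real RSA key.

```python
"""Sanity-check the iked(8) pubkey layout and PEM envelope.

Added example, not code from the original thread.  It does two things:

  1. maps a peer identity as iked prints it ("FQDN/roadwarrior",
     "IPV4/A.B.C.D") to the path iked looks in under /etc/iked/pubkeys/;
  2. checks that a file is a PEM public key, i.e. the thing OpenSSL's
     "PEM routines ... no start line" error says is missing.

Assumptions (not from the thread): subdirectory names follow
iked.conf(5); the sample key material is a constructed placeholder.
"""
import base64
import binascii
import re

PUBKEYS_DIR = "/etc/iked/pubkeys"

# iked ID type as it appears in the logs -> subdirectory under pubkeys/.
ID_DIRS = {"IPV4": "ipv4", "IPV6": "ipv6", "FQDN": "fqdn", "UFQDN": "ufqdn"}

BEGIN = "-----BEGIN PUBLIC KEY-----"
END = "-----END PUBLIC KEY-----"


def pubkey_path(identity: str, base: str = PUBKEYS_DIR) -> str:
    """'FQDN/roadwarrior' -> '/etc/iked/pubkeys/fqdn/roadwarrior'.

    The file is named after the identity itself; there is no per-peer
    directory with a local.pub inside it.
    """
    kind, _, name = identity.partition("/")
    if kind.upper() not in ID_DIRS or not name or "/" in name:
        raise ValueError(f"unsupported or malformed identity: {identity!r}")
    return f"{base}/{ID_DIRS[kind.upper()]}/{name}"


def check_pem_pubkey(text: str) -> str:
    """Return 'ok' or a short reason why OpenSSL would reject the file."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0] != BEGIN:
        # This is the condition behind "PEM routines:...:no start line":
        # the PEM reader never saw a -----BEGIN ...----- line.
        return "no start line"
    if END not in lines:
        return "no end line"
    body = "".join(lines[1:lines.index(END)])
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        return "bad base64"
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error:
        return "bad base64"
    # A SubjectPublicKeyInfo is an ASN.1 SEQUENCE, tag 0x30.
    if not der or der[0] != 0x30:
        return "not a DER SEQUENCE"
    return "ok"


# Constructed samples (not real keys): a minimal DER SEQUENCE wrapped in a
# PEM envelope, and the same bytes with the envelope left off.
_FAKE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])  # SEQUENCE { INTEGER 5 }
GOOD_PEM = "\n".join([BEGIN, base64.b64encode(_FAKE_DER).decode(), END]) + "\n"
BARE_BASE64 = base64.b64encode(_FAKE_DER).decode() + "\n"


if __name__ == "__main__":
    print("expected path:", pubkey_path("FQDN/roadwarrior"))
    print("expected path:", pubkey_path("IPV4/45.77.223.7"))
    for label, sample in (("good pem", GOOD_PEM), ("bare base64", BARE_BASE64)):
        print(f"{label}: {check_pem_pubkey(sample)}")
```

On a real host, point check_pem_pubkey at the contents of the path pubkey_path returns for the identity named in the ca_getreq line; a file that was copied as raw DER, or that still has a "BEGIN RSA PUBLIC KEY" header from a different tool, will be reported here before iked rejects it at IKE_AUTH.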