Failed to connect with ipsec Client on ubuntu 18.04 #1745

Closed
JACKHAHA363 opened this issue Mar 3, 2020 · 6 comments

Comments

@JACKHAHA363

JACKHAHA363 commented Mar 3, 2020

I can connect with IPsec from my laptop in Canada as well as my iPhone. But when I copy the same IPsec-generated files to my server in China, it shows the following error.

$ sudo ipsec up algovpn
initiating IKE_SA algovpn[1] to 52.199.163.199
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 10.10.1.52[500] to 52.199.163.199[500] (294 bytes)
received packet: from 52.199.163.199[500] to 10.10.1.52[500] (321 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
local host is behind NAT, sending keep alives
remote host is behind NAT
received 1 cert requests for an unknown ca
authentication of 'CN=shanxi2' (myself) with ECDSA_WITH_SHA384_DER successful
sending end entity cert "CN=shanxi2"
establishing CHILD_SA algovpn{1}
generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 10.10.1.52[4500] to 52.199.163.199[4500] (968 bytes)
received packet: from 52.199.163.199[4500] to 10.10.1.52[4500] (969 bytes)
parsed IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR DNS DNS6) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
received end entity cert "CN=52.199.163.199"
  using certificate "CN=52.199.163.199"
no issuer certificate found for "CN=52.199.163.199"
  issuer is "CN=52.199.163.199"
no trusted ECDSA public key found for '52.199.163.199'
generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
sending packet: from 10.10.1.52[4500] to 52.199.163.199[4500] (65 bytes)
establishing connection 'algovpn' failed

I compared this log with the successful connection log from my laptop in Canada, and the main difference I find is

strongman received 1 cert requests for an unknown ca

However I am not sure how to resolve this.

@InsOpDe

InsOpDe commented Mar 5, 2020

Having the same problem; it works with WireGuard, though.

@jackivanov
Collaborator

Did you put the CA cert on your client device?

@jackivanov
Collaborator

@JACKHAHA363
Author

@jackivanov Yes I did.

@aleks-mariusz
Contributor

aleks-mariusz commented Apr 3, 2020

@jackivanov I also have the same issue, any suggestions? It seems to be caused by #1758:

Output of strongswan rereadcacerts (on the client host):

Apr  3 18:07:56 limey charon: 13[CFG] rereading ca certificates from '/etc/strongswan/ipsec.d/cacerts'
Apr  3 18:07:56 limey charon: 13[LIB] found unsupported critical X.509 extension: X509v3 Name Constraints
Apr  3 18:07:56 limey charon: 13[LIB] OpenSSL X.509 parsing failed
Apr  3 18:07:56 limey charon: 13[LIB] building CRED_CERTIFICATE - X509 failed, tried 6 builders
Apr  3 18:07:56 limey charon: 13[CFG]   loading ca certificate from '/etc/strongswan/ipsec.d/cacerts/mycertname.pem' failed
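The charon log above shows why the gateway cert ends up "for an unknown ca": the OpenSSL plugin refuses a CA certificate carrying a critical extension it does not implement (RFC 5280 section 4.2 requires that), so the CA never loads. The following check finds such files in a cacerts directory before they are copied to a client. It is an added example, not Algo or strongSwan code; it assumes only the openssl command-line tool (1.1.1 or later, for -addext) and builds its own throw-away test CAs.

```shell
#!/bin/sh
# Flag CA certificates that charon's OpenSSL plugin will reject because their
# X509v3 Name Constraints extension is marked critical.  Added example; assumes
# only the openssl CLI (1.1.1+).  No strongSwan or Algo code is used.
set -eu

# Exit 0 if the PEM certificate in $1 marks Name Constraints as critical, 1 otherwise.
has_critical_name_constraints() {
  openssl x509 -in "$1" -noout -text | grep -q 'X509v3 Name Constraints: critical'
}

# Build a throw-away self-signed ECDSA CA (constructed test data, not a real CA) at
# $1; $2 is "critical," to mark the extension critical, or "" to leave it non-critical.
make_test_ca() {
  openssl req -x509 -nodes -days 1 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -subj "/CN=Constructed Test CA" -keyout "$1.key" -out "$1" \
    -addext "nameConstraints=${2}permitted;DNS:vpn.example.invalid" 2>/dev/null
}

# Walk a cacerts directory (e.g. /etc/strongswan/ipsec.d/cacerts), report each PEM
# that charon will fail to load on stderr, and print the count on stdout.
count_critical_name_constraints() {
  n=0
  for f in "$1"/*.pem; do
    [ -f "$f" ] || continue
    if has_critical_name_constraints "$f"; then
      echo "WILL NOT LOAD: $f (critical X509v3 Name Constraints)" >&2
      n=$((n + 1))
    fi
  done
  echo "$n"
}

# Usage: sh check_cacerts.sh /etc/strongswan/ipsec.d/cacerts
if [ "$#" -eq 1 ]; then
  n=$(count_critical_name_constraints "$1")
  echo "$n certificate(s) in $1 will be rejected by charon"
fi
```

A non-critical Name Constraints extension is skipped by a parser that does not implement it, so only the critical form produces the "found unsupported critical X.509 extension" line seen above.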

@jackivanov
Collaborator

Yeah, duplicate. Let's move to #1758, there's a solution there.
