Hello,

After retrying several times, it now seems that the two VPN gateways can begin the IKE_SA_INIT exchange but fail in the IKE_AUTH exchange, because when PC 192.168.100.2 pings 192.168.132.2, it fails ((192.168.100.2)----sg158<======>sg164----(192.168.132.2)). Here is the syslog info:

Feb 22 21:12:15 SG164 iked: [PROTO_ERR]: crypto_openssl.c:351:cb_check_cert(): unable  to get local issuer certificate(20) at depth:0 SubjectName:/C=CN/ST=JS/L=SZ/O=SUDA/OU=CSTS/CN=DCY/emailAddress=210313041@suda.edu.cn
Feb 22 21:12:15 SG164 iked: [INTERNAL_ERR]: crypto_openssl.c:304:eay_check_x509cert():
Feb 22 21:12:15 SG164 iked: [INTERNAL_ERR]: ike_conf.c:399:ikev2_public_key(): failed verifying certificate authrotiy of cert (/usr/local/racoon2/etc/cert/sg158_cert.pem)
Feb 22 21:12:15 SG164 iked: [PROTO_ERR]: ike_conf.c:446:ikev2_public_key(): no matching public key
Feb 22 21:12:15 SG164 iked: [INTERNAL_ERR]: ikev2_auth.c:437:ikev2_auth_verify(): 4:210.29.174.164[500] - 210.29.174.159[500]:(nil):failed to get public key
Feb 22 21:12:15 SG164 iked: [PROTO_ERR]: ikev2.c:2052:responder_ike_sa_auth_recv(): 4:210.29.174.164[500] - 210.29.174.159[500]:0x85f0718:authentication failure
Feb 22 21:12:15 SG164 iked: [INFO]: ike_sa.c:229:ikev2_abort(): 4:210.29.174.164[500] - 210.29.174.159[500]:(nil):aborting ike_sa


The /usr/local/racoon2/etc/cert/ of PC 210.29.174.164 includes:
3ff121bd.0 ------ The result of typing "ln -s cacert.pem `openssl x509 -noout -hash -cacert.pem`.0" (Meaning? And why do that?)
cacert.pem ------ The CA certificate
demoCA 
sg158_cert.pem  ------- The peer's certificate
sg164_cert.pem  sg164_key.pem ------ My certificate and private key

Is there anything wrong with the configuration of cert/? Could anyone who has successfully configured racoon2 give me some help and/or advice?
Thanks in advance.




--
Regards,

Du Chun-yan
running.dcy@gmail.com
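
A triage sketch for the error cascade in the syslog excerpt above, added here and not part of the original message or of racoon2: it parses the iked records and reduces them to the first cause (OpenSSL verify code 20 at depth 0, meaning the issuer of the peer certificate was not found in the local trust store) and the final outcome. The regular expressions assume the record layout seen in these seven lines; the function names are illustrative.

```python
import re

# Records copied from the message above, with the mail client's hard wraps rejoined.
LOG = """\
Feb 22 21:12:15 SG164 iked: [PROTO_ERR]: crypto_openssl.c:351:cb_check_cert(): unable  to get local issuer certificate(20) at depth:0 SubjectName:/C=CN/ST=JS/L=SZ/O=SUDA/OU=CSTS/CN=DCY/emailAddress=210313041@suda.edu.cn
Feb 22 21:12:15 SG164 iked: [INTERNAL_ERR]: crypto_openssl.c:304:eay_check_x509cert():
Feb 22 21:12:15 SG164 iked: [INTERNAL_ERR]: ike_conf.c:399:ikev2_public_key(): failed verifying certificate authrotiy of cert (/usr/local/racoon2/etc/cert/sg158_cert.pem)
Feb 22 21:12:15 SG164 iked: [PROTO_ERR]: ike_conf.c:446:ikev2_public_key(): no matching public key
Feb 22 21:12:15 SG164 iked: [INTERNAL_ERR]: ikev2_auth.c:437:ikev2_auth_verify(): 4:210.29.174.164[500] - 210.29.174.159[500]:(nil):failed to get public key
Feb 22 21:12:15 SG164 iked: [PROTO_ERR]: ikev2.c:2052:responder_ike_sa_auth_recv(): 4:210.29.174.164[500] - 210.29.174.159[500]:0x85f0718:authentication failure
Feb 22 21:12:15 SG164 iked: [INFO]: ike_sa.c:229:ikev2_abort(): 4:210.29.174.164[500] - 210.29.174.159[500]:(nil):aborting ike_sa
"""

LINE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) iked: \[(?P<level>\w+)\]: "
                  r"(?P<file>[\w.]+):(?P<line>\d+):(?P<func>\w+)\(\):\s*(?P<msg>.*)$")
VERIFY = re.compile(r"\((\d+)\) at depth:(\d+) SubjectName:(\S+)")
CERT = re.compile(r"of cert \(([^)]+)\)")
ENDPOINTS = re.compile(r"(\d+(?:\.\d+){3})\[\d+\] - (\d+(?:\.\d+){3})\[\d+\]")
# Subset of OpenSSL X509_V_ERR_* verification codes, keyed by number.
X509_V_ERR = {2: "UNABLE_TO_GET_ISSUER_CERT", 10: "CERT_HAS_EXPIRED",
              18: "DEPTH_ZERO_SELF_SIGNED_CERT", 20: "UNABLE_TO_GET_ISSUER_CERT_LOCALLY"}

def parse(log):
    """Yield one dict per iked record; lines that do not match are skipped."""
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m.groupdict()

def triage(log):
    """Collapse an iked failure cascade into its first cause and final outcome."""
    out = {"auth_failed": False}
    for rec in parse(log):
        msg = rec["msg"]
        if (m := VERIFY.search(msg)) and "verify_code" not in out:
            code = int(m.group(1))
            out.update(verify_code=code, verify_name=X509_V_ERR.get(code, "UNKNOWN"),
                       depth=int(m.group(2)), subject=m.group(3))
        if m := CERT.search(msg):
            out["cert_file"] = m.group(1)   # certificate iked was trying to validate
        if m := ENDPOINTS.search(msg):
            out["endpoints"] = m.groups()   # the two addresses in the order logged
        if "authentication failure" in msg:
            out["auth_failed"] = True
    return out

if __name__ == "__main__":
    for key, value in triage(LOG).items():
        print(f"{key}: {value}")
```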