Discussion:
[strongSwan] Strongswan VPN with CA
Michal Grzelak
2018-05-16 09:40:22 UTC
I have a site-to-site VPN between strongSwan and Cisco working over PSK.
I wanted to upgrade it to authenticate via certificates, but can't get it
done. I'm receiving the following error:

May 9 13:57:20 strongswan charon: 13[CFG] ocsp response correctly signed by "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Validation Authority - G2"
May 9 13:57:20 strongswan charon: 13[CFG] ocsp response is valid: until May 11 01:05:00 2018
May 9 13:57:20 strongswan charon: 13[CFG] using cached ocsp response
May 9 13:57:20 strongswan charon: 13[CFG] certificate status is good
May 9 13:57:20 strongswan charon: 13[CFG] certificate policy 2.16.840.1.114413.1.7.23.1 for 'OU=Domain Control Validated, CN=hostname.somedomain.com' not allowed by trustchain, ignored
May 9 13:57:20 strongswan charon: 13[CFG] certificate policy 2.23.140.1.2.1 for 'OU=Domain Control Validated, CN=hostname.somedomain.com' not allowed by trustchain, ignored
May 9 13:57:20 strongswan charon: 13[CFG] reached self-signed root ca with a path length of 1
May 9 13:57:20 strongswan charon: 13[IKE] signature validation failed, looking for another key

The certificates for both ends are signed by two different CAs, but I have already
exchanged the public root and intermediate certs. On the Cisco side I see the
tunnel goes up for both Phase 1 and 2, so it's good. strongSwan has a problem
with it and no SA is up.

Configuration:

conn testconn
auto=start
left=%any
leftfirewall=yes
leftid=@strongswan.mydomain.com
leftid=x.x.x.x
leftcert=strongswan.mydomain.com.pem
right=y.y.y.y
rightid=%any
rightid=@hostname.somedomain.com
type=tunnel
ikelifetime=24h
keylife=1h
esp=aes256-sha384-ecp521
ike=aes256-sha384-modp1024
keyingtries=%forever
keyexchange=ikev2
leftsubnet=z.z.z.z/z
rightsubnet=u.u.u.u/u
dpddelay=10s
dpdtimeout=30s
dpdaction=restart

What could be wrong here? Any suggestions?
Thanks.
--
Best regards,
Michał
Phil Frost
2018-05-16 12:10:27 UTC
It doesn't appear you've configured strongswan to trust any CAs anywhere.
See /etc/ipsec.d/cacerts, the "CA SECTIONS" section in ipsec.conf(5), and
the leftca and rightca options.
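One way to make the CA trust explicit in ipsec.conf, as an added illustration and not a configuration from this thread: the file names, DNs and OCSP URI are placeholders, and the root and intermediate certificates of both CAs are assumed to have been copied into /etc/ipsec.d/cacerts.

```conf
# /etc/ipsec.conf (added example; placeholder names, DNs and URIs throughout)

config setup
    # log chain-building and trust decisions in detail while debugging
    charondebug="cfg 2, ike 2"

# Every root and intermediate that either side's certificate chains to
# must be loaded from /etc/ipsec.d/cacerts or declared in a ca section.
ca local-root
    cacert=local-root.pem          # CA that issued strongswan.mydomain.com.pem
    auto=add

ca peer-root
    cacert=peer-root.pem           # CA that issued the Cisco peer's certificate
    ocspuri=http://ocsp.example-ca.invalid/   # placeholder OCSP responder
    auto=add

conn testconn
    keyexchange=ikev2
    auto=start
    left=%any
    leftid=@strongswan.mydomain.com
    leftcert=strongswan.mydomain.com.pem
    # restrict which CA may have issued our own certificate
    leftca="C=XX, O=Placeholder Local CA, CN=Local Root CA"
    leftsubnet=z.z.z.z/z
    right=y.y.y.y
    # match the peer's certificate identity rather than accepting %any
    rightid=@hostname.somedomain.com
    # only accept a peer certificate that chains to this CA
    rightca="C=XX, O=Placeholder Peer CA, CN=Peer Root CA"
    rightsubnet=u.u.u.u/u
    ike=aes256-sha384-modp1024
    esp=aes256-sha384-ecp521
    ikelifetime=24h
    keylife=1h
```

After `ipsec reload`, `ipsec listcacerts` shows which CA certificates charon actually loaded, which is the first thing to compare against the issuer of the peer's certificate.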
Michal Grzelak
2018-05-16 13:20:05 UTC
Thanks Phil for the input.
I have the public certs copied into /etc/ipsec.d/cacerts. Moreover, I have been
playing with leftca and rightca and that didn't help; I always get the same
error.
--
Best regards,
Michał Grzelak
Senior Cloud Architect

Nordcloud Poland sp. z o.o.
Dąbrowskiego 79A, 60-575 Poznań
www.nordcloud.com
