IKE Authentication Failed while using certificates in Libreswan(Ipsec tunnel)

Question

I am using Libreswan to create IPSec tunnels between VM's. I am using certificates to authenticate(for phase 1 of IPSec). However the IKE tunnel is not getting established and the authentication is failing.

I have been trying to establish IPSec connections between two Local VMs (installed on my Mac) using certificates. I followed the steps mentioned in this link (https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan#Configuring_certificates_in_ipsec.conf_and_ipsec.secrets)

I created a Certificate Authority on one of the machine and created a user certificate signed with this CA.

certutil -S -k rsa -n "MyCA" -s "CN=localhost.localdomain" -v 12 
-t "CT,C,C" -x -d sql:/etc/ipsec.d

certutil -S -k rsa -c "MyCA" -n "user1" -s "CN=localhost.localdomain" 
-v 12 -t "u,u,u" -d sql:/etc/ipsec.d'

To load the CA to the other machine, I exported the CA using

pk12util -o CACert.p12 -n MyCA -d sql:/etc/ipsec.d

Copied this CACert.p12 file to another machine. Imported it into NSS DB.


ipsec import CACert.p12


certutil -M -n MyCA -t "CT,," -d sql:/etc/ipsec.d

Created another user certificate signed by the same CA

certutil -S -k rsa -c "MyCA" -n "user2" -s "CN=localhost.localdomain" 
-v 12 -t "u,u,u" -d sql:/etc/ipsec.d

Here is the configuration parameters of the tunnel.

Machine 1:

conn mytunnel24

    type=transport

    left=192.168.244.132

    leftrsasigkey=%cert
    leftcert=user1

    right=192.168.244.130

    rightrsasigkey=%cert

    # load and initiate automatically
auto=start

Machine 2:
conn mytunnel24
    
type=transport

    left=192.168.244.130
    
leftrsasigkey=%cert
    
leftcert=user2

    right=192.168.244.132
    
rightrsasigkey=%cert

    # load and initiate automatically
    
auto=start

I also tried with FQDNS for leftid and rightid of the tunnel. I am getting the same errors.

The following are the errors :-

002 "mytunnel24" #5: initiating v2 parent SA

133 "mytunnel24" #5: initiate

133 "mytunnel24" #5: STATE_PARENT_I1: sent v2I1, expected v2R1

002 | constructed local ESP/AH proposals for mytunnel24 (IKE SA initiator emitting ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED 2:ESP:ENCR=CHACHA20_POLY1305;INTEG=NONE;DH=NONE;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA1_96,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED 4:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED 5:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED

134 "mytunnel24" #6: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=DH19}

002 "mytunnel24" #6: IKE SA authentication request rejected: AUTHENTICATION_FAILED
000 "mytunnel24" #6: scheduling retry attempt 1 of an unlimited number, but releasing whack