I am attempting to use a Let's Encrypt certificate on my strongSwan server, but I also see this behaviour with my own internal CA.
When trying to connect from a Windows 10 host to a strongSwan instance, the Windows host displays one of its oh-so-helpful error messages that the "IKE Authentication credentials are not acceptable".
When I install the intermediate certificate authority certificate onto the Windows host, everything connects just fine. When I do not have the intermediate present on the client (but it is in the cacerts folder on the strongSwan server), I receive the error.
So it seems to me that strongSwan is not sending the intermediate certificate, but having spent several hours chasing this around I'm at a loss as to how to force the sending of the intermediate cert. I can see that it is sending the end entity cert in the logs, but there is no mention of the intermediate.
Any guidance much appreciated.
So it turns out that, at least for the version of strongSwan I have installed on Debian Buster, strongSwan refuses to load the intermediate certificate into its store without the whole certificate chain being present; that is to say, I had to download the root certificate and also add that under the cacerts folder, and now everything works as expected.
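
A way to check for the gap described in the answer above, as an added example that is not part of the original posts: the script lists every certificate in a CA directory whose issuer is not also present there. The function name `missing_issuers` is hypothetical, and the directory is passed by the caller (on a stock Debian install the cacerts folder is commonly `/etc/ipsec.d/cacerts`, which is an assumption here).

```shell
#!/bin/sh
# Added example: find CA certificates whose issuer is absent from the same
# directory, i.e. chains that do not reach a self-signed root.
# Assumes one PEM certificate per file and the openssl CLI on PATH.
# Matching is by subject/issuer name hash only; signatures are not verified.

# missing_issuers DIR
#   Prints one line per certificate whose issuer is not in DIR.
#   Returns 0 when every certificate's issuer is present, 1 otherwise.
missing_issuers() {
    dir=$1
    subjects=""
    # Pass 1: collect the subject-name hash of every readable certificate.
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        h=$(openssl x509 -in "$f" -noout -subject_hash 2>/dev/null) || continue
        subjects="$subjects $h"
    done
    rc=0
    # Pass 2: each issuer-name hash must equal some collected subject hash.
    # A self-signed root satisfies this by itself (subject == issuer).
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        ih=$(openssl x509 -in "$f" -noout -issuer_hash 2>/dev/null) || continue
        case " $subjects " in
            *" $ih "*) ;;
            *)
                echo "$f: no certificate in $dir matches $(openssl x509 -in "$f" -noout -issuer)"
                rc=1
                ;;
        esac
    done
    return $rc
}

# Stand-alone use: sh check_cacerts.sh <directory>
if [ $# -gt 0 ]; then
    missing_issuers "$1"
fi
```

A non-zero exit with an intermediate listed corresponds to the situation in the answer: the intermediate is in the folder but its root is not.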