<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Tahoma
}
--></style>
</head>
<body class='hmmessage'>
Andreas, <BR>
Thanks for your clarification. <BR>
I found the root cause of the error report. Before sending out the Authentication Payload, the implementation on my side always does one round of checking to see whether the public key can reproduce the same Auth Payload. Unfortunately, OpenSSL modified the input Auth Payload after the check, so the wrong Auth Payload was sent out.<BR>
Now the issue has been fixed. <BR>
<BR>
Thanks<BR>
Michalle<BR> <BR>
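The point Andreas makes below, that the IKEv2 Certificate Payload always carries the DER bytes even when "leftcert" names a PEM file, as an added example that is not part of this thread or of strongSwan: it strips the PEM armour, builds the RFC 5996 section 3.6 Certificate Payload with Cert Encoding 4 ("X.509 Certificate - Signature"), and parses it back. The certificate bytes are a constructed stand-in, not a real X.509 certificate.<BR>

```python
import base64
import re
import struct

# Cert Encoding value for "X.509 Certificate - Signature" (RFC 5996, section 3.6).
CERT_ENCODING_X509_SIGNATURE = 4

# Constructed stand-in for a certificate so the example runs offline: it is a
# minimal DER SEQUENCE, not a real X.509 certificate.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(text: str) -> bytes:
    """Strip the PEM armour and base64-decode the CERTIFICATE block into DER."""
    m = _PEM_RE.search(text)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def cert_payload_from_file(data: bytes, next_payload: int = 0) -> bytes:
    """Build an IKEv2 Certificate Payload from a certificate file, PEM or DER.

    Whatever the on-disk format, the Certificate Data field carries DER; sending
    the PEM text itself is what the peer in this thread had to stop doing.
    """
    if data.lstrip().startswith(b"-----BEGIN"):
        der = pem_to_der(data.decode("ascii"))
    elif data[:1] == b"\x30":          # DER SEQUENCE tag
        der = data
    else:
        raise ValueError("not a PEM or DER certificate")
    length = 4 + 1 + len(der)          # generic header + Cert Encoding + data
    header = struct.pack("!BBH", next_payload, 0, length)  # critical bit clear
    return header + bytes([CERT_ENCODING_X509_SIGNATURE]) + der


def parse_cert_payload(payload: bytes):
    """Split a Certificate Payload into (next_payload, cert_encoding, cert_data)."""
    next_payload, flags, length = struct.unpack("!BBH", payload[:4])
    if length != len(payload) or length < 5:
        raise ValueError("bad Payload Length")
    return next_payload, payload[4], payload[5:]
```

Feeding the same certificate as PEM and as DER yields byte-identical payloads, which is the behaviour the quoted RFC text requires.<BR>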
> Date: Wed, 3 Nov 2010 08:25:50 +0100<BR>
> From: andreas.steffen@strongswan.org<BR>
> To: michalle_oy@hotmail.com<BR>
> CC: users@lists.strongswan.org<BR>
> Subject: Re: [strongSwan] Does Strongswan support PEM format<BR>
> <BR>
> Hello Michalle,<BR>
> <BR>
> Section 3.6 of RFC 5996 on the IKEv2 Certificate Payload<BR>
> <BR>
> http://tools.ietf.org/html/rfc5996#section-3.6<BR>
> <BR>
> clearly states<BR>
> <BR>
> "X.509 Certificate - Signature" contains a DER-encoded X.509<BR>
> certificate whose public key is used to validate the sender's AUTH<BR>
> payload.<BR>
> <BR>
> This means that even if the certificate is loaded as a file in<BR>
> PEM format it will always be transmitted in binary DER format.<BR>
> And this is what strongSwan does.<BR>
> <BR>
> Concerning your authentication error, it can be caused either by<BR>
> a certificate with a wrong public key or a wrong subject Distinguished<BR>
> Name, or by a flawed signature contained in the AUTH payload.<BR>
> <BR>
> Regards<BR>
> <BR>
> Andreas<BR>
> <BR>
> On 11/03/2010 07:17 AM, michalle OY wrote:<BR>
> > Hi, all<BR>
> > I met a problem when doing an interoperability test between Strongswan and my<BR>
> > IPsec implementation.<BR>
> > I tried to send a certificate in PEM format to the Strongswan endpoint, but it<BR>
> > reports that it isn't supported. I found that Strongswan uses the DER<BR>
> > "X.509 Certificate - Signature" format in the Certificate Payload even if in<BR>
> > the ipsec.conf file "leftcert" points to a PEM file.<BR>
> > The other issue is that after I changed the certificate from PEM to DER<BR>
> > and tried again, strongswan reported "Authentication of 'CN=**, ST=**,<BR>
> > E=***, OU=SSG, O=SGG' with RSA signature failed."<BR>
> > <BR>
> > My questions are: 1. Does Strongswan support PEM format? 2. Does the<BR>
> > authentication failure mean the certificate has a problem or the<BR>
> > authentication payload has a problem?<BR>
> > <BR>
> > Your answers are appreciated.<BR>
> > <BR>
> > Thanks<BR>
> > Michalle<BR>
> <BR>
> ======================================================================<BR>
> Andreas Steffen andreas.steffen@strongswan.org<BR>
> strongSwan - the Linux VPN Solution! www.strongswan.org<BR>
> Institute for Internet Technologies and Applications<BR>
> University of Applied Sciences Rapperswil<BR>
> CH-8640 Rapperswil (Switzerland)<BR>
> ===========================================================[ITA-HSR]==<BR>
</body>
</html>