<div dir="ltr">
<p class="MsoNormal">Hi Everyone,</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">I have a host-to-host IPsec setup between two IPs, 10.206.1.10
and 10.206.1.11.</p>
<p class="MsoNormal">The tunnel is established using certificates. The tunnel is
established properly when the certificates are generated using the root CA.</p>
<p class="MsoNormal">But when the certificates are generated using intermediate
CAs, the tunnel is not getting established.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">In 10.206.1.10</p>
<p class="MsoNormal">Under /etc/ipsec.d/cacerts/ I have copied ca.crt (root CA), <b>ca-int.crt (intermediate CA)</b>.</p>
<p class="MsoNormal">In /etc/ipsec.d/certs/ I have copied the end-entity cert issued
by ca-int.crt.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">In 10.206.1.11</p>
<p class="MsoNormal">Under /etc/ipsec.d/cacerts/ I have copied ca.crt (root CA), <b>ca-int1.crt (intermediate CA)</b>.</p>
<p class="MsoNormal">In /etc/ipsec.d/certs/ I have copied the end-entity cert issued
by ca-int1.crt.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">I am getting the errors below:</p>
<p class="MsoNormal">Mar  3 19:34:45 localhost charon: 06[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ(ADDR) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]</p>
<p class="MsoNormal">Mar  3 19:34:45 localhost charon: 06[IKE] received cert request for "CN=DaRoot"</p>
<p class="MsoNormal">Mar  3 19:34:45 localhost charon: 06[IKE] received end entity cert "CN=1234abcd"</p>
<p class="MsoNormal">Mar  3 19:34:45 localhost charon: 06[CFG] looking for peer configs matching 10.206.1.11[CN=12345abcde]...10.206.1.10[CN=1234abcd]</p>
<p class="MsoNormal">Mar  3 19:34:45 localhost charon: 06[CFG] peer config match local: 20 (ID_DER_ASN1_DN -> 30:15:31:13:30:11:06:03:55:04:03:13:0a:31:32:33:34:35:61:62:63:64:65)</p>
<p class="MsoNormal">Mar  3 19:34:45 localhost charon: 06[CFG] peer config match remote: 20 (ID_DER_ASN1_DN -> 30:13:31:11:30:0f:06:03:55:04:03:13:08:31:32:33:34:61:62:63:64)</p>
<p class="MsoNormal">Mar  3 19:34:45 localhost charon: 06[CFG] ike config match: 3100 (10.206.1.11 10.206.1.10 IKEv2)</p>
<p class="MsoNormal">Mar  3 19:34:45 localhost charon: 06[CFG]  candidate "home1", match: 20/20/3100 (me/other/ike)</p>
<p class="MsoNormal">Mar  3 19:34:45 localhost charon: 06[CFG] selected peer config 'home1'</p>
<p class="MsoNormal">Mar  3 19:34:45 localhost charon: 06[IKE] IDx' => 25 bytes @ 0xb4d82fe0</p>
<p class="MsoNormal">Mar  3 19:34:45 localhost charon: 06[IKE]    0: 09 00 00 00 30 13 31 11 30 0F 06 03 55 04 03 13  ....0.1.0...U...</p>
<p class="MsoNormal">Mar  3 19:34:45 localhost charon: 06[IKE]   16: 08 31 32 33 34 61 62 63 64  .1234abcd</p>
<p class="MsoNormal">Mar  3 19:34:45 localhost charon: 06[IKE] SK_p => 16 bytes @ 0x91c5340</p>
<p class="MsoNormal">Mar  3 19:34:45 localhost charon: 06[IKE]    0: 43 85 1F D8 CA 8B BD 27 A0 58 B8 9F 18 5C E7 C0  C......'.X...\..</p>
<p class="MsoNormal">Mar  3 19:34:45 localhost charon: 06[IKE] octets = message + nonce + prf(Sk_px, IDx') => 316 bytes @ 0x91c6d88</p>
<p class="MsoNormal">Mar  3 19:34:45 localhost charon: 06[IKE]    0: 95 B5 C1 A2 8D 13 C3 77 00 00 00 00 00 00 00 00  .......w........</p>
<p class="MsoNormal">Mar  3 19:34:45 localhost charon: 06[IKE]   16: 21 20 22 08 00 00 00 00 00 00 01 0C 22 00 00 2C  ! "........."..,</p>
<p class="MsoNormal">Mar  3 19:34:45 localhost charon: 06[IKE]   32: 00 00 00 28 01 01 00 04 03 00 00 08 01 00 00 03  ...(............</p>
<p class="MsoNormal">Mar  3 19:34:45 localhost charon: 06[IKE]   48: 03 00 00 08 03 00 00 01 03 00 00 08 02 00 00 01  ................</p>
<p class="MsoNormal">Mar  3 19:34:45 localhost charon: 06[IKE]   64: 00 00 00 08 04 00 00 01 28 00 00 68 00 01 00 00  ........(..h....</p>
<p class="MsoNormal">Mar  3 19:34:45 localhost charon: 06[IKE]   80: 23 F4 AC E7 E8 4E 55 80 54 B7 14 C8 48 B9 98 AE  #....NU.T...H...</p>
<p class="MsoNormal">Mar  3 19:34:45 localhost charon: 06[IKE]   96: 15 DB CA F8 93 BF 31 2D 59 89 77 52 32 A8 0A 2D  ......1-Y.wR2..-</p>
<p class="MsoNormal">Mar  3 19:34:45 localhost charon: 06[IKE]  112: 78 3E 6F EB 6D 33 5A E6 A5 B7 0F 9A 3C DA 4E D8  x&gt;o.m3Z.....&lt;.N.</p>
<p class="MsoNormal">Mar  3 19:34:45 localhost charon: 06[IKE]  128: E6 71 B4 C4 5A D7 20 48 61 B2 34 14 99 0A F6 AF  .q..Z. Ha.4.....</p>
<p class="MsoNormal">Mar  3 19:34:45 localhost charon: 06[IKE]  144: F8 DB 6D 82 B2 55 6C 1B 84 CA 37 8E C3 7F 50 8A  ..m..Ul...7...P.</p>
<p class="MsoNormal">Mar  3 19:34:45 localhost charon: 06[IKE]  160: 5C 2A 39 E4 27 FC 8D 23 38 95 E2 B2 F3 F9 8E CA  \*9.'..#8.......</p>
<p class="MsoNormal">Mar  3 19:34:45 localhost charon: 06[IKE]  176: 29 00 00 24 03 8D 56 09 5D B1 17 D2 BA 29 D6 8B  )..$..V.]....)..</p>
<p class="MsoNormal">Mar  3 19:34:45 localhost charon: 06[IKE]  192: 7E 0B A5 2D 42 4C 1D 37 D9 EA 17 4A 0D 0C 77 67  ~..-BL.7...J..wg</p>
<p class="MsoNormal">Mar  3 19:34:45 localhost charon: 06[IKE]  208: E6 51 40 1D 29 00 00 1C 00 00 40 04 D5 2F E3 7F  .Q@.).....@../..</p>
<p class="MsoNormal">Mar  3 19:34:45 localhost charon: 06[IKE]  224: 13 80 F3 7A 91 9D F2 7A 0A 6E C0 A9 E7 B2 72 63  ...z...z.n....rc</p>
<p class="MsoNormal">Mar  3 19:34:45 localhost charon: 06[IKE]  240: 00 00 00 1C 00 00 40 05 BD B4 3E 98 F1 EB F4 10  ......@...&gt;.....</p>
<p class="MsoNormal">Mar  3 19:34:45 localhost charon: 06[IKE]  256: 44 06 6B 25 90 C4 30 CF BB FB FE 4C 00 9B 1E AD  D.k%..0....L....</p>
<p class="MsoNormal">Mar  3 19:34:45 localhost charon: 06[IKE]  272: 19 7A F6 43 23 A9 8A C4 3C EF 98 57 13 69 07 0E  .z.C#...&lt;..W.i..</p>
<p class="MsoNormal">Mar  3 19:34:45 localhost charon: 06[IKE]  288: 9A E4 34 F1 A6 9B 48 65 E8 06 8A 6C 6D 30 6B C1  ..4...He...lm0k.</p>
<p class="MsoNormal">Mar  3 19:34:45 localhost charon: 06[IKE]  304: F2 2C 6E 19 39 37 C1 C6 2F 48 D2 18  .,n.97../H..</p>
<p class="MsoNormal">Mar  3 19:34:45 localhost charon: 06[CFG]  using certificate "CN=1234abcd"</p>
<p class="MsoNormal">Mar  3 19:34:45 localhost charon: 06[CFG]  certificate "CN=1234abcd" key: 2048 bit RSA</p>
<p class="MsoNormal"><b>Mar  3 19:34:45 localhost charon: 06[CFG] no issuer certificate found for "CN=1234abcd"</b></p>
<p class="MsoNormal">Mar  3 19:34:45 localhost charon: 06[IKE] no trusted RSA public key found for 'CN=1234abcd'</p>
<p class="MsoNormal">Mar  3 19:34:45 localhost charon: 06[IKE] processing INTERNAL_IP4_ADDRESS attribute</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Please let me know how to resolve this issue.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">The post below suggests that the intermediate certs need to be
sent along with the end-entity certificate in the IKE_AUTH message.</p>
<p class="MsoNormal">If that can solve the issue, how can I achieve it?</p>
<p class="MsoNormal"><a href="https://lists.strongswan.org/pipermail/users/2013-March/008956.html">https://lists.strongswan.org/pipermail/users/2013-March/008956.html</a></p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Any help in this regard is appreciated.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Regards,</p>
<p class="MsoNormal">Sriram.</p>
</div>
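<p class="MsoNormal">The failure in the log above ("no issuer certificate found") is a chain-building problem: the receiving host trusts the root but holds only its own intermediate, so the other peer's end-entity cert cannot be linked back to "CN=DaRoot". The script below is an added example, not code from the original post or from strongSwan; it uses openssl (not strongSwan's pki tool) to build a throwaway root / intermediate / host PKI with the subject names from the log and then runs the verification twice, once with the root alone and once with the intermediate available as an untrusted link. The temp directory, file names, key sizes and extension profiles are assumptions.</p>

```shell
#!/bin/sh
# Added example (not from the post or strongSwan): root -> intermediate -> host
# chain built with openssl; shows when the host cert can and cannot be chained
# to the root. Names DaRoot / ca-int / 1234abcd come from the post's log; the
# temp dir, file names and extension profiles are assumptions.

WORK="$(mktemp -d)"
CFG="$WORK/openssl.cnf"
trap 'rm -rf "$WORK"' EXIT

# Extension profiles for the three certificate roles (assumed, minimal).
cat > "$CFG" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_int ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_host ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# Self-signed root "DaRoot", intermediate "ca-int" issued by the root, and
# host cert "1234abcd" issued by the intermediate. Idempotent: a second call
# reuses the files already generated.
build_pki() {
  [ -f "$WORK/host.crt" ] && return 0
  openssl req -x509 -config "$CFG" -extensions v3_ca -newkey rsa:2048 -nodes \
    -sha256 -days 365 -subj "/CN=DaRoot" \
    -keyout "$WORK/root.key" -out "$WORK/ca.crt" >/dev/null 2>&1 || return 1
  openssl req -new -config "$CFG" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=ca-int" -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$CFG" -extensions v3_int \
    -out "$WORK/ca-int.crt" >/dev/null 2>&1 || return 1
  openssl req -new -config "$CFG" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=1234abcd" -keyout "$WORK/host.key" -out "$WORK/host.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$WORK/host.csr" -CA "$WORK/ca-int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$CFG" -extensions v3_host \
    -out "$WORK/host.crt" >/dev/null 2>&1
}

# Issuer DN of the host cert in RFC 2253 form: the certificate a verifier
# must locate before it can go any further up the chain.
host_issuer() {
  openssl x509 -in "$WORK/host.crt" -noout -issuer -nameopt RFC2253
}

# Verifier that trusts the root but has never seen "ca-int". This mirrors
# the peer whose cacerts holds ca.crt plus only its *own* intermediate:
# chain building stops at the host cert, so this returns non-zero.
verify_root_only() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/host.crt" >/dev/null 2>&1
}

# Same trust anchor, with the intermediate supplied as an untrusted link
# (the role it plays whether it arrives from the peer or from a local copy).
verify_with_intermediate() {
  openssl verify -CAfile "$WORK/ca.crt" -untrusted "$WORK/ca-int.crt" \
    "$WORK/host.crt" >/dev/null 2>&1
}

build_pki || { echo "PKI build failed (is openssl installed?)"; exit 1; }
echo "host cert $(host_issuer)"
if verify_root_only; then
  echo "root only: verified"
else
  echo "root only: chain incomplete (the charon log's 'no issuer certificate found')"
fi
if verify_with_intermediate; then
  echo "root + intermediate: verified"
else
  echo "root + intermediate: failed"
fi
```

<p class="MsoNormal">The second verification is the one that succeeds, and the only thing that changed is that the intermediate became available to the verifier; the trust anchor (ca.crt) never changed. Transposed to the post's setup, the peer receiving "CN=1234abcd" must obtain ca-int.crt from somewhere: either in the sender's IKE_AUTH CERT payloads, as the linked thread discusses, or from its own /etc/ipsec.d/cacerts/, which in the post holds only ca.crt and ca-int1.crt. Checking the received end-entity cert's issuer against what the receiving host actually has is the first test to run.</p>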