<div dir="ltr"><div><div><div>Yes Andreas, I had retained authby=secret, which I had used to set up tunnels using PSK.<br></div>Thanks for pointing that out. I changed it to pubkey.<br>Now I am able to set up the tunnels properly.<br>
</div>IKE_AUTH payload contains the chain of certificates now.<br><br></div><div>Thanks for the help.<br><br></div>Regards,<br>Sriram.<br><div><br><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">
On Thu, Mar 6, 2014 at 7:16 PM, Andreas Steffen <span dir="ltr"><<a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@strongswan.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi Sriram,<br>
<br>
the actual error now is<div class=""><br>
<br>
> authentication of 'CN=ten' (myself) with pre-shared key<br>
> no shared key found for 'CN=ten' - 'CN=eleven'<br>
<br></div>
Did you configure PSK-based authentication by either<br>
setting leftauth=psk, leftauth=secret, or authby=secret?<br>
<br>
For mutual certificate based authentication you should set<br>
<br>
  authby=pubkey<br>
<br>
which is the default or alternatively<br>
<br>
  leftauth=pubkey<br>
  rightauth=pubkey<br>
<br>
Regards<br>
<br>
Andreas<div><div class="h5"><br>
<br>
On 06.03.2014 14:31, Sriram wrote:<br>
</div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5">
Hi Andreas,<br>
<br>
Now I have added CA:TRUE for intermediate certs<br>
<br>
10.206.1.10<br>
[root@localhost private]# ipsec listcacerts<br>
<br>
List of X.509 CA Certificates:<br>
<br>
   subject:  "CN=DaRoot"<br>
   issuer:   "CN=DaRoot"<br>
   serial:    b6:1b:fb:f4:96:05:f7:18<br>
   validity:  not before Mar 06 18:01:38 2014, ok<br>
              not after  Apr 05 18:01:38 2014, ok (expires in 29 days)<br>
   pubkey:    RSA 1024 bits<br>
   keyid:     eb:12:9a:05:72:2b:bf:89:f0:49:91:47:f7:bf:c1:85:9b:0f:66:e8<br>
   subjkey:   55:90:f7:42:41:91:73:a1:fb:84:b8:91:8a:2e:32:44:73:97:f9:10<br>
   authkey:   55:90:f7:42:41:91:73:a1:fb:84:b8:91:8a:2e:32:44:73:97:f9:10<br>
<br>
   subject:  "CN=Zintermediate"<br>
   issuer:   "CN=DaRoot"<br>
   serial:    02:46:a7:72<br>
   validity:  not before Mar 06 18:05:34 2014, ok<br>
              not after  Mar 26 18:05:34 2014, ok (expires in 19 days)<br>
   pubkey:    RSA 1024 bits<br>
   keyid:     c2:ba:fb:bd:36:0b:bd:32:e7:8e:0c:b9:25:82:59:64:6a:f8:b7:46<br>
   subjkey:   f0:2a:8a:a7:55:7f:1b:44:ef:c4:18:00:79:c1:d8:7b:be:98:00:cd<br>
<br>
<br>
10.206.1.11<br>
[root@localhost sriram_ikeauth]# ipsec listcacerts<br>
<br>
List of X.509 CA Certificates:<br>
<br>
   subject:  "CN=Zintermediate1"<br>
   issuer:   "CN=DaRoot"<br>
   serial:    02:46:a7:73<br>
   validity:  not before Mar 06 18:09:23 2014, ok<br>
              not after  Mar 26 18:09:23 2014, ok (expires in 19 days)<br>
   pubkey:    RSA 1024 bits<br>
   keyid:     ea:d5:28:42:7e:74:f3:47:53:51:5e:28:be:27:ed:8f:2c:dc:05:eb<br>
   subjkey:   ee:3d:fe:ab:11:d4:d9:3c:a2:3c:95:cb:42:04:d8:0e:12:35:36:76<br>
<br>
   subject:  "CN=DaRoot"<br>
   issuer:   "CN=DaRoot"<br>
   serial:    b6:1b:fb:f4:96:05:f7:18<br>
   validity:  not before Mar 06 18:01:38 2014, ok<br>
              not after  Apr 05 18:01:38 2014, ok (expires in 29 days)<br>
   pubkey:    RSA 1024 bits<br>
   keyid:     eb:12:9a:05:72:2b:bf:89:f0:49:91:47:f7:bf:c1:85:9b:0f:66:e8<br>
   subjkey:   55:90:f7:42:41:91:73:a1:fb:84:b8:91:8a:2e:32:44:73:97:f9:10<br>
   authkey:   55:90:f7:42:41:91:73:a1:fb:84:b8:91:8a:2e:32:44:73:97:f9:10<br>
<br>
But ipsec tunnel is not getting established<br>
In 10.206.1.10 I am getting the below errors.<br>
<br>
[root@localhost private]# ipsec up home<br>
initiating IKE_SA home[2] to 10.206.1.11<br>
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]<br>
sending packet: from 10.206.1.10[500] to 10.206.1.11[500] (268 bytes)<br>
received packet: from 10.206.1.11[500] to 10.206.1.10[500] (321 bytes)<br>
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)<br>
CERTREQ N(MULT_AUTH) ]<br>
received cert request for "CN=DaRoot"<br>
received 1 cert requests for an unknown ca<br>
sending cert request for "CN=DaRoot"<br>
sending cert request for "CN=Zintermediate"<br>
authentication of 'CN=ten' (myself) with pre-shared key<br>
no shared key found for 'CN=ten' - 'CN=eleven'<br>
establishing connection 'home' failed<br>
<br>
I have used the below set of commands to generate the certificates of<br>
root CA, SubCA's and End Entities.<br>
<br>
Root ca cert creation<br>
<br>
openssl req -new -x509 -nodes -out ca.crt -keyout ca.key -subj<br>
/CN=DaRoot -newkey rsa:1024 -sha512<br>
<br>
Intermediate CA cert creation signed by RootCA<br>
<br>
openssl req -new -nodes -out ca-int.req -keyout ca-int.key -subj<br>
/CN=Zintermediate -newkey rsa:1024 -sha512<br>
<br>
openssl x509 -req -in ca-int.req -CAkey ca.key -CA ca.crt -days 20<br>
-set_serial 38184818 -sha512 -out ca-int.crt -extfile<br>
../sriram_chaincert1/file.prm<br>
<br>
[root@localhost sriram_chaincert2]# cat ../sriram_chaincert1/file.prm<br>
<br>
basicConstraints=CA:TRUE<br>
<br>
Intermediate1 CA cert creation signed by RootCA<br>
<br>
openssl req -new -nodes -out ca-int1.req -keyout ca-int1.key -subj<br>
/CN=Zintermediate1 -newkey rsa:1024 -sha512<br>
<br>
openssl x509 -req -in ca-int1.req -CAkey ca.key -CA ca.crt -days 20<br>
-set_serial 38184819 -sha512 -out ca-int1.crt -extfile<br>
../sriram_chaincert1/file.prm<br>
<br>
[root@localhost sriram_chaincert2]# cat ../sriram_chaincert1/file.prm<br>
<br>
basicConstraints=CA:TRUE<br>
<br>
End Entity cert creation signed by intermediate CA<br>
<br>
openssl req -new -out ten.req -keyout ten.key -nodes -newkey rsa:1024<br>
-subj /CN=ten<br>
<br>
openssl x509 -req -in ten.req -CAkey ca-int.key -CA ca-int.crt -days 10<br>
-set_serial 38184820 -sha512 -out ten.crt<br>
<br>
End Entity1 cert creation signed by Intermediate1 CA<br>
<br>
openssl req -new -out eleven.req -keyout eleven.key -nodes -newkey<br>
rsa:1024 -subj /CN=eleven<br>
<br>
openssl x509 -req -in eleven.req -CAkey ca-int1.key -CA ca-int1.crt<br>
-days 10 -set_serial 38184821 -sha512 -out eleven.crt<br>
<br>
Please let me know how to resolve this issue.<br>
<br>
<br>
Regards,<br>
<br>
Sriram.<br>
<br>
<br>
<br>
<br>
<br>
<br>
On Tue, Mar 4, 2014 at 8:11 PM, Sriram <<a href="mailto:sriram.ec@gmail.com" target="_blank">sriram.ec@gmail.com</a>> wrote:<br></div></div><div class="">
<br>
    Thanks Andreas, Let me check that and get back to you.<br>
<br>
    Regards,<br>
    Sriram.<br>
<br>
<br>
    On Tue, Mar 4, 2014 at 7:38 PM, Andreas Steffen<br>
    <<a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@strongswan.org</a>> wrote:<br></div><div class="">
<br>
        Hi Sriram,<br>
<br>
        in order for an Intermediate CA certificate to be accepted by<br>
        strongSwan, the CA basic constraint in the certificate has<br>
        to be set to TRUE. So if you execute<br>
<br>
           openssl x509 -in ca-int.crt -noout -text<br>
<br>
        the CA flag should show as TRUE:<br>
<br>
                 X509v3 extensions:<br>
                     X509v3 Basic Constraints: critical<br>
                         CA:TRUE<br>
                     X509v3 Key Usage:<br>
                         Certificate Sign, CRL Sign<br>
<br>
        Regards<br>
<br>
        Andreas<br>
<br>
<br></div><div class="">
        On 04.03.2014 14:57, Sriram wrote:<br>
<br>
            Hi Andreas,<br>
<br>
            I think it is not loaded.<br>
<br>
            On 10.206.1.11<br>
<br>
            [root@localhost ~]# ipsec listcacerts<br>
<br>
            List of X.509 CA Certificates:<br>
<br>
                subject:  "CN=DaRoot"<br>
                issuer:   "CN=DaRoot"<br>
                serial:    c9:95:0a:00:41:c4:d8:25<br>
                validity:  not before Mar 03 18:10:17 2014, ok<br>
                           not after  Apr 02 18:10:17 2014, ok (expires<br>
            in 28 days)<br>
                pubkey:    RSA 2048 bits<br>
                keyid:<br></div>
            be:25:1a:4a:e6:f8:44:c4:fe:32:a8:d4:7c:9d:75:42:7d:51:19:0f<br>
                subjkey:<br>
            c3:59:68:a5:73:e8:b8:76:45:06:3b:c8:a4:62:b3:06:61:7e:9a:c0<br>
                authkey:<br>
            c3:59:68:a5:73:e8:b8:76:45:06:3b:c8:a4:62:b3:06:61:7e:9a:c0<div class=""><br>
<br>
<br>
            on 10.206.1.10<br>
            [root@localhost ~]# ipsec listcacerts<br>
<br>
            List of X.509 CA Certificates:<br>
<br>
                subject:  "CN=DaRoot"<br>
                issuer:   "CN=DaRoot"<br>
                serial:    c9:95:0a:00:41:c4:d8:25<br>
                validity:  not before Mar 03 18:10:17 2014, ok<br>
                           not after  Apr 02 18:10:17 2014, ok (expires<br>
            in 28 days)<br>
                pubkey:    RSA 2048 bits<br>
                keyid:<br></div>
            be:25:1a:4a:e6:f8:44:c4:fe:32:a8:d4:7c:9d:75:42:7d:51:19:0f<br>
                subjkey:<br>
            c3:59:68:a5:73:e8:b8:76:45:06:3b:c8:a4:62:b3:06:61:7e:9a:c0<br>
                authkey:<br>
            c3:59:68:a5:73:e8:b8:76:45:06:3b:c8:a4:62:b3:06:61:7e:9a:c0<div class=""><br>
<br>
            Regards,<br>
            Sriram.<br>
<br>
<br>
            On Tue, Mar 4, 2014 at 6:49 PM, Andreas Steffen<br></div>
            <<a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@strongswan.org</a>><div><div class="h5"><br>
            wrote:<br>
<br>
                 Hi Sriram, could you post the output of the command<br>
<br>
                    ipsec listcacerts<br>
<br>
                 both on  10.206.1.10 and 10.206.1.11. This shows if the<br>
            intermediate<br>
                 CA certificates have been successfully loaded.<br>
<br>
                 Regards<br>
<br>
                 Andreas<br>
<br>
<br>
                 On 04.03.2014 12:45, Sriram wrote:<br>
<br>
                     Hi Everyone,<br>
<br>
                     I have host-to-host ipsec setup between 2 ips<br>
            10.206.1.10 and<br>
                     10.206.1.11<br>
<br>
                     Tunnel is established using certificates. Tunnel is<br>
            established<br>
                     properly, when the certificates are generated using<br>
            rootca.<br>
<br>
                     But when the certificates are generated using<br>
            intermediate CA’s,<br>
                     tunnel<br>
                     is not getting established.<br>
<br>
                     In 10.206.1.10<br>
<br>
                     Under /etc/ipsec.d/cacerts/ I have copied<br>
            ca.crt(root ca),<br>
                     *ca-int.crt(Intermediate ca)*<br>
<br>
<br>
                     In /etc/ipsec.d/certs/ I have copied end entity<br>
            cert issued by<br>
                     ca-int.crt<br>
<br>
                     In 10.206.1.11<br>
<br>
                     Under /etc/ipsec.d/cacerts/ I have copied<br>
            ca.crt(root ca),<br>
                     *ca-int1.crt(Intermediate ca)*<br>
<br>
<br>
                     In /etc/ipsec.d/certs/ I have copied end entity<br>
            cert issued by<br>
                     ca-int1.crt<br>
<br>
                     I am getting below errors<br>
<br>
                     Mar3 19:34:45 localhost charon: 06[ENC] parsed<br>
            IKE_AUTH request<br>
                     1 [ IDi<br>
<br>
                     CERT N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ(ADDR) SA<br>
            TSi TSr<br>
                     N(MULT_AUTH)<br>
                     N(EAP_ONLY) ]<br>
<br>
                     Mar3 19:34:45 localhost charon: 06[IKE] received<br>
            cert request for<br>
                     "CN=DaRoot"<br>
<br>
                     Mar3 19:34:45 localhost charon: 06[IKE] received<br>
            end entity cert<br>
                     "CN=1234abcd"<br>
<br>
                     Mar3 19:34:45 localhost charon: 06[CFG] looking for<br>
            peer configs<br>
<br>
                     matching<br></div></div>
            10.206.1.11[CN=12345abcde]...10.206.1.10[CN=1234abcd]<div class=""><br>
<br>
<br>
                     Mar3 19:34:45 localhost charon: 06[CFG] peer config<br>
            match local: 20<br>
<br>
                     (ID_DER_ASN1_DN -><br>
<br></div>
            30:15:31:13:30:11:06:03:55:04:03:13:0a:31:32:33:34:35:61:62:63:64:65)<div class=""><br>
<br>
<br>
                     Mar3 19:34:45 localhost charon: 06[CFG] peer config<br>
            match remote: 20<br>
<br>
                     (ID_DER_ASN1_DN -><br>
<br></div>
            30:13:31:11:30:0f:06:03:55:04:03:13:08:31:32:33:34:61:62:63:64)<div class=""><br>
<br>
<br>
                     Mar3 19:34:45 localhost charon: 06[CFG] ike config<br>
            match: 3100<br>
                     (10.206.1.11 10.206.1.10 IKEv2)<br>
<br>
                     Mar3 19:34:45 localhost charon: 06[CFG]candidate<br>
            "home1", match:<br>
                     20/20/3100 (me/other/ike)<br>
<br>
                     Mar3 19:34:45 localhost charon: 06[CFG] selected<br>
            peer config 'home1'<br>
<br>
                     Mar3 19:34:45 localhost charon: 06[IKE] IDx' => 25<br>
            bytes @<br>
                     0xb4d82fe0<br>
<br>
            </div><div><div class="h5">
<br>
                     Mar3 19:34:45 localhost charon: 06[IKE] SK_p => 16<br>
            bytes @ 0x91c5340<br>
<br>
<br>
                     Mar3 19:34:45 localhost charon: 06[IKE] octets =<br>
            message + nonce +<br>
<br>
                     prf(Sk_px, IDx') => 316 bytes @ 0x91c6d88<br>
<br>
<br>
                     Mar3 19:34:45 localhost charon: 06[CFG]using<br>
            certificate<br>
                     "CN=1234abcd"<br>
<br>
                     Mar3 19:34:45 localhost charon: 06[CFG]certificate<br>
            "CN=1234abcd"<br>
                     key:<br>
                     2048 bit RSA<br>
<br>
                     *Mar3 19:34:45 localhost charon: 06[CFG] no issuer<br>
            certificate<br>
                     found for<br>
                     "CN=1234abcd"*<br>
<br>
                     Mar3 19:34:45 localhost charon: 06[IKE] no trusted<br>
            RSA public<br>
                     key found<br>
                     for 'CN=1234abcd'<br>
<br>
                     Mar3 19:34:45 localhost charon: 06[IKE] processing<br>
                     INTERNAL_IP4_ADDRESS<br>
<br>
                     attribute<br>
<br>
                     Please let me know, how to resolve this issue.<br>
<br>
                     Below post suggests that the intermediate certs<br>
            need to be sent<br>
                     along<br>
                     with the end-entity certificates in ike_auth message.<br>
<br>
                     If that can solve the issue, how can I achieve that.<br>
<br></div></div>
            <a href="https://lists.strongswan.org/pipermail/users/2013-March/008956.html" target="_blank">https://lists.strongswan.org/pipermail/users/2013-March/008956.html</a><div class=""><br>
<br>
                     Any help in this regard is appreciated.<br>
<br>
                     Regards,<br>
<br>
                     Sriram.<br>
<br>
<br>
<br>
<br>
<br>
<br></div>
                     _______________________________________________<div class=""><br>
                     Users mailing list<br>
            <a href="mailto:Users@lists.strongswan.org" target="_blank">Users@lists.strongswan.org</a><br></div>
            <a href="https://lists.strongswan.org/mailman/listinfo/users" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a><div class=""><br>
<br>
<br>
                 --<br>
<br></div>
            ======================================================================<div class=""><br>
                 Andreas Steffen <a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@strongswan.org</a><br></div>
<div class="">
                 strongSwan - the Open Source VPN Solution! <a href="http://www.strongswan.org" target="_blank">www.strongswan.org</a><br>
<br>
                 Institute for Internet Technologies and Applications<br>
                 University of Applied Sciences Rapperswil<br>
                 CH-8640 Rapperswil (Switzerland)<br>
<br></div>
            ===========================================================[ITA-HSR]==<div class=""><br>
<br>
<br>
<br>
        --<br>
        ======================================================================<br>
        Andreas Steffen <a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@strongswan.org</a><br>
        strongSwan - the Open Source VPN Solution! <a href="http://www.strongswan.org" target="_blank">www.strongswan.org</a><br>
        Institute for Internet Technologies and Applications<br>
        University of Applied Sciences Rapperswil<br>
        CH-8640 Rapperswil (Switzerland)<br>
        ===========================================================[ITA-HSR]==<br>
<br>
<br>
<br>
</div></blockquote><div class="HOEnZb"><div class="h5">
<br>
-- <br>
======================================================================<br>
Andreas Steffen                         <a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@strongswan.org</a><br>
strongSwan - the Open Source VPN Solution!          <a href="http://www.strongswan.org" target="_blank">www.strongswan.org</a><br>
Institute for Internet Technologies and Applications<br>
University of Applied Sciences Rapperswil<br>
CH-8640 Rapperswil (Switzerland)<br>
===========================================================[ITA-HSR]==<br>
<br>
</div></div></blockquote></div><br></div>
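<div>The CA basic-constraint requirement discussed in this thread, as an added example that is not part of the original messages and not strongSwan code: it rebuilds the DaRoot / Zintermediate / ten chain in a temporary directory and uses openssl verify as a stand-in for a peer's path validation. The 2048-bit keys, the serial numbers and the function names are assumptions made for the example, and the stock openssl.cnf is assumed to mark the self-signed root as a CA.</div>

```shell
#!/bin/sh
# Added example: lab PKI in a temp dir; nothing is written to /etc/ipsec.d.
# The names DaRoot, Zintermediate, ten and file.prm follow the thread; key
# size, serial numbers and function names are constructed for this example.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# build_chain DIR [BASIC_CONSTRAINTS]
# Creates root CA -> intermediate CA -> end-entity certificate in DIR.
# With an empty BASIC_CONSTRAINTS the intermediate is signed without an
# extension file, so it carries no basicConstraints extension at all.
build_chain() {
    (
        mkdir -p "$1" && cd "$1" || exit 1
        ext=""
        if [ -n "$2" ]; then
            printf 'basicConstraints=%s\n' "$2" > file.prm
            ext="-extfile file.prm"
        fi
        # Assumes the default openssl.cnf, which adds CA:TRUE to the root.
        openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 -days 30 \
            -subj /CN=DaRoot -keyout ca.key -out ca.crt &&
        openssl req -new -nodes -newkey rsa:2048 -sha256 \
            -subj /CN=Zintermediate -keyout ca-int.key -out ca-int.req &&
        openssl x509 -req -in ca-int.req -CA ca.crt -CAkey ca.key -days 20 \
            -set_serial 1 -sha256 $ext -out ca-int.crt &&
        openssl req -new -nodes -newkey rsa:2048 -sha256 \
            -subj /CN=ten -keyout ten.key -out ten.req &&
        openssl x509 -req -in ten.req -CA ca-int.crt -CAkey ca-int.key \
            -days 10 -set_serial 2 -sha256 -out ten.crt
    ) >/dev/null 2>&1
}

# is_ca CERT: the check from the thread; the text dump must list CA:TRUE
# under "X509v3 Basic Constraints".
is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# chain_ok DIR: does ten.crt validate up to the trusted root when the
# intermediate is supplied only as an untrusted chain certificate?
chain_ok() {
    openssl verify -CAfile "$1/ca.crt" -untrusted "$1/ca-int.crt" \
        "$1/ten.crt" >/dev/null 2>&1
}

# report LABEL DIR: one summary line per chain.
report() {
    if is_ca "$2/ca-int.crt"; then flag="CA:TRUE"; else flag="no CA flag"; fi
    if chain_ok "$2"; then res="chain accepted"; else res="chain rejected"; fi
    echo "$1: intermediate has $flag -> $res"
}

build_chain "$WORK/without" ""     && report "no extfile  " "$WORK/without"
build_chain "$WORK/with" "CA:TRUE" && report "with file.prm" "$WORK/with"
```

Running the same two checks against the files copied to /etc/ipsec.d/cacerts and /etc/ipsec.d/certs separates a certificate-chain problem from a connection-setting problem such as the leftover authby=secret.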