<div dir="ltr">Thanks Tobias!! For a Quick clarification.<div>Looks like i need to raise the issue with Juniper.</div><div><br></div><div>BR</div><div>Sajal<br><div><br></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Feb 13, 2015 at 4:44 PM, Tobias Brunner <span dir="ltr"><<a href="mailto:tobias@strongswan.org" target="_blank">tobias@strongswan.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Sajal,<br>
<span class=""><br>
> Why SA negotiation is failing between Strongswan and Juniper. Juniper<br>
> had already shared its Issuer Certificate(SubCA2) in IKE_INIT Message.<br>
<br>
</span>No, what it sends in the CERTREQ payload during IKE_SA_INIT is a<br>
certificate request for certificates issued by SubCA2. This payload<br>
contains a SHA-1 hash of the issuer certificate's public key, not the<br>
certificate. The intermediate CA certificate should be sent as CERT<br>
payload during the IKE_AUTH exchange.<br>
<br>
Regards,<br>
Tobias<br>
<br>
</blockquote></div><br></div>