<div dir="ltr"><div class="gmail_extra"><p class="MsoNormal">Hi </p><p class="MsoNormal"><br></p><p class="MsoNormal">We are facing issue while establishing SA between a Linux Device
running Strongswan v5.0.2 and Juniper Netscreen SGW.</p><p class="MsoNormal"><br></p>
<br><p class="MsoNormal"><b>We are using Trust Chains on both Ends with a common Root CA. </b></p><p class=""><span style="font-size:10pt;font-family:Cambria,serif">- Trust
chain installed on strongswan(Linux) :- RootCA -> SubCA1->Stronswan Device Certificate</span></p><p class=""><span style="font-size:10pt;font-family:Cambria,serif">- Trust
chain installed on Juniper :- RootCA -> SubCA2->Juniper Device Certificate.</span></p><p class=""><b>Procedure Executed:-</b><br></p><p class="MsoNormal"></p><p class="" style>1.<span style="font-stretch:normal;font-size:7pt;font-family:'Times New Roman'"> - </span>SA negotiation started By Linux Device (Running Strongswan v5.0.2). </p><p class="" style>- J - Juniper Responds with IKE_INIT in which in [CERTREQ] payload it provides it's Issuer's Certificate (SubCA2)</p><p class="" style>- L - Linux Responds with IKE_AUTH Message.</p><p class="" style>2.<span style="font-stretch:normal;font-size:7pt;font-family:'Times New Roman'"> - </span>SA establishment Successful at Juniper (it Accepts IKE_AUTH from Linux). Juniper then replies with IKE_AUTH with its own Device Certificate in [CERT] Payload.</p><p class="" style>- 3.<span style="font-stretch:normal;font-size:7pt;font-family:'Times New Roman'"> - </span>But SA negotiation failed at Linux device. </p><p class="" style> We see below mention error[Please find log file attached].</p><p class=""><b><span style="color:red">Feb 12 00:11:15 localhost
charon: 12[CFG] no issuer certificate found for "C=sd, ST=amit_13,
L=amit_13, O=amit_13, OU=amit_13, CN=0047092009000003, CN=amit_13, CN=rsa-key,
CN=<a href="http://ns54030.juniper.net">ns54030.juniper.net</a>, CN=amit_13"</span></b></p><p class="MsoNormal"><b>Query:-</b></p><p class="">
<span style="font-size:11pt;font-family:Calibri,sans-serif">Why
SA negotiation is failing between Strongswan and Juniper. Juniper had already shared its Issuer Certificate(SubCA2) in IKE_INIT Message. This Certificate could be validated by RootCA cert already present on Linux. Thereafter when Juniper Sends it Device Certificate in IKE_AUTH, it should have been possible for Strongswan to Validate the complete Trust Chain.</span></p><p class=""><br></p><p class="">Thanks and Regards </p><p class=""><span style="font-size:10pt;font-family:Cambria,serif">Sajal</span></p></div></div>