<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Exchange Server">
<!-- converted from rtf -->
<style><!-- .EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left: #800000 2px solid; } --></style>
</head>
<body>
<font face="Calibri" size="2"><span style="font-size:11pt;">
<div>Hi,</div>
<div> </div>
<div>Can someone explain the behavior below in charon (strongSwan version 4.4.0)?</div>
<div> </div>
<div>Peer1 is configured with PSK authentication and Peer2 is configured with RSA authentication.</div>
<div> </div>
<div>Peer1 and Peer2 both have the common root CA certificate installed.</div>
<div>Peer1 has an end entity certificate and private key installed too, but Peer2 does not have an end entity certificate or private key installed.</div>
<div> </div>
<div>Logs at Peer1</div>
<div> </div>
<div>13[IKE] initiating IKE_SA r1~v1[1] to 89.0.0.2</div>
<div>14[IKE] received cert request for "C=IN, ST=KAR, L=BLR, O=Nokia, OU=MBB, CN=CA"</div>
<div>14[IKE] sending cert request for "C=IN, ST=KAR, L=BLR, O=Nokia, OU=MBB, CN=CA"</div>
<div>14[IKE] authentication of 'C=IN, ST=KAR, L=BLR, O=Nokia, OU=MBB, CN=Host1' (myself) with RSA signature successful</div>
<div>14[IKE] sending end entity cert "C=IN, ST=KAR, L=BLR, O=Nokia, OU=MBB, CN=Host1"</div>
<div>14[IKE] establishing CHILD_SA r1~v1{1}</div>
<div>15[IKE] no shared key found for 'C=IN, ST=KAR, L=BLR, O=Nokia, OU=MBB, CN=Host1' - '(vr*)89.0.0.2'</div>
<div> </div>
<div>Logs at Peer2</div>
<div> </div>
<div>13[IKE] 89.0.0.1 is initiating an IKE_SA</div>
<div>13[IKE] sending cert request for "C=IN, ST=KAR, L=BLR, O=Nokia, OU=MBB, CN=CA"</div>
<div>14[IKE] received cert request for "C=IN, ST=KAR, L=BLR, O=Nokia, OU=MBB, CN=CA"</div>
<div>14[IKE] received end entity cert "C=IN, ST=KAR, L=BLR, O=Nokia, OU=MBB, CN=Host1"</div>
<div>14[CFG] looking for peer configs matching 89.0.0.2[(vr*)%any]...89.0.0.1[C=IN, ST=KAR, L=BLR, O=Nokia, OU=MBB, CN=Host1]</div>
<div>14[CFG] selected peer config 'r1~v1'</div>
<div>14[CFG] using certificate "C=IN, ST=KAR, L=BLR, O=Nokia, OU=MBB, CN=Host1"</div>
<div>14[CFG] using trusted ca certificate "C=IN, ST=KAR, L=BLR, O=Nokia, OU=MBB, CN=CA"</div>
<div>14[CFG] checking certificate status of "C=IN, ST=KAR, L=BLR, O=Nokia, OU=MBB, CN=Host1"</div>
<div>14[CFG] certificate status is not available</div>
<div>14[CFG] reached self-signed root ca with a path length of 0</div>
<div>14[IKE] authentication of 'C=IN, ST=KAR, L=BLR, O=Nokia, OU=MBB, CN=Host1' with RSA signature successful</div>
<div>14[IKE] authentication of '(vr*)89.0.0.2' (myself) with pre-shared key</div>
<div>14[IKE] IKE_SA r1~v1[1] established between 89.0.0.2[(vr*)89.0.0.2]...89.0.0.1[C=IN, ST=KAR, L=BLR, O=Nokia, OU=MBB, CN=Host1]</div>
<div>14[IKE] scheduling rekeying in 852s</div>
<div>14[IKE] maximum IKE_SA lifetime 942s</div>
<div>14[IKE] CHILD_SA r1~v1{2} established with SPIs cad444bf_i cdc9a1b3_o and TS 89.0.0.2/32 === 89.0.0.1/32</div>
<div> </div>
<div>Peer2 successfully establishes IKE and CHILD SAs, which get cleared only after DPD/rekey.</div>
<div> </div>
<div>Why does Peer2 successfully authenticate Peer1 when Peer1 does not share the PSK of Peer2?</div>
<div> </div>
<div>Thanks</div>
<div>Suhas</div>
<div> </div>
</span></font>
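<p>As an added example (not part of Suhas's post and not strongSwan's own code): a small Python checker that reads one peer's charon log and reports when the two sides of an IKE_SA authenticated with different methods, or when the local PSK lookup failed, which is what an operator would want to catch in logs like the ones above. It assumes the 4.x log wording shown in the post; the <code>expected_remote</code> parameter and the finding wording are my own.</p>

```python
import re

# charon log patterns (strongSwan 4.x wording, as in the post). The optional
# "successful" suffix covers both "with RSA signature successful" and "(myself) with pre-shared key".
REMOTE_AUTH = re.compile(r"authentication of '(?P<id>[^']+)' with (?P<method>.+?)(?: successful)?$")
LOCAL_AUTH = re.compile(r"authentication of '(?P<id>[^']+)' \(myself\) with (?P<method>.+?)(?: successful)?$")
NO_PSK = re.compile(r"no shared key found for '(?P<me>[^']+)' - '(?P<peer>[^']+)'")
ESTABLISHED = re.compile(r"IKE_SA \S+ established between")

def analyze(lines, expected_remote=None):
    """Summarise how one IKE_SA was authenticated from a peer's charon log.
    expected_remote: method the local config requires from the peer (assumed
    known to the operator, e.g. "pre-shared key"); None skips that check."""
    r = {"local": None, "remote": None, "remote_id": None,
         "psk_failure": False, "established": False, "findings": []}
    for line in lines:
        m = LOCAL_AUTH.search(line)          # how this side proved itself
        if m:
            r["local"] = m.group("method")
            continue
        m = REMOTE_AUTH.search(line)         # how the peer proved itself
        if m:
            r["remote"], r["remote_id"] = m.group("method"), m.group("id")
            continue
        if NO_PSK.search(line):              # local side could not verify a PSK AUTH
            r["psk_failure"] = True
        elif ESTABLISHED.search(line):
            r["established"] = True
    if r["local"] and r["remote"] and r["local"] != r["remote"]:
        r["findings"].append(f"asymmetric authentication: peer used {r['remote']}, we used {r['local']}")
    if expected_remote and r["remote"] and r["remote"] != expected_remote:
        r["findings"].append(f"peer {r['remote_id']} authenticated with {r['remote']}, expected {expected_remote}")
    if r["psk_failure"]:
        r["findings"].append("PSK lookup failed: this side cannot verify the peer's AUTH payload")
    return r

# Log lines copied from the two peers in the post above.
PEER1_LOG = [
    "14[IKE] authentication of 'C=IN, ST=KAR, L=BLR, O=Nokia, OU=MBB, CN=Host1' (myself) with RSA signature successful",
    "15[IKE] no shared key found for 'C=IN, ST=KAR, L=BLR, O=Nokia, OU=MBB, CN=Host1' - '(vr*)89.0.0.2'",
]
PEER2_LOG = [
    "14[IKE] authentication of 'C=IN, ST=KAR, L=BLR, O=Nokia, OU=MBB, CN=Host1' with RSA signature successful",
    "14[IKE] authentication of '(vr*)89.0.0.2' (myself) with pre-shared key",
    "14[IKE] IKE_SA r1~v1[1] established between 89.0.0.2[(vr*)89.0.0.2]...89.0.0.1[C=IN, ST=KAR, L=BLR, O=Nokia, OU=MBB, CN=Host1]",
]

if __name__ == "__main__":
    for name, log, exp in (("Peer1", PEER1_LOG, "RSA signature"), ("Peer2", PEER2_LOG, "pre-shared key")):
        print(name, analyze(log, exp)["findings"])
```

Run against the post's logs it shows the mismatch on Peer2 (peer authenticated with RSA while the local side used a PSK, yet the SA came up) and the PSK lookup failure on Peer1, which is why only Peer1 tears the SA down.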
</body>
</html>