[strongSwan-dev] What triggers StrongSwan to include CERTREQ in the SA_INIT response?
Alan Evans
alanrevans at gmail.com
Thu Sep 7 16:43:49 CEST 2017
Hello Devs,
Can anyone shed some light on my problem?
I have 2 StrongSwan VPN gateways both running very similar software and
very similar configuration. (I've tried 5.0.1 and 5.5.0)
One GW includes a CERTREQ in the SA_INIT response whilst the other one
does not.
If the GW includes the CERTREQ then the client provides the CERT in the
subsequent AUTH and the client is successfully authenticated.
If the GW does not include the CERTREQ then the client does *not* provide
the CERT and the authentication fails with the error: "no trusted RSA
public key found"
Not Working:
parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N((16430)) N((16431)) N(REDIR_SUP) ]
generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ AUTH CP(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Working:
parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N((16430)) N((16431)) N(REDIR_SUP) ]
generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) *CERTREQ* N(MULT_AUTH) ]
parsed IKE_AUTH request 1 [ IDi *CERT* N(INIT_CONTACT) CERTREQ AUTH CP(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Any ideas what triggers the GW to include the CERTREQ? I've been playing
with the sendcert attributes but it doesn't seem to help.
Many thanks for reading
Alan.
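An added diagnostic, not part of Alan's post and not strongSwan code: a small Python script that parses charon's `parsed/generating <exchange> <request|response> <msgid> [ payloads ]` log lines and reports whether the IKE_SA_INIT response carried a CERTREQ payload and whether the following IKE_AUTH request carried a CERT payload, so the logs of the two gateways can be diffed mechanically instead of by eye. The sample log lines are constructed from the ones quoted above, re-joined onto single lines as charon writes them. Two things the script cannot see but that are worth checking on the gateway itself: strongSwan builds the CERTREQ payloads it sends from the CA certificates it has loaded (`ipsec listcacerts` lists them), and sending CERTREQ can be switched off globally with the `charon.send_certreq` option in strongswan.conf.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Matches the payload summary charon prints for every IKE message. It is used
# with search(), so a syslog/timestamp prefix in front of the text is fine.
MSG_RE = re.compile(
    r'(?P<dir>parsed|generating) (?P<exchange>[A-Z_]+) '
    r'(?P<kind>request|response) (?P<mid>\d+) \[ (?P<payloads>.*) \]'
)

# Constructed sample input: the two exchanges quoted in the post.
NOT_WORKING_LOG = """\
parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N((16430)) N((16431)) N(REDIR_SUP) ]
generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ AUTH CP(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
"""

WORKING_LOG = """\
parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N((16430)) N((16431)) N(REDIR_SUP) ]
generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ AUTH CP(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
"""


def tokenize_payloads(text: str) -> List[Tuple[str, str]]:
    """Split 'SA KE N(NATD_S_IP) CP(ADDR DNS)' into (type, detail) pairs.
    Parenthesised details may contain spaces (CP) or nested parens (N((16430))),
    so the split tracks paren depth instead of splitting on every space."""
    tokens, cur, depth = [], '', 0
    for ch in text:
        if ch == '(':
            depth += 1
        elif ch == ')':
            depth -= 1
        if ch == ' ' and depth == 0:
            if cur:
                tokens.append(cur)
            cur = ''
        else:
            cur += ch
    if cur:
        tokens.append(cur)
    out = []
    for tok in tokens:
        if '(' in tok:
            ptype = tok.split('(', 1)[0]
            out.append((ptype, tok[len(ptype) + 1:-1]))  # strip outer parens only
        else:
            out.append((tok, ''))
    return out


def parse_line(line: str) -> Optional[Dict]:
    """Parse one charon log line; None if it is not a message summary."""
    m = MSG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {'direction': d['dir'], 'exchange': d['exchange'], 'kind': d['kind'],
            'mid': int(d['mid']), 'payloads': tokenize_payloads(d['payloads'])}


def find_message(log: str, direction: str, exchange: str, kind: str) -> Optional[Dict]:
    """First message in the log matching direction/exchange/kind, e.g.
    ('generating', 'IKE_SA_INIT', 'response') for the responder's reply."""
    for line in log.splitlines():
        msg = parse_line(line)
        if msg and (msg['direction'], msg['exchange'], msg['kind']) == (direction, exchange, kind):
            return msg
    return None


def has_payload(msg: Dict, ptype: str) -> bool:
    return any(t == ptype for t, _ in msg['payloads'])


def payload_set(msg: Dict) -> Set[str]:
    """Payloads rendered back as charon prints them, for set arithmetic."""
    return {f'{t}({d})' if d else t for t, d in msg['payloads']}


def audit_cert_flow(log: str) -> Dict[str, Optional[bool]]:
    """Did our IKE_SA_INIT response carry CERTREQ, and did the peer's IKE_AUTH
    request carry CERT? None means that message was not found in the log."""
    init_resp = find_message(log, 'generating', 'IKE_SA_INIT', 'response')
    auth_req = find_message(log, 'parsed', 'IKE_AUTH', 'request')
    return {
        'init_response_certreq': has_payload(init_resp, 'CERTREQ') if init_resp else None,
        'auth_request_cert': has_payload(auth_req, 'CERT') if auth_req else None,
    }


if __name__ == '__main__':
    for name, log in (('not working', NOT_WORKING_LOG), ('working', WORKING_LOG)):
        print(name, audit_cert_flow(log))
    a = find_message(NOT_WORKING_LOG, 'generating', 'IKE_SA_INIT', 'response')
    b = find_message(WORKING_LOG, 'generating', 'IKE_SA_INIT', 'response')
    print('only in working response:', payload_set(b) - payload_set(a))
    print('only in not-working response:', payload_set(a) - payload_set(b))
```

Point it at `journalctl -u strongswan` or the charon syslog output of each gateway; `find_message` only looks at the first matching message, so feed it one connection attempt at a time. The set difference on the IKE_SA_INIT responses is what makes the version skew visible: the gateway that omits CERTREQ is the one announcing N(HASH_ALG), which older charon releases do not send.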