[strongSwan-dev] What triggers StrongSwan to include CERTREQ in the SA_INIT response?

Alan Evans alanrevans at gmail.com
Fri Sep 8 11:16:06 CEST 2017

Hi Tobias,
> Hi Alan,
>> Any ideas what triggers the GW to include the CERTREQ? I've been playing
>> with the sendcert attributes but it doesn't seem to help.
> Yep, that's the one.

I've fixed the problem and the solution was very surprising, for me at 
The problem was due to the location of the conn section in the 
ipsec.conf file.

If the conn section immediately follows the default section then it 
works as expected, the server includes the CERTREQ in the SA_INIT response.
If, however, there are other conn sections in between then it fails, the
server does *not* include the CERTREQ in the SA_INIT response.

All I did was move the conn section. It feels like a bug to me.


