[strongSwan-dev] What triggers StrongSwan to include CERTREQ in the SA_INIT response?

Tobias Brunner tobias at strongswan.org
Fri Sep 8 11:53:34 CEST 2017


Hi Alan,

> If the conn section immediately follows the default section then it 
> works as expected, the server includes the CERTREQ in the SA_INIT response.
> If, however, there are other conn sections in between then it fails, the 
> server does *not* include the CERTREQ in the SA_INIT response.
> 
> All I did was move the conn section. It feels like a bug to me.

When processing an IKE_SA_INIT a preliminary config is selected based on
the IP addresses.  If there are multiple configs that match equally well
the first one is used.  And if requesting certificates is disabled in
that config no CERTREQs will be sent.

Regards,
Tobias
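The selection order described in the reply, as an added Python model (not strongSwan's own code) with a check that flags conns whose position alone decides whether CERTREQ goes out; the scoring weights, conn names and addresses are assumptions.

```python
# Added model of preliminary IKE config selection: match configs by address,
# keep the first of the equally good matches, send CERTREQ only if it asks for
# certificates. Weights below are hypothetical, not strongSwan's internals.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class IkeConfig:
    name: str
    local: str           # "%any", a host address, or a CIDR range
    remote: str
    request_certs: bool  # does this conn ask the peer for certificates?

def _score(configured: str, actual: str) -> int:
    """0 = no match; higher = more specific match (assumed weighting)."""
    if configured == "%any":
        return 1
    try:
        if ip_address(actual) not in ip_network(configured, strict=False):
            return 0
    except ValueError:
        return 0
    return 3 if "/" not in configured else 2

def _total(cfg, me, other):
    l, r = _score(cfg.local, me), _score(cfg.remote, other)
    return l + r if l and r else 0

def select_preliminary(configs, me, other):
    """First config with the best combined address match, or None."""
    best, best_score = None, 0
    for cfg in configs:
        s = _total(cfg, me, other)
        if s > best_score:           # strict '>' keeps the earliest config
            best, best_score = cfg, s
    return best

def certreq_sent(configs, me, other):
    cfg = select_preliminary(configs, me, other)
    return bool(cfg and cfg.request_certs)

def ordering_sensitive(configs, me, other):
    """Names of configs tied for the best match that disagree on CERTREQ;
    a non-empty list means conn order alone decides whether CERTREQ is sent."""
    best = select_preliminary(configs, me, other)
    if best is None:
        return []
    bs = _total(best, me, other)
    tied = [c for c in configs if _total(c, me, other) == bs]
    return [c.name for c in tied] if len({c.request_certs for c in tied}) > 1 else []

# Constructed sample: server 198.51.100.1 gets IKE_SA_INIT from 203.0.113.5.
SERVER, CLIENT = "198.51.100.1", "203.0.113.5"
PSK_CONN = IkeConfig("psk-roadwarriors", "%any", "%any", request_certs=False)
CERT_CONN = IkeConfig("cert-roadwarriors", "%any", "%any", request_certs=True)
```

Running `ordering_sensitive` over a parsed config list is a cheap way to catch the situation in the thread before a reordered conn silently changes CERTREQ behaviour.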

