[strongSwan] Question about strongSwan configuration using RSA signature

Jorge Ventura jorge.araujo.ventura at gmail.com
Fri Aug 31 20:36:41 CEST 2012


Now I understand, the peer id MUST be the full subject line from the peer
certificate, not only the CN from the subject line. When I replaced that in
the ipsec.conf, the line pointing to the local peer certificate is not
needed.



On Fri, Aug 31, 2012 at 1:11 PM, Jorge Ventura <
jorge.araujo.ventura at gmail.com> wrote:

> I have a linux box configured to authenticate by RSA signature using x509
> certificate self-signed. My peer is a cisco router ASA-5505.
> Both sides have the CA (self signed) certificate authority and they are
> using IKEv2 and everything is working but I have one question:
>
> Why do I need to have the certificate from the peer installed locally in
> the directory /etc/ipsec.d/certs ??? It's weird to me because the ASA-5505
> doesn't have any information about the certificate from the linux box,
> it's negotiated at the time of connection. If I remove the directive at
> ipsec.conf
> pointing to a local certificate copy from the peer, a receive a message:
>
> constraint check failed: identity '10.15.1.1' required
>
> and the connection does not succeed.
>
> I think that my configuration is incomplete.
>
>
> Thanks,
> Ventura
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20120831/fbc8f919/attachment.html>


More information about the Users mailing list