[strongSwan] IKE_SA getting established even without CA cert being present

Martin Willi martin at strongswan.org
Mon Jun 18 08:56:27 CEST 2012


> I have copied the End Entity certificate and key; but I have not copied
> the CA certificate.

It looks like you are using the same certificate and key for the two
peers. Is this correct?

> I was expecting the connection to fail, as authentication should fail
> in this case.

> leftcert="/etc/ipsec/certs/ipsec.d//certs/defaultCertificate.pem"

If you define a left/rightcert in your configuration, this explicitly
loaded certificate is marked as "trusted":

> 14[CFG] no issuer certificate found for "C=FI, ST=testee, L=testee, O=ABC, OU=testee, CN=example ee certificate"
> 14[CFG]   using trusted certificate "C=FI, ST=testee, L=testee, O=ABC, OU=testee, CN=example ee certificate"

Since you're using the same certificate on both ends, we have a locally
valid and trusted certificate to verify the signature. No need to
validate the trustchain using the CA.

If you run a CA and want to validate the certificates, please consider
using distinct certificates for each peer.


More information about the Users mailing list