[strongSwan] IKE_SA getting established even without CA cert being present

Andreas Steffen andreas.steffen at strongswan.org
Mon Jun 18 09:01:41 CEST 2012


each endpoint loads its own certificate with


from a local file and has explicit trust in it
even if the CA certificate is not present. Since
the peer uses the identical defaultCertificate,
trust is also put into the peer.

You need a CA only if your peer has a certificate
different from the defaultCertificate.



On 18.06.2012 07:08, divya mohan wrote:
> Hi,
> I have set up an IPsec connection using certificates. I have copied
> the End Entity certificate and key; but I have not copied the CA
> certificate.
> I was expecting the connection to fail, as authentication should fail
> in this case. However, the connection seems to be working fine.
> I am attaching logs and ipsec.conf from Host1(initiator) and Host2(responder).
> Is this because of any issue in my configuration? Shouldn't
> authentication fail if issuer certificate is not found?
> Regards,
> Divya Mohan M

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
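
The situation Andreas describes, as an added ipsec.conf illustration that is not part of the original thread or of strongSwan's own documentation: the first conn reproduces the setup in the question (both endpoints load the same defaultCertificate from a local file via leftcert=/rightcert=, so the peer is trusted explicitly and the missing CA is never consulted); the second uses a distinct end-entity certificate per host and leaves rightcert= out, so the peer's certificate has to arrive in IKE_AUTH and be validated against an issuer in /etc/ipsec.d/cacerts. Addresses, identities and file names (host1.crt, myCA.crt, the DNs) are assumptions.

```conf
# Added example, not from the original thread or the strongSwan project.
# Addresses, DNs and file names are assumptions.

config setup

# WEAK: both ends load the identical certificate from disk with
# leftcert=/rightcert=. A certificate loaded from a local file is
# trusted explicitly, so the peer authenticates even when no CA
# certificate exists in /etc/ipsec.d/cacerts.
conn shared-cert
        keyexchange=ikev2
        left=192.0.2.1
        leftcert=defaultCertificate
        right=192.0.2.2
        rightcert=defaultCertificate
        authby=pubkey
        auto=add

# CORRECTED: each host has its own end-entity certificate and rightcert=
# is omitted. The responder must send its certificate in IKE_AUTH, which
# is then chained to the issuer certificate in /etc/ipsec.d/cacerts
# (rightca= additionally pins which issuer is acceptable). With myCA.crt
# absent from cacerts, IKE_AUTH now fails as the question expected.
conn per-host-cert
        keyexchange=ikev2
        left=192.0.2.1
        leftcert=host1.crt
        leftid="C=CH, O=Example, CN=host1"
        right=192.0.2.2
        rightid="C=CH, O=Example, CN=host2"
        rightca="C=CH, O=Example, CN=Example CA"
        authby=pubkey
        auto=add
```

To confirm what the daemon actually trusts, run `ipsec listcacerts` (CA certificates loaded from /etc/ipsec.d/cacerts) and `ipsec listcerts` (end-entity certificates loaded via leftcert=/rightcert=): with the CA missing, the first conn still comes up while the second is rejected during IKE_AUTH.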
