[strongSwan] IKE_SA getting established even without CA cert being present
Andreas Steffen
andreas.steffen at strongswan.org
Mon Jun 18 09:01:41 CEST 2012
Hi,
each endpoint loads its own certificate with
leftcert=defaultCertificate.pem
from a local file and has explicit trust in it
even if the CA certificate is not present. Since
the peer uses the identical defaultCertificate,
trust is also put into the peer.
You need a CA only if your peer has a certificate
different from the defaultCertificate.
Regards
Andreas
On 18.06.2012 07:08, divya mohan wrote:
> Hi,
>
> I have set up an IPsec connection using certificates. I have copied
> the End Entity certificate and key; but I have not copied the CA
> certificate.
>
> I was expecting the connection to fail, as authentication should fail
> in this case. However, the connection seems to be working fine.
> I am attaching logs and ipsec.conf from Host1 (initiator) and Host2 (responder).
>
> Is this because of any issue in my configuration? Shouldn't
> authentication fail if issuer certificate is not found?
>
>
> Regards,
> Divya Mohan M
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
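
An added illustration of the two situations described in the reply above (not part of the original post, and not the poster's actual ipsec.conf, which does not appear on this page). The first conn has both hosts loading the same defaultCertificate.pem; the second uses per-host certificates, which is the case where the CA certificate is needed. All file names other than defaultCertificate.pem, the DNs, the addresses, the conn names and the use of keyexchange=ikev2 are assumptions.

```conf
# ipsec.conf fragments (constructed example)

# --- Case 1: setup from the thread, same file on Host1 and Host2 ---
#   /etc/ipsec.d/certs/defaultCertificate.pem   present on both hosts
#   /etc/ipsec.d/cacerts/                       empty (no CA certificate)
# The certificate named in leftcert is loaded from a local file and is
# explicitly trusted. The peer presents the identical certificate, so
# it matches the locally trusted copy and authentication succeeds
# without any issuer lookup.
conn shared-cert
    keyexchange=ikev2
    leftcert=defaultCertificate.pem
    # 192.0.2.2 is a documentation address standing in for the peer
    right=192.0.2.2
    auto=add

# --- Case 2: per-host certificates (Host1 side shown) ---
#   /etc/ipsec.d/certs/host1Cert.pem            hypothetical file name
#   /etc/ipsec.d/cacerts/caCert.pem             hypothetical file name
# Host2's certificate is not stored locally, so it can only be trusted
# through its issuer. If caCert.pem is missing here, authentication of
# the peer fails, which is the behaviour the original question expected.
conn per-host-cert
    keyexchange=ikev2
    leftcert=host1Cert.pem
    leftid="C=CH, O=Example, CN=host1.example.org"
    right=192.0.2.2
    # Pin the expected peer identity and the CA that must issue its cert
    rightid="C=CH, O=Example, CN=host2.example.org"
    rightca="C=CH, O=Example, CN=Example CA"
    auto=add
```

In case 1 every host holding defaultCertificate.pem and its private key is indistinguishable from every other, so the certificate behaves like a shared secret rather than a per-host identity.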