[strongSwan] Send CA certificates during the ISAKMP phase

Andreas Steffen andreas.steffen at strongswan.org
Mon May 21 22:54:08 CEST 2012

Hi Joern,

no, pluto cannot send intermediate certificates but the forthcoming
strongSwan 5.0 charon daemon with combined IKEv1/IKEv2 functionality
will be able to send them.



On 05/21/2012 08:34 PM, Joern Mewes wrote:
> Hi,
> Not sure if the below email went through. Can someone please tell me if
> it's possible to configure pluto to send intermediate certificates during
> the isakmp phase?
> Thanks,
> Joern
>> Hello,
>> Is there any way to configure pluto to send its intermediate (ca) 
>> certificate during the IKE phase? We are using a certificate chain 
>> (root-ca, sub1-ca, sub2-ca) and I observed that VPN peers having the 
>> certificates from sub1-ca cannot verify the strongswan certs issued by 
>> sub2-ca as strongswan sends the client certificate only.
>> I read in https://lists.strongswan.org/pipermail/users/2011-January/005842.html
>> that charon can do this but I am wondering if this is possible with 
>> pluto as well as we have to stick with IKEv1.
>> Can you give a short hint how to configure this?
>> Thanks and regards,
>> Joern

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
