[strongSwan] strongswan how to check certreq and how to build certreq field

Jun Yin hansyin at gmail.com
Wed Nov 21 20:47:03 CET 2012


Hi,

I know certreq should be filled by part of hash of certificate
authority, but I don't know an easy way to calculate it by myself.

From my debug:

Nov 20 18:09:15 pc161 charon: 16[IKE] local host is behind NAT, sending keep alives
Nov 20 18:09:15 pc161 charon: 16[IKE] received 1 cert requests for an unknown ca
Nov 20 18:09:15 pc161 charon: 16[IKE] sending cert request for "C=CA, ST=bc, L=vancouver, O=fortinet, OU=qa, CN=hans_216, E=hans_216 at stress.com"
Nov 20 18:09:15 pc161 charon: 16[IKE] sending cert request for "C=CA, ST=bc, L=vancouver, O=fortinet, OU=qa, CN=hans_216_sub2, E=hans_216_sub2 at stress.com"
Nov 20 18:09:16 pc161 charon: 16[IKE] authentication of 'C=CA, ST=bc, L=vancouver, O=fortinet, OU=qa, CN=dut2_sub3_alt, E=dut2_sub3 at stress.com' (myself) with RSA signature successful


1. The second line said "requests for an unknown ca". I don't know
why; I suppose I have all relevant cacert in directory
/etc/ipsec.d/cacert. So, does that mean my peer is sending a wrong value
in the certreq field?

2. The third and fourth lines said we're building our certreq field and
sending it. My question is: how does strongswan choose the cacert to send? I
actually have 4 cacert in my directory /etc/ipsec.d/cacert. Why does
strongswan choose two of them? By which kind of rule?

3. To confirm that strongswan is sending the correct certreq, is there a
way to calculate the certreq field value by ourselves? Like an openssl
command?


Thanks!

-- 
Rgds,

Hans Yin
Web:   http://sourceforge.net/projects/autotestnet/
Email:  hansyin at gmail.com
MSN:   hansyin at hotmail.com
Skype: hans_yin_vancouver
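
An added example (not part of the original post and not strongSwan code), assuming IKEv2 as specified in RFC 7296 section 3.7, where the CERTREQ body is one encoding byte followed by 20-byte SHA-1 hashes of each trusted CA's SubjectPublicKeyInfo. It recomputes those hashes from CA certificates and lists requested hashes that match none of them, which is presumably the condition behind the "unknown ca" log line; all function names and the sample certificates are constructed for illustration.

```python
import hashlib

def read_tlv(buf, pos):
    """Return (tag, value_start, end) of the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def spki_from_cert(cert_der):
    """Return the complete SubjectPublicKeyInfo element of a DER certificate."""
    _, pos, _ = read_tlv(cert_der, 0)    # Certificate SEQUENCE
    _, pos, _ = read_tlv(cert_der, pos)  # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                      # optional [0] version
        pos = end
    for _ in range(5):  # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    _, _, end = read_tlv(cert_der, pos)
    return cert_der[pos:end]

def ca_hash(cert_der):
    """20-byte CERTREQ entry: SHA-1 over the CA's SubjectPublicKeyInfo."""
    return hashlib.sha1(spki_from_cert(cert_der)).digest()

def parse_certreq(body):
    """Split a CERTREQ payload body into (cert_encoding, [20-byte hashes])."""
    if len(body) < 1 or (len(body) - 1) % 20:
        raise ValueError("CERTREQ body must be 1 + 20*n bytes")
    return body[0], [body[i:i + 20] for i in range(1, len(body), 20)]

def unknown_cas(body, local_ca_certs):
    """Hex hashes the peer requested that match none of our CA certificates."""
    known = {ca_hash(c) for c in local_ca_certs}
    return [h.hex() for h in parse_certreq(body)[1] if h not in known]

# --- constructed sample data (not real certificates, keys are dummy bytes) ---
def der(tag, content=b""):
    return bytes([tag, len(content)]) + content  # short-form lengths only

def fake_ca(key):
    spki = der(0x30, der(0x30) + der(0x03, b"\x00" + key))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + der(0x30) * 4 + spki)
    return der(0x30, tbs + der(0x30) + der(0x03, b"\x00"))

CA_A, CA_B = fake_ca(b"A" * 8), fake_ca(b"B" * 8)
```

For a real CA file the same value is `openssl x509 -in ca.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha1`, where `ca.pem` is a placeholder name.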
