[strongSwan] [Strongswan] - IKE_AUTH failure in case of cert Authentication

Sriram sriram.ec at gmail.com
Sat Aug 9 14:48:41 CEST 2014


Hello,

I am trying to establish ipsec tunnel between two linux boxes using
certificates.
Client is on strongswan-5.1.1 and Server is on strongswan-5.2.0
Also strongswan client is asking for a virutal ip.

There are two levels of certificate Authorities.
I have placed both Root Certificate and SubCA certificate in
/etc/ipsec.d/cacerts,
Device certificate is in /etc/ipsec.d/certs, Device key in
/etc/ipsec.d/private
This, I have done in both the boxes.

In both client and server,
/usr/sbin/ipsec listcacerts
is listing both Root and SubCA certificate

/usr/sbin/ipsec listcerts
is listing device certificate properly.


When ike session is initiated from client,

IKE_SA_INIT and IKE_SA_INIT_RESPONSE happen properly.

Later IKE_AUTH from client gets fragmented at ip level, 2 fragments are
sent and are received by server. Server authenticates the client and is
able to establish the root of trust.

But server is sending only one certificate(Device cert) in IKE_AUTH,
because of which client fails to establish the root of trust.
I see that all packets from server are having DF bit on. Is this the reason
why server sends only one certificate in IKE_AUTH ?

How to overcome this situation ?

Any help in this regard is appreciated.

Regards,
Sriram
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20140809/ed36330b/attachment.html>


More information about the Users mailing list