[strongSwan] Small Problems with 5.2

Martin Willi martin at strongswan.org
Tue Jul 15 11:24:04 CEST 2014


> was there a change in 5.2 about charon asking for the certificate of
> the peer? I can establish a connection when I add leftsendcert=yes to
> the configuration of my roadwarrior.

None that I'm aware of. leftsendcert=ifasked was the policy ever since.

> If I don't add it I get a connection with 5.1.3 but on 5.2 I get:
> [IKE] no trusted RSA public key found for 'C=DE, O=xxxx'
> in the log of the server.

As the default policy is "ifasked", this most likely implies that your
server does not send a certificate request. By default certificate
requests are sent; what is your rightsendcert setting on the server?

charon logs the certificates and certificate requests sent/received
during the exchange, that should help in analyzing what is missing.


More information about the Users mailing list