[strongSwan] Small Problems with 5.2

Dirk Hartmann dha at heise.de
Tue Jul 15 12:02:57 CEST 2014

Hi Martin,

--On Tuesday, July 15, 2014 11:24:04 AM +0200 Martin Willi 
<martin at strongswan.org> wrote:

>> was there a change in 5.2 about charon asking for the certificate of
>> the peer? I can establish a connection when I add leftsendcert=yes to
>> the configuration of my roadwarrior.
> None that I'm aware of. leftsendcert=ifasked was the policy ever
> since.
>> If I don't add it I get a connection with 5.1.3 but on 5.2 I get:
>> [IKE] no trusted RSA public key found for 'C=DE, O=xxxx'
>> in the log of the server.
> As the default policy is "ifasked", this most likely implies that your
> server does not send a certificate request. By default certificate
> requests are sent; what is your rightsendcert setting on the server?


I don't have a setting in the default section.
But I have a special conn for windows 7 Users with eap in which section 
I set rightsendcert = never as mentioned in the wiki page 

With this connection active it doesn't matter if I set rightsendcert to 
ifasked or yes in the default section or the specific connection 
section of my linux roadwarrior. I can't connect because charon doesn't 
send a certificate request.

If I remove the conn section for win 7 eap, I can connect.

> charon logs the certificates and certificate requests sent/received
> during the exchange, that should help in analyzing what is missing.

Yes charon doesn't send certificate requests as long as there is a 
single connection setting with rightsendcert=never

Best Regards

More information about the Users mailing list