[strongSwan] IPSEC/l2TP Chrome OS

Tobias Brunner tobias at strongswan.org
Fri Feb 13 10:17:36 CET 2015


Hi Ilan,

Thanks for the log. Here we see the reason for that INFORMATIONAL request:

> 2015-02-12T10:22:25.578064-08:00 charon[2428]: 09[ENC] payload of type CERTIFICATE_V1 more than 2 times (3) occurred in current message
> 2015-02-12T10:22:25.578096-08:00 charon[2428]: 09[IKE] message verification failed
> 2015-02-12T10:22:25.578114-08:00 charon[2428]: 09[ENC] generating INFORMATIONAL_V1 request 4041721436 [ HASH N(PLD_MAL) ]
> 2015-02-12T10:22:25.578130-08:00 charon[2428]: 09[NET] sending packet: from 10.0.1.186[4500] to 162.243.137.92[4500] (68 bytes)
> 2015-02-12T10:22:25.578147-08:00 charon[2428]: 09[IKE] ID_PROT response with message ID 0 processing failed

So the client doesn't like the three certificates (two intermediate CAs
and server) sent by the server, as seen here:

> 09[IKE] sending end entity cert "CN=do-c6176704.san-francisco-1.pertinoipsec.dev.pertino.com, OU=DEV, O=pertino.com, C=US"
> 09[IKE] sending issuer cert "CN=Pertino Dev Issuing CA G1, O=Pertino, C=US"
> 09[IKE] sending issuer cert "CN=Pertino Dev Intermediate CA G1, O=Pertino, C=US"
> 09[ENC] generating ID_PROT response 0 [ ID CERT CERT CERT SIG ]

We actually changed this limit a while ago with [1], which was included
in 5.1.1.  Apparently, Chrome OS still uses an older version of
strongSwan.  You might want to file a bug report at [2].

If the client allows you to configure the server certificate instead of
a CA certificate you could do so and then use `leftsendcert=never` on
the server to avoid any certificate getting sent to the client.

If that's not the case you could try to use one of the intermediate CA
certificates as trust anchor and install that on the client instead of
the root CA certificate.  Then remove the root certificate and/or the
intermediate certificate closer to the root from ipsec.d/cacert on the
server.  That should reduce the number of CERT payloads sent to the
client to one or two.

Regards,
Tobias

[1] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=d489e7557
[2] https://code.google.com/p/chromium/issues/list
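As an added illustration (not part of the original message and not strongSwan's code), the following Python sketch mimics the check that produced the quoted log line: it walks the IKEv1 payload chain of an ID_PROT response and counts CERT payloads against a per-type limit. The chain `[ ID CERT CERT CERT SIG ]` and the limit of 2 come from the logs above; the ISAKMP header fields and dummy payload bodies are constructed test data.

```python
import struct

# IKEv1/ISAKMP payload type numbers (RFC 2408, section 3.1)
ID, CERT, SIG = 5, 6, 9
PAYLOAD_NAMES = {ID: "ID", CERT: "CERT", SIG: "SIG"}
ISAKMP_HDR_LEN = 28
ID_PROT = 2  # Identity Protection exchange (main mode)

def build_message(payloads, message_id=0):
    """Serialize an ISAKMP header plus a chain of (type, body) payloads.
    Constructed test data only: SPIs and bodies are dummy bytes, not real certs."""
    chain = b""
    for i, (ptype, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        # generic payload header: next payload, reserved, payload length
        chain += struct.pack("!BBH", nxt, 0, 4 + len(body)) + body
    first = payloads[0][0] if payloads else 0
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8, first, 0x10,
                      ID_PROT, 0, message_id, ISAKMP_HDR_LEN + len(chain))
    return hdr + chain

def parse_payload_types(msg):
    """Walk the payload chain and return the payload types in order."""
    ptype = msg[16]                         # 'next payload' in the ISAKMP header
    total = struct.unpack("!I", msg[24:28])[0]
    if total != len(msg):
        raise ValueError("length field does not match message size")
    off, types = ISAKMP_HDR_LEN, []
    while ptype != 0:
        if off + 4 > len(msg):
            raise ValueError("truncated payload header")
        nxt, _, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length")
        types.append(ptype)
        ptype, off = nxt, off + plen
    return types

def verify_payload_counts(types, limits):
    """Return the diagnostics a peer enforcing `limits` (type -> max count) would log."""
    problems = []
    for ptype, limit in limits.items():
        n = types.count(ptype)
        if n > limit:
            problems.append(f"payload of type {PAYLOAD_NAMES.get(ptype, ptype)} "
                            f"more than {limit} times ({n}) occurred in current message")
    return problems

# The chain the server sent according to the log: [ ID CERT CERT CERT SIG ]
SERVER_RESPONSE = build_message([(ID, b"id"), (CERT, b"ee"), (CERT, b"ca1"),
                                 (CERT, b"ca2"), (SIG, b"sig")])

if __name__ == "__main__":
    print(verify_payload_counts(parse_payload_types(SERVER_RESPONSE), {CERT: 2}))
```

Dropping one CERT payload (one fewer issuer certificate in ipsec.d/cacerts, as suggested above) makes the same check pass with the old limit of 2.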
