[strongSwan] SA Establishment with Juniper Fails when Trust Chains are used on both Ends.

Sajal Malhotra sajalmalhotra at gmail.com
Fri Feb 13 12:08:05 CET 2015


We are facing an issue while establishing an SA between a Linux device running
strongSwan v5.0.2 and a Juniper Netscreen SGW.

We are using trust chains on both ends with a common Root CA.

- Trust chain installed on strongSwan (Linux): RootCA -> SubCA1 -> strongSwan device certificate

- Trust chain installed on Juniper: RootCA -> SubCA2 -> Juniper device certificate

Procedure executed:

1. SA negotiation started by the Linux device (running strongSwan).

   - Juniper responds with IKE_INIT, in whose [CERTREQ] payload it provides
     its issuer's certificate (SubCA2).

   - Linux responds with the IKE_AUTH message.

2. SA establishment successful at Juniper (it accepts IKE_AUTH from Linux).
   Juniper then replies with IKE_AUTH with its own device certificate in the
   [CERT] payload.

3. But SA negotiation failed at the Linux device.

   We see the error mentioned below [please find the log file attached].

Feb 12 00:11:15 localhost charon: 12[CFG] no issuer certificate found for
"C=sd, ST=amit_13, L=amit_13, O=amit_13, OU=amit_13, CN=0047092009000003,
CN=amit_13, CN=rsa-key, CN=ns54030.juniper.net, CN=amit_13"


Why is SA negotiation failing between strongSwan and Juniper? Juniper had
already shared its issuer certificate (SubCA2) in the IKE_INIT message. This
certificate could be validated by the RootCA cert already present on Linux.
Thereafter, when Juniper sends its device certificate in IKE_AUTH, it should
have been possible for strongSwan to validate the complete trust chain.

Thanks and Regards
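
As an added example (not from this thread, and not strongSwan's or Juniper's code), the following Python model of the IKEv2 CERTREQ payload from RFC 7296 section 3.7 shows what the payload actually carries: only 20-byte SHA-1 hashes of each trust anchor's SubjectPublicKeyInfo, never the CA certificate itself, so a receiver that does not already hold the named intermediate (SubCA2 here) cannot recover it from the request and cannot build the peer's chain. The SPKI byte strings and CA names are constructed placeholders, not real keys or certificates.

```python
import hashlib
import struct

# RFC 7296 section 3.7: Cert Encoding 4 = "X.509 Certificate - Signature";
# the CA field is then a list of SHA-1 hashes of trust-anchor SPKIs.
CERT_ENCODING_X509_SIG = 4
SHA1_LEN = 20

# Constructed stand-ins for DER SubjectPublicKeyInfo blobs (not real keys).
ROOT_SPKI = b"constructed-spki-RootCA"
SUBCA1_SPKI = b"constructed-spki-SubCA1"
SUBCA2_SPKI = b"constructed-spki-SubCA2"
# What the Linux side holds: the root plus its own intermediate, no SubCA2.
LINUX_STORE = {"RootCA": ROOT_SPKI, "SubCA1": SUBCA1_SPKI}

def build_certreq(trust_anchor_spkis, next_payload=0):
    """Generic payload header + cert encoding + one 20-byte hash per anchor."""
    body = bytes([CERT_ENCODING_X509_SIG]) + b"".join(
        hashlib.sha1(spki).digest() for spki in trust_anchor_spkis)
    # Next Payload (1), Critical bit/Reserved (1), Payload Length (2) incl. header
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body

def parse_certreq(payload):
    """Return the list of SPKI hashes carried in a CERTREQ payload."""
    if len(payload) < 5:
        raise ValueError("CERTREQ too short")
    _next, _flags, length = struct.unpack("!BBH", payload[:4])
    if length != len(payload):
        raise ValueError("payload length mismatch")
    if payload[4] != CERT_ENCODING_X509_SIG:
        raise ValueError("unsupported cert encoding %d" % payload[4])
    hashes = payload[5:]
    if len(hashes) % SHA1_LEN:
        raise ValueError("CA field is not a multiple of 20 bytes")
    return [hashes[i:i + SHA1_LEN] for i in range(0, len(hashes), SHA1_LEN)]

def match_requested_cas(payload, local_certs):
    """Map each requested hash to a local CA name, or None when the peer
    names a CA whose certificate we do not hold and cannot recover from
    the hash alone."""
    by_hash = {hashlib.sha1(s).digest(): n for n, s in local_certs.items()}
    return [(h.hex(), by_hash.get(h)) for h in parse_certreq(payload)]

def demo():
    # Juniper's CERTREQ naming RootCA and SubCA2: 45 bytes, no certificates.
    req = build_certreq([ROOT_SPKI, SUBCA2_SPKI])
    return match_requested_cas(req, LINUX_STORE)
```

Running demo() resolves the first hash to "RootCA" and the second to None, which is the position the Linux side is in until the SubCA2 certificate is installed locally or sent by the peer in a CERT payload.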
