[strongSwan] SA Establishment with Juniper Fails when Trust Chains are used on both Ends.
Sajal Malhotra
sajalmalhotra at gmail.com
Fri Feb 13 12:08:05 CET 2015
Hi
We are facing an issue while establishing an SA between a Linux device running
strongSwan v5.0.2 and a Juniper Netscreen SGW.
We are using trust chains on both ends with a common Root CA:
- Trust chain installed on strongSwan (Linux): RootCA -> SubCA1 -> strongSwan
Device Certificate
- Trust chain installed on Juniper: RootCA -> SubCA2 -> Juniper Device
Certificate
Procedure executed:
1. SA negotiation started by the Linux device (running strongSwan v5.0.2).
   - J - Juniper responds with IKE_INIT, in which in the [CERTREQ] payload it
     provides its Issuer's Certificate (SubCA2).
   - L - Linux responds with the IKE_AUTH message.
2. SA establishment successful at Juniper (it accepts IKE_AUTH from Linux).
   Juniper then replies with IKE_AUTH with its own Device Certificate in the
   [CERT] payload.
3. But SA negotiation failed at the Linux device.
We see the error mentioned below (please find the log file attached):
Feb 12 00:11:15 localhost charon: 12[CFG] no issuer certificate found for
"C=sd, ST=amit_13, L=amit_13, O=amit_13, OU=amit_13, CN=0047092009000003,
CN=amit_13, CN=rsa-key, CN=ns54030.juniper.net, CN=amit_13"
Query:
Why is SA negotiation failing between strongSwan and Juniper? Juniper had
already shared its Issuer Certificate (SubCA2) in the IKE_INIT message. This
certificate could be validated with the RootCA cert already present on Linux.
Thereafter, when Juniper sends its Device Certificate in IKE_AUTH, it should
have been possible for strongSwan to validate the complete trust chain.
Thanks and Regards
Sajal
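As an added illustration (not part of the original mail or of strongSwan itself), the script below rebuilds both trust chains from the post with throwaway keys and asks openssl the same question charon is asking when it logs "no issuer certificate found": can the Juniper device certificate be chained to RootCA with the intermediate certificates that are actually available on the Linux side? It assumes only the openssl CLI; all subject names are constructed.

```shell
#!/bin/sh
# Added example, not from the original mail: two sub-CA chains under one root,
# verified from the Linux side with and without the peer's intermediate (SubCA2).
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# issue NAME SUBJECT ISSUER KIND -- empty ISSUER means self-signed; KIND is ca or leaf
issue() {
    name=$1; subj=$2; issuer=$3; kind=$4
    openssl genrsa -out "$name.key" 2048 2>/dev/null
    if [ "$kind" = ca ]; then
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' >"$name.ext"
    else
        printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\n' >"$name.ext"
    fi
    openssl req -new -key "$name.key" -subj "$subj" -out "$name.csr" 2>/dev/null
    if [ -z "$issuer" ]; then   # self-signed trust anchor
        openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 365 \
            -extfile "$name.ext" -out "$name.pem" 2>/dev/null
    else                        # signed by the named CA
        openssl x509 -req -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
            -CAcreateserial -days 365 -extfile "$name.ext" -out "$name.pem" 2>/dev/null
    fi
}

# chains_to_root LEAF [UNTRUSTED] -- exit 0 if LEAF chains to RootCA, optionally
# using UNTRUSTED as an intermediate; this mirrors charon's issuer lookup.
chains_to_root() {
    if [ -n "$2" ]; then
        openssl verify -CAfile root.pem -untrusted "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile root.pem "$1" >/dev/null 2>&1
    fi
}

issue root    '/O=Example/CN=RootCA'         ''     ca
issue subca1  '/O=Example/CN=SubCA1'         root   ca
issue subca2  '/O=Example/CN=SubCA2'         root   ca
issue linux   '/O=Example/CN=linux-device'   subca1 leaf
issue juniper '/O=Example/CN=juniper-device' subca2 leaf

# Linux holds RootCA and its own SubCA1 only: the Juniper chain has a gap.
chains_to_root juniper.pem subca1.pem && echo "unexpected: chain complete" \
    || echo "juniper: no issuer certificate found (SubCA2 not available locally)"
# With SubCA2 available (local CA store or a received CERT payload) it verifies.
chains_to_root juniper.pem subca2.pem && echo "juniper: chain OK via SubCA2"
```

The failing case is the one in the log: the verifier needs the SubCA2 certificate itself, so the fix is to make that intermediate available to charon (for example by installing it alongside the root) rather than to change anything about the root.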
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 5_0_2.zip
Type: application/zip
Size: 10186 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150213/c942d6e4/attachment.zip>