[strongSwan] SA Establishment with Juniper Fails when Trust Chains are used on both Ends.

Tobias Brunner tobias at strongswan.org
Fri Feb 13 12:14:38 CET 2015

Hi Sajal,

> Why SA negotiation is failing between Strongswan and Juniper. Juniper
> had already shared its Issuer Certificate(SubCA2) in IKE_INIT Message.

No, what it sends in the CERTREQ payload during IKE_SA_INIT is a
certificate request for certificates issued by SubCA2.  This payload
contains a SHA-1 hash of the issuer certificate's public key, not the
certificate.  The intermediate CA certificate should be sent as CERT
payload during the IKE_AUTH exchange.


More information about the Users mailing list