[strongSwan] SA Establishment with Juniper Fails when Trust Chains are used on both Ends.
tobias at strongswan.org
Fri Feb 13 12:14:38 CET 2015
> Why is SA negotiation failing between Strongswan and Juniper? Juniper
> had already shared its Issuer Certificate (SubCA2) in the IKE_INIT message.
No, what it sends in the CERTREQ payload during IKE_SA_INIT is a
certificate request for certificates issued by SubCA2. This payload
contains a SHA-1 hash of the issuer certificate's public key, not the
certificate. The intermediate CA certificate should be sent as CERT
payload during the IKE_AUTH exchange.
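To make the distinction concrete, here is a small added example (mine, not part of Tobias's reply and not strongSwan's own code) that builds and parses an IKEv2 CERTREQ payload as defined in RFC 7296, section 3.7. For Cert Encoding 4 ("X.509 Certificate - Signature") the Certification Authority field is a concatenation of 20-byte SHA-1 hashes, each computed over the DER-encoded SubjectPublicKeyInfo of a trust anchor certificate, so no certificate is carried at all. The two CA keys below are constructed toy values, not real CAs; the helper names are my own.

```python
"""Build and parse an IKEv2 CERTREQ payload (RFC 7296, section 3.7)."""
import hashlib
import struct

CERT_ENCODING_X509_SIGNATURE = 4  # "X.509 Certificate - Signature"
SHA1_LEN = 20


def _der_length(n):
    """DER length octets (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag, content):
    return bytes([tag]) + _der_length(len(content)) + content


def _der_integer(value):
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:  # leading zero keeps the INTEGER positive
        body = b"\x00" + body
    return _der(0x02, body)


def rsa_subject_public_key_info(n, e):
    """DER SubjectPublicKeyInfo for an RSA public key: the bytes the CERTREQ hash covers."""
    rsa_encryption_oid = bytes.fromhex("06092a864886f70d010101")   # OID 1.2.840.113549.1.1.1
    algorithm = _der(0x30, rsa_encryption_oid + b"\x05\x00")        # AlgorithmIdentifier + NULL
    rsa_public_key = _der(0x30, _der_integer(n) + _der_integer(e))  # RSAPublicKey
    subject_public_key = _der(0x03, b"\x00" + rsa_public_key)       # BIT STRING, 0 unused bits
    return _der(0x30, algorithm + subject_public_key)


def certreq_hash(spki_der):
    """The 20-byte value a peer puts in CERTREQ for a CA: SHA-1 over its SubjectPublicKeyInfo."""
    return hashlib.sha1(spki_der).digest()


def build_certreq(ca_hashes, next_payload=0):
    """Generic payload header (Next Payload, flags, length) + Cert Encoding + CA hashes."""
    ca_field = b"".join(ca_hashes)
    length = 4 + 1 + len(ca_field)
    header = struct.pack("!BBH", next_payload, 0, length)
    return header + bytes([CERT_ENCODING_X509_SIGNATURE]) + ca_field


def parse_certreq(payload):
    """Return (cert_encoding, [ca_hash, ...]); raise ValueError on malformed input."""
    if len(payload) < 5:
        raise ValueError("CERTREQ payload too short")
    _next, _flags, length = struct.unpack("!BBH", payload[:4])
    if length != len(payload):
        raise ValueError("payload length mismatch")
    encoding, ca_field = payload[4], payload[5:]
    if encoding != CERT_ENCODING_X509_SIGNATURE:
        raise ValueError("unsupported Cert Encoding %d" % encoding)
    if len(ca_field) % SHA1_LEN:
        raise ValueError("Certification Authority field is not a multiple of 20 bytes")
    return encoding, [ca_field[i:i + SHA1_LEN] for i in range(0, len(ca_field), SHA1_LEN)]


def requested_cas(payload, known_cas):
    """Map each hash in the peer's CERTREQ to a local CA name, or None if we hold no such CA."""
    by_hash = {certreq_hash(spki): name for name, spki in known_cas.items()}
    _encoding, hashes = parse_certreq(payload)
    return [by_hash.get(h) for h in hashes]


# Constructed toy keys (not real CAs): the hash only depends on the SPKI encoding.
KNOWN_CAS = {
    "RootCA": rsa_subject_public_key_info(0xC0FFEE0123456789ABCDEF, 65537),
    "SubCA2": rsa_subject_public_key_info(0xDEADBEEF0BADF00D13371337, 65537),
}


def demo():
    """Peer requests certificates issued by SubCA2 only, as in the report above."""
    payload = build_certreq([certreq_hash(KNOWN_CAS["SubCA2"])])
    return requested_cas(payload, KNOWN_CAS)


if __name__ == "__main__":
    print(demo())  # ['SubCA2']
```

The useful debugging step this illustrates: take the SubjectPublicKeyInfo of your own intermediate CA certificate, hash it with `certreq_hash`, and compare the result with the 20-byte values the peer sends in its CERTREQ. A match tells you the peer trusts that CA and expects your end-entity certificate, together with the intermediate as a CERT payload in IKE_AUTH; it does not mean the peer has transmitted the intermediate certificate itself.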