[strongSwan] SA Establishment with Juniper Fails when Trust Chains are used on both Ends.

Sajal Malhotra sajalmalhotra at gmail.com
Fri Feb 13 15:15:46 CET 2015


Thanks Tobias!! For the quick clarification.
Looks like I need to raise the issue with Juniper.

BR
Sajal


On Fri, Feb 13, 2015 at 4:44 PM, Tobias Brunner <tobias at strongswan.org>
wrote:

> Hi Sajal,
>
> > Why SA negotiation is failing between Strongswan and Juniper. Juniper
> > had already shared its Issuer Certificate(SubCA2) in IKE_INIT Message.
>
> No, what it sends in the CERTREQ payload during IKE_SA_INIT is a
> certificate request for certificates issued by SubCA2.  This payload
> contains a SHA-1 hash of the issuer certificate's public key, not the
> certificate.  The intermediate CA certificate should be sent as CERT
> payload during the IKE_AUTH exchange.
>
> Regards,
> Tobias
>
>
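
The CERTREQ contents Tobias describes, as an added example that is not part of the original thread: it parses a CERTREQ payload body in the RFC 7296 section 3.7 layout (one Cert Encoding byte followed by concatenated 20-byte SHA-1 hashes of the CAs' SubjectPublicKeyInfo) and checks whether a given CA key is being requested. The function names are hypothetical and the SPKI byte strings are constructed stand-ins for real DER data.

```python
import hashlib

SHA1_LEN = 20
CERT_ENCODING_X509_SIGNATURE = 4  # "X.509 Certificate - Signature", RFC 7296 section 3.6


def spki_hash(spki_der: bytes) -> bytes:
    """SHA-1 over the DER-encoded SubjectPublicKeyInfo of a CA certificate."""
    return hashlib.sha1(spki_der).digest()


def parse_certreq(body: bytes):
    """Split a CERTREQ body (the bytes after the generic payload header)
    into (cert_encoding, [20-byte CA key hashes])."""
    if not body:
        raise ValueError("empty CERTREQ body")
    encoding, ca_field = body[0], body[1:]
    if len(ca_field) % SHA1_LEN:
        raise ValueError("Certification Authority field is not a multiple of 20 bytes")
    hashes = [ca_field[i:i + SHA1_LEN] for i in range(0, len(ca_field), SHA1_LEN)]
    return encoding, hashes


def ca_is_requested(body: bytes, spki_der: bytes) -> bool:
    """True if the peer's CERTREQ asks for certificates issued by this CA key."""
    encoding, hashes = parse_certreq(body)
    return encoding == CERT_ENCODING_X509_SIGNATURE and spki_hash(spki_der) in hashes


# Constructed placeholders: real input would be the DER SubjectPublicKeyInfo
# extracted from each CA certificate.
ROOT_SPKI = b"constructed-spki-root-ca"
SUBCA2_SPKI = b"constructed-spki-subca2"

# Constructed CERTREQ body naming only SubCA2, as in the thread.
SAMPLE_CERTREQ = bytes([CERT_ENCODING_X509_SIGNATURE]) + spki_hash(SUBCA2_SPKI)

if __name__ == "__main__":
    enc, hashes = parse_certreq(SAMPLE_CERTREQ)
    print("encoding:", enc, "hashes:", [h.hex() for h in hashes])
    # The body is 21 bytes: it identifies SubCA2's key but cannot carry
    # the certificate, which has to arrive in a CERT payload in IKE_AUTH.
    print("SubCA2 requested:", ca_is_requested(SAMPLE_CERTREQ, SUBCA2_SPKI))
    print("Root requested:  ", ca_is_requested(SAMPLE_CERTREQ, ROOT_SPKI))
```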