[strongSwan] IPSEC/l2TP Chrome OS

Ilan Caspi ilan.caspi at gmail.com
Tue Feb 17 19:14:38 CET 2015


Thanks Tobias,

I've submitted a bug to the chromium project
https://code.google.com/p/chromium/issues/detail?id=459261

Cheers,
Ilan

On Fri, Feb 13, 2015 at 1:17 AM, Tobias Brunner <tobias at strongswan.org>
wrote:

> Hi Ilan,
>
> Thanks for the log. Here we see the reason for that INFORMATIONAL request:
>
> > 2015-02-12T10:22:25.578064-08:00 charon[2428]: 09[ENC] payload of type
> CERTIFICATE_V1 more than 2 times (3) occurred in current message
> > 2015-02-12T10:22:25.578096-08:00 charon[2428]: 09[IKE] message
> verification failed
> > 2015-02-12T10:22:25.578114-08:00 charon[2428]: 09[ENC] generating
> INFORMATIONAL_V1 request 4041721436 [ HASH N(PLD_MAL) ]
> > 2015-02-12T10:22:25.578130-08:00 charon[2428]: 09[NET] sending packet:
> from 10.0.1.186[4500] to 162.243.137.92[4500] (68 bytes)
> > 2015-02-12T10:22:25.578147-08:00 charon[2428]: 09[IKE] ID_PROT response
> with message ID 0 processing failed
>
> So the client doesn't like the three certificates (two intermediate CAs
> and server) sent by the server, as seen here:
>
> > 09[IKE] sending end entity cert "CN=
> do-c6176704.san-francisco-1.pertinoipsec.dev.pertino.com, OU=DEV, O=
> pertino.com, C=US"
> > 09[IKE] sending issuer cert "CN=Pertino Dev Issuing CA G1, O=Pertino,
> C=US"
> > 09[IKE] sending issuer cert "CN=Pertino Dev Intermediate CA G1,
> O=Pertino, C=US"
> > 09[ENC] generating ID_PROT response 0 [ ID CERT CERT CERT SIG ]
>
> We actually changed this limit a while ago with [1], which was included
> in 5.1.1.  Apparently, Chrome OS still uses an older version of
> strongSwan.  You might want to file a bug report at [2].
>
> If the client allows you to configure the server certificate instead of
> a CA certificate you could do so and then use `leftsendcert=never` on
> the server to avoid any certificate getting sent to the client.
>
> If that's not the case you could try to use one of the intermediate CA
> certificates as trust anchor and install that on the client instead of
> the root CA certificate.  Then remove the root certificate and/or the
> intermediate certificate closer to the root from ipsec.d/cacert on the
> server.  That should reduce the number of CERT payloads sent to the
> client to one or two.
>
> Regards,
> Tobias
>
> [1] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=d489e7557
> [2] https://code.google.com/p/chromium/issues/list
>
>


-- 
Ilan
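To make the failure in the quoted log concrete, here is an added Python example (not code from strongSwan or from either poster) that parses the charon lines quoted above and re-runs the per-message payload-count rule on the server's ID_PROT response: three CERT payloads against the older client's limit of 2 fail, and a chain shortened as Tobias suggests passes. The limit of 2 and the `[ ... ]` payload-list format are taken from the quoted log; applying that limit to every payload type, and the helper names, are assumptions of this example.

```python
import re
from collections import Counter

# Constructed from the charon log lines quoted in the thread (not a real capture).
CHARON_LOG = """\
2015-02-12T10:22:25.578064-08:00 charon[2428]: 09[ENC] payload of type CERTIFICATE_V1 more than 2 times (3) occurred in current message
2015-02-12T10:22:25.578096-08:00 charon[2428]: 09[IKE] message verification failed
2015-02-12T10:22:25.578114-08:00 charon[2428]: 09[ENC] generating INFORMATIONAL_V1 request 4041721436 [ HASH N(PLD_MAL) ]
"""
SERVER_LOG = "09[ENC] generating ID_PROT response 0 [ ID CERT CERT CERT SIG ]"

# The older client's per-type limit; 2 is what the quoted log reports for CERTIFICATE_V1.
# Applying it to every payload type is an assumption made for this example.
OLD_CLIENT_MAX_PER_TYPE = 2

PAYLOAD_LIMIT_RE = re.compile(r"payload of type (\S+) more than (\d+) times \((\d+)\) occurred")
PAYLOAD_LIST_RE = re.compile(r"\[ ([^\]]+) \]")

def find_payload_limit_errors(log_text):
    """Return (payload_type, limit, seen) for every 'more than N times' line in a charon log."""
    hits = []
    for line in log_text.splitlines():
        m = PAYLOAD_LIMIT_RE.search(line)
        if m:
            hits.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return hits

def payloads_from_log_line(line):
    """Extract the bracketed payload list charon prints, e.g. ['ID', 'CERT', 'CERT', 'CERT', 'SIG']."""
    m = PAYLOAD_LIST_RE.search(line)
    return m.group(1).split() if m else []

def check_payload_counts(payloads, max_per_type=OLD_CLIENT_MAX_PER_TYPE):
    """Mimic the receiver's rule: a type seen more than max_per_type times fails verification.
    Returns {type: count} for offending types; an empty dict means the message is accepted."""
    counts = Counter(payloads)
    return {ptype: n for ptype, n in counts.items() if n > max_per_type}

def shorten_chain(payloads, keep_certs):
    """Model the workaround: trust anchor moved to an intermediate CA, so fewer CERT payloads are sent."""
    out, kept = [], 0
    for p in payloads:
        if p == "CERT":
            if kept >= keep_certs:
                continue
            kept += 1
        out.append(p)
    return out
```

Running `check_payload_counts(payloads_from_log_line(SERVER_LOG))` reports `{'CERT': 3}`, and the same check on `shorten_chain(..., 2)` returns an empty dict, matching the one-or-two-CERT outcome described in the reply.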