[strongSwan] IPSEC/l2TP Chrome OS
ilan.caspi at gmail.com
Tue Feb 17 19:14:38 CET 2015
I've submitted a bug to the chromium project.
On Fri, Feb 13, 2015 at 1:17 AM, Tobias Brunner <tobias at strongswan.org>
> Hi Ilan,
> Thanks for the log. Here we see the reason for that INFORMATIONAL request:
> > 2015-02-12T10:22:25.578064-08:00 charon: 09[ENC] payload of type
> CERTIFICATE_V1 more than 2 times (3) occurred in current message
> > 2015-02-12T10:22:25.578096-08:00 charon: 09[IKE] message
> verification failed
> > 2015-02-12T10:22:25.578114-08:00 charon: 09[ENC] generating
> INFORMATIONAL_V1 request 4041721436 [ HASH N(PLD_MAL) ]
> > 2015-02-12T10:22:25.578130-08:00 charon: 09[NET] sending packet:
> from 10.0.1.186 to 188.8.131.52 (68 bytes)
> > 2015-02-12T10:22:25.578147-08:00 charon: 09[IKE] ID_PROT response
> with message ID 0 processing failed
> So the client doesn't like the three certificates (two intermediate CAs
> and server) sent by the server, as seen here:
> > 09[IKE] sending end entity cert "CN=
> do-c6176704.san-francisco-1.pertinoipsec.dev.pertino.com, OU=DEV, O=
> pertino.com, C=US"
> > 09[IKE] sending issuer cert "CN=Pertino Dev Issuing CA G1, O=Pertino,
> > 09[IKE] sending issuer cert "CN=Pertino Dev Intermediate CA G1,
> O=Pertino, C=US"
> > 09[ENC] generating ID_PROT response 0 [ ID CERT CERT CERT SIG ]
> We actually changed this limit a while ago with , which was included
> in 5.1.1. Apparently, Chrome OS still uses an older version of
> strongSwan. You might want to file a bug report at .
> If the client allows you to configure the server certificate instead of
> a CA certificate you could do so and then use `leftsendcert=never` on
> the server to avoid any certificate getting sent to the client.
> If that's not the case you could try to use one of the intermediate CA
> certificates as trust anchor and install that on the client instead of
> the root CA certificate. Then remove the root certificate and/or the
> intermediate certificate closer to the root from ipsec.d/cacert on the
> server. That should reduce the number of CERT payloads sent to the
> client to one or two.
>  http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=d489e7557
>  https://code.google.com/p/chromium/issues/list
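The client-side check that produced the `N(PLD_MAL)` notify in the quoted log, reconstructed as an added example (this is not strongSwan's own parser, nor code from the thread): it walks the ISAKMP payload chain of an IKEv1 message, counts how often each payload type occurs, and flags any type that exceeds a per-message limit. The limit of two CERT payloads is taken from the log line ("more than 2 times (3) occurred"); the payload type numbers are from RFC 2408; the sample message is constructed here and is unencrypted, so a real main-mode capture would first need decrypting with the IKE SA keys.

```python
import struct
from collections import Counter

# ISAKMP (IKEv1) payload type numbers, RFC 2408 section 3.1.
PAYLOAD_NAMES = {0: "NONE", 1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT",
                 7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID"}
ISAKMP_HEADER_LEN = 28          # SPIs (16) + next/version/xchg/flags (4) + msgid (4) + length (4)
GENERIC_PAYLOAD_HEADER_LEN = 4  # next payload (1) + reserved (1) + payload length (2)

# Per-message occurrence limits. Assumption: the old client in the thread allows
# at most two CERT payloads per message, as its log line states.
MAX_OCCURRENCES = {6: 2}


def build_message(payloads):
    """Build a minimal ISAKMP ID_PROT (exchange type 2) message from a list of
    (payload_type, body_bytes). Constructed test data: flags=0, message ID 0."""
    body = b""
    for i, (ptype, data) in enumerate(payloads):
        next_type = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", next_type, 0,
                            GENERIC_PAYLOAD_HEADER_LEN + len(data)) + data
    first = payloads[0][0] if payloads else 0
    header = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8,
                         first, 0x10, 2, 0, 0, ISAKMP_HEADER_LEN + len(body))
    return header + body


def walk_payloads(message):
    """Yield (payload_type, body) by following the next-payload chain.
    Raises ValueError on any length that does not fit the message."""
    if len(message) < ISAKMP_HEADER_LEN:
        raise ValueError("short ISAKMP header")
    next_type = message[16]
    total_len = struct.unpack("!I", message[24:28])[0]
    if total_len != len(message):
        raise ValueError("ISAKMP length field does not match message size")
    offset = ISAKMP_HEADER_LEN
    while next_type != 0:
        if offset + GENERIC_PAYLOAD_HEADER_LEN > len(message):
            raise ValueError("truncated payload header")
        following, _, plen = struct.unpack("!BBH", message[offset:offset + 4])
        if plen < GENERIC_PAYLOAD_HEADER_LEN or offset + plen > len(message):
            raise ValueError("bad payload length")
        yield next_type, message[offset + 4:offset + plen]
        offset += plen
        next_type = following
    if offset != len(message):
        raise ValueError("trailing bytes after last payload")


def check_message(message, limits=MAX_OCCURRENCES):
    """Return (summary, violations). summary is the payload list in the same
    form as charon's log ('ID CERT CERT CERT SIG'); violations lists
    (name, count, limit) for every payload type over its limit."""
    counts = Counter()
    names = []
    for ptype, _ in walk_payloads(message):
        counts[ptype] += 1
        names.append(PAYLOAD_NAMES.get(ptype, f"UNKNOWN({ptype})"))
    violations = [(PAYLOAD_NAMES.get(t, str(t)), counts[t], lim)
                  for t, lim in limits.items() if counts[t] > lim]
    return " ".join(names), violations


if __name__ == "__main__":
    # Constructed stand-in for the server's response: end entity cert plus two
    # issuer certs, i.e. three CERT payloads, as in the quoted log.
    msg = build_message([(5, b"\x01" * 8), (6, b"\x04cert-ee"),
                         (6, b"\x04cert-ca1"), (6, b"\x04cert-ca2"), (9, b"\x00" * 16)])
    summary, violations = check_message(msg)
    print(f"[ {summary} ]")
    for name, count, limit in violations:
        print(f"payload of type {name} more than {limit} times ({count}) occurred")
```

Running the block reproduces the two-line verdict from the log for a three-certificate chain; trimming the chain to one or two CERT payloads, as the reply suggests, makes `violations` empty. The length checks in `walk_payloads` are there because a counter that trusts payload length fields is exactly what a malformed message would exploit.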