[strongSwan] question regarding multiple CA certificates

Ko, HsuenJu HsuenJu.Ko at stratus.com
Tue May 19 16:34:46 CEST 2015


Hi,

I am wondering how strongswan deals with multiple CA certificates.  I ran into a problem that strongswan does not allow more than 20 CA certs with the following message:

May 19 09:27:54 16[ENC] payload of type CERTREQ_V1 more than 20 times (21) occurred in current message

I see entries like the following in the log file for each CA cert in the ipsec.d/cacerts directory.

May 19 09:56:41 05[ENC] added payload of type CERTIFICATE_REQUEST_V1 to message
May 19 09:56:41 05[IKE] sending cert request for "C=US, O=XXX, OU= IPSec Tests, CN=test 2 26 v4 CA"

By looking at code and comments in build_certreqs it looks like it is possible to avoid sending all trusted CA certificates if a specific CA for the peer is found.

     /* check if we require a specific CA for that peer */
     peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
     if (peer_cfg)
     {
          enumerator = peer_cfg->create_auth_cfg_enumerator(peer_cfg, FALSE);
          if (enumerator->enumerate(enumerator, &auth))
          {
               add_certreqs(this, auth, message);
          }
          enumerator->destroy(enumerator);
     }
     if (!message->get_payload(message, CERTIFICATE_REQUEST_V1))
     {
          /* otherwise add all trusted CA certificates */
          enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
                                                            CERT_ANY, KEY_ANY,
                                                            NULL, TRUE);
          while (enumerator->enumerate(enumerator, &cert))
          {
               add_certreq(this, message, cert);
          }
          enumerator->destroy(enumerator);
     }


However, I don't know how to code the config file to cause strongswan to send only the specific CA.  From the debugging it seems like peer_cfg is NULL in the config example I have below.  Can someone give me an example of how to avoid sending all CAs?

Thanks!

conn conn_10_ike2_83
     left=10.2.10.122
     leftcert=test_2.10_cert_ipv4.der
     leftca="C=US, O=XXX, OU=IPSec Tests, CN=test 2 10 v4 CA"
     right=10.2.10.83
     rightid=10.2.10.83
     rightca="C=US, O=XXX, OU= IPSec Tests, CN=test 2 10 v4 CA"
     esp=aes256-sha512-ecp521!
     ike=aes256-sha512-ecp521!
     keyexchange=ikev2
     marginbytes=3400000
     ikelifetime=30m
     lifetime=10m
     lifebytes=68000000

conn conn_14_ike1_122
     left=10.1.14.83
     leftcert=test_1.14_cert_ipv4.der
     leftca="C=US, O=Stratus Tech, OU=VOS IPSec Tests, CN=test 1 14 v4 CA"
     right=10.1.14.122
     rightid=10.1.14.122
     rightca="C=US, O=Stratus Tech, OU=VOS IPSec Tests, CN=test 1 14 v4 CA"
     esp=aes128-sha256-modp2048!
     ike=aes128-sha256-modp2048!
     keyexchange=ikev1
     marginbytes=3400000
     ikelifetime=24h
     lifetime=24h
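The following is an added example, not part of the original post and not strongSwan code. It parses charon log lines in the format quoted above, counts the "sending cert request for" entries per worker thread, and flags any thread whose count exceeds the 20-occurrence limit that the "payload of type CERTREQ_V1 more than 20 times (21)" error reports, so a peer enforcing that limit can be expected to reject the message. It also scans the CA DN strings for RDN values with stray whitespace (the quoted config has "OU=IPSec Tests" in leftca but "OU= IPSec Tests" in rightca), so they can be compared against the actual CA certificate subjects. The sample log is constructed here, with 21 cert-request lines to reproduce the over-limit case; the line format and the limit value are taken from the post.

```python
import re
from collections import defaultdict

# Per-message payload limit that the quoted charon error reports (20).
MAX_PAYLOAD_OCCURRENCES = 20

# charon log line, e.g. 'May 19 09:56:41 05[IKE] sending cert request for "C=US, ..."'
LINE_RE = re.compile(
    r'^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) '
    r'(?P<thread>\d{2})\[(?P<group>\w+)\] (?P<msg>.*)$'
)
CERTREQ_RE = re.compile(r'^sending cert request for "(?P<dn>[^"]+)"$')
LIMIT_RE = re.compile(
    r'^payload of type (?P<type>\w+) more than (?P<limit>\d+) times '
    r'\((?P<count>\d+)\) occurred in current message$'
)

# Constructed sample log: one thread adding 21 cert requests (one per trusted CA),
# followed by the limit error quoted in the post. Not captured from a real daemon.
SAMPLE_LOG = [
    'May 19 09:56:41 05[ENC] added payload of type CERTIFICATE_REQUEST_V1 to message',
    'May 19 09:56:41 05[IKE] sending cert request for '
    '"C=US, O=XXX, OU= IPSec Tests, CN=test 2 26 v4 CA"',
] + [
    'May 19 09:56:41 05[IKE] sending cert request for '
    f'"C=US, O=XXX, OU=IPSec Tests, CN=test {n} v4 CA"'
    for n in range(1, 21)
] + [
    'May 19 09:56:41 05[ENC] payload of type CERTREQ_V1 more than 20 times (21) '
    'occurred in current message',
]


def parse_line(line):
    """Split one charon log line into timestamp, thread, log group and message."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines):
    """Group cert-request DNs by worker thread and collect payload-limit errors."""
    requests = defaultdict(list)
    violations = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not a charon line we understand; skip
        m = CERTREQ_RE.match(rec['msg'])
        if m:
            requests[rec['thread']].append(m.group('dn'))
            continue
        m = LIMIT_RE.match(rec['msg'])
        if m:
            violations.append({
                'thread': rec['thread'],
                'type': m.group('type'),
                'limit': int(m.group('limit')),
                'count': int(m.group('count')),
            })
    return {'requests': dict(requests), 'violations': violations}


def over_budget_threads(report, limit=MAX_PAYLOAD_OCCURRENCES):
    """Threads that sent more cert requests than a peer enforcing `limit` accepts."""
    return {t: len(dns) for t, dns in report['requests'].items() if len(dns) > limit}


def rdn_whitespace_issues(dn):
    """Return attribute names whose value has leading/trailing whitespace, e.g. 'OU= IPSec'."""
    issues = []
    for part in dn.split(','):
        attr, _, value = part.lstrip().partition('=')
        if value != value.strip():
            issues.append(attr.strip())
    return issues


if __name__ == '__main__':
    report = analyze(SAMPLE_LOG)
    for thread, count in over_budget_threads(report).items():
        print(f'thread {thread}: {count} cert requests, limit is {MAX_PAYLOAD_OCCURRENCES}')
    for v in report['violations']:
        print(f"thread {v['thread']}: {v['type']} x{v['count']} > {v['limit']}")
    for dns in report['requests'].values():
        for dn in dns:
            if rdn_whitespace_issues(dn):
                print(f'stray whitespace in DN: {dn!r}')
```

Run it over the real log with `analyze(open('/var/log/charon.log').readlines())`; the thread id groups the lines of one message well enough for this purpose because charon logs all payloads of a message from the worker that builds it.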