[strongSwan] CA certificate in response to certificate request payload in x509 authentication
Sameer Agrawal
agrawalsameer at gmail.com
Thu Apr 21 22:37:01 CEST 2016
Hi

I am trying to establish an IPsec tunnel using X.509 authentication between
a Linux device (running strongSwan) and another device that supports IKEv2.
Both peers are using the same CA certificate to generate the local
certificates.

The issue I am facing is that the peer is requesting the CA certificate in the
certificate request payload of its message. However, strongSwan currently
is not sending the CA information, because of which the authentication
between the 2 peers is failing.

Is there a way to send the CA certificate if the peer is requesting it in
the certificate request payload? If yes, how can I do that?

I tried the leftsendcert=always or ifasked option, but that did not seem to work.

The config that I have on the strongSwan side is as follows:
conn peer-192.0.72.2-tunnel-vti
    left=192.0.71.1
    leftid="C=US, ST=CA, L=SJ, O=BR, OU=QA, CN=QA, emailAddress=peer1@br.com"
    right=192.0.72.2
    rightid="C=US, ST=CA, L=SD, O=BR, OU=SQA, CN=SQA, emailAddress=peer2@br.com"
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    keyexchange=ikev2
    ike=aes256-sha2_384-ecp384!
    ikelifetime=86400s
    esp=aes256gcm128-ecp384!
    keylife=28800s
    rekeymargin=540s
    type=tunnel
    compress=no
    leftauth=pubkey
    rightauth=pubkey
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    leftcert=/etc/ipsec.d/certs/Peer1.crt
    mark=2415919105
    leftupdown="/usr/lib/ipsec/vti-up-down.sh vti0"
    auto=start
    keyingtries=%forever
    replay_window=0
    leftsendcert=ifasked
Thanks
Sameer
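The checks below are an added example and are not part of the original post or of strongSwan itself. An IKEv2 certificate request payload does not ask the peer to ship its CA certificate: it carries a SHA-1 hash of the SubjectPublicKeyInfo of each CA the sender already trusts (RFC 7296, section 3.7), and strongSwan answers it with the end-entity certificate configured in leftcert, not with the root CA. So before changing leftsendcert, two things are worth verifying on the strongSwan side: that leftcert really chains to the CA file placed in /etc/ipsec.d/cacerts, and what SPKI hash identifies that CA, so it can be compared with the keyid charon logs when it receives a request for a CA it does not know. The script builds a throwaway CA and peer certificate with openssl (constructed for the example; a real deployment would point the two functions at its own CA and leftcert files), then runs both checks, including the failure case where the leaf does not chain to the CA the other side trusts.

```shell
#!/bin/sh
# Added example (not from the original post): chain and CERTREQ checks for an
# X.509 IKEv2 peer, using a throwaway PKI generated with openssl.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed test PKI: one CA and one peer certificate signed by it.
# In a real deployment use /etc/ipsec.d/cacerts/<ca>.crt and the leftcert file.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/C=US/O=BR/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes \
    -subj "/C=US/ST=CA/L=SJ/O=BR/OU=QA/CN=QA" \
    -keyout "$WORK/peer1.key" -out "$WORK/peer1.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/peer1.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/peer1.crt" >/dev/null 2>&1
  # A second, unrelated CA stands in for a peer that trusts a different root.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/C=US/O=BR/CN=Other CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.crt" >/dev/null 2>&1
}

# chain_ok CA_FILE LEAF_FILE: exit 0 when the leaf certificate chains to the CA.
# This is the trust-chain check charon performs between leftcert and the
# certificates it loaded from /etc/ipsec.d/cacerts.
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# certreq_hash CA_FILE: SHA-1 over the DER-encoded SubjectPublicKeyInfo of the
# CA, which is the value a CERTREQ payload carries for a trusted CA. Compare it
# (ignoring colons) with the keyid charon logs for an unrecognised request.
certreq_hash() {
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha1 -r | cut -d' ' -f1
}

make_test_pki

if chain_ok "$WORK/ca.crt" "$WORK/peer1.crt"; then
  echo "peer1.crt chains to ca.crt: this CA belongs in /etc/ipsec.d/cacerts"
else
  echo "peer1.crt does NOT chain to ca.crt" >&2
fi

# The peer trusts other.crt instead: no leftsendcert setting can fix this,
# the peer needs the CA that actually issued peer1.crt.
if chain_ok "$WORK/other.crt" "$WORK/peer1.crt"; then
  echo "peer1.crt unexpectedly chains to other.crt" >&2
else
  echo "peer1.crt does not chain to other.crt: the peer must install ca.crt"
fi

echo "CERTREQ keyid for ca.crt:    $(certreq_hash "$WORK/ca.crt")"
echo "CERTREQ keyid for other.crt: $(certreq_hash "$WORK/other.crt")"
```

If the keyid the remote side sends matches the hash of your CA, the remote already trusts the right CA and the failure lies elsewhere in the chain or identities; if it matches nothing you have, the remote is trusting a different CA and the CA certificate has to be installed there rather than sent over IKE.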