[strongSwan] The option "rightca=ca-dn-here" in v5.5.1 seems to have no effect for IKEv1, cert requests for all CAs in cacerts are still sent to peer

Rajiv Kulkarni rajivkulkarni69 at gmail.com
Fri Sep 22 01:46:08 CEST 2017


I have used the <rightca="ca-dn"> option in an IKEv1 gateway-to-gateway
tunnel on GW1 running strongSwan 5.5.1. And I have about 100+
trusted root CA certs in the /ipsec.d/cacerts folder of GW1.

GW1 is still sending Cert Requests for all 100+ root CAs (including the one
for the cert given in the leftcert option for GW1).

Thought of using rightsendcert=never (along with leftsendcert=always)... but
I don't think this should be used if the peer GW is non-strongSwan, such as
a Cisco IOS router...

And I need to use an IKEv1 tunnel...

Can you please advise?

thanks & regards