[strongSwan] The option "rightca=ca-dn-here" in v5.5.1 seems to have no effect for IKEv1, cert requests for all CAs in cacerts are still sent to peer

Tobias Brunner tobias at strongswan.org
Mon Sep 25 13:35:34 CEST 2017


Hi Rajiv,

> On further narrowing down the issue...i believe the issue with
> "rightca=<xxxxxxxx-xxxx>" is ONLY when the ipsec-gw acts as a responder...
> 
> As a responder to incoming connections, it simply ignores the
> "rightca=xxxx" option and sends cert-requests for all the 100+ CAs to
> the remote-initiator

I see.  Yes, as responder the CA constraints currently only apply during
authentication but not when processing the initial IKE messages where
certificate requests are exchanged.  The reason is how configs are split
up into configuration objects in the daemon.  When processing the
initial messages we only have an ike-cfg available that's selected based
on the IP addresses.  However, these constraints are stored on the
peer-cfg that's selected later according to the identities used during
authentication.  The initiator has both connection objects available
right away so it is able to limit the certificate requests to the
configured CAs.

Regards,
Tobias
