[strongSwan] strongswan gateway does not send hash-link of its own certificate
Mike.Ettrich at bertelsmann.de
Wed Feb 28 16:19:39 CET 2018
Hi!
We have configured a strongSwan roadwarrior client and a strongSwan gateway to use Hash_and_Url.
We found that the gateway always sends its certificate instead of sending the hash-link to its certificate, but the roadwarrior does send the hash-link.
Unfortunately I can't find such a behavior in the user mailing list or in the documentation, so I have to ask: what could be the reason for that?
How can I force the gateway to send a cert hash instead of a certificate in the IKE handshake?
Kind regards,
Mike.
Configurations:
gateway ipsec.conf:

ca %default
    certuribase=http://hashandurl.my-server.de/
    auto=add

conn RU1-TI
    keyexchange=ikev2
    left=vpn1. my-server.de
    leftcert=vpn1. my-server Cert.pem
    leftid="C=DE, O=Arvato Systems GmbH TEST-ONLY - NOT-VALID, CN=vpn1. my-server.de"
    leftfirewall=yes
    right=%any
    rightsourceip=10.23.0.0/20
    auto=add
gateway strongswan.conf:

charon {
    hash_and_url = yes
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}
include strongswan.d/*.conf
gateway statusall:

Status of IKE charon daemon (strongSwan 5.5.3, Linux 4.4.103-6.38-default, x86_64):
uptime: 5 hours, since Feb 28 10:34:02 2018
malloc: sbrk 2822144, mmap 0, used 534240, free 2287904
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink socket-default stroke vici updown xauth-generic
roadwarrior ipsec.conf:

ca KOMP_CA3
    certuribase=http://146.185.113.20/
    auto=add

# Sample VPN connections
conn %default
    keyexchange=ikev2
    ike=aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024
    esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1
    leftcert=my.C_NK_VPN.pem
    leftsourceip=%config
    rightid=%any
    dpdaction=none
    dpdaction=clear
    dpddelay=300s
    compress = yes
    leftfirewall=yes
    auto=add
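A practical check to run alongside a setup like the one above, added here as an example and not part of the original post or of strongSwan itself: a peer that receives a Hash and URL CERT payload fetches the DER certificate under certuribase using the hex SHA-1 of the DER encoding as the file name, so the script below computes that name for a given certificate, builds the URL a peer would request, and verifies that what the web server returns hashes to the same value. The certificate paths, host names and the `example.invalid` base URL are constructed placeholders; a peer only sends the hash-link when the other side advertised Hash and URL support during the exchange, so both ends need `hash_and_url = yes` in their strongswan.conf.

```shell
#!/bin/sh
# Added example (not from the original post or strongSwan): derive and verify
# the Hash-and-URL location of a certificate.
#
# strongSwan names the published certificate file by the hex SHA-1 digest of
# the DER-encoded certificate; that digest is what the peer receives in the
# CERT payload and appends to the certuribase it was given.
# All file names and URLs below are constructed placeholders.

# Hex SHA-1 of a file, using whichever digest tool is installed.
sha1_hex() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        shasum -a 1 "$1" | cut -d' ' -f1
    fi
}

# hash_and_url_location DER_FILE BASE_URL
# Prints the URL a peer will fetch: BASE_URL + SHA-1(DER). certuribase is
# used as a plain prefix, so a trailing slash is added if it is missing.
hash_and_url_location() {
    der_file="$1"
    base_url="$2"
    case "$base_url" in
        */) ;;
        *)  base_url="$base_url/" ;;
    esac
    printf '%s%s\n' "$base_url" "$(sha1_hex "$der_file")"
}

# pem_to_der PEM_FILE DER_FILE: the hash covers the DER form, not the PEM text.
pem_to_der() {
    openssl x509 -in "$1" -outform DER -out "$2"
}

# check_served DER_FILE BASE_URL: fetch the file a peer would request and
# confirm the served bytes hash to the same name (catches a stale or PEM-
# encoded file published under the right name). Returns non-zero on failure.
check_served() {
    expected_url=$(hash_and_url_location "$1" "$2")
    fetched=$(mktemp)
    http_code=$(curl -s -o "$fetched" -w '%{http_code}' "$expected_url")
    if [ "$http_code" != "200" ]; then
        echo "not served (HTTP $http_code): $expected_url" >&2
        rm -f "$fetched"
        return 1
    fi
    served_name="${expected_url##*/}"
    if [ "$(sha1_hex "$fetched")" != "$served_name" ]; then
        echo "served file does not match its hash name: $expected_url" >&2
        rm -f "$fetched"
        return 1
    fi
    rm -f "$fetched"
    echo "ok: $expected_url"
}

# Usage with constructed names (uncomment to run against a real setup):
#   pem_to_der vpn1-cert.pem vpn1-cert.der
#   hash_and_url_location vpn1-cert.der http://hashandurl.example.invalid/
#   check_served vpn1-cert.der http://hashandurl.example.invalid/
```

Run `check_served` on the gateway with the same certuribase the gateway's ca section declares; if it fails, the peer could not have resolved the hash-link even if the gateway had sent one, and the peer's fallback is to reject the authentication rather than to request the full certificate.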