
List:       strongswan-users
Subject:    [strongSwan] [Strongswan] - IKE_AUTH failure in case of cert Authentication
From:       Sriram <sriram.ec () gmail ! com>
Date:       2014-08-09 12:48:49
Message-ID: CAMvdjuq_PEtQSzOHJ92W4CJbzsJF83DO8bK1e_CH+aORQ5CoGQ () mail ! gmail ! com

Hello,

I am trying to establish an IPsec tunnel between two Linux boxes using
certificates.
The client is on strongswan-5.1.1 and the server is on strongswan-5.2.0.
Also, the strongSwan client is asking for a virtual IP.

There are two levels of certificate authorities.
I have placed both the Root certificate and the SubCA certificate in
/etc/ipsec.d/cacerts; the device certificate is in /etc/ipsec.d/certs
and the device key in /etc/ipsec.d/private.
I have done this on both boxes.

On both client and server,
/usr/sbin/ipsec listcacerts
lists both the Root and the SubCA certificate, and

/usr/sbin/ipsec listcerts
lists the device certificate properly.


When the IKE session is initiated from the client,

IKE_SA_INIT and IKE_SA_INIT_RESPONSE happen properly.

Later the IKE_AUTH from the client gets fragmented at the IP level; 2
fragments are sent and are received by the server. The server
authenticates the client and is able to establish the root of trust.

But the server is sending only one certificate (the device cert) in
IKE_AUTH, because of which the client fails to establish the root of trust.
I see that all packets from the server have the DF bit on. Is this the
reason why the server sends only one certificate in IKE_AUTH?

How can I overcome this situation?

Any help in this regard is appreciated.

Regards,
Sriram
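A check for the trust problem described in this post, as an added example that is not part of the original message or of strongSwan: it builds a constructed two-level chain (Root -> SubCA -> Device) with openssl and verifies the device certificate against what a peer holds locally, once with the SubCA present (the situation the poster describes in /etc/ipsec.d/cacerts) and once with only the Root, which is what a peer sees when only the device cert arrives and no intermediate is available. The $WORK directory and the names root, subca and device are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or from strongSwan.
# Assumption: a working openssl CLI; $WORK stands in for /etc/ipsec.d.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# issue NAME EXT [ISSUER]: self-signed when no ISSUER is given, otherwise
# signed by $WORK/ISSUER.pem. EXT is the basicConstraints value to set.
issue() {
  name="$1"; ext="$2"; issuer="${3:-}"
  printf 'basicConstraints=critical,%s\n' "$ext" > "$WORK/$name.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$name.key" \
    -subj "/CN=$name" -out "$WORK/$name.csr" 2>/dev/null
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
      -days 30 -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" \
      -CAkey "$WORK/$issuer.key" -CAcreateserial -days 30 \
      -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
  fi
}

# chain_ok TRUSTED... -- CERT: succeeds only if CERT chains up to a root
# using nothing but the trusted files, i.e. the check a peer performs on a
# received certificate when no intermediate accompanies it.
chain_ok() {
  bundle="$WORK/bundle.$$"; : > "$bundle"
  while [ "$1" != "--" ]; do cat "$1" >> "$bundle"; shift; done
  shift
  openssl verify -CAfile "$bundle" "$1" >/dev/null 2>&1
}

# Constructed chain: Root (self-signed) -> SubCA -> device end-entity cert.
build_chain() {
  issue root CA:TRUE
  issue subca CA:TRUE root
  issue device CA:FALSE subca
}

build_chain
# Root + SubCA in cacerts (what the poster has): the device cert validates.
chain_ok "$WORK/root.pem" "$WORK/subca.pem" -- "$WORK/device.pem" \
  && echo "root+subca: OK"
# Root only, SubCA neither local nor sent in IKE_AUTH: chain is incomplete.
chain_ok "$WORK/root.pem" -- "$WORK/device.pem" \
  || echo "root only: chain incomplete"
```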


_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
