On Thu, Jan 16, 2020 at 09:55:55AM +0100, csszep wrote:
> Hi!
>
> Some more information:
>
> If I add "rightsendcert=never" to the strongswan config, it works with PSK.
>
> This is a good workaround for Strongswan, but the same problem exists with
> Cisco ASA vs Iked, but in Cisco ASA there is no "knob" for this
> workaround.
Hi,
I am trying to reproduce your problem but this may take some time.
Looking at your logs I think I may have found one cause for
your problem. Below is a diff that might help.
diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c
index 842e8da110f..b99fd3888da 100644
--- a/sbin/iked/ikev2.c
+++ b/sbin/iked/ikev2.c
@@ -2873,7 +2873,9 @@ ikev2_handle_certreq(struct iked* env, struct
iked_message *msg)
while ((cr = SLIST_FIRST(&msg->msg_certreqs))) {
/* Optional certreq for PSK */
- if (sa->sa_hdr.sh_initiator)
+ if (sa->sa_hdr.sh_initiator &&
+ (msg->msg_policy->pol_auth.auth_method !=
+ IKEV2_AUTH_SHARED_KEY_MIC))
sa->sa_stateinit |= IKED_REQ_CERT;
else
sa->sa_statevalid |= IKED_REQ_CERT;
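Review bot: the new condition only relaxes the initiator branch; the `else` branch still does `sa->sa_statevalid |= IKED_REQ_CERT` for the responder regardless of `pol_auth.auth_method`, so if a PSK peer acting as initiator sends a CERTREQ (the Cisco ASA case has no knob to suppress it), consider whether the responder side needs the same `IKEV2_AUTH_SHARED_KEY_MIC` exclusion. Two smaller points: the comment `/* Optional certreq for PSK */` now sits above a check that excludes PSK, so it should say something like "a CERTREQ is optional; with shared-key auth the initiator does not expect a CERT back, so do not require one"; and the condition dereferences `msg->msg_policy` unconditionally, so confirm that `msg_policy` is always set by the time `ikev2_handle_certreq` runs, or guard the access.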