Hello Nikolay,

the problem is that Juniper expects strongSwan to send its certificate[s] in CERT_PKCS7_WRAPPED_X509 format, which is quite unusual:

> 003 "juniper" #1: ignoring CERT_PKCS7_WRAPPED_X509 certificate request payload

strongSwan can parse such payloads (e.g. Windows XP sends them if there is a multi-level certificate chain) but currently cannot construct them since there was never a need. We have full PKCS#7 functionality in our scepclient tool but it hasn't been integrated into the pluto daemon.

Are you using a multi-level certificate hierarchy and if yes, could you import the root and all intermediate CA certificates statically on your Juniper box? Or just use a simple certificate hierarchy with path length 0?

Best regards

Andreas

Nikolay Gar wrote:
> Hello list
>
> I'm trying to set up a VPN between an Ubuntu Linux Server with compiled
> strongswan-4.3.6d2 and a Juniper SRX 240, based on the certificate
> authentication method.
> I can't pass Phase-1 in PKI
>
> Here is my output from "ipsec up juniper"
> ###################################
> ipsec up juniper
> 002 "juniper" #1: initiating Main Mode
> 104 "juniper" #1: STATE_MAIN_I1: initiate
> 003 "juniper" #1: received Vendor ID payload [Dead Peer Detection]
> 003 "juniper" #1: ignoring Vendor ID payload [699369228741c6d4ca094c93e242c9de19e7b7c60000000500000500]
> 003 "juniper" #1: ignoring Vendor ID payload [draft-stenberg-ipsec-nat-traversal-01]
> 003 "juniper" #1: ignoring Vendor ID payload [draft-stenberg-ipsec-nat-traversal-02]
> 003 "juniper" #1: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
> 003 "juniper" #1: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
> 003 "juniper" #1: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
> 003 "juniper" #1: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
> 106 "juniper" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> 003 "juniper" #1: ignoring CERT_PKCS7_WRAPPED_X509 certificate request payload
> 002 "juniper" #1: we have a cert and are sending it
> 108 "juniper" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> 010 "juniper" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
> 010 "juniper" #1: STATE_MAIN_I3: retransmission; will wait 40s for response
> 031 "juniper" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
> ###################################
>
> I need your help, please. I have spent almost 2 weeks on this.
>
> Linux-to-Linux with the same CA cert and the same localcert - works fine.
>
> Linux-to-SRX240 based on PSK - works fine
>
> But I must set up an authentication method based on certificates!!!
>
> If this is required I may allow remote connections to the Linux and Juniper
> SRX240 boxes
>
> Thanks a lot
>
> You are my last hope ...
>
> Nikolay

======================================================================
Andreas Steffen
strongSwan - the Linux VPN Solution!
www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
https://lists.strongswan.org/mailman/listinfo/users
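
As an added illustration, not part of this thread or of strongSwan's code: the certs-only PKCS#7 SignedData container that a CERT_PKCS7_WRAPPED_X509 payload carries, built and unwrapped with hand-rolled DER in Python. The certificate bytes in SAMPLE_CHAIN are constructed placeholders standing in for real DER certificates, and the certificates SET is emitted in the order given rather than DER-sorted, as common implementations do.

```python
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1

def der_len(n: int) -> bytes:  # one byte below 128, else 0x80|count + big-endian
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n >= 0x80 else b""
    return bytes([0x80 | len(body)]) + body if body else bytes([n])

def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content

# Constructed stand-ins for DER certificates (real ones are SEQUENCEs as well).
SAMPLE_CHAIN = [tlv(0x30, b"placeholder root CA"), tlv(0x30, b"placeholder sub CA")]

def wrap_pkcs7(certs_der: list) -> bytes:
    """Degenerate SignedData: no digests, no signers, only the certificate chain."""
    signed_data = tlv(0x30,
                      tlv(0x02, b"\x01")                # version 1
                      + tlv(0x31, b"")                  # digestAlgorithms: empty SET
                      + tlv(0x30, tlv(0x06, OID_DATA))  # encapContentInfo: id-data, no content
                      + tlv(0xA0, b"".join(certs_der))  # [0] IMPLICIT SET OF Certificate
                      + tlv(0x31, b""))                 # signerInfos: empty SET
    return tlv(0x30, tlv(0x06, OID_SIGNED_DATA) + tlv(0xA0, signed_data))

def read_tlv(buf: bytes, pos: int):  # -> (tag, value, position after the element)
    tag, first = buf[pos], buf[pos + 1]
    nbytes = first & 0x7F if first & 0x80 else 0          # long-form length?
    length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big") if nbytes else first
    pos += 2 + nbytes
    return tag, buf[pos:pos + length], pos + length

def unwrap_pkcs7(blob: bytes) -> list:
    """Extract the certificate TLVs a receiver would hand to its X.509 parser."""
    _, content_info, _ = read_tlv(blob, 0)
    _, oid, pos = read_tlv(content_info, 0)
    if oid != OID_SIGNED_DATA:
        raise ValueError("not a PKCS#7 SignedData ContentInfo")
    _, signed, _ = read_tlv(read_tlv(content_info, pos)[1], 0)  # [0] EXPLICIT SignedData
    pos = 0
    for _ in range(3):  # skip version, digestAlgorithms, encapContentInfo
        _, _, pos = read_tlv(signed, pos)
    tag, certs_set, _ = read_tlv(signed, pos)
    if tag != 0xA0:     # certificates is OPTIONAL; absent means no chain was sent
        return []
    certs, cpos = [], 0
    while cpos < len(certs_set):
        _, _, nxt = read_tlv(certs_set, cpos)
        certs.append(certs_set[cpos:nxt])  # keep the whole Certificate TLV
        cpos = nxt
    return certs
```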
