Hi,

> Our PKI guys are incredulous about this situation. They wonder "how
> have the IPsec standards managed to get into this situation ?".

Yes, this is a well-known problem.

> Can anyone suggest any solutions ?

One option is to use shorter certificates, e.g. by using ECDSA. I don't know if this is an option for you, but you might hit the MTU limit even with ECDSA certificates with this über-chain.

> I see that hash-and-url is one proposed solution, and although it is
> implemented by strongSwan, does anyone have a feel for how widespread
> that is among other IPsec SeGW implementations ? RFC4306 says
> MUST be capable of being configured to send and accept the
> first two Hash and URL formats (with HTTP URLs),

but I won't be this optimistic. Not many implementations supported Hash and URL during our last interoperability workshop. If your SeGW claims to support RFC4306, maybe you can insist on this method?

> Another solution would be to preload the intermediate CAs onto the
> SeGW (as well as our root CA). This works in our lab, when we also use
> strongSwan as a test SeGW, but I've been informed that most of our
> customers would NOT be interested in this solution. They want to load
> ONE root CA onto their SeGW and nothing else.

You're limited to what your SeGW actually supports. Maybe a single container with the full chain is an option, but this requires support by the SeGW. Even other out-of-band mechanisms might be possible, but you're limited to the different SeGW capabilities.

> Are there any options left ?

Probably not.

Regards
Martin

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
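The Hash and URL certificate encoding discussed in the thread, as an added example written for this page (it is not code from the list post or from strongSwan): RFC 4306 section 3.6 defines Cert Encoding 12 (single X.509 certificate) and 13 (certificate bundle), whose Certificate Data is a 20-octet SHA-1 hash of the DER object followed by the HTTP URL where the peer can fetch it. The code builds that field, shows how much smaller it is than carrying the DER chain inline, and checks a fetched object against the hash before it is trusted. The DER bytes and the URL below are constructed placeholders, not a real certificate or PKI endpoint.

```python
import hashlib
import hmac
from typing import List, Tuple

# IKEv2 Certificate Encoding values (RFC 4306, section 3.6)
CERT_X509_SIGNATURE = 4          # DER certificate carried inline in the CERT payload
CERT_HASH_AND_URL_X509 = 12      # SHA-1 hash + URL of one DER certificate
CERT_HASH_AND_URL_BUNDLE = 13    # SHA-1 hash + URL of a certificate bundle

SHA1_LEN = 20

# Constructed stand-in for a DER-encoded certificate (not a real cert);
# 1536 bytes is in the range of a typical RSA-2048 leaf certificate.
SAMPLE_DER = bytes(range(256)) * 6
# Constructed URL; "example" is a reserved domain, so this points nowhere.
SAMPLE_URL = "http://pki.example/sub-ca.der"


def encode_inline(der_cert: bytes) -> bytes:
    """Certificate Data for an inline X.509 certificate: encoding octet + DER."""
    return bytes([CERT_X509_SIGNATURE]) + der_cert


def encode_hash_and_url(der_obj: bytes, url: str, bundle: bool = False) -> bytes:
    """Certificate Data in Hash and URL form: encoding octet, SHA-1(DER), URL."""
    encoding = CERT_HASH_AND_URL_BUNDLE if bundle else CERT_HASH_AND_URL_X509
    return bytes([encoding]) + hashlib.sha1(der_obj).digest() + url.encode("ascii")


def decode_hash_and_url(cert_data: bytes) -> Tuple[int, bytes, str]:
    """Split a Hash and URL Certificate Data field into its three parts."""
    if len(cert_data) < 1 + SHA1_LEN:
        raise ValueError("Certificate Data too short for Hash and URL")
    encoding = cert_data[0]
    if encoding not in (CERT_HASH_AND_URL_X509, CERT_HASH_AND_URL_BUNDLE):
        raise ValueError(f"not a Hash and URL encoding: {encoding}")
    digest = cert_data[1:1 + SHA1_LEN]
    url = cert_data[1 + SHA1_LEN:].decode("ascii")
    if not url.startswith("http://"):
        # RFC 4306 only requires HTTP URLs; anything else is treated as unsupported
        raise ValueError(f"unsupported URL scheme in {url!r}")
    return encoding, digest, url


def verify_fetched_object(cert_data: bytes, fetched: bytes) -> bool:
    """The receiver fetches the URL over plain HTTP, so the only thing binding
    the download to the IKE peer is the hash carried in the CERT payload.
    Constant-time compare of SHA-1(fetched) against that hash."""
    _, expected, _ = decode_hash_and_url(cert_data)
    return hmac.compare_digest(hashlib.sha1(fetched).digest(), expected)


def chain_sizes(chain: List[bytes], urls: List[str]) -> Tuple[int, int]:
    """Total Certificate Data bytes for a chain sent inline vs. as Hash and URL.
    The inline figure is what pushes an IKE_AUTH message over the path MTU."""
    inline = sum(len(encode_inline(c)) for c in chain)
    by_ref = sum(len(encode_hash_and_url(c, u)) for c, u in zip(chain, urls))
    return inline, by_ref


if __name__ == "__main__":
    field = encode_hash_and_url(SAMPLE_DER, SAMPLE_URL)
    print("Hash and URL field:", field.hex())
    print("verifies genuine object:", verify_fetched_object(field, SAMPLE_DER))
    print("verifies tampered object:", verify_fetched_object(field, SAMPLE_DER + b"\x00"))
    # A four-certificate chain (constructed) inline vs. by reference.
    chain = [SAMPLE_DER] * 4
    urls = [f"http://pki.example/ca{i}.der" for i in range(4)]
    print("inline bytes / hash-and-url bytes:", chain_sizes(chain, urls))
```

The size comparison is the practical point of the thread: four inline certificates of this size already exceed a 1500-byte MTU several times over, while the same chain by reference is a few hundred bytes regardless of key type. The verification step is what makes plain-HTTP retrieval safe to rely on; a gateway that fetches the URL but skips the hash check has turned the CERT payload into an unauthenticated download.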
