Hi Andreas,

thanks for pointing this out, there is indeed a StrongSwan test case for this
(http://www.strongswan.org/uml/testresults43/ikev1/multi-level-ca-ldap/moon.auth.log)
but there it is done by multiple messages being exchanged after an IKE Key
failure and then the Intermediate CAs being sent one after the other.

So I am a bit worried what's correct...

Holger

On 2010-06-15 20:18, Andreas Steffen wrote:
> Hi Holger,
>
> as far as I remember pluto supports the import of intermediate CA
> certificates received via IKEv1 only if they are embedded together
> with the end entity certificate in a PKCS#7 envelope. This is what
> Microsoft Windows clients are typically doing. Since over the last
> 10 years no one requested the inclusion of intermediate CA certs in
> separate X.509 payloads I did not implement it.
>
> We plan to port the X.509 trust chain verification of the IKEv2
> charon daemon back to pluto thus the inclusion of separate CA certs
> might become feasible in the not too distant future.
>
> Regards
>
> Andreas
>
> On 06/15/2010 06:35 PM, Holger Metschulat wrote:
>> > Hi all,
>> >
>> > I am trying to configure a certificate based VPN between a Juniper SRX
>> > and StrongSwan 4.3.6.
>> >
>> > There are two CAs, CN=root-ca and CN=sub-ca. As the names indicate,
>> > root-ca is self-signed and sub-ca is a CA signed by root-ca.
>> >
>> > The SRX's certificate is certified by sub-ca, StrongSwan's certificate
>> > is signed by root-ca.
>> >
>> > SRX has installed the root-ca and sub-ca certificates; StrongSwan only
>> > has root-ca's certificate configured as the CA cert.
>> >
>> > This means that the SRX has to send not only its own certificate, but
>> > also sub-ca's certificate as the intermediate CA.
>> >
>> > This all works fine, however, I am ending up with "no public key known"
>> > on the StrongSwan side for the SRX public key.
>> >
>> > I have observed that the order of the certificates received by
>> > StrongSwan is SRX cert, sub-ca cert and then root-ca cert. After
>> > reception of the SRX cert, it seems that StrongSwan drops that cert
>> > because it can't verify the issuer and then never recovers when it
>> > afterwards receives the intermediate CA:
>> >
>> > Jun 15 13:20:19 debian pluto[27490]: "srx" #5: issuer cacert not found
>> > Jun 15 13:20:19 debian pluto[27490]: "srx" #5: X.509 certificate rejected
>> >
>> > Can anyone confirm? Thanks!
>> >
>> > Here are the detailed logs:
>> >
>> > Jun 15 13:20:19 debian pluto[27490]: | ICOOKIE: e8 0a 9f ce 96 52 a3 d6
>> > Jun 15 13:20:19 debian pluto[27490]: | RCOOKIE: fb e9 79 82 92 62 7f 46
>> > Jun 15 13:20:19 debian pluto[27490]: | peer: 0a 00 51 52
>> > Jun 15 13:20:19 debian pluto[27490]: | state hash entry 15
>> > Jun 15 13:20:19 debian pluto[27490]: | state object #5 found, in STATE_MAIN_I3
>> > Jun 15 13:20:19 debian pluto[27490]: | ***parse ISAKMP Identification Payload:
>> > Jun 15 13:20:19 debian pluto[27490]: | next payload type: ISAKMP_NEXT_CERT
>> > Jun 15 13:20:19 debian pluto[27490]: | length: 12
>> > Jun 15 13:20:19 debian pluto[27490]: | ID type: ID_IPV4_ADDR
>> > Jun 15 13:20:19 debian pluto[27490]: | DOI specific A: 17
>> > Jun 15 13:20:19 debian pluto[27490]: | DOI specific B: 0
>> > Jun 15 13:20:19 debian pluto[27490]: | ***parse ISAKMP Certificate Payload:
>> > Jun 15 13:20:19 debian pluto[27490]: | next payload type: ISAKMP_NEXT_CERT
>> > Jun 15 13:20:19 debian pluto[27490]: | length: 784
>> > Jun 15 13:20:19 debian pluto[27490]: | cert encoding: CERT_X509_SIGNATURE
>> > Jun 15 13:20:19 debian pluto[27490]: | ***parse ISAKMP Certificate Payload:
>> > Jun 15 13:20:19 debian pluto[27490]: | next payload type: ISAKMP_NEXT_CERT
>> > Jun 15 13:20:19 debian pluto[27490]: | length: 700
>> > Jun 15 13:20:19 debian pluto[27490]: | cert encoding: CERT_X509_SIGNATURE
>> > Jun 15 13:20:19 debian pluto[27490]: | ***parse ISAKMP Certificate Payload:
>> > Jun 15 13:20:19 debian pluto[27490]: | next payload type: ISAKMP_NEXT_SIG
>> > Jun 15 13:20:19 debian pluto[27490]: | length: 762
>> > Jun 15 13:20:19 debian pluto[27490]: | cert encoding: CERT_X509_SIGNATURE
>> > Jun 15 13:20:19 debian pluto[27490]: | ***parse ISAKMP Signature Payload:
>> > Jun 15 13:20:19 debian pluto[27490]: | next payload type: ISAKMP_NEXT_NONE
>> > Jun 15 13:20:19 debian pluto[27490]: | length: 260
>> > Jun 15 13:20:19 debian pluto[27490]: | removing 10 bytes of padding
>> > Jun 15 13:20:19 debian pluto[27490]: | protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-T
>> > Jun 15 13:20:19 debian pluto[27490]: "srx" #5: Peer ID is ID_IPV4_ADDR: '10.0.81.82'
>> > Jun 15 13:20:19 debian pluto[27490]: | L0 - x509:
>> > Jun 15 13:20:19 debian pluto[27490]: | L1 - tbsCertificate:
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - DEFAULT v1:
>> > Jun 15 13:20:19 debian pluto[27490]: | L3 - version:
>> > Jun 15 13:20:19 debian pluto[27490]: | X.509v3
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - serialNumber:
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - signature:
>> > Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithmIdentifier:
>> > Jun 15 13:20:19 debian pluto[27490]: | L4 - algorithm:
>> > Jun 15 13:20:19 debian pluto[27490]: | 'sha-1WithRSAEncryption'
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - issuer:
>> > Jun 15 13:20:19 debian pluto[27490]: | 'C=DE, ST=Bavaria, L=Munich, O=Org, OU=org-unit, CN=sub-ca'
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - validity:
>> > Jun 15 13:20:19 debian pluto[27490]: | L3 - notBefore:
>> > Jun 15 13:20:19 debian pluto[27490]: | L4 - utcTime:
>> > Jun 15 13:20:19 debian pluto[27490]: | 'Jun 15 13:10:56 UTC 2010'
>> > Jun 15 13:20:19 debian pluto[27490]: | L3 - notAfter:
>> > Jun 15 13:20:19 debian pluto[27490]: | L4 - utcTime:
>> > Jun 15 13:20:19 debian pluto[27490]: | 'Jun 15 13:10:56 UTC 2011'
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - subject:
>> > Jun 15 13:20:19 debian pluto[27490]: | 'CN=srx5600'
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - subjectPublicKeyInfo:
>> > Jun 15 13:20:19 debian pluto[27490]: | -- > --
>> > Jun 15 13:20:19 debian pluto[27490]: | L0 - subjectPublicKeyInfo:
>> > Jun 15 13:20:19 debian pluto[27490]: | L1 - algorithm:
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - algorithmIdentifier:
>> > Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithm:
>> > Jun 15 13:20:19 debian pluto[27490]: | 'rsaEncryption'
>> > Jun 15 13:20:19 debian pluto[27490]: | L1 - subjectPublicKey:
>> > Jun 15 13:20:19 debian pluto[27490]: | -- > --
>> > Jun 15 13:20:19 debian pluto[27490]: | L0 - RSAPublicKey:
>> > Jun 15 13:20:19 debian pluto[27490]: | L1 - modulus:
>> > Jun 15 13:20:19 debian pluto[27490]: | L1 - publicExponent:
>> > Jun 15 13:20:19 debian pluto[27490]: | -- < --
>> > Jun 15 13:20:19 debian pluto[27490]: | -- < --
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - optional extensions:
>> > Jun 15 13:20:19 debian pluto[27490]: | L3 - extensions:
>> > Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
>> > Jun 15 13:20:19 debian pluto[27490]: | 'basicConstraints'
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
>> > Jun 15 13:20:19 debian pluto[27490]: | FALSE
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
>> > Jun 15 13:20:19 debian pluto[27490]: | L6 - basicConstraints:
>> > Jun 15 13:20:19 debian pluto[27490]: | L7 - CA:
>> > Jun 15 13:20:19 debian pluto[27490]: | FALSE
>> > Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
>> > Jun 15 13:20:19 debian pluto[27490]: | 'nsComment'
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
>> > Jun 15 13:20:19 debian pluto[27490]: | FALSE
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
>> > Jun 15 13:20:19 debian pluto[27490]: | L6 - nsComment:
>> > Jun 15 13:20:19 debian pluto[27490]: | 'OpenSSL Generated Certificate'
>> > Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
>> > Jun 15 13:20:19 debian pluto[27490]: | 'subjectKeyIdentifier'
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
>> > Jun 15 13:20:19 debian pluto[27490]: | FALSE
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
>> > Jun 15 13:20:19 debian pluto[27490]: | L6 - keyIdentifier:
>> > Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
>> > Jun 15 13:20:19 debian pluto[27490]: | 'authorityKeyIdentifier'
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
>> > Jun 15 13:20:19 debian pluto[27490]: | FALSE
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
>> > Jun 15 13:20:19 debian pluto[27490]: | L6 - authorityKeyIdentifier:
>> > Jun 15 13:20:19 debian pluto[27490]: | L7 - keyIdentifier:
>> > Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
>> > Jun 15 13:20:19 debian pluto[27490]: | 'subjectAltName'
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
>> > Jun 15 13:20:19 debian pluto[27490]: | FALSE
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
>> > Jun 15 13:20:19 debian pluto[27490]: | L6 - generalNames:
>> > Jun 15 13:20:19 debian pluto[27490]: | L7 - generalName:
>> > Jun 15 13:20:19 debian pluto[27490]: | L8 - ipAddress:
>> > Jun 15 13:20:19 debian pluto[27490]: | '10.0.81.82'
>> > Jun 15 13:20:19 debian pluto[27490]: | L1 - signatureAlgorithm:
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - algorithmIdentifier:
>> > Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithm:
>> > Jun 15 13:20:19 debian pluto[27490]: | 'sha-1WithRSAEncryption'
>> > Jun 15 13:20:19 debian pluto[27490]: | L1 - signatureValue:
>> > Jun 15 13:20:19 debian pluto[27490]: | subject: 'CN=srx5600'
>> > Jun 15 13:20:19 debian pluto[27490]: | issuer: 'C=DE, ST=Bavaria, L=Munich, O=Org, OU=org-unit, CN=sub-ca'
>> > Jun 15 13:20:19 debian pluto[27490]: | authkey: 99:c8:85:a1:a1:4f:60:9a:1c:3a:6d:9e:f0:0f:3d:aa:d9:53:ef:71
>> > Jun 15 13:20:19 debian pluto[27490]: | certificate is valid
>> > Jun 15 13:20:19 debian pluto[27490]: "srx" #5: issuer cacert not found
>> > Jun 15 13:20:19 debian pluto[27490]: "srx" #5: X.509 certificate rejected
>> > Jun 15 13:20:19 debian pluto[27490]: | L0 - x509:
>> > Jun 15 13:20:19 debian pluto[27490]: | L1 - tbsCertificate:
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - DEFAULT v1:
>> > Jun 15 13:20:19 debian pluto[27490]: | L3 - version:
>> > Jun 15 13:20:19 debian pluto[27490]: | X.509v3
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - serialNumber:
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - signature:
>> > Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithmIdentifier:
>> > Jun 15 13:20:19 debian pluto[27490]: | L4 - algorithm:
>> > Jun 15 13:20:19 debian pluto[27490]: | 'sha-1WithRSAEncryption'
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - issuer:
>> > Jun 15 13:20:19 debian pluto[27490]: | 'C=DE, ST=Bavaria, O=Org, OU=org-unit, CN=root-ca'
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - validity:
>> > Jun 15 13:20:19 debian pluto[27490]: | L3 - notBefore:
>> > Jun 15 13:20:19 debian pluto[27490]: | L4 - utcTime:
>> > Jun 15 13:20:19 debian pluto[27490]: | 'Jun 15 11:30:22 UTC 2010'
>> > Jun 15 13:20:19 debian pluto[27490]: | L3 - notAfter:
>> > Jun 15 13:20:19 debian pluto[27490]: | L4 - utcTime:
>> > Jun 15 13:20:19 debian pluto[27490]: | 'Jun 15 11:30:22 UTC 2011'
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - subject:
>> > Jun 15 13:20:19 debian pluto[27490]: | 'C=DE, ST=Bavaria, L=Munich, O=Org, OU=org-unit, CN=sub-ca'
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - subjectPublicKeyInfo:
>> > Jun 15 13:20:19 debian pluto[27490]: | -- > --
>> > Jun 15 13:20:19 debian pluto[27490]: | L0 - subjectPublicKeyInfo:
>> > Jun 15 13:20:19 debian pluto[27490]: | L1 - algorithm:
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - algorithmIdentifier:
>> > Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithm:
>> > Jun 15 13:20:19 debian pluto[27490]: | 'rsaEncryption'
>> > Jun 15 13:20:19 debian pluto[27490]: | L1 - subjectPublicKey:
>> > Jun 15 13:20:19 debian pluto[27490]: | -- > --
>> > Jun 15 13:20:19 debian pluto[27490]: | L0 - RSAPublicKey:
>> > Jun 15 13:20:19 debian pluto[27490]: | L1 - modulus:
>> > Jun 15 13:20:19 debian pluto[27490]: | L1 - publicExponent:
>> > Jun 15 13:20:19 debian pluto[27490]: | -- < --
>> > Jun 15 13:20:19 debian pluto[27490]: | -- < --
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - optional extensions:
>> > Jun 15 13:20:19 debian pluto[27490]: | L3 - extensions:
>> > Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
>> > Jun 15 13:20:19 debian pluto[27490]: | 'basicConstraints'
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
>> > Jun 15 13:20:19 debian pluto[27490]: | FALSE
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
>> > Jun 15 13:20:19 debian pluto[27490]: | L6 - basicConstraints:
>> > Jun 15 13:20:19 debian pluto[27490]: | L7 - CA:
>> > Jun 15 13:20:19 debian pluto[27490]: | FALSE
>> > Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
>> > Jun 15 13:20:19 debian pluto[27490]: | 'nsComment'
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
>> > Jun 15 13:20:19 debian pluto[27490]: | FALSE
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
>> > Jun 15 13:20:19 debian pluto[27490]: | L6 - nsComment:
>> > Jun 15 13:20:19 debian pluto[27490]: | 'OpenSSL Generated Certificate'
>> > Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
>> > Jun 15 13:20:19 debian pluto[27490]: | 'subjectKeyIdentifier'
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
>> > Jun 15 13:20:19 debian pluto[27490]: | FALSE
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
>> > Jun 15 13:20:19 debian pluto[27490]: | L6 - keyIdentifier:
>> > Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
>> > Jun 15 13:20:19 debian pluto[27490]: | 'authorityKeyIdentifier'
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
>> > Jun 15 13:20:19 debian pluto[27490]: | FALSE
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
>> > Jun 15 13:20:19 debian pluto[27490]: | L6 - authorityKeyIdentifier:
>> > Jun 15 13:20:19 debian pluto[27490]: | L7 - keyIdentifier:
>> > Jun 15 13:20:19 debian pluto[27490]: | L1 - signatureAlgorithm:
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - algorithmIdentifier:
>> > Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithm:
>> > Jun 15 13:20:19 debian pluto[27490]: | 'sha-1WithRSAEncryption'
>> > Jun 15 13:20:19 debian pluto[27490]: | L1 - signatureValue:
>> > Jun 15 13:20:19 debian pluto[27490]: | subject: 'C=DE, ST=Bavaria, L=Munich, O=Org, OU=org-unit, CN=sub-ca'
>> > Jun 15 13:20:19 debian pluto[27490]: | issuer: 'C=DE, ST=Bavaria, O=Org, OU=org-unit, CN=root-ca'
>> > Jun 15 13:20:19 debian pluto[27490]: | authkey: 9b:d6:5a:04:bb:e6:22:83:e4:d2:38:15:50:d8:57:a4:da:07:8d:fe
>> > Jun 15 13:20:19 debian pluto[27490]: | certificate is valid
>> > Jun 15 13:20:19 debian pluto[27490]: | issuer cacert found
>> > Jun 15 13:20:19 debian pluto[27490]: | signature verification:
>> > Jun 15 13:20:19 debian pluto[27490]: | L0 - digestInfo:
>> > Jun 15 13:20:19 debian pluto[27490]: | L1 - digestAlgorithm:
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - algorithmIdentifier:
>> > Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithm:
>> > Jun 15 13:20:19 debian pluto[27490]: | 'sha-1'
>> > Jun 15 13:20:19 debian pluto[27490]: | L1 - digest:
>> > Jun 15 13:20:19 debian pluto[27490]: | certificate signature is valid
>> > Jun 15 13:20:19 debian pluto[27490]: "srx" #5: crl not found
>> > Jun 15 13:20:19 debian pluto[27490]: "srx" #5: certificate status unknown
>> > Jun 15 13:20:19 debian pluto[27490]: | subject: 'C=DE, ST=Bavaria, O=Org, OU=org-unit, CN=root-ca'
>> > Jun 15 13:20:19 debian pluto[27490]: | issuer: 'C=DE, ST=Bavaria, O=Org, OU=org-unit, CN=root-ca'
>> > Jun 15 13:20:19 debian pluto[27490]: | authkey: 9b:d6:5a:04:bb:e6:22:83:e4:d2:38:15:50:d8:57:a4:da:07:8d:fe
>> > Jun 15 13:20:19 debian pluto[27490]: | certificate is valid
>> > Jun 15 13:20:19 debian pluto[27490]: | issuer cacert found
>> > Jun 15 13:20:19 debian pluto[27490]: | certificate signature is valid
>> > Jun 15 13:20:19 debian pluto[27490]: | reached self-signed root ca with a path length of 0
>> > Jun 15 13:20:19 debian pluto[27490]: | Public key validated
>> > Jun 15 13:20:19 debian pluto[27490]: | L0 - x509:
>> > Jun 15 13:20:19 debian pluto[27490]: | L1 - tbsCertificate:
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - DEFAULT v1:
>> > Jun 15 13:20:19 debian pluto[27490]: | L3 - version:
>> > Jun 15 13:20:19 debian pluto[27490]: | X.509v3
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - serialNumber:
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - signature:
>> > Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithmIdentifier:
>> > Jun 15 13:20:19 debian pluto[27490]: | L4 - algorithm:
>> > Jun 15 13:20:19 debian pluto[27490]: | 'sha-1WithRSAEncryption'
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - issuer:
>> > Jun 15 13:20:19 debian pluto[27490]: | 'C=DE, ST=Bavaria, O=Org, OU=org-unit, CN=root-ca'
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - validity:
>> > Jun 15 13:20:19 debian pluto[27490]: | L3 - notBefore:
>> > Jun 15 13:20:19 debian pluto[27490]: | L4 - utcTime:
>> > Jun 15 13:20:19 debian pluto[27490]: | 'Jun 14 19:42:33 UTC 2010'
>> > Jun 15 13:20:19 debian pluto[27490]: | L3 - notAfter:
>> > Jun 15 13:20:19 debian pluto[27490]: | L4 - utcTime:
>> > Jun 15 13:20:19 debian pluto[27490]: | 'Jun 13 19:42:33 UTC 2013'
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - subject:
>> > Jun 15 13:20:19 debian pluto[27490]: | 'C=DE, ST=Bavaria, O=Org, OU=org-unit, CN=root-ca'
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - subjectPublicKeyInfo:
>> > Jun 15 13:20:19 debian pluto[27490]: | -- > --
>> > Jun 15 13:20:19 debian pluto[27490]: | L0 - subjectPublicKeyInfo:
>> > Jun 15 13:20:19 debian pluto[27490]: | L1 - algorithm:
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - algorithmIdentifier:
>> > Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithm:
>> > Jun 15 13:20:19 debian pluto[27490]: | 'rsaEncryption'
>> > Jun 15 13:20:19 debian pluto[27490]: | L1 - subjectPublicKey:
>> > Jun 15 13:20:19 debian pluto[27490]: | -- > --
>> > Jun 15 13:20:19 debian pluto[27490]: | L0 - RSAPublicKey:
>> > Jun 15 13:20:19 debian pluto[27490]: | L1 - modulus:
>> > Jun 15 13:20:19 debian pluto[27490]: | L1 - publicExponent:
>> > Jun 15 13:20:19 debian pluto[27490]: | -- < --
>> > Jun 15 13:20:19 debian pluto[27490]: | -- < --
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - optional extensions:
>> > Jun 15 13:20:19 debian pluto[27490]: | L3 - extensions:
>> > Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
>> > Jun 15 13:20:19 debian pluto[27490]: | 'subjectKeyIdentifier'
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
>> > Jun 15 13:20:19 debian pluto[27490]: | FALSE
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
>> > Jun 15 13:20:19 debian pluto[27490]: | L6 - keyIdentifier:
>> > Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
>> > Jun 15 13:20:19 debian pluto[27490]: | 'authorityKeyIdentifier'
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
>> > Jun 15 13:20:19 debian pluto[27490]: | FALSE
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
>> > Jun 15 13:20:19 debian pluto[27490]: | L6 - authorityKeyIdentifier:
>> > Jun 15 13:20:19 debian pluto[27490]: | L7 - keyIdentifier:
>> > Jun 15 13:20:19 debian pluto[27490]: | L7 - authorityCertIssuer:
>> > Jun 15 13:20:19 debian pluto[27490]: | L7 - authorityCertSerialNumber:
>> > Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
>> > Jun 15 13:20:19 debian pluto[27490]: | 'basicConstraints'
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
>> > Jun 15 13:20:19 debian pluto[27490]: | TRUE
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
>> > Jun 15 13:20:19 debian pluto[27490]: | L6 - basicConstraints:
>> > Jun 15 13:20:19 debian pluto[27490]: | L7 - CA:
>> > Jun 15 13:20:19 debian pluto[27490]: | TRUE
>> > Jun 15 13:20:19 debian pluto[27490]: | L4 - extension:
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - extnID:
>> > Jun 15 13:20:19 debian pluto[27490]: | 'keyUsage'
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - critical:
>> > Jun 15 13:20:19 debian pluto[27490]: | FALSE
>> > Jun 15 13:20:19 debian pluto[27490]: | L5 - extnValue:
>> > Jun 15 13:20:19 debian pluto[27490]: | L1 - signatureAlgorithm:
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - algorithmIdentifier:
>> > Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithm:
>> > Jun 15 13:20:19 debian pluto[27490]: | 'sha-1WithRSAEncryption'
>> > Jun 15 13:20:19 debian pluto[27490]: | L1 - signatureValue:
>> > Jun 15 13:20:19 debian pluto[27490]: | signature verification:
>> > Jun 15 13:20:19 debian pluto[27490]: | L0 - digestInfo:
>> > Jun 15 13:20:19 debian pluto[27490]: | L1 - digestAlgorithm:
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - algorithmIdentifier:
>> > Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithm:
>> > Jun 15 13:20:19 debian pluto[27490]: | 'sha-1'
>> > Jun 15 13:20:19 debian pluto[27490]: | L1 - digest:
>> > Jun 15 13:20:19 debian pluto[27490]: | subject: 'C=DE, ST=Bavaria, O=Org, OU=org-unit, CN=root-ca'
>> > Jun 15 13:20:19 debian pluto[27490]: | issuer: 'C=DE, ST=Bavaria, O=Org, OU=org-unit, CN=root-ca'
>> > Jun 15 13:20:19 debian pluto[27490]: | authkey: 9b:d6:5a:04:bb:e6:22:83:e4:d2:38:15:50:d8:57:a4:da:07:8d:fe
>> > Jun 15 13:20:19 debian pluto[27490]: | certificate is valid
>> > Jun 15 13:20:19 debian pluto[27490]: | issuer cacert found
>> > Jun 15 13:20:19 debian pluto[27490]: | signature verification:
>> > Jun 15 13:20:19 debian pluto[27490]: | L0 - digestInfo:
>> > Jun 15 13:20:19 debian pluto[27490]: | L1 - digestAlgorithm:
>> > Jun 15 13:20:19 debian pluto[27490]: | L2 - algorithmIdentifier:
>> > Jun 15 13:20:19 debian pluto[27490]: | L3 - algorithm:
>> > Jun 15 13:20:19 debian pluto[27490]: | 'sha-1'
>> > Jun 15 13:20:19 debian pluto[27490]: | L1 - digest:
>> > Jun 15 13:20:19 debian pluto[27490]: | certificate signature is valid
>> > Jun 15 13:20:19 debian pluto[27490]: "srx" #5: crl not found
>> > Jun 15 13:20:19 debian pluto[27490]: "srx" #5: certificate status unknown
>> > Jun 15 13:20:19 debian pluto[27490]: | subject: 'C=DE, ST=Bavaria, O=Org, OU=org-unit, CN=root-ca'
>> > Jun 15 13:20:19 debian pluto[27490]: | issuer: 'C=DE, ST=Bavaria, O=Org, OU=org-unit, CN=root-ca'
>> > Jun 15 13:20:19 debian pluto[27490]: | authkey: 9b:d6:5a:04:bb:e6:22:83:e4:d2:38:15:50:d8:57:a4:da:07:8d:fe
>> > Jun 15 13:20:19 debian pluto[27490]: | certificate is valid
>> > Jun 15 13:20:19 debian pluto[27490]: | issuer cacert found
>> > Jun 15 13:20:19 debian pluto[27490]: | certificate signature is valid
>> > Jun 15 13:20:19 debian pluto[27490]: | reached self-signed root ca with a path length of 0
>> > Jun 15 13:20:19 debian pluto[27490]: | Public key validated
>> > Jun 15 13:20:19 debian pluto[27490]: "srx" #5: no public key known for '10.0.81.82'
>> > Jun 15 13:20:19 debian pluto[27490]: "srx" #5: sending encrypted notification INVALID_KEY_INFORMATION to 10.0.81.82:500
>
> --
> ======================================================================
> Andreas Steffen [email protected]
> strongSwan - the Linux VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==

--
Regards   * Holger Metschulat
Holger    * e-mail: [email protected], http://home.arcor.de/estw
"Internet use is a privilege and not a right."
(computer room rules at the university, 1994)
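
A diagnostic for the symptom discussed in this thread, added here as an example and not taken from strongSwan or from either poster: it groups pluto's `subject:`/`issuer:` debug lines into verification steps and reports certificates rejected with "issuer cacert not found" whose issuer turns up later in the same log. The function names and the line regex are assumptions based only on the log format quoted above.

```python
import re

# Summary lines excerpted from the pluto debug log quoted above
# (wrapped lines rejoined, ASN.1 trace lines left out).
SAMPLE_LOG = """\
Jun 15 13:20:19 debian pluto[27490]: | subject: 'CN=srx5600'
Jun 15 13:20:19 debian pluto[27490]: | issuer: 'C=DE, ST=Bavaria, L=Munich, O=Org, OU=org-unit, CN=sub-ca'
Jun 15 13:20:19 debian pluto[27490]: | certificate is valid
Jun 15 13:20:19 debian pluto[27490]: "srx" #5: issuer cacert not found
Jun 15 13:20:19 debian pluto[27490]: "srx" #5: X.509 certificate rejected
Jun 15 13:20:19 debian pluto[27490]: | subject: 'C=DE, ST=Bavaria, L=Munich, O=Org, OU=org-unit, CN=sub-ca'
Jun 15 13:20:19 debian pluto[27490]: | issuer: 'C=DE, ST=Bavaria, O=Org, OU=org-unit, CN=root-ca'
Jun 15 13:20:19 debian pluto[27490]: | issuer cacert found
Jun 15 13:20:19 debian pluto[27490]: | certificate signature is valid
Jun 15 13:20:19 debian pluto[27490]: | subject: 'C=DE, ST=Bavaria, O=Org, OU=org-unit, CN=root-ca'
Jun 15 13:20:19 debian pluto[27490]: | issuer: 'C=DE, ST=Bavaria, O=Org, OU=org-unit, CN=root-ca'
Jun 15 13:20:19 debian pluto[27490]: | issuer cacert found
Jun 15 13:20:19 debian pluto[27490]: | Public key validated
Jun 15 13:20:19 debian pluto[27490]: "srx" #5: no public key known for '10.0.81.82'
"""

# Matches both '"conn" #N: message' lines and '| debug message' lines.
LINE = re.compile(r'pluto\[\d+\]: (?:"[^"]+" #\d+: |\|\s*)(?P<msg>.*)$')
QUOTED = re.compile(r"'(.*)'")


def parse_steps(log_text):
    """Split the log into verification steps, one per '| subject:' line."""
    steps = []
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # not a pluto line (e.g. mail quoting residue)
        msg = m.group("msg").strip()
        if msg.startswith(("subject:", "issuer:")):
            dn = QUOTED.search(msg)
            dn = dn.group(1) if dn else ""
            if msg.startswith("subject:"):
                steps.append({"subject": dn, "issuer": None, "events": []})
            elif steps:
                steps[-1]["issuer"] = dn
        elif steps:
            steps[-1]["events"].append(msg)
    return steps


def late_issuers(steps):
    """Report certs rejected for a missing issuer that appears later in the log."""
    findings = []
    for i, step in enumerate(steps):
        if "issuer cacert not found" not in step["events"]:
            continue
        later = [s for s in steps[i + 1:] if s["subject"] == step["issuer"]]
        findings.append({
            "rejected": step["subject"],
            "missing_issuer": step["issuer"],
            "issuer_seen_later": bool(later),
            "issuer_verified_later": any(
                "certificate signature is valid" in s["events"] for s in later),
        })
    return findings


if __name__ == "__main__":
    for finding in late_issuers(parse_steps(SAMPLE_LOG)):
        print(finding)
```

A finding with `issuer_seen_later` set means the peer did send the intermediate CA, only after the end-entity certificate had already been rejected, which matches the payload order reported in the original post.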
