Hello Mugur,

this should work because the sub-CAy certificate is stored locally on the client, so there is no need for the SEG to send it via the CERT payload. See also our example scenario

https://www.strongswan.org/uml/testresults/ikev2/multi-level-ca-cr-resp

Regards

Andreas

On 03/26/2013 10:59 AM, ABULIUS, MUGUR (MUGUR) wrote:
> Hello,
>
> Our IKEv2 strongSwan Linux client systems should interoperate with a SEG
> having limited capabilities for building up the CERT payload of the
> IKE_SA_AUTH response. The SEG's CERT includes only the subject
> certificate (no other ancestor certificates are sent within its CERT).
> Under which client configuration is strongSwan able to validate the
> remote SEG?
>
> More details on a specific use case:
>
> Trust anchor “RootX” configured on client and SEG
> Client cert chain: “RootX / sub-CAy / client” (all certificates stored
> on client)
> Client sends “sub-CAy / client” certificates in IKEv2 CERT payload (RootX
> cert. not sent)
> SEG cert chain: “RootX / sub-CAy / SEG” (same hierarchy, different end
> entities)
> SEG sends only the “SEG” certificate in CERT payload (instead of
> “sub-CAy / SEG”)
>
> Does authentication work?
>
> Best Regards
> Mugur

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
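As an added illustration of the client configuration Andreas describes (not from the thread or the strongSwan test scenario), here is an ipsec.conf fragment for the RootX / sub-CAy / SEG hierarchy; the file names, DNs and the SEG address are assumed placeholders.

```ini
# Added example: client-side ipsec.conf for the scenario in the thread.
# Assumed local certificate store (strongSwan default directories):
#   /etc/ipsec.d/cacerts/RootX.pem    trust anchor
#   /etc/ipsec.d/cacerts/sub-CAy.pem  intermediate CA; the SEG never sends it,
#                                     so it must be present here for the client
#                                     to build the chain SEG -> sub-CAy -> RootX
#   /etc/ipsec.d/certs/client.pem     client end-entity certificate
#   /etc/ipsec.d/private/client.key   client private key
# ipsec.secrets (assumed):  : RSA client.key

config setup

conn seg
    keyexchange=ikev2
    left=%defaultroute
    leftcert=client.pem
    leftid="C=CH, O=Example, CN=client"      # assumed client DN
    leftsendcert=always                      # always send our CERT payload
    right=192.0.2.10                         # assumed SEG address
    rightid="C=CH, O=Example, CN=SEG"        # assumed SEG DN
    rightauth=pubkey
    rightca="C=CH, O=Example, CN=RootX"      # peer chain must end at RootX
    auto=add
```

After placing the files, run `ipsec rereadcacerts` and confirm with `ipsec listcacerts` that both RootX and sub-CAy are loaded; if sub-CAy is missing, the SEG's leaf-only CERT payload cannot be chained to the trust anchor and authentication fails.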
