Thanks Tobias, I've submitted a bug to the chromium project https://code.google.com/p/chromium/issues/detail?id=459261
Cheers,
Ilan

On Fri, Feb 13, 2015 at 1:17 AM, Tobias Brunner <[email protected]> wrote:
> Hi Ilan,
>
> Thanks for the log. Here we see the reason for that INFORMATIONAL request:
>
> > 2015-02-12T10:22:25.578064-08:00 charon[2428]: 09[ENC] payload of type CERTIFICATE_V1 more than 2 times (3) occurred in current message
> > 2015-02-12T10:22:25.578096-08:00 charon[2428]: 09[IKE] message verification failed
> > 2015-02-12T10:22:25.578114-08:00 charon[2428]: 09[ENC] generating INFORMATIONAL_V1 request 4041721436 [ HASH N(PLD_MAL) ]
> > 2015-02-12T10:22:25.578130-08:00 charon[2428]: 09[NET] sending packet: from 10.0.1.186[4500] to 162.243.137.92[4500] (68 bytes)
> > 2015-02-12T10:22:25.578147-08:00 charon[2428]: 09[IKE] ID_PROT response with message ID 0 processing failed
>
> So the client doesn't like the three certificates (two intermediate CAs and server) sent by the server, as seen here:
>
> > 09[IKE] sending end entity cert "CN=do-c6176704.san-francisco-1.pertinoipsec.dev.pertino.com, OU=DEV, O=pertino.com, C=US"
> > 09[IKE] sending issuer cert "CN=Pertino Dev Issuing CA G1, O=Pertino, C=US"
> > 09[IKE] sending issuer cert "CN=Pertino Dev Intermediate CA G1, O=Pertino, C=US"
> > 09[ENC] generating ID_PROT response 0 [ ID CERT CERT CERT SIG ]
>
> We actually changed this limit a while ago with [1], which was included in 5.1.1. Apparently, Chrome OS still uses an older version of strongSwan. You might want to file a bug report at [2].
>
> If the client allows you to configure the server certificate instead of a CA certificate you could do so and then use `leftsendcert=never` on the server to avoid any certificate getting sent to the client.
>
> If that's not the case you could try to use one of the intermediate CA certificates as trust anchor and install that on the client instead of the root CA certificate. Then remove the root certificate and/or the intermediate certificate closer to the root from ipsec.d/cacert on the server. That should reduce the number of CERT payloads sent to the client to one or two.
>
> Regards,
> Tobias
>
> [1] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=d489e7557
> [2] https://code.google.com/p/chromium/issues/list

--
Ilan
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
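The two workarounds Tobias describes, written out as server-side ipsec.conf fragments. This is an added example for readers of the thread, not configuration from the original posts or from the strongSwan project; the conn names, identities, subnets and certificate file names are assumptions. The point in both cases is the same: a pre-5.1.1 strongSwan client rejects an IKEv1 ID_PROT response carrying more than two CERT payloads, so the server must send at most two, or none.

```conf
# /etc/ipsec.conf on the strongSwan server (added example; names and
# file names below are assumed, not taken from the thread)

config setup

# Workaround 1: the client pins the server's end-entity certificate, so
# the server sends no CERT payload at all.  The client must then verify
# the signature against the pinned certificate rather than a CA.
conn chromeos-pinned-servercert
    keyexchange=ikev1
    left=%any
    leftid="CN=vpn.example.org, O=Example, C=US"   # assumed server identity
    leftcert=serverCert.pem        # assumed file, looked up in /etc/ipsec.d/certs
    leftsendcert=never             # ID_PROT response carries ID and SIG, no CERT payloads
    leftauth=pubkey
    leftsubnet=10.0.0.0/16         # assumed subnet behind the server
    right=%any
    rightauth=pubkey
    auto=add

# Workaround 2: the client uses an intermediate CA as its trust anchor.
# On the server, keep only that issuing CA in /etc/ipsec.d/cacerts and
# remove the root CA (and any intermediate above the issuing CA) from it,
# so the chain strongSwan builds toward the trust anchor is one cert
# (end entity) or two (end entity + issuing CA) and stays within the
# client's limit.  leftsendcert keeps its default of ifasked, and the
# default strongSwan behaviour of sending the intermediates it finds in
# cacerts is what this relies on.
conn chromeos-intermediate-anchor
    keyexchange=ikev1
    left=%any
    leftid="CN=vpn.example.org, O=Example, C=US"   # assumed server identity
    leftcert=serverCert.pem        # assumed file in /etc/ipsec.d/certs
    leftca="CN=Example Issuing CA G1, O=Example, C=US"   # assumed issuing CA DN
    leftsendcert=ifasked
    leftauth=pubkey
    leftsubnet=10.0.0.0/16
    right=%any
    rightauth=pubkey
    rightca=%same                  # require client certs from the same issuing CA
    auto=add
```

After reloading (`ipsec reload` and `ipsec rereadall` so the trimmed cacerts directory is picked up), check the charon log for the `generating ID_PROT response 0 [ ... ]` line: with the first conn it should list no CERT payloads, with the second at most two. The trade-off to keep in mind is that the second approach moves the client's trust anchor from the root to an intermediate, so rotating that intermediate later means redistributing a new anchor to every client.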
