Hi
I am trying to establish an ipsec tunnel using x509 authentication between
a Linux device (running strongswan) and another device that supports IKEv2.
Both peers are using the same CA certificate to generate the local
certificates.
The issue I am facing is that the peer is requesting the CA certificate in its
certificate request payload in the message. However, strongswan currently
is not sending the CA information, because of which the authentication
between the two peers is failing.
Is there a way to send the CA certificate if the peer is requesting that in
the certificate request payload? If yes, how can I do that?
I tried leftsendcert=always or ifasked option but that did not seem to work.
The config that I have on strongswan side is as follows:
conn peer-192.0.72.2-tunnel-vti
    left=192.0.71.1
    leftid="C=US, ST=CA, L=SJ, O=BR, OU=QA, CN=QA, emailAddress=[email protected]"
    right=192.0.72.2
    rightid="C=US, ST=CA, L=SD, O=BR, OU=SQA, CN=SQA, emailAddress=[email protected]"
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    keyexchange=ikev2
    ike=aes256-sha2_384-ecp384!
    ikelifetime=86400s
    esp=aes256gcm128-ecp384!
    keylife=28800s
    rekeymargin=540s
    type=tunnel
    compress=no
    leftauth=pubkey
    rightauth=pubkey
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    leftcert=/etc/ipsec.d/certs/Peer1.crt
    mark=2415919105
    leftupdown="/usr/lib/ipsec/vti-up-down.sh vti0"
    auto=start
    keyingtries=%forever
    replay_window=0
    leftsendcert=ifasked
<[email protected]>
Thanks
Sameer
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
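Editor's note: before chasing the certificate request payload, it helps to confirm that the local end-entity certificate actually chains to the CA both peers share and that its subject matches the leftid string. The script below is an added example, not code from the post or from the strongSwan project; it assumes the CA certificate is the one strongSwan loads from /etc/ipsec.d/cacerts and the peer certificate is the leftcert file, and it only needs the openssl CLI.

```shell
#!/bin/sh
# Added example (not from the original post): check that a peer certificate
# chains to the shared CA and show the DN strongSwan will match against
# leftid/rightid.  Assumed paths: the CA file from /etc/ipsec.d/cacerts and
# the leftcert file from /etc/ipsec.d/certs.

# check_peer_cert CA_CERT PEER_CERT
# Returns 0 when PEER_CERT is signed by CA_CERT and is within its validity
# period, 1 otherwise.  On success it prints the subject DN in RFC 2253
# form, which is the order strongSwan uses when comparing identities.
check_peer_cert() {
    ca="$1"; cert="$2"
    # openssl verify builds the same chain strongSwan would: issuer lookup,
    # signature check and validity-period check against CA_CERT only.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not chain to $ca (or is expired)" >&2
        return 1
    fi
    echo "OK: $cert is issued by $(openssl x509 -in "$ca" -noout -subject)"
    echo "subject for leftid/rightid: $(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253)"
    return 0
}

# issuer_matches CA_CERT PEER_CERT
# Cheaper check used when verify fails: the issuer DN of the peer cert
# must be byte-identical to the subject DN of the CA cert.  A mismatch
# here usually means the peer was issued by a different CA copy.
issuer_matches() {
    ca_subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^[^=]*= *//')
    cert_iss=$(openssl x509 -in "$2" -noout -issuer -nameopt RFC2253 | sed 's/^[^=]*= *//')
    [ "$ca_subj" = "$cert_iss" ]
}

# Usage: ./check-cert.sh /etc/ipsec.d/cacerts/ca.crt /etc/ipsec.d/certs/Peer1.crt
if [ $# -eq 2 ]; then
    check_peer_cert "$1" "$2" || issuer_matches "$1" "$2" || exit 1
fi
```

If the chain check passes but the IKE_AUTH still fails, the mismatch is in the identity string or on the remote side, not in the local certificate material.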