Hi Tobias,

On 02/23/18 14:25, Tobias Brunner wrote:
> Hi Harri,
>
>> I had hoped that putting the whole chain into /etc/ipsec.d/certs/mycert.pem
>> would help, but apparently it doesn't.
>
> strongSwan reads only the first certificate from PEM encoded files. So
> put them in separate files.
>

This is unusual, is it? If I do, will charon send or request the whole chain?

IMHO certificate handling is a major pitfall, making IPsec configuration hard to manage. This is surely not an issue with strongSwan alone.

I would suggest improving logging here. asn = 1 doesn't list the subject and authority key IDs, for example. asn = 2 overwhelms you with unwanted details. Something in between would be nice.

Thanks for your help
Harri
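The advice quoted above (only the first certificate in a PEM file is read, so use one file per certificate), as an added example that is not part of the original message and is not strongSwan code: a Python helper that splits a chain bundle into one file per certificate. The `<stem>-<N>.pem` output naming and the sample bundle are assumptions constructed for illustration.

```python
import base64
import re
from pathlib import Path

# Matches any PEM block; the label decides whether we keep it.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)


def split_pem_chain(text):
    """Return each CERTIFICATE block in `text` as its own PEM string, in order."""
    certs = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        if label != "CERTIFICATE":
            continue  # skip private keys, CRLs and other PEM objects
        # A BEGIN line swallowed into the body makes this raise (ValueError subclass).
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der.startswith(b"\x30"):
            raise ValueError("block is not a DER SEQUENCE, so not a certificate")
        certs.append(
            f"-----BEGIN CERTIFICATE-----\n{body.strip()}\n-----END CERTIFICATE-----\n"
        )
    if text.count("-----BEGIN CERTIFICATE-----") != len(certs):
        raise ValueError("unterminated or malformed CERTIFICATE block")
    return certs


def write_separate(text, directory, stem):
    """Write certificate i of the bundle to <directory>/<stem>-<i>.pem (assumed naming)."""
    paths = []
    for i, pem in enumerate(split_pem_chain(text)):
        path = Path(directory) / f"{stem}-{i}.pem"
        path.write_text(pem)
        paths.append(path)
    return paths


def _fake_block(label, payload):
    # Constructed sample data: base64 of arbitrary bytes, not a real certificate.
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"


# Constructed bundle: leaf, intermediate, then a key block that must be ignored.
SAMPLE_BUNDLE = (
    _fake_block("CERTIFICATE", b"\x30\x03leaf")
    + _fake_block("CERTIFICATE", b"\x30\x03intermediate")
    + _fake_block("PRIVATE KEY", b"\x30\x03key")
)
```

Running `write_separate` on a real bundle yields files that each hold exactly one certificate, so none is silently dropped by a loader that stops after the first PEM object.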