Hello, I am trying to establish an IPsec tunnel between two Linux boxes using certificates. The client is on strongswan-5.1.1 and the server is on strongswan-5.2.0. Also, the strongSwan client is asking for a virtual IP.

There are two levels of certificate authorities. I have placed both the Root certificate and the SubCA certificate in /etc/ipsec.d/cacerts, the device certificate in /etc/ipsec.d/certs, and the device key in /etc/ipsec.d/private. This I have done on both boxes. On both client and server, /usr/sbin/ipsec listcacerts lists both the Root and SubCA certificates, and /usr/sbin/ipsec listcerts lists the device certificate properly.

When the IKE session is initiated from the client, IKE_SA_INIT and IKE_SA_INIT_RESPONSE happen properly. Later, the IKE_AUTH from the client gets fragmented at the IP level; 2 fragments are sent and are received by the server. The server authenticates the client and is able to establish the root of trust. But the server is sending only one certificate (the device cert) in IKE_AUTH, because of which the client fails to establish the root of trust.

I see that all packets from the server have the DF bit set. Is this the reason why the server sends only one certificate in IKE_AUTH? How to overcome this situation? Any help in this regard is appreciated.

Regards,
Sriram
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
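The post above turns on one question: can the peer build a path from the device certificate to a CA it trusts with only the certificates it actually receives? The following is an added example, not code from the post or from the strongSwan project. It constructs a two-level hierarchy (Root CA, Sub CA, device certificate) with the openssl CLI, checks the device certificate against the root with and without the intermediate, models a peer that trusts the Sub CA directly (openssl's `-partial_chain`, since `openssl verify` otherwise requires a self-signed trust anchor), and computes the SHA-1 hash of each CA's DER SubjectPublicKeyInfo, which is the value an IKEv2 CERTREQ payload carries for every trust anchor the sender holds (RFC 7296, section 3.7) and which the responder uses to decide which certificates to include. The CN values, extension files and directory layout are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): two-level CA chain built with
# the openssl CLI, chain validation with/without the intermediate, and the
# CERTREQ-style SHA-1 hash over each CA's SubjectPublicKeyInfo (RFC 7296 3.7).
# All certificates are constructed here for illustration; names and paths are
# assumptions, not strongSwan defaults.
set -e

# make_chain DIR: write root.pem, subca.pem, device.pem (+ keys) into DIR
make_chain() {
    dir=$1
    # Extensions for the two CA certificates (assumed minimal CA profile)
    cat > "$dir/ca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
    # Extensions for the end-entity (device) certificate
    cat > "$dir/ee.ext" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF
    for name in root subca device; do
        openssl ecparam -name prime256v1 -genkey -noout -out "$dir/$name.key"
    done
    # Self-signed Root CA
    openssl req -new -key "$dir/root.key" -subj "/CN=Example Root CA" -out "$dir/root.csr" 2>/dev/null
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -sha256 -days 3650 \
        -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null
    # Sub CA signed by the Root CA
    openssl req -new -key "$dir/subca.key" -subj "/CN=Example Sub CA" -out "$dir/subca.csr" 2>/dev/null
    openssl x509 -req -in "$dir/subca.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -sha256 -days 1825 -extfile "$dir/ca.ext" -out "$dir/subca.pem" 2>/dev/null
    # Device certificate signed by the Sub CA
    openssl req -new -key "$dir/device.key" -subj "/CN=device.example" -out "$dir/device.csr" 2>/dev/null
    openssl x509 -req -in "$dir/device.csr" -CA "$dir/subca.pem" -CAkey "$dir/subca.key" \
        -CAcreateserial -sha256 -days 365 -extfile "$dir/ee.ext" -out "$dir/device.pem" 2>/dev/null
}

# verify_to_root ROOT SUBCA_OR_EMPTY DEVICE: succeeds only if DEVICE chains to ROOT
# using whatever intermediate (if any) the peer was given.
verify_to_root() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$3" >/dev/null 2>&1
    fi
}

# verify_to_subca SUBCA DEVICE: model a peer that trusts the (non-self-signed)
# Sub CA directly; openssl needs -partial_chain to accept such an anchor.
verify_to_subca() {
    openssl verify -partial_chain -CAfile "$1" "$2" >/dev/null 2>&1
}

# certreq_hash CERT: SHA-1 over the DER SubjectPublicKeyInfo of CERT, the value
# an IKEv2 CERTREQ payload lists for each trusted CA (40 hex characters).
certreq_hash() {
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha1 | awk '{print $NF}'
}

# Demonstration run on a throwaway directory
work=$(mktemp -d)
make_chain "$work"
if verify_to_root "$work/root.pem" "" "$work/device.pem"; then
    echo "device cert alone, Root trusted: OK"
else
    echo "device cert alone, Root trusted: FAILS (intermediate missing)"
fi
if verify_to_root "$work/root.pem" "$work/subca.pem" "$work/device.pem"; then
    echo "device + Sub CA, Root trusted: OK"
fi
if verify_to_subca "$work/subca.pem" "$work/device.pem"; then
    echo "device cert alone, Sub CA trusted directly: OK"
fi
echo "CERTREQ hash for Root CA: $(certreq_hash "$work/root.pem")"
echo "CERTREQ hash for Sub CA:  $(certreq_hash "$work/subca.pem")"
rm -rf "$work"
```

The first check is the situation described in the post: a peer holding only the device certificate cannot reach the Root CA unless the Sub CA certificate arrives with it or is already installed locally as a trust anchor. The two hashes printed last are what each side would advertise in CERTREQ for the CAs in its cacerts directory; comparing them against a packet capture of the IKE_SA_INIT/IKE_AUTH exchange shows which anchors the client actually requested and therefore which certificates the responder had reason to send.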