Hi Harri,

>>> I had hoped that putting the whole chain into /etc/ipsec.d/certs/mycert.pem
>>> would help, but apparently it doesn't.
>>
>> strongSwan reads only the first certificate from PEM-encoded files. So
>> put them in separate files.
>>
>
> This is unusual, is it?

What is?

> If I do, will charon send or request the whole chain?

Depends on the settings (send_certreq, send_cert in swanctl.conf, left|rightsendcert in ipsec.conf). With the default settings the client will send certificate requests for all trusted CA certificates it has loaded (root or intermediate), or if a CA is assigned in the config only for that CA. As responder, if any certificate requests are received (no matter for what CA) the end entity certificate along with the intermediate CA certificates will be sent to the client.

> I would suggest to improve logging here. asn = 1 doesn't list the subject
> and authority key IDs, for example. asn = 2 overwhelms you with unwanted
> details. Something in between would be nice.

Logging of what? When?

Regards,
Tobias
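The practical consequence of the point above (strongSwan loads only the first certificate from a PEM file) is that a concatenated chain file has to be broken into one file per certificate before strongSwan will see the intermediates. The following script is an added example, not code from the thread or from the strongSwan project; the function names, the output naming scheme cert-NN.pem and the placeholder bundle are assumptions made here. It keeps the order in which the certificates appear, so cert-01.pem is whatever came first in the bundle (normally the end entity certificate), and drops anything outside the BEGIN/END markers, such as comments or a private key that was pasted into the same file. Where each resulting file then belongs (the end entity certificate versus the CA certificates, e.g. /etc/ipsec.d/certs and /etc/ipsec.d/cacerts for ipsec.conf setups, or /etc/swanctl/x509 and /etc/swanctl/x509ca for swanctl) is left to the administrator.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the strongSwan project):
# split a concatenated PEM bundle into one certificate per file, because
# strongSwan loads only the first certificate found in a PEM file.
# Function names and the cert-NN.pem scheme are assumptions for illustration.

# split_pem_chain BUNDLE OUTDIR
# Copies every "-----BEGIN CERTIFICATE-----" ... "-----END CERTIFICATE-----"
# block of BUNDLE into OUTDIR/cert-NN.pem (NN = 1-based position in the
# bundle) and prints the number of certificates found. Lines outside the
# markers (comments, key material) are deliberately not copied.
split_pem_chain() {
    bundle="$1"
    outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /^-----BEGIN CERTIFICATE-----/ {
            n++
            out = sprintf("%s/cert-%02d.pem", dir, n)
            inside = 1
        }
        inside { print > out }
        /^-----END CERTIFICATE-----/ {
            if (inside) close(out)
            inside = 0
        }
        END { print n + 0 }
    ' "$bundle"
}

# make_sample_bundle FILE
# Writes a constructed three-block bundle (placeholder base64, NOT real
# certificates) so the example runs offline. The order mimics a typical
# chain file: end entity first, then intermediate CA, then root CA.
make_sample_bundle() {
    cat > "$1" <<'EOF'
# end entity (constructed placeholder)
-----BEGIN CERTIFICATE-----
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
-----END CERTIFICATE-----
# intermediate CA (constructed placeholder)
-----BEGIN CERTIFICATE-----
QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC
-----END CERTIFICATE-----
# root CA (constructed placeholder)
-----BEGIN CERTIFICATE-----
Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0ND
-----END CERTIFICATE-----
EOF
}

# cert_count_in_file FILE
# Number of certificate blocks in one file; used to confirm that each output
# file now carries exactly one certificate, which is what strongSwan expects.
cert_count_in_file() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# Demonstration on the constructed bundle, written to a temporary directory.
demo_dir=$(mktemp -d)
make_sample_bundle "$demo_dir/chain.pem"
echo "certificates written to $demo_dir/split: $(split_pem_chain "$demo_dir/chain.pem" "$demo_dir/split")"
```

After splitting, a quick `cert_count_in_file` over each output file (expecting 1) is a cheap check before copying the files into the strongSwan certificate directories; a file that still reports 2 or more would again be loaded only partially.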