Hi! We have configured a strongSwan roadwarrior client and a strongSwan gateway to use Hash_and_Url. We found that the gateway is always sending its certificate instead of sending the hash-link to its certificate, but the roadwarrior does.

Unfortunately I can't find such a behavior in the user mailing list nor in the documentation, so I have to ask what could be the reason for that? How can I force the gateway to send a cert-hash instead of a certificate in the IKE handshake?

Kind regards,
Mike

Configurations:

gateway ipsec.conf:

    ca %default
        certuribase=http://hashandurl.my-server.de/
        auto=add

    conn RU1-TI
        keyexchange=ikev2
        left=vpn1.my-server.de
        leftcert=vpn1.my-server Cert.pem
        leftid="C=DE, O=Arvato Systems GmbH TEST-ONLY - NOT-VALID, CN=vpn1.my-server.de"
        leftfirewall=yes
        right=%any
        rightsourceip=10.23.0.0/20
        auto=add

gateway strongswan.conf:

    charon {
        hash_and_url = yes
        load_modular = yes
        plugins {
            include strongswan.d/charon/*.conf
        }
    }
    include strongswan.d/*.conf

gateway statusall:

    Status of IKE charon daemon (strongSwan 5.5.3, Linux 4.4.103-6.38-default, x86_64):
      uptime: 5 hours, since Feb 28 10:34:02 2018
      malloc: sbrk 2822144, mmap 0, used 534240, free 2287904
      worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
      loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink socket-default stroke vici updown xauth-generic

roadwarrior ipsec.conf:

    ca KOMP_CA3
        certuribase=http://146.185.113.20/
        auto=add

    # Sample VPN connections

    conn %default
        keyexchange=ikev2
        ike=aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024
        esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1
        leftcert=my.C_NK_VPN.pem
        leftsourceip=%config
        rightid=%any
        dpdaction=none
        dpdaction=clear
        dpddelay=300s
        compress = yes
        leftfirewall=yes
        auto=add
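For readers following this thread, here is an added example (editor's code, not from the poster or from the strongSwan project) that models the IKEv2 Hash and URL mechanism the question is about. It follows RFC 7296 section 3.6: a CERT payload with encoding 12 carries the 20-octet SHA-1 of the DER certificate followed by a URL, and an implementation should only use that encoding when the peer announced HTTP_CERT_LOOKUP_SUPPORTED (notify 16392) in IKE_SA_INIT. Two things are assumptions rather than facts stated in the thread: that strongSwan builds the URL as certuribase plus the lowercase hex SHA-1 of the DER certificate, and that it sends Hash and URL only when the peer advertised the notify and a certuribase exists for the certificate's CA. The sample DER bytes are constructed and are not a real certificate.

```python
import hashlib
from typing import Optional, Tuple

# RFC 7296 section 3.6, Certificate Encoding values
CERT_X509_SIGNATURE = 4        # full DER certificate carried in the payload
CERT_HASH_AND_URL_X509 = 12    # 20-octet SHA-1 of the DER cert, then a URL
# RFC 7296 section 3.10.1, notify a peer sends to say it can fetch certs by URL
HTTP_CERT_LOOKUP_SUPPORTED = 16392


def cert_url(certuribase: str, der_cert: bytes) -> str:
    """URL under the ca-section certuribase where the peer will look for the cert.
    Assumption: file name is the lowercase hex SHA-1 of the DER encoding."""
    return certuribase + hashlib.sha1(der_cert).hexdigest()


def build_cert_data(der_cert: bytes, certuribase: Optional[str],
                    peer_supports_lookup: bool) -> bytes:
    """Certificate Data field of a CERT payload, chosen the way a responder does:
    Hash and URL only if the peer announced HTTP_CERT_LOOKUP_SUPPORTED *and* a
    certuribase is configured for the cert's CA; otherwise the full certificate.
    (Assumed decision rule; it mirrors the RFC's 'only if peer indicated support'.)"""
    if peer_supports_lookup and certuribase:
        digest = hashlib.sha1(der_cert).digest()
        url = cert_url(certuribase, der_cert).encode("ascii")
        return bytes([CERT_HASH_AND_URL_X509]) + digest + url
    return bytes([CERT_X509_SIGNATURE]) + der_cert


def parse_cert_data(data: bytes) -> Tuple[int, Optional[bytes], bytes]:
    """Split Certificate Data into (encoding, sha1_or_None, url_or_der)."""
    if not data:
        raise ValueError("empty Certificate Data")
    encoding = data[0]
    if encoding == CERT_HASH_AND_URL_X509:
        if len(data) < 1 + 20 + 1:
            raise ValueError("Hash and URL data too short for hash plus URL")
        return encoding, data[1:21], data[21:]
    return encoding, None, data[1:]


def verify_fetched_cert(expected_sha1: bytes, fetched_der: bytes) -> bool:
    """The check the peer performs after downloading the URL: the DER it fetched
    must hash to the 20 octets carried in the payload, or the cert is rejected.
    This is what makes an unauthenticated HTTP fetch safe to use."""
    return hashlib.sha1(fetched_der).digest() == expected_sha1


# Constructed placeholder bytes standing in for a DER certificate (not a real cert).
SAMPLE_DER = b"\x30\x82\x01\x00constructed-placeholder-not-a-real-certificate"

if __name__ == "__main__":
    base = "http://hashandurl.my-server.de/"
    # Peer advertised support -> hash plus URL goes on the wire
    data = build_cert_data(SAMPLE_DER, base, peer_supports_lookup=True)
    enc, h, rest = parse_cert_data(data)
    print("encoding", enc, "url", rest.decode(), "hash ok", verify_fetched_cert(h, SAMPLE_DER))
    # Peer did not advertise support -> full certificate goes on the wire
    data = build_cert_data(SAMPLE_DER, base, peer_supports_lookup=False)
    print("encoding", parse_cert_data(data)[0], "bytes", len(data))
```

The usage block shows the two outcomes side by side: the same certificate and certuribase yield a Hash and URL payload when the peer signalled support and a full-certificate payload when it did not, which is the first thing worth checking on each side when one peer sends the hash-link and the other does not.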