[Swan-dev] how to send certificate request payload in IKE_AUTH request

Paul Wouters paul at nohats.ca
Wed Jul 15 02:18:59 UTC 2020

On Tue, 14 Jul 2020, Balaji Thoguluva wrote:

> I am trying to establish an IKEv2/IPsec tunnel using certificate based authentication so that both ends can exchange certificates to authenticate
> themselves.
> How can I configure Libreswan which initiates the connection to send a "certificate request" (CERTREQ) payload in IKE_AUTH request so that the other end
> can send it's certificate in the IKE_AUTH response back?

The two are not related. The CERTREQ is just a "hint" for the other side
to pick its own CERT if it has more than one to choose from.

> For example, I have configured as follows
> conn radcert
>         ikev2=yes
>         left=
>         leftsubnet=
>         leftca=%same
>         leftrsasigkey=%cert
>         leftid=libswan at xyz.com   <------ other end's identity
>         leftprotoport=17/1812
>         right=
>         rightsubnet=
>         rightprotoport=17/1812
>         auto=ondemand
>         ike=aes128-sha1;dh14
>         phase2=esp
>         phase2alg=aes128-sha1;modp2048
>         pfs=yes
>         rightcert="mycert"
>         rightrsasigkey=%cert
>         rightsendcert=always
>         rightid=@abc.com
>         rightca=%same
>         type=tunnel
>         esn=no
>         rekey=yes
>         salifetime=28800s
>         ikelifetime=3600s
>         dpddelay=0s
>         dpdtimeout=0s
>         dpdaction=hold

looks good, other than the dpd values which should never be 0, and
dpdaction hold should be restart.

> I have p12 file in /etc/ipsec.d directory which is a container of mycert crtificate, mycert's CA certificate and private key of mycert. This p12 file is
> imported.
> When this connection is activated, Libreswan sends its certificate (because rightsendcert=always) in CERT payload however it does not send CERTREQ
> payload. Is there a way to instruct Libreswan to send CERTREQ payload?

Why does it need to send a CERTREQ? Does the other end not send any CERT

> Jul 14 22:06:51 [localhost] pluto[6672]: "radcert" #1: initiating v2 parent SA                                                                    
> Jul 14 22:06:51 [localhost] pluto[6672]: "radcert" #1: local IKE proposals for radcert (IKE SA initiator selecting KE):
> Jul 14 22:06:51 [localhost] pluto[6672]: "radcert" #1: STATE_PARENT_I1: sent v2I1, expected v2R1                                             
> Jul 14 22:06:51 [localhost] pluto[6672]: "radcert" #1: local ESP/AH proposals for radcert (IKE SA initiator emitting ESP/AH proposals):
> Jul 14 22:06:51 [localhost] pluto[6672]: "radcert" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=aes_128 integ=sha1_96 prf=sha
> group=MODP2048}
> Jul 14 22:06:51 [localhost] pluto[6672]: "radcert" #2: IKEv2 mode peer ID is ID_USER_FQDN: 'libswan at xyz.com'         
> Jul 14 22:06:51 [localhost] pluto[6672]: "radcert" #2: no RSA public key known for 'libswan at xyz.com'  <-----------------------------------              

Does the ID libswan at xyz.com appear as SAN on the certificate?
Perhaps you can run with plutodebug=all enabled so we can have a closer


More information about the Swan-dev mailing list