Thanks to everyone for the great job done on IPsec for open-source
I'm trying to connect to an ASA as an open-source replacement for Cisco
Client. Auth method used is xauth_rsa_client. The certificate chain
- user certificate
- three intermediate CA certificates
- root CA certificate
At the moment I'm always ending up with:
ERROR: ignore information because ISAKMP-SA has not been established
So far I've discovered that:
- ASA requires 'Send CA Certificate Chain' option to be checked in
Client in order to connect successfully,
- racoon (according to wireshark) only sends the user certificate to
- ASA only receives one certificate:
Nov 22 2011 16:13:02: %ASA-7-717025: Validating certificate chain
containing 1 certificate(s).
Nov 22 2011 16:13:02: %ASA-7-717029: Identified client certificate
within certificate chain. serial number: xxxxxxxxxxxxxxxxxxxxxxxx,
subject name: cn=xxxxxxxxxxxxxxx
Nov 22 2011 16:13:02: %ASA-3-717009: Certificate validation failed. No
suitable trustpoints found to validate certificate serial number:
By now I've tried to concatenate all certs (X509) in one file and feed
racoon using the 'certificate_type x509' config directive and to
CAs (again concatenated) with 'ca_type x509' directive. Neither seemed
any effect on what certs are being sent.
After reviewing the source code I came to a conclusion
that only sending the user certificate is supported (correct me if I'm
Therefore I added a new option to config file 'send_ca' to list an array
certificates which are all sent with ISAKMP_NPTYPE_CERT payload type to
responder right after the user certificate (RFC4306).
Currently I'm still receiving the same error, but I can see all CA
being transported to the responder. Also an 84-byte Informational
payload: Hash) is received from the responder, but it is encrypted.
Please correct me if I'm on the wrong path and if there is another way
achieving this. Has anyone looked into such a problem yet? I would be
to receive some input from other developers.
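As an added illustration (not racoon's code and not part of the post above), this shows how the certificates in a concatenated PEM file would be framed as a chain of ISAKMP CERT payloads, one per certificate, using the IKEv1 constants from RFC 2408, plus a parser that checks the framing on the receiving side. The PEM bodies are constructed placeholders, not real certificates.

```python
import base64
import struct

# ISAKMP constants (RFC 2408): CERT payload type, SIG payload type (the payload
# that normally follows the certificates), and the Certificate Encoding value
# for a DER X.509 signature certificate.
ISAKMP_NPTYPE_CERT = 6
ISAKMP_NPTYPE_SIG = 9
ISAKMP_CERT_X509SIGN = 4

def split_pem_bundle(pem_text):
    """Split a concatenated PEM file (user cert first, root last) into DER blobs."""
    ders, body, inside = [], [], False
    for line in pem_text.splitlines():
        line = line.strip()
        if line == "-----BEGIN CERTIFICATE-----":
            inside, body = True, []
        elif line == "-----END CERTIFICATE-----":
            ders.append(base64.b64decode("".join(body)))
            inside = False
        elif inside and line:
            body.append(line)
    return ders

def build_cert_payloads(ders, next_after_chain):
    """Encode every DER blob as a CERT payload; each Next Payload field points at
    the following CERT, the last one at next_after_chain (e.g. SIG)."""
    out = b""
    for i, der in enumerate(ders):
        nxt = ISAKMP_NPTYPE_CERT if i + 1 < len(ders) else next_after_chain
        length = 4 + 1 + len(der)  # generic header + encoding byte + cert data
        out += struct.pack("!BBHB", nxt, 0, length, ISAKMP_CERT_X509SIGN) + der
    return out

def parse_cert_payloads(buf):
    """Walk consecutive CERT payloads; return (ders, type of the payload after them)."""
    ders, ptype, off = [], ISAKMP_NPTYPE_CERT, 0
    while ptype == ISAKMP_NPTYPE_CERT:
        nxt, _reserved, length, enc = struct.unpack_from("!BBHB", buf, off)
        if length < 5 or off + length > len(buf):
            raise ValueError("truncated CERT payload")
        if enc != ISAKMP_CERT_X509SIGN:
            raise ValueError("unexpected certificate encoding %d" % enc)
        ders.append(buf[off + 5:off + length])
        off += length
        ptype = nxt
    return ders, ptype

def _pem(label):  # constructed placeholder "certificate", not real DER
    body = base64.b64encode(("CONSTRUCTED DER: " + label).encode()).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body

SAMPLE_BUNDLE = "".join(_pem(n) for n in
    ("user", "intermediate-1", "intermediate-2", "intermediate-3", "root"))
```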