[Openswan Users] Re: Openswan with X.509 signed by different CAs

Andreas Steffen andreas.steffen at strongsec.net
Thu Dec 9 08:07:37 CET 2004

The problem is that your Windows client has sends a Certificate
Request message to *swan requesting a certificate issued by
CA A whereas *swan has a certificate issued by CA B. Therefore
the negotiation fails. If you can reconfigure your Windows client
to request either a certificate from CA B or send an empty
Certificate Request then *swan will respond and send its own



WADA Masahiro wrote:
> Jacco wrote:
>>If I remember correctly, the Microsoft documentation says that
>>both sides MUST be using certificates from the same CA.
> I have never heard such information.
> If someone know its document, please tell me.
>>Unless you are a
>>third-party IPsec client and not the native IPsec implementation?
> I tested native IPsec client on WindowsXP and Windows2000.
> The certificate for XP is signed by the VeriSign,
> and the other for 2000 is signed by the openssl private CA.
> They could be connected each other.
> Masahiro Wada

Andreas Steffen                   e-mail: andreas.steffen at strongsec.com
strongSec GmbH                    home:   http://www.strongsec.com
Alter Zürichweg 20                phone:  +41 1 730 80 64
CH-8952 Schlieren (Switzerland)   fax:    +41 1 730 80 65
==========================================[strong internet security]===

More information about the Users mailing list