Issue Summary: Juniper is not sending its complete trust chain certificates in the IKE_AUTH message (RFC 4306) while establishing an IKEv2 tunnel.

Juniper Box Details: (tech output provided along with debug logs)
HW: Juniper Netscreen 5400
SW: Firmware Version: 6.3.0r17.0 (Firewall+VPN)

Issue Details:

Configuration:
- We are using a Juniper Netscreen 5400 device as our Security Gateway, which is connected to a Linux box running the strongSwan IKEv2 stack. We are trying to establish an IKEv2 tunnel between the two nodes (Linux <-> Juniper Netscreen).
- The IKEv2 auth method being used is "rsa-sig" on both ends.
- We have configured an X.509 certificate chain on both ends:

  [Diagram: the two certificate trust chains, both signed by the same Root CA]

  As seen in the diagram above, both trust chains are signed by the same Root CA.
- On Juniper we have installed only its own trust chain, i.e. Root CA -> Sub-CA-2 -> Jun Dev Cert.
- On Linux as well only its own trust chain is installed, i.e. Root CA -> Sub-CA-1 -> Dev Cert.

Juniper VPN Configuration:

[Screenshot: Gateway being used]
[Screenshot: Gateway Settings]
[Screenshot: Gateway Settings, Preferred Certificate]

- In Preferred Certificates we provided the Juniper device certificate (amit_13) as "Local Cert", and in "Peer CA" we provided the issuer's certificate of Juniper (i.e. Sub-CA2).

Issue Logs:

It is seen that when the Linux box initiates the IKE SA:
1. Linux sends an IKE_INIT message.
2. To this, as expected, Juniper responds with an IKE_INIT.
3. In IKE_INIT we see Juniper is sending a [CERTREQUEST] payload with Sub-CA2 certificate (Juniper device cert issuer) info.
4. After this Linux responds with an IKE_AUTH message; in this message it sends its complete trust chain certificates.
5. Since Juniper gets the complete trust chain certificates from Linux, it is able to validate the Linux certificates and bring the IKE tunnel up on its own end.
6. After this, as expected, Juniper sends an IKE_AUTH reply to the Linux box.
7. It is expected that in this IKE_AUTH response Juniper will be sending its own trust chain certificates in the [CERT] payload. However, it only sends its own device certificate and not the complete trust chain.
8. Due to this, Linux is not able to validate the Juniper device certificate because it cannot find its issuer certificate, and it rejects the IKE_AUTH response from Juniper:

     sending end entity cert "C=GB, ST=Berkshire, L=Newbury, O=My Company Ltd"
     sending issuer cert "C=Sub1CA1, O=Sub1CA1, CN=Sub1CA1"
     establishing CHILD_SA IpSecMPlane
     generating IKE_AUTH request 1 [ IDi CERT CERT CERTREQ AUTH SA TSi TSr N(EAP_ONLY) ]
     sending packet: from 37.37.37.37[500] to 12.12.12.2[500] (2316 bytes)
     received packet: from 12.12.12.2[500] to 37.37.37.37[500] (1484 bytes)
     parsed IKE_AUTH response 1 [ IDr CERT AUTH SA N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) TSi TSr ]
     received end entity cert "C=sd, ST=amit_13, L=amit_13, O=amit_13, OU=amit_13, CN=0047092009000003, CN=amit_13, CN=rsa-key, CN=ns54030.juniper.net, CN=amit_13"
     using certificate "C=sd, ST=amit_13, L=amit_13, O=amit_13, OU=amit_13, CN=0047092009000003, CN=amit_13, CN=rsa-key, CN=ns54030.juniper.net, CN=amit_13"
     no issuer certificate found for "C=sd, ST=amit_13, L=amit_13, O=amit_13, OU=amit_13, CN=0047092009000003, CN=amit_13, CN=rsa-key, CN=ns54030.juniper.net, CN=amit_13"
     no trusted RSA public key found for 'ns54030.juniper.net

9. CONFIG 2: We also tried changing the "Peer CA" configuration on the Juniper end. We tried setting it to "ALL".
10. However, on selecting this configuration the issue is observed in the IKE_INIT message itself, which is sent by Juniper: it seems Juniper is sending all CA certificates installed on it in the [CERTREQUEST] payload, however the "Certificate Type" field is set to "0 - RESERVED", which is an invalid value as per the RFC, and hence the Linux box rejects it.
11. Thereafter, in the IKE_AUTH phase, Juniper again sends only its own device certificate and not the complete trust chain, as a result of which the SA does not come up.
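The two failures described above (a CERTREQ whose encoding byte is the reserved value 0, and an IKE_AUTH CERT payload that carries the device certificate without its issuer) can both be checked offline. The script below is an added example written for this report; it is not code from the report, from Juniper or from strongSwan. It parses a chain of IKEv2 generic payload headers, flags CERT/CERTREQ payloads whose Certificate Encoding byte (the field the report calls "Certificate Type"; RFC 4306 section 3.6 names it Certificate Encoding) is not an assigned value, and then walks a certificate chain the way a verifier looks for issuers: in the peer's CERT payloads and in the locally installed CA store. The payload bytes, the CA names (Root CA, Sub-CA-1, Sub-CA-2, Jun Dev Cert) and the local store contents are constructed to mirror the report; the chain walk is a simplified model of issuer lookup by name, not strongSwan's implementation.

```python
import struct

# IKEv2 payload type numbers from RFC 4306 section 3.2
NO_NEXT_PAYLOAD = 0
PAYLOAD_CERT = 37
PAYLOAD_CERTREQ = 38
PAYLOAD_NAMES = {PAYLOAD_CERT: "CERT", PAYLOAD_CERTREQ: "CERTREQ"}

# Assigned Certificate Encoding values from RFC 4306 section 3.6
# (4 = "X.509 Certificate - Signature"); 0 and 5 are RESERVED, 14+ unassigned.
ASSIGNED_CERT_ENCODINGS = {1, 2, 3, 4, 6, 7, 8, 9, 10, 11, 12, 13}


def build_payload(next_payload, body):
    """Prepend the generic payload header: Next Payload (1 byte),
    Critical bit + reserved (1 byte), Payload Length incl. header (2 bytes)."""
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def parse_payloads(first_type, data):
    """Walk the payload chain that follows the IKE header; first_type is the
    IKE header's Next Payload value. Returns a list of (type, body) tuples."""
    payloads, ptype, offset = [], first_type, 0
    while ptype != NO_NEXT_PAYLOAD:
        if offset + 4 > len(data):
            raise ValueError("truncated payload header at offset %d" % offset)
        next_type, _flags, length = struct.unpack("!BBH", data[offset:offset + 4])
        if length < 4 or offset + length > len(data):
            raise ValueError("bad payload length %d at offset %d" % (length, offset))
        payloads.append((ptype, data[offset + 4:offset + length]))
        ptype, offset = next_type, offset + length
    return payloads


def check_cert_encodings(payloads):
    """One message per CERT/CERTREQ payload whose Certificate Encoding byte is
    not assigned (the condition hit by the '0 - RESERVED' CERTREQ in config 2)."""
    problems = []
    for ptype, body in payloads:
        if ptype not in PAYLOAD_NAMES:
            continue
        name = PAYLOAD_NAMES[ptype]
        if not body:
            problems.append("%s payload has no Certificate Encoding byte" % name)
        elif body[0] not in ASSIGNED_CERT_ENCODINGS:
            problems.append("%s payload uses Certificate Encoding %d "
                            "(RESERVED/unassigned per RFC 4306 section 3.6)" % (name, body[0]))
    return problems


def validate_chain(received, local_cas):
    """received: (subject, issuer) pairs as sent by the peer, end-entity first.
    local_cas: {subject: issuer} for locally installed CA certs; a self-signed
    entry is a trust anchor. Each issuer is looked up in the local store and in
    the received certs; the walk succeeds only when it reaches a local root."""
    received_by_subject = dict(received)
    subject, issuer = received[0]
    path, seen = [subject], set()
    while subject not in seen:
        seen.add(subject)
        if subject == issuer:  # self-signed: trusted only if installed locally
            if subject in local_cas:
                return True, " -> ".join(path)
            return False, "self-signed cert %r is not a local trust anchor" % subject
        if issuer in local_cas:
            next_issuer = local_cas[issuer]
        elif issuer in received_by_subject:
            next_issuer = received_by_subject[issuer]
        else:
            return False, "no issuer certificate found for %r" % subject
        path.append(issuer)
        subject, issuer = issuer, next_issuer
    return False, "loop in certificate chain"


# Constructed sample (not from the capture): a CERTREQ whose encoding byte is 0,
# followed by a CERT payload with encoding 4. For encoding 4 a CERTREQ body is a
# list of 20-byte SHA-1 hashes of trusted CAs' SubjectPublicKeyInfo; placeholders here.
SAMPLE_FIRST_TYPE = PAYLOAD_CERTREQ
SAMPLE_PAYLOADS = (
    build_payload(PAYLOAD_CERT, bytes([0]) + b"\x11" * 20)
    + build_payload(NO_NEXT_PAYLOAD, bytes([4]) + b"<placeholder DER certificate>")
)

# Constructed to mirror the report: Linux holds only Root CA and Sub-CA-1 locally;
# Juniper sent its device cert alone, where its issuer Sub-CA-2 was expected too.
LINUX_LOCAL_CAS = {"Root CA": "Root CA", "Sub-CA-1": "Root CA"}
JUNIPER_SENT = [("Jun Dev Cert", "Sub-CA-2")]
JUNIPER_EXPECTED = [("Jun Dev Cert", "Sub-CA-2"), ("Sub-CA-2", "Root CA")]

if __name__ == "__main__":
    for problem in check_cert_encodings(parse_payloads(SAMPLE_FIRST_TYPE, SAMPLE_PAYLOADS)):
        print("payload check:", problem)
    for label, certs in (("as sent", JUNIPER_SENT), ("with Sub-CA-2", JUNIPER_EXPECTED)):
        print(label + ":", validate_chain(certs, LINUX_LOCAL_CAS))
```

Run against the constructed data, the payload check reports the reserved encoding 0 on the CERTREQ, the "as sent" chain stops with "no issuer certificate found" for the device cert (the same condition the strongSwan log above shows), and the chain that includes Sub-CA-2 completes at the locally installed Root CA. To apply the same check to a real capture, feed the bytes after the 28-byte IKE header and the header's Next Payload value to parse_payloads; mapping DER certificates to (subject, issuer) pairs needs an X.509 parser and is outside this script.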
Logs Provided:

Config 1: "Peer CA" configured as "Sub-CA2" on Juniper
- Wireshark capture: "TrustChainFailure.pcap"
- Juniper config file: "_cfg_feb_peer_ca_subca.txt"
- Debug IKE detail capture from Juniper: "debug_ike_detail.txt"

Config 2: "Peer CA" configured as "ALL" on Juniper
- Wireshark capture: "TrustChainFailure_PeerCA_All.pcap"
- Juniper config file: "_cfg_peer_ca_all.txt"
- Debug IKE detail capture from Juniper: "debug_ike_detail_peer_cert_is_all.txt"

Other Logs:
- Event logs from Juniper: _evt_log.txt
- Tech output from Juniper: _tech.txt
- Linux Box Logs.txt