In scenarios where the server accepts client certificates from dozens or
even hundreds of CAs, it might be necessary to omit certificate request
payloads from the IKE_SA_INIT response to avoid fragmentation.
As it is rarely the case in road-warrior scenarios that the server
already has the client certificate installed, it should not be a problem
to always send it.
ike_sa_t *ike_sa;
auth_cfg_t *auth;
peer_cfg_create_t peer = {
- .cert_policy = CERT_SEND_IF_ASKED,
+ .cert_policy = CERT_ALWAYS_SEND,
.unique = UNIQUE_REPLACE,
.rekey_time = 36000, /* 10h */
.jitter_time = 600, /* 10min */
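Review bot: the rationale for switching `.cert_policy` from `CERT_SEND_IF_ASKED` to `CERT_ALWAYS_SEND` lives only in the commit message, so a reader of this peer_cfg initializer later will not know why the client ignores the presence or absence of a certificate request payload; please add a short comment on the `+ .cert_policy = CERT_ALWAYS_SEND,` line (e.g. `/* server may omit CERTREQ to keep IKE_SA_INIT small */`) in the same style as the `/* 10h */` and `/* 10min */` comments on `rekey_time` and `jitter_time`. Since this change affects the client side only, it is also worth confirming that the server configuration this is meant to pair with actually drops its certificate request payloads; otherwise the setting is harmless but the fragmentation problem the message describes remains.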