embedding PUBKEY certificate in payload failed
When using raw ECDSA keys with pubkey auth and a near-default (no crypto plugins disabled) installation, when the IKE_SA gets initiated, strongSwan complains about "embedding PUBKEY certificate in payload failed", but the negotiation completes nonetheless.
#1 Updated by Tobias Brunner 4 months ago
- Status changed from New to Feedback
That's normal if you don't prevent certificates from getting sent (e.g. via explicit configuration or if the peer doesn't send a certificate request). The public key is wrapped in a certificate_t object by the pubkey plugin and internally treated like a self-signed certificate. However, since it's not an X.509 certificate it can't be encoded in a certificate payload (we currently don't support RFC 7670), which causes that log message.
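
An added example, not part of the original thread: a swanctl.conf fragment showing the kind of explicit configuration mentioned above, with certificate payloads and certificate requests switched off for a raw-public-key connection. It assumes the swanctl.conf configuration backend; the connection name, address, identities and key file names are hypothetical.

```conf
# Added example: raw public key authentication without CERT/CERTREQ payloads.
# Connection name, address, IDs and file names are hypothetical placeholders.
connections {
    rawkey-peer {
        remote_addrs = 192.0.2.10

        # Never try to put the wrapped public key into a CERT payload,
        # so the "embedding PUBKEY certificate in payload failed" path
        # is not reached.
        send_cert = never

        # The peer's key is pinned locally, so there is no point in
        # asking it for a certificate either.
        send_certreq = no

        local {
            auth = pubkey
            id = moon.example.org
            # Public key file for the local identity; the matching
            # private key is loaded separately.
            pubkeys = moon-ecdsa-pub.pem
        }
        remote {
            auth = pubkey
            id = sun.example.org
            # Out-of-band provisioned public key of the peer.
            pubkeys = sun-ecdsa-pub.pem
        }
    }
}
```

With raw keys the binding between identity and key comes only from this local configuration, so the remote `id` and `pubkeys` entries are the trust anchor and should be provisioned over a trusted channel.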