Hi Ranjit,

On 09/16/2010 09:48 PM, [email protected] wrote:
> Hi Andreas,
>
> I am Ranjit Kollu, working as a developer at EMC Corporation.
>
> We are using strongSwan to set up an IPsec tunnel between our management
> servers, and we use our own CA and digital certificates. So we are
> experimenting with the renewal of certificates and its effect on the IPsec
> tunnel. Following are the questions I have:
>
> 1) If the host (digital certificate) is about to expire on our
> management servers and say the IPsec tunnel is up. If we revoke the
> digital certificate on the management server and re-create new ones
> that are signed by the same CA (before the digital certificate
> expires):
> - What effect does it have on the IPsec tunnel?
> - Do we need to start ipsec?
> - Or does the existing tunnel keep working fine?
> - Is there a periodic check on the IPsec tunnel for the validity of the
>   certificates?
>
The validity and revocation status of a certificate is verified during
IKEv1 Main Mode or during IKEv2 Reauthentication only, the time period
defined by ikelifetime= in ipsec.conf. The default value is every 3 hours.

When you update an end entity certificate then you should take down the
connection on the end that is in possession of the old cert, update the
cert and restart it:

  ipsec down <conn>
  ipsec update
  ipsec up <conn>

Make sure to store the new end entity certificate under a different file
name and adapt the leftcert=<certfile> statement in ipsec.conf
accordingly. Otherwise "ipsec update" will not load the new certificate.
All other running tunnels are not affected.

> 2) Extending on question 1), what if the IPsec tunnel goes down for
> some reason, and once we restart the IPsec tunnel using our new
> digital certs, does it have any effect on the IPsec tunnel
> establishment?
>
Just the new certs will be used as described under 1).

> 3) What happens if the CA itself expires?
> - Can we safely revoke the existing host certificates and remove the CA
>   and create a new CA and new digital certificates?
> - What are its effects on the IPsec tunnel?
> - Do we need to restart ipsec?
>
Create a new CA certificate a sufficiently long time before the old one
expires, copy it to /etc/ipsec.d/cacerts/ and execute

  ipsec rereadcacerts

The new CA certificate will then be known together with the old one, so
that you can now issue new certificates signed by the new CA and
introduce them using step 1).

> Could you please answer the above questions when you have time.
>
>
> Thanks,
> Ranjit.
>
Regards

Andreas

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
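The end-entity rotation procedure from the reply above, as an added shell example that is not part of the thread or of strongSwan itself. It assumes the conn has exactly one leftcert= line and that certificates live in IPSEC_CERTDIR (default /etc/ipsec.d/certs); the hypothetical file and conn names in the comments are constructed.

```sh
#!/bin/sh
# Rotate one strongSwan conn's end-entity certificate as described above:
# install the new cert under a NEW file name, point leftcert= at it, then
# ipsec down / ipsec update / ipsec up. Assumptions (not from the thread):
# the conn has exactly one leftcert= line; certs live in IPSEC_CERTDIR.
set -eu

IPSEC_CERTDIR="${IPSEC_CERTDIR:-/etc/ipsec.d/certs}"

# Print ipsec.conf with the leftcert= of section "conn <name>" set to newcert.
# Fails if the file name is unchanged (then "ipsec update" would keep the old
# certificate) or if the conn has no leftcert= line at all.
rewrite_leftcert() {
    conf="$1"; conn="$2"; newcert="$3"
    awk -v conn="$conn" -v newcert="$newcert" '
        /^conn[ \t]/ { in_conn = ($2 == conn) }          # track current section
        in_conn && /^[ \t]*leftcert=/ {
            current = $0; sub(/^[ \t]*leftcert=/, "", current)
            if (current == newcert) { same = 1; exit }  # same name: refuse
            sub(/=.*/, "=" newcert); changed = 1
        }
        { print }
        END {
            if (same) { print "leftcert is already " newcert ": use a new file name" > "/dev/stderr"; exit 1 }
            if (!changed) { print "no leftcert= found in conn " conn > "/dev/stderr"; exit 1 }
        }
    ' "$conf"
}

# Full rotation: copy the new cert into IPSEC_CERTDIR, rewrite ipsec.conf
# atomically, then bounce only this conn; other tunnels stay up.
rotate_cert() {
    conn="$1"; conf="$2"; newcert_path="$3"
    newcert=$(basename "$newcert_path")
    cp "$newcert_path" "$IPSEC_CERTDIR/$newcert"
    rewrite_leftcert "$conf" "$conn" "$newcert" > "$conf.tmp"
    mv "$conf.tmp" "$conf"
    ipsec down "$conn"      # tear down this tunnel only
    ipsec update            # reload ipsec.conf and pick up the new certificate
    ipsec up "$conn"        # re-establish with the new certificate
}

# Usage (constructed names): ./rotate.sh mgmt /etc/ipsec.conf /tmp/mgmtCert-2011.pem
# Runs only when given three arguments, so sourcing the file just defines functions.
[ $# -eq 3 ] && rotate_cert "$1" "$2" "$3"
```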
