Hi,

> ca section1
> cacert=/usr/local/etc/ipsec.d/cacerts/CA.pem

> 6. After removing this and executing "ipsec update" we expect that the
> SA will not get established as the end which does not have root CA of
> peer will reject the IKE_AUTH.

All CA certificates placed under the cacerts directory get loaded implicitly. The ipsec.conf ca section is there to load CA certificates from other locations, or to define additional properties for that CA (refer to the ipsec.conf manpage for details).

Further, CA certificate unloading was not supported until 5.3.0, see [1]. With that version, you can re/unload all CA certificates from the cacerts directory using the "ipsec reread" command, or use "ipsec update" to re/unload CA certificates referenced in ipsec.conf ca sections.

Regards
Martin

[1] https://wiki.strongswan.org/issues/842

_______________________________________________
Dev mailing list
https://lists.strongswan.org/mailman/listinfo/dev
