Hi,

Some doubts regarding certificate updating in the IKEv2 stack. Consider the following scenario:

CACERT1 (old with new) & CACERT2 (new with new) are both from the same CA.
CERT1: signed with CACERT1
CERT2: signed with CACERT2

1. Certificates on PC1:               1. Certificates on PC2:
   CACERT1, CACERT2                      CACERT1, CACERT2
   CERT2 (signed with CACERT2)           CERT1 (signed with CACERT1)

   IKE and IPsec SA <----PC1----------------PC2--------> creation is successful.

2. Certificates on PC1:               2. Certificates on PC2:
   CACERT2                               CACERT1, CACERT2
   CERT2 (signed with CACERT2)           CERT1 (signed with CACERT1)

   IKE and IPsec SA <----PC1-----????--------PC2--------> creation is successful.

In the second step, the IKEv2 stack on PC1 is given only CACERT2 and CERT2 through the ipsec.conf file by firing the "ipsec update" command.

Q. Now, if I try to create another IKE SA between PC1 and PC2, will it be successful, as PC1 will not be able to decrypt PC2's certificate (CERT1) because of the non-availability of CACERT1 on PC1?

Thanks in advance.

Regards,
Vivek

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
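The trust-store check that decides the question above, as an added example that is not part of the post or of strongSwan: a Go program (standard library only) that builds two CA certificates with the same issuer name but different keys, issues CERT1 under the first, and runs standard X.509 path validation against PC1's trust store with both CA certificates loaded and with CACERT2 alone. The CA name "Example CA", the serial numbers and the ECDSA keys are constructed here; nothing in it models strongSwan's own certificate cache or configuration handling.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// template builds a minimal certificate template for a CA or an end entity.
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: isCA, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

// issue generates a key pair for tmpl and signs it with parentKey under parent; parent == tmpl with parentKey == nil yields a self-signed CA.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parentKey == nil {
		parentKey = key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// chainsToTrusted reports whether peerCert validates against the CA certificates in the local trust store (the check a peer applies to the CERT payload of IKE_AUTH).
func chainsToTrusted(peerCert *x509.Certificate, trusted ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, c := range trusted {
		pool.AddCert(c)
	}
	_, err := peerCert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// scenario models the post: CACERT1 and CACERT2 share the CA name but not the key, and PC2 presents CERT1 (signed by CACERT1).
// It reports whether PC1 can validate CERT1 with both CA certificates loaded, and with CACERT2 alone.
func scenario() (withBoth, onlyNew bool) {
	t1, t2 := template("Example CA", 1, true), template("Example CA", 2, true)
	ca1, ca1Key := issue(t1, t1, nil) // CACERT1: old CA key (constructed)
	ca2, _ := issue(t2, t2, nil)      // CACERT2: new CA key (constructed)
	cert1, _ := issue(template("PC2", 10, false), ca1, ca1Key)
	return chainsToTrusted(cert1, ca1, ca2), chainsToTrusted(cert1, ca2)
}
```

Matching by issuer name alone is not enough: with only CACERT2 in the pool the chain builder finds a candidate with the right name but the signature check against CACERT2's key fails, so validation of CERT1 requires CACERT1 (or at least its public key) to be trusted.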