Hello,

I've got the following 2 questions about a strongSwan 4.3.6 setup with OpenSSL 0.9.8g certificates:

1) Is there a way to tell the pluto & charon daemons to "forget" removed CA certificates from /etc/ipsec.d/cacerts without a restart (and thus disrupted connections)? When I delete a certificate from the folder and run 'ipsec rereadcacerts', the removed certificate is still listed in the 'ipsec listcacerts' output.

2) I generated CRLs for my CAs and put those in the /etc/ipsec.d/crls folder. One of the CRLs belongs to a CA with a revoked certificate. When I tried to connect using that revoked certificate, I got connected when keyexchange is set to ikev2 and rejected (as expected) when keyexchange is set to ike.

Thanks in advance,
Markus

The ipsec.conf files look like this:

gateway side:

    conn 1
        left=192.168.150.135
        leftsubnet=172.16.121.0/24
        right=%any
        authby=rsasig
        leftcert=cert1.pem
        leftid="C=de, ST=state, O=company, OU=develop, CN=cert 1, [email protected]"
        rightid=%any
        dpdaction=hold
        dpddelay=15s
        ike=aes256-sha2_512-modp8192,aes256-sha2_512-modp4096!
        esp=aes256-sha2_256!
        keyexchange=ikev2
        ikelifetime=3600s
        keyingtries=%forever
        keylife=300s
        rekey=yes
        rekeymargin=60s
        rekeyfuzz=50%
        reauth=yes
        auto=add
        leftsendcert=ifasked

client side:

    conn 1
        left=192.168.150.136
        right=192.168.150.135
        rightsubnet=172.16.121.0/24
        authby=rsasig
        leftcert=cert2.pem
        leftid="C=de, ST=state, O=company, OU=sales, CN=cert 2, [email protected]"
        rightcert=cert1.pem
        rightid="C=de, ST=state, O=company, OU=develop, CN=cert 1, [email protected]"
        dpdaction=hold
        dpddelay=15s
        ike=aes256-sha2_512-modp8192,aes256-sha2_512-modp4096!
        esp=aes128-sha2_256,aes256-sha2_256!
        keyexchange=ikev2
        ikelifetime=3600s
        keyingtries=%forever
        keylife=300s
        rekey=yes
        rekeymargin=60s
        rekeyfuzz=50%
        reauth=yes
        auto=add
        leftsendcert=ifasked

'ipsec listcrls' output on gateway side:

    000
    000 List of X.509 CRLs:
    000
    000 issuer:  "C=de, ST=state, L=city, O=company, OU=sales, CN=sales ca, [email protected]"
    000 revoked: 1 certificates
    000 distPts: 'file:///etc/ipsec.d/crls/sales_crl.pem'
    000 updates: this Feb 23 13:31:38 2010
    000          next Feb 21 13:31:38 2020 ok
    000
    000 issuer:  "C=de, ST=state, L=city, O=company, OU=develop, CN=develop ca, [email protected]"
    000 revoked: 0 certificates
    000 distPts: 'file:///etc/ipsec.d/crls/develop_crl.pem'
    000 updates: this Jan 22 14:53:53 2010
    000          next Jan 20 14:53:53 2020 ok

    List of X.509 CRLs:

      issuer:  "C=de, ST=state, L=city, O=company, OU=sales, CN=sales ca, [email protected]"
      revoked: 1 certificate
      updates: this Feb 23 13:31:38 2010
               next Feb 21 13:31:38 2020, ok

      issuer:  "C=de, ST=state, L=city, O=company, OU=develop, CN=develop ca, [email protected]"
      revoked: 0 certificates
      updates: this Jan 22 14:53:53 2010
               next Jan 20 14:53:53 2020, ok

log on gateway side (ikev2):

    s_local@(none) charon: 11[CFG] selected peer config '1'
    s_local@(none) charon: 11[CFG] using certificate "C=de, ST=state, O=company, OU=sales, CN=cert 2, [email protected]"
    s_local@(none) charon: 11[CFG] using trusted ca certificate "C=de, ST=state, L=city, O=company, OU=sales, CN=sales ca, [email protected]"
    s_local@(none) charon: 11[CFG] checking certificate status of "C=de, ST=state, O=company, OU=sales, CN=cert 2, [email protected]"
    s_local@(none) charon: 11[CFG] certificate status is not available
    s_local@(none) charon: 11[CFG] reached self-signed root ca with a path length of 0
    s_local@(none) charon: 11[IKE] authentication of 'C=de, ST=state, O=company, OU=sales, CN=cert 2, [email protected]' with RSA signature successful

log on gateway side (ikev1):

    "1"[1] 192.168.150.136 #3: responding to Main Mode from unknown peer 192.168.150.136
    "1"[1] 192.168.150.136 #3: Peer ID is ID_DER_ASN1_DN: 'C=de, ST=state, O=company, OU=sales, CN=cert 2, [email protected]'
    "1"[1] 192.168.150.136 #3: certificate was revoked on Feb 23 13:30:46 UTC 2010, reason: unspecified
    "1"[1] 192.168.150.136 #3: X.509 certificate rejected
    "1"[1] 192.168.150.136 #3: no public key known for 'C=de, ST=state, O=company, OU=sales, CN=cert 2, [email protected]'
    "1"[1] 192.168.150.136 #3: sending encrypted notification INVALID_KEY_INFORMATION to 192.168.150.136:500

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
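Added example for the second question (it is not part of Markus's message and not strongSwan code): a stdlib-only Python script that reads a CRL's DER, lists the serial numbers it revokes and reports whether it carries an authorityKeyIdentifier (AKI) extension. It encodes one assumption about the 4.3.x credential manager: charon locates the CRL for an issuer by matching the CRL's AKI against the CA certificate's subjectKeyIdentifier, so a CRL without that extension is never selected and the check ends in "certificate status is not available" (the way the IKEv2 log above ends), whereas pluto is assumed to also match on the issuer DN, which fits the IKEv1 rejection. The two sample CRLs are constructed inside the script with a dummy signature, and the CA key identifier, serial number and names in them are made up.

```python
"""Inspect an X.509 CRL the way a revocation lookup would: which issuer key it belongs
to (authorityKeyIdentifier) and which serial numbers it revokes.  Added example, stdlib only."""
import base64
import re

AKI_OID = b"\x55\x1d\x23"  # 2.5.29.35 authorityKeyIdentifier, DER-encoded OID body


# --- minimal DER reader -----------------------------------------------------
def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children(content):
    """Split the content of a constructed element into its (tag, content) members."""
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = read_tlv(content, pos)
        out.append((tag, value))
    return out


def parse_crl(der):
    """Extract issuer DN (raw DER), AKI key identifier and revoked serials from a CertificateList."""
    _, cert_list, _ = read_tlv(der, 0)
    fields = children(children(cert_list)[0][1])   # TBSCertList members
    i = 1 if fields[0][0] == 0x02 else 0           # optional version INTEGER
    i += 1                                         # signature AlgorithmIdentifier
    issuer = fields[i][1]
    i += 2                                         # skip issuer and thisUpdate
    if i < len(fields) and fields[i][0] in (0x17, 0x18):
        i += 1                                     # optional nextUpdate
    revoked, aki = [], None
    for tag, value in fields[i:]:
        if tag == 0x30:                            # revokedCertificates
            for _, entry in children(value):
                revoked.append(int.from_bytes(children(entry)[0][1], "big"))
        elif tag == 0xA0:                          # [0] EXPLICIT crlExtensions
            for _, ext in children(children(value)[0][1]):
                parts = children(ext)              # extnID, [critical], extnValue
                if parts[0][1] == AKI_OID:
                    # extnValue OCTET STRING wraps SEQUENCE { [0] IMPLICIT keyIdentifier, ... }
                    for t, v in children(children(parts[-1][1])[0][1]):
                        if t == 0x80:
                            aki = v
    return {"issuer": issuer, "aki": aki, "revoked": revoked}


def certificate_status(crl, ca_ski, serial):
    """Assumed charon 4.3.x behaviour: the CRL is only consulted if its AKI equals the CA's SKI."""
    if crl["aki"] is None or crl["aki"] != ca_ski:
        return "not available"
    return "revoked" if serial in crl["revoked"] else "good"


def load_crl(path):
    """Read a PEM or DER CRL file from disk (for real files; the sample below does not use it)."""
    raw = open(path, "rb").read()
    m = re.search(rb"-----BEGIN X509 CRL-----(.*?)-----END X509 CRL-----", raw, re.S)
    return base64.b64decode(m.group(1)) if m else raw


# --- constructed sample CRLs (unsigned, dummy signature; enough for the parser) ----
def der(tag, content):
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def der_int(i):
    return der(0x02, i.to_bytes(i.bit_length() // 8 + 1, "big"))   # keeps the sign bit clear


def build_crl(revoked_serials, aki=None):
    alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + der(0x05, b""))  # sha256WithRSA
    issuer = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, b"sales ca"))))
    body = der_int(1) + alg + issuer + der(0x17, b"100223133138Z") + der(0x17, b"200221133138Z")
    if revoked_serials:
        body += der(0x30, b"".join(der(0x30, der_int(s) + der(0x17, b"100223133046Z")) for s in revoked_serials))
    if aki is not None:
        ext = der(0x30, der(0x06, AKI_OID) + der(0x04, der(0x30, der(0x80, aki))))
        body += der(0xA0, der(0x30, ext))
    return der(0x30, der(0x30, body) + alg + der(0x03, b"\x00" * 17))


CA_SKI = bytes.fromhex("0102030405060708090a0b0c0d0e0f1011121314")  # made-up CA key identifier
REVOKED_SERIAL = 0x1002                                             # made-up serial number
CRL_WITH_AKI = build_crl([REVOKED_SERIAL], aki=CA_SKI)
CRL_WITHOUT_AKI = build_crl([REVOKED_SERIAL])

if __name__ == "__main__":
    for name, blob in (("with AKI", CRL_WITH_AKI), ("without AKI", CRL_WITHOUT_AKI)):
        crl = parse_crl(blob)
        print(name, "revoked:", [hex(s) for s in crl["revoked"]],
              "aki:", crl["aki"].hex() if crl["aki"] else None,
              "-> status of 0x1002:", certificate_status(crl, CA_SKI, REVOKED_SERIAL))
```

Against a real file, parse_crl(load_crl("/etc/ipsec.d/crls/sales_crl.pem")) shows whether "aki" is None; the same thing is visible in "openssl crl -in sales_crl.pem -noout -text" as the presence or absence of "X509v3 Authority Key Identifier". OpenSSL's "ca -gencrl" only emits that extension when the [ca] section names a crl_extensions section containing authorityKeyIdentifier=keyid:always. Independently of the lookup, charon with the default strictcrlpolicy=no accepts a peer whose status it could not determine, which is what the IKEv2 log shows; strictcrlpolicy=yes in config setup turns that outcome into a rejection.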
