Hello Markus, could you send me the sales end entity and ca certificates as well as the CRL?
Regards
Andreas

Markus Müller wrote:
> Hello,
>
> I've got the following 2 questions about a strongSwan 4.3.6 setup with
> OpenSSL 0.9.8g certificates:
>
> 1)
> Is there a way to tell the pluto & charon daemons to "forget" removed CA
> certificates from /etc/ipsec.d/cacerts without a restart
> (and thus disrupted connections)?
> When I delete a certificate from the folder and run 'ipsec rereadcacerts',
> the removed certificate is still listed in the 'ipsec listcacerts' output.
>
> 2)
> I generated CRLs for my CAs and put those in the /etc/ipsec.d/crls folder.
> One of the CRLs belongs to a CA with a revoked certificate.
> When I tried to connect, using that revoked certificate, I got connected
> when keyexchange is set to ikev2 and rejected (as expected) when
> keyexchange is set to ike.
>
> Thanks in advance,
> Markus
>
>
> The ipsec.conf files look like this:
>
> gateway side:
> conn 1
>     left=192.168.150.135
>     leftsubnet=172.16.121.0/24
>     right=%any
>     authby=rsasig
>     leftcert=cert1.pem
>     leftid="C=de, ST=state, O=company, OU=develop, CN=cert 1, [email protected]"
>     rightid=%any
>     dpdaction=hold
>     dpddelay=15s
>     ike=aes256-sha2_512-modp8192,aes256-sha2_512-modp4096!
>     esp=aes256-sha2_256!
>     keyexchange=ikev2
>     ikelifetime=3600s
>     keyingtries=%forever
>     keylife=300s
>     rekey=yes
>     rekeymargin=60s
>     rekeyfuzz=50%
>     reauth=yes
>     auto=add
>     leftsendcert=ifasked
>
> client side:
> conn 1
>     left=192.168.150.136
>     right=192.168.150.135
>     rightsubnet=172.16.121.0/24
>     authby=rsasig
>     leftcert=cert2.pem
>     leftid="C=de, ST=state, O=company, OU=sales, CN=cert 2, [email protected]"
>     rightcert=cert1.pem
>     rightid="C=de, ST=state, O=company, OU=develop, CN=cert 1, [email protected]"
>     dpdaction=hold
>     dpddelay=15s
>     ike=aes256-sha2_512-modp8192,aes256-sha2_512-modp4096!
>     esp=aes128-sha2_256,aes256-sha2_256!
>     keyexchange=ikev2
>     ikelifetime=3600s
>     keyingtries=%forever
>     keylife=300s
>     rekey=yes
>     rekeymargin=60s
>     rekeyfuzz=50%
>     reauth=yes
>     auto=add
>     leftsendcert=ifasked
>
> 'ipsec listcrls' output on gateway side:
> 000
> 000 List of X.509 CRLs:
> 000
> 000 issuer:  "C=de, ST=state, L=city, O=company, OU=sales, CN=sales ca, [email protected]"
> 000 revoked: 1 certificates
> 000 distPts: 'file:///etc/ipsec.d/crls/sales_crl.pem'
> 000 updates: this Feb 23 13:31:38 2010
> 000          next Feb 21 13:31:38 2020 ok
> 000
> 000 issuer:  "C=de, ST=state, L=city, O=company, OU=develop, CN=develop ca, [email protected]"
> 000 revoked: 0 certificates
> 000 distPts: 'file:///etc/ipsec.d/crls/develop_crl.pem'
> 000 updates: this Jan 22 14:53:53 2010
> 000          next Jan 20 14:53:53 2020 ok
>
> List of X.509 CRLs:
>
>   issuer:  "C=de, ST=state, L=city, O=company, OU=sales, CN=sales ca, [email protected]"
>   revoked: 1 certificate
>   updates: this Feb 23 13:31:38 2010
>            next Feb 21 13:31:38 2020, ok
>
>   issuer:  "C=de, ST=state, L=city, O=company, OU=develop, CN=develop ca, [email protected]"
>   revoked: 0 certificates
>   updates: this Jan 22 14:53:53 2010
>            next Jan 20 14:53:53 2020, ok
>
> log on gateway side (ikev2):
> s_local@(none) charon: 11[CFG] selected peer config '1'
> s_local@(none) charon: 11[CFG] using certificate "C=de, ST=state, O=company, OU=sales, CN=cert 2, [email protected]"
> s_local@(none) charon: 11[CFG] using trusted ca certificate "C=de, ST=state, L=city, O=company, OU=sales, CN=sales ca, [email protected]"
> s_local@(none) charon: 11[CFG] checking certificate status of "C=de, ST=state, O=company, OU=sales, CN=cert 2, [email protected]"
> s_local@(none) charon: 11[CFG] certificate status is not available
> s_local@(none) charon: 11[CFG] reached self-signed root ca with a path length of 0
> s_local@(none) charon: 11[IKE] authentication of 'C=de, ST=state, O=company, OU=sales, CN=cert 2, [email protected]' with RSA signature successful
>
> log on gateway side (ikev1):
> "1"[1] 192.168.150.136 #3: responding to Main Mode from unknown peer 192.168.150.136
> "1"[1] 192.168.150.136 #3: Peer ID is ID_DER_ASN1_DN: 'C=de, ST=state, O=company, OU=sales, CN=cert 2, [email protected]'
> "1"[1] 192.168.150.136 #3: certificate was revoked on Feb 23 13:30:46 UTC 2010, reason: unspecified
> "1"[1] 192.168.150.136 #3: X.509 certificate rejected
> "1"[1] 192.168.150.136 #3: no public key known for 'C=de, ST=state, O=company, OU=sales, CN=cert 2, [email protected]'
> "1"[1] 192.168.150.136 #3: sending encrypted notification INVALID_KEY_INFORMATION to 192.168.150.136:500

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
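As an added illustration that is not part of this thread or of strongSwan: the revocation decision pluto logged above, reproduced offline with openssl(1) against a constructed test PKI named after the thread's "sales" CA, so the three outcomes a gateway can reach (no usable CRL, CRL present with nothing revoked, CRL listing the certificate) can be compared with the two logs. All file names and certificates here are made up for the example.

```shell
#!/bin/sh
# Added example (not code from the thread): rerun the revocation check pluto
# logged, offline, with a throwaway PKI. Assumes a modern openssl(1) on PATH.

# Build CA, end-entity cert and a minimal 'openssl ca' config in directory $1.
make_test_pki() ( set -e; mkdir -p "$1"; cd "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/C=de/O=company/OU=sales/CN=sales ca" -keyout ca.key -out ca.pem 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=de/O=company/OU=sales/CN=cert 2" -keyout ee.key -out ee.csr 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in ee.csr -CA ca.pem -CAkey ca.key \
        -CAcreateserial -out ee.pem 2>/dev/null
    printf '%s\n' '[ca]' 'default_ca = sales' '[sales]' 'database = index.txt' \
        'new_certs_dir = .' 'serial = serial' 'crlnumber = crlnumber' 'default_md = sha256' \
        'default_crl_days = 30' 'certificate = ca.pem' 'private_key = ca.key' > ca.cnf
    : > index.txt; echo 01 > crlnumber; echo 01 > serial
)
# Issue a CRL for the CA in $1; it lists whatever index.txt marks as revoked.
gen_crl() { ( cd "$1" && openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null ); }
# Revoke the end-entity cert (the sales CA's step in the thread) and reissue the CRL.
revoke_ee() { ( cd "$1" && openssl ca -config ca.cnf -revoke ee.pem >/dev/null 2>&1 ) && gen_crl "$1"; }

# Decide like a gateway would: print good, revoked or unknown for cert $1 chained
# to CA $2, consulting CRL $3 if given (no CRL for the issuer = status unknown).
crl_status() {
    cert=$1; ca=$2; crl=${3:-}
    if [ -n "$crl" ]; then set -- -CRLfile "$crl"; else set --; fi
    if out=$(openssl verify -crl_check "$@" -CAfile "$ca" "$cert" 2>&1); then
        echo good; return 0
    fi
    case $out in
        *'certificate revoked'*)           echo revoked ;;
        *'unable to get certificate CRL'*) echo unknown ;;
        *) echo "error: $out"; return 1 ;;
    esac
}

# Walk through the three states; returns "unknown good revoked".
demo() {
    dir=$(mktemp -d)
    make_test_pki "$dir" && gen_crl "$dir"
    s1=$(crl_status "$dir/ee.pem" "$dir/ca.pem")                 # no CRL available
    s2=$(crl_status "$dir/ee.pem" "$dir/ca.pem" "$dir/crl.pem")  # CRL present, nothing revoked
    revoke_ee "$dir"
    s3=$(crl_status "$dir/ee.pem" "$dir/ca.pem" "$dir/crl.pem")  # CRL now lists ee.pem
    rm -rf "$dir"
    echo "$s1 $s2 $s3"
}
```

The first state is the one charon reported as "certificate status is not available" and then accepted, while the third is the one pluto reported as "certificate was revoked"; a gateway that treats the first state like the third fails closed.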
