Hi,

I'll post the ipsec.conf files of the gateway and client again because
I created some new certificates. The gateway uses the certificate cert1.pem
with key cert1key.pem and has the CA certificates develop_cert.pem and
sales_cert.pem, together with the CRLs develop_crl.pem and sales_crl.pem.
The client uses the revoked cert2.pem with key cert2key.pem, cert1.pem
(as rightcert) and has the same CA certificates (but an outdated CRL of
the 'sales CA' sales_crl_old.pem).
The CA certificates and CRLs are stored in the corresponding /etc/ipsec.d/
directories, while the end entity certificates and keys are stored
outside of the /etc/ipsec.d/ directories and referenced with absolute
pathnames in the ipsec.conf and ipsec.secrets files.

Best regards,
   Markus


gateway ipsec.conf:
conn 1
        left=192.168.150.135
        leftsubnet=172.16.121.0/24
        right=%any
        authby=rsasig
        leftcert=/path_to/cert1.pem
        leftid="C=de, ST=state, O=company, OU=develop, CN=cert 1 develop, [email protected]"
        rightid=%any
        dpdaction=hold
        dpddelay=15s
        ike=aes256-sha2_512-modp8192,aes256-sha2_512-modp4096!
        esp=aes256-sha2_256!
        keyexchange=ikev2
        ikelifetime=3600s
        keyingtries=%forever
        keylife=300s
        rekey=yes
        rekeymargin=60s
        rekeyfuzz=50%
        reauth=yes
        auto=add
        leftsendcert=ifasked

client ipsec.conf:
conn 1
        left=192.168.150.136
        right=192.168.150.135
        rightsubnet=172.16.121.0/24
        authby=rsasig
        leftcert=/path_to/cert2.pem
        leftid="C=de, ST=state, O=company, OU=sales, CN=cert 2 sales, [email protected]"
        rightcert=/path_to/cert1.pem
        rightid="C=de, ST=state, O=company, OU=develop, CN=cert 1 develop, [email protected]"
        dpdaction=hold
        dpddelay=15s
        ike=aes256-sha2_512-modp8192,aes256-sha2_512-modp4096!
        esp=aes128-sha2_256,aes256-sha2_256!
        keyexchange=ikev2
        ikelifetime=3600s
        keyingtries=%forever
        keylife=300s
        rekey=yes
        rekeymargin=60s
        rekeyfuzz=50%
        reauth=yes
        auto=add
        leftsendcert=ifasked


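Before looking at strongSwan's behaviour, it is worth confirming with plain openssl what the CRLs actually say about the two end-entity certificates. The script below is an added example, not part of the thread and not strongSwan code: it generates a throwaway two-CA PKI that mirrors the layout described above (a "develop" CA issuing cert1, a "sales" CA issuing cert2, an outdated sales CRL taken before cert2 is revoked and a current one taken after), then runs `openssl verify -crl_check` against each combination. The CA and certificate names are assumptions chosen to match the thread; every key, certificate and CRL is generated by the script itself in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the strongSwan thread): build a two-CA PKI that mirrors
# the described layout and check the end-entity certs against the CRLs.
# develop/sales/cert1/cert2/crl_old are assumed names; all material is generated here.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# mk_ca NAME: self-signed CA plus the database files "openssl ca" needs.
mk_ca() {
  name=$1
  mkdir -p "$name/newcerts"
  : > "$name/index.txt"
  echo 01 > "$name/serial"
  echo 01 > "$name/crlnumber"
  cat > "$name/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ ca ]
default_ca = this_ca
[ this_ca ]
dir = $WORK/$name
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/ca.pem
private_key = \$dir/ca.key
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
x509_extensions = ee_ext
[ policy_any ]
organizationalUnitName = optional
commonName = supplied
[ ee_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
EOF
  openssl req -config "$name/ca.cnf" -x509 -new -newkey rsa:2048 -nodes -sha256 \
    -days 365 -subj "/OU=$name/CN=$name CA" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" \
    -keyout "$name/ca.key" -out "$name/ca.pem" 2>/dev/null
}

# issue CA SUBJECT BASENAME: CSR plus end-entity cert signed by CA, recorded in its DB
# so that the CA can later revoke it.
issue() {
  openssl req -config "$1/ca.cnf" -new -newkey rsa:2048 -nodes -sha256 \
    -subj "$2" -keyout "$3.key" -out "$3.csr" 2>/dev/null
  openssl ca -batch -config "$1/ca.cnf" -notext -in "$3.csr" -out "$3.pem" 2>/dev/null
}

# cert_status CERT CAFILE CRLFILE: prints ok, revoked or invalid, based on
# "openssl verify -crl_check" (chain to CAFILE, leaf checked against CRLFILE).
cert_status() {
  out=$(openssl verify -crl_check -CAfile "$2" -CRLfile "$3" "$1" 2>&1) || true
  case $out in
    *": OK"*)                echo ok ;;
    *"certificate revoked"*) echo revoked ;;
    *)                       echo invalid ;;
  esac
}

mk_ca develop
mk_ca sales
issue develop "/OU=develop/CN=cert 1 develop" cert1
issue sales   "/OU=sales/CN=cert 2 sales"     cert2

openssl ca -config develop/ca.cnf -gencrl -out develop/crl.pem 2>/dev/null
openssl ca -config sales/ca.cnf -gencrl -out sales/crl_old.pem 2>/dev/null  # before revocation
openssl ca -config sales/ca.cnf -revoke cert2.pem 2>/dev/null
openssl ca -config sales/ca.cnf -gencrl -out sales/crl.pem 2>/dev/null      # after revocation

echo "cert1 vs develop CA + develop CRL:  $(cert_status cert1.pem develop/ca.pem develop/crl.pem)"
echo "cert2 vs sales CA + outdated CRL:   $(cert_status cert2.pem sales/ca.pem sales/crl_old.pem)"
echo "cert2 vs sales CA + current CRL:    $(cert_status cert2.pem sales/ca.pem sales/crl.pem)"
echo "cert2 vs develop CA (wrong issuer): $(cert_status cert2.pem develop/ca.pem develop/crl.pem)"
# Show the revoked serial as recorded in the current sales CRL.
openssl crl -in sales/crl.pem -noout -text | grep -A1 'Revoked Certificates' || true
```

The same check on the real gateway is `openssl verify -crl_check -CAfile /etc/ipsec.d/cacerts/sales_cert.pem -CRLfile /etc/ipsec.d/crls/sales_crl.pem cert2.pem`; if that reports "certificate revoked" while the client's sales_crl_old.pem reports OK, the two sides simply disagree about revocation, and `ipsec listcrls` (together with `ipsec listcacerts`) shows which CRLs and CA certificates strongSwan has actually loaded from those directories.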

Hello Markus,

could you send me the sales end entity and ca certificates as well
as the CRL?

Regards

Andreas


_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
