Hello,

First, I use strongSwan v4.5.2 on my CentOS 5.5. When the ipsec daemon starts, I found that /etc/ipsec.d/crls/crl.pem is loaded successfully:

Jul 23 03:06:20 lag3 pluto[30328]: loading aa certificates from '/etc/ipsec.d/aacerts'
Jul 23 03:06:20 lag3 pluto[30328]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
Jul 23 03:06:20 lag3 pluto[30328]: Changing to directory '/etc/ipsec.d/crls'
Jul 23 03:06:20 lag3 pluto[30328]: loaded crl from 'crl.der'
Jul 23 03:06:20 lag3 pluto[30328]: loading attribute certificates from '/etc/ipsec.d/acerts'
Jul 23 03:06:20 lag3 pluto[30328]: spawning 4 worker threads
Jul 23 03:06:20 lag3 ipsec_starter[30327]: pluto (30328) started after 20 ms

And:

Jul 23 03:06:20 lag3 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jul 23 03:06:20 lag3 charon: 00[CFG] loaded ca certificate "C=US, ST=CO, L=Denver, O=igvpn.com, CN=igvpn.com CA, [email protected]" from '/etc/ipsec.d/cacerts/ca.crt'
Jul 23 03:06:20 lag3 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jul 23 03:06:20 lag3 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jul 23 03:06:20 lag3 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jul 23 03:06:20 lag3 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jul 23 03:06:20 lag3 charon: 00[CFG] loaded crl from '/etc/ipsec.d/crls/crl.der'
Jul 23 03:06:20 lag3 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'

Actually, I have 30 certificates revoked in my CRLs.

# ipsec listcrls
000
000 List of X.509 CRLs:
000
000 issuer:  "C=US, ST=CO, L=Denver, O=igvpn.com, CN=igvpn.com CA, [email protected]"
000 revoked: 30 certificates
000 distPts: 'file:///etc/ipsec.d/crls/crl.der'
000 updates: this Jul 21 00:31:08 2011
000          next Aug 20 00:31:08 2011
ok

List of X.509 CRLs:
  issuer:  "C=US, ST=CO, L=Denver, O=igvpn.com, CN=igvpn.com CA, [email protected]"
  revoked: 30 certificates
  updates: this Jul 21 00:31:08 2011
           next Aug 20 00:31:08 2011
ok

I use one of the revoked certificates to connect to my strongSwan server. The IKEv1 daemon pluto correctly rejects this cert:

Jul 23 12:16:23 lag3 pluto[4778]: packet from 218.249.58.137:1117: size (1160) differs from size specified in ISAKMP HDR (1144)
Jul 23 12:16:23 lag3 pluto[4778]: packet from 218.249.58.137:1117: Cisco VPN client appends 16 surplus NULL bytes
Jul 23 12:16:23 lag3 pluto[4778]: packet from 218.249.58.137:1117: received Vendor ID payload [XAUTH]
Jul 23 12:16:23 lag3 pluto[4778]: packet from 218.249.58.137:1117: received Vendor ID payload [Dead Peer Detection]
Jul 23 12:16:23 lag3 pluto[4778]: packet from 218.249.58.137:1117: ignoring Vendor ID payload [FRAGMENTATION 80000000]
Jul 23 12:16:23 lag3 pluto[4778]: packet from 218.249.58.137:1117: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jul 23 12:16:23 lag3 pluto[4778]: packet from 218.249.58.137:1117: ignoring Vendor ID payload [Cisco-Unity]
Jul 23 12:16:23 lag3 pluto[4778]: "RW_IKEv1_RSA_XAUTH"[11] 218.249.58.137:1117 #21: responding to Main Mode from unknown peer 218.249.58.137:1117
Jul 23 12:16:23 lag3 pluto[4778]: "RW_IKEv1_RSA_XAUTH"[11] 218.249.58.137:1117 #21: peer requested 2147483 seconds which exceeds our limit 86400 seconds
Jul 23 12:16:23 lag3 pluto[4778]: "RW_IKEv1_RSA_XAUTH"[11] 218.249.58.137:1117 #21: lifetime reduced to 86400 seconds (todo: IPSEC_RESPONDER_LIFETIME notification)
Jul 23 12:16:23 lag3 pluto[4778]: packet from 218.249.58.137:1117: size (352) differs from size specified in ISAKMP HDR (336)
Jul 23 12:16:23 lag3 pluto[4778]: packet from 218.249.58.137:1117: Cisco VPN client appends 16 surplus NULL bytes
Jul 23 12:16:23 lag3 pluto[4778]: "RW_IKEv1_RSA_XAUTH"[11] 218.249.58.137:1117 #21: ignoring Vendor ID payload [b86d2f5e92fd6cffdb3255aa8b2cc015]
Jul 23 12:16:23 lag3 pluto[4778]: "RW_IKEv1_RSA_XAUTH"[11] 218.249.58.137:1117 #21: ignoring Vendor ID payload [Cisco-Unity]
Jul 23 12:16:23 lag3 pluto[4778]: "RW_IKEv1_RSA_XAUTH"[11] 218.249.58.137:1117 #21: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Jul 23 12:16:23 lag3 pluto[4778]: "RW_IKEv1_RSA_XAUTH"[11] 218.249.58.137:1117 #21: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Jul 23 12:16:23 lag3 pluto[4778]: | protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-T
Jul 23 12:16:23 lag3 pluto[4778]: "RW_IKEv1_RSA_XAUTH"[11] 218.249.58.137:1117 #21: Peer ID is ID_DER_ASN1_DN: 'C=US, ST=CO, L=Denver, O=igvpn.com, CN=ccfer.igvpn.com, [email protected]'
Jul 23 12:16:23 lag3 pluto[4778]: "RW_IKEv1_RSA_XAUTH"[11] 218.249.58.137:1117 #21: certificate was revoked on Jul 20 16:29:25 UTC 2011, reason: unspecified
Jul 23 12:16:23 lag3 pluto[4778]: "RW_IKEv1_RSA_XAUTH"[11] 218.249.58.137:1117 #21: X.509 certificate rejected
Jul 23 12:16:23 lag3 pluto[4778]: "RW_IKEv1_RSA_XAUTH"[11] 218.249.58.137:1117 #21: no public key known for 'C=US, ST=CO, L=Denver, O=igvpn.com, CN=ccfer.igvpn.com, [email protected]'
Jul 23 12:16:23 lag3 pluto[4778]: "RW_IKEv1_RSA_XAUTH"[11] 218.249.58.137:1117 #21: sending encrypted notification INVALID_KEY_INFORMATION to 218.249.58.137:1117

-------------------------

But the charon daemon still accepts the cert:

Jul 23 12:25:42 lag3 charon: 08[IKE] 117.136.0.52 is initiating an IKE_SA
Jul 23 12:25:42 lag3 charon: 08[IKE] remote host is behind NAT
Jul 23 12:25:42 lag3 charon: 08[IKE] sending cert request for "C=US, ST=CO, L=Denver, O=igvpn.com, CN=igvpn.com CA, [email protected]"
Jul 23 12:25:42 lag3 charon: 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Jul 23 12:25:42 lag3 charon: 08[NET] sending packet: from 199.119.201.165[500] to 117.136.0.52[46643]
Jul 23 12:25:43 lag3 charon: 10[NET] received packet: from 117.136.0.52[46644] to 199.119.201.165[4500]
Jul 23 12:25:43 lag3 charon: 10[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ AUTH CP(ADDR DNS) SA TSi TSr ]
Jul 23 12:25:43 lag3 charon: 10[IKE] received cert request for "C=US, ST=CO, L=Denver, O=igvpn.com, CN=igvpn.com CA, [email protected]"
Jul 23 12:25:43 lag3 charon: 10[IKE] received end entity cert "C=US, ST=CO, L=Denver, O=igvpn.com, CN=ccfer.igvpn.com, [email protected]"
Jul 23 12:25:43 lag3 charon: 10[CFG] looking for peer configs matching 199.119.201.165[%any]...117.136.0.52[C=US, ST=CO, L=Denver, O=igvpn.com, CN=ccfer.igvpn.com, [email protected]]
Jul 23 12:25:43 lag3 charon: 10[CFG] selected peer config 'RW_IKEv2_RSA'
Jul 23 12:25:43 lag3 charon: 10[CFG] using certificate "C=US, ST=CO, L=Denver, O=igvpn.com, CN=ccfer.igvpn.com, [email protected]"
Jul 23 12:25:43 lag3 charon: 10[CFG] using trusted ca certificate "C=US, ST=CO, L=Denver, O=igvpn.com, CN=igvpn.com CA, [email protected]"
Jul 23 12:25:43 lag3 charon: 10[CFG] checking certificate status of "C=US, ST=CO, L=Denver, O=igvpn.com, CN=ccfer.igvpn.com, [email protected]"
Jul 23 12:25:43 lag3 charon: 10[CFG] certificate status is not available
Jul 23 12:25:43 lag3 charon: 10[CFG] reached self-signed root ca with a path length of 0
Jul 23 12:25:43 lag3 charon: 10[IKE] authentication of 'C=US, ST=CO, L=Denver, O=igvpn.com, CN=ccfer.igvpn.com, [email protected]' with RSA signature successful
Jul 23 12:25:43 lag3 charon: 10[IKE] authentication of 'lag3.igvpn.com' (myself) with RSA signature successful
Jul 23 12:25:43 lag3 charon: 10[IKE] IKE_SA RW_IKEv2_RSA[3] established between 199.119.201.165[lag3.igvpn.com]...117.136.0.52[C=US, ST=CO, L=Denver, O=igvpn.com, CN=ccfer.igvpn.com, [email protected]]
Jul 23 12:25:43 lag3 charon: 10[IKE] scheduling reauthentication in 10207s
Jul 23 12:25:43 lag3 charon: 10[IKE] maximum IKE_SA lifetime 10747s
Jul 23 12:25:43 lag3 charon: 10[IKE] sending end entity cert "C=US, ST=CO, L=Denver, O=igvpn.com, CN=lag3.igvpn.com, [email protected]"
Jul 23 12:25:43 lag3 charon: 10[IKE] peer requested virtual IP %any
Jul 23 12:25:43 lag3 charon: 10[CFG] reassigning offline lease to 'C=US, ST=CO, L=Denver, O=igvpn.com, CN=ccfer.igvpn.com, [email protected]'
Jul 23 12:25:43 lag3 charon: 10[IKE] assigning virtual IP 10.0.6.3 to peer 'C=US, ST=CO, L=Denver, O=igvpn.com, CN=ccfer.igvpn.com, [email protected]'
Jul 23 12:25:43 lag3 charon: 10[IKE] CHILD_SA RW_IKEv2_RSA{3} established with SPIs c0c373b1_i 1228f27d_o and TS 0.0.0.0/0 === 10.0.6.3/32
Jul 23 12:25:43 lag3 vpn: + C=US, ST=CO, L=Denver, O=igvpn.com, CN=ccfer.igvpn.com, [email protected] 10.0.6.3/32 == 117.136.0.52 -- 199.119.201.165 == 0.0.0.0/0
Jul 23 12:25:43 lag3 charon: 10[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CP(ADDR DNS NBNS DNS NBNS) SA TSi TSr N(AUTH_LFT) ]
Jul 23 12:25:43 lag3 charon: 10[NET] sending packet: from 199.119.201.165[4500] to 117.136.0.52[46644]
Jul 23 12:25:52 lag3 charon: 11[NET] received packet: from 117.136.0.52[46644] to 199.119.201.165[4500]

My original ipsec.conf:

config setup
    plutostart=yes
    #plutodebug=control
    #plutodebug=all
    uniqueids=yes
    nat_traversal=yes
    charonstart=yes
    strictcrlpolicy=no
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!172.19.32.0/24

When I change ipsec.conf to this:

config setup
    plutostart=yes
    #plutodebug=control
    #plutodebug=all
    uniqueids=yes
    nat_traversal=yes
    charonstart=yes
    crlcheckinterval=600s
    strictcrlpolicy=yes
    charondebug="ike control"
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!172.19.32.0/24

ca IGVPN
    cacert=ca.crt
    crluri="http://www.igvpn.com:8000/crl/crl.der"
    auto=add

and restart the ipsec daemon, then use the revoked cert to connect to strongSwan using IKEv2, I found something different in the charon log:

------------------------

Jul 23 12:41:26 lag3 charon: 08[IKE] 117.136.0.7 is initiating an IKE_SA
Jul 23 12:41:26 lag3 charon: 08[IKE] remote host is behind NAT
Jul 23 12:41:26 lag3 charon: 08[IKE] sending cert request for "C=US, ST=CO, L=Denver, O=igvpn.com, CN=igvpn.com CA, [email protected]"
Jul 23 12:41:26 lag3 charon: 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Jul 23 12:41:26 lag3 charon: 08[NET] sending packet: from 199.119.201.165[500] to 117.136.0.7[41191]
Jul 23 12:41:28 lag3 charon: 03[NET] received packet: from 117.136.0.7[29600] to 199.119.201.165[4500]
Jul 23 12:41:28 lag3 charon: 03[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ AUTH CP(ADDR DNS) SA TSi TSr ]
Jul 23 12:41:28 lag3 charon: 03[IKE] received cert request for "C=US, ST=CO, L=Denver, O=igvpn.com, CN=igvpn.com CA, [email protected]"
Jul 23 12:41:28 lag3 charon: 03[IKE] received end entity cert "C=US, ST=CO, L=Denver, O=igvpn.com, CN=ccfer.igvpn.com, [email protected]"
Jul 23 12:41:28 lag3 charon: 03[CFG] looking for peer configs matching 199.119.201.165[%any]...117.136.0.7[C=US, ST=CO, L=Denver, O=igvpn.com, CN=ccfer.igvpn.com, [email protected]]
Jul 23 12:41:28 lag3 charon: 03[CFG] selected peer config 'RW_IKEv2_RSA'
Jul 23 12:41:28 lag3 charon: 03[CFG] using certificate "C=US, ST=CO, L=Denver, O=igvpn.com, CN=ccfer.igvpn.com, [email protected]"
Jul 23 12:41:28 lag3 charon: 03[CFG] using trusted ca certificate "C=US, ST=CO, L=Denver, O=igvpn.com, CN=igvpn.com CA, [email protected]"
Jul 23 12:41:28 lag3 charon: 03[CFG] checking certificate status of "C=US, ST=CO, L=Denver, O=igvpn.com, CN=ccfer.igvpn.com, [email protected]"
Jul 23 12:41:28 lag3 charon: 03[CFG] fetching crl from 'http://www.igvpn.com:8000/crl/crl.der' ...
Jul 23 12:41:28 lag3 charon: 03[CFG] issuer of fetched CRL 'C=US, ST=CO, L=Denver, O=igvpn.com, CN=igvpn.com CA, [email protected]' does not match CRL issuer '9b:00:ad:ef:3d:af:74:3b:72:6e:28:33:f5:33:4a:6a:e8:77:2e:bb'
Jul 23 12:41:28 lag3 charon: 03[CFG] certificate status is not available
Jul 23 12:41:28 lag3 charon: 03[CFG] reached self-signed root ca with a path length of 0
Jul 23 12:41:28 lag3 charon: 03[IKE] authentication of 'C=US, ST=CO, L=Denver, O=igvpn.com, CN=ccfer.igvpn.com, [email protected]' with RSA signature successful
Jul 23 12:41:28 lag3 charon: 03[CFG] constraint check failed: RULE_OCSP_VALIDATION is FAILED, but requires at least GOOD
Jul 23 12:41:28 lag3 charon: 03[CFG] selected peer config 'RW_IKEv2_RSA' inacceptable
Jul 23 12:41:28 lag3 charon: 03[CFG] switching to peer config 'RW_IKEv2_MSEAPV2'
Jul 23 12:41:28 lag3 charon: 03[CFG] constraint requires EAP authentication, but public key was used
Jul 23 12:41:28 lag3 charon: 03[CFG] selected peer config 'RW_IKEv2_MSEAPV2' inacceptable
Jul 23 12:41:28 lag3 charon: 03[CFG] switching to peer config 'RW_IKEv1_RSA'
Jul 23 12:41:28 lag3 charon: 03[CFG] constraint check failed: RULE_OCSP_VALIDATION is FAILED, but requires at least GOOD
Jul 23 12:41:28 lag3 charon: 03[CFG] selected peer config 'RW_IKEv1_RSA' inacceptable
Jul 23 12:41:28 lag3 charon: 03[CFG] switching to peer config 'RW_IKEv1_PSK_XAUTH'
Jul 23 12:41:28 lag3 charon: 03[CFG] constraint check failed: RULE_OCSP_VALIDATION is FAILED, but requires at least GOOD
Jul 23 12:41:28 lag3 charon: 03[CFG] selected peer config 'RW_IKEv1_PSK_XAUTH' inacceptable
Jul 23 12:41:28 lag3 charon: 03[CFG] switching to peer config 'RW_IKEv1_RSA_XAUTH'
Jul 23 12:41:28 lag3 charon: 03[CFG] constraint check failed: RULE_OCSP_VALIDATION is FAILED, but requires at least GOOD
Jul 23 12:41:28 lag3 charon: 03[CFG] selected peer config 'RW_IKEv1_RSA_XAUTH' inacceptable
Jul 23 12:41:28 lag3 charon: 03[CFG] switching to peer config 'RW_IKEv1_L2TP_PSK'
Jul 23 12:41:28 lag3 charon: 03[CFG] constraint check failed: RULE_OCSP_VALIDATION is FAILED, but requires at least GOOD
Jul 23 12:41:28 lag3 charon: 03[CFG] selected peer config 'RW_IKEv1_L2TP_PSK' inacceptable
Jul 23 12:41:28 lag3 charon: 03[CFG] no alternative config found
Jul 23 12:41:28 lag3 charon: 03[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jul 23 12:41:28 lag3 charon: 03[NET] sending packet: from 199.119.201.165[4500] to 117.136.0.7[29600]

Please help.
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
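The script below is an added example, not part of this post and not strongSwan's own tooling. It assumes only the openssl command-line tool; the CA name "Demo CA", the *.example.test hostnames and the temporary directory are constructed for the demo. It builds a throwaway CA, issues two certificates, revokes one, writes the CRL as PEM and as DER, and then runs three checks that are worth running against a real /etc/ipsec.d/cacerts/ca.crt and /etc/ipsec.d/crls/crl.der before expecting a daemon to honour the CRL: the CRL's issuer DN against the CA's subject DN, the CRL's authorityKeyIdentifier against the CA's subjectKeyIdentifier (the charon log above names the CRL issuer it expects by key ID, not by DN), and a full chain validation with CRL checking for a good and for a revoked certificate.

```shell
# Added example (not from the thread, not from strongSwan): throwaway PKI plus
# the checks an admin would run on a CRL. Assumes the openssl CLI is installed.
# "Demo CA" and the *.example.test names are constructed for this demo.
set -e
PKI=$(mktemp -d)
CNF="$PKI/openssl.cnf"

# Minimal openssl.cnf. crl_ext adds an authorityKeyIdentifier to the CRL, the
# extension that lets a verifier match a CRL to its CA by key ID.
cat > "$CNF" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $PKI/index.txt
serial = $PKI/serial
new_certs_dir = $PKI
certificate = $PKI/ca.crt
private_key = $PKI/ca.key
default_md = sha256
default_days = 30
default_crl_days = 30
policy = demo_policy
x509_extensions = v3_ee
crl_extensions = crl_ext
[ demo_policy ]
commonName = supplied
[ req ]
prompt = no
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_ee ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ crl_ext ]
authorityKeyIdentifier = keyid
EOF
touch "$PKI/index.txt"
echo 01 > "$PKI/serial"

# Root CA, then one good and one soon-to-be-revoked end-entity certificate.
openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config "$CNF" \
  -extensions v3_ca -subj "/CN=Demo CA" \
  -keyout "$PKI/ca.key" -out "$PKI/ca.crt" 2>/dev/null
issue_cert() {  # $1 = file basename, $2 = CN
  openssl req -new -newkey rsa:2048 -nodes -config "$CNF" -subj "/CN=$2" \
    -keyout "$PKI/$1.key" -out "$PKI/$1.csr" 2>/dev/null
  openssl ca -batch -notext -config "$CNF" -in "$PKI/$1.csr" \
    -out "$PKI/$1.crt" 2>/dev/null
}
issue_cert good good.example.test
issue_cert revoked revoked.example.test

# Revoke one and publish the CRL in both encodings (the thread's CRL is DER).
openssl ca -config "$CNF" -revoke "$PKI/revoked.crt" -crl_reason unspecified 2>/dev/null
openssl ca -config "$CNF" -gencrl -out "$PKI/crl.pem" 2>/dev/null
openssl crl -in "$PKI/crl.pem" -outform DER -out "$PKI/crl.der"

# Check 1: CRL issuer DN equals the CA subject DN (the pairing pluto prints).
crl_issuer_matches_ca() {  # $1 = CRL (DER), $2 = CA cert (PEM)
  issuer=$(openssl crl -inform DER -in "$1" -noout -issuer | sed 's/^issuer= *//')
  subject=$(openssl x509 -in "$2" -noout -subject | sed 's/^subject= *//')
  [ -n "$issuer" ] && [ "$issuer" = "$subject" ]
}

# Check 2: CRL authorityKeyIdentifier equals the CA subjectKeyIdentifier.
# Accepts both the "keyid:AB:CD" and the bare "AB:CD" text formats that
# different OpenSSL releases print.
key_id() {  # $1 = x509|crl, $2 = file, $3 = PEM|DER, $4 = Subject|Authority
  openssl "$1" -inform "$3" -in "$2" -noout -text \
    | grep -A1 "$4 Key Identifier" | tail -n 1 | tr -d ' ' | sed 's/^keyid://'
}
crl_akid_matches_ca_skid() {  # $1 = CRL (DER), $2 = CA cert (PEM)
  akid=$(key_id crl "$1" DER Authority)
  skid=$(key_id x509 "$2" PEM Subject)
  [ -n "$akid" ] && [ "$akid" = "$skid" ]
}

# Check 3: chain validation with CRL checking; prints good, revoked or unknown.
cert_status() {  # $1 = cert (PEM), $2 = CA cert (PEM), $3 = CRL (PEM)
  out=$(openssl verify -crl_check -CAfile "$2" -CRLfile "$3" "$1" 2>&1) || true
  case "$out" in
    *"certificate revoked"*) echo revoked ;;
    *": OK"*)                echo good ;;
    *)                       echo "unknown: $out" ;;
  esac
}

crl_issuer_matches_ca "$PKI/crl.der" "$PKI/ca.crt" && echo "CRL issuer DN matches CA subject"
crl_akid_matches_ca_skid "$PKI/crl.der" "$PKI/ca.crt" && echo "CRL AKID matches CA SKID"
echo "good.crt:    $(cert_status "$PKI/good.crt" "$PKI/ca.crt" "$PKI/crl.pem")"
echo "revoked.crt: $(cert_status "$PKI/revoked.crt" "$PKI/ca.crt" "$PKI/crl.pem")"
```

To use the same checks on a live box, point crl_issuer_matches_ca and crl_akid_matches_ca_skid at the deployed CRL and CA certificate, and cert_status at the end-entity certificate that was expected to be rejected; a CRL whose issuer DN matches but whose key identifier is missing or differs, or a CRL that openssl verify does not treat as revoking the certificate, narrows the problem to the CRL itself rather than to daemon configuration.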
