Thanks Martin. Below is the log excerpt and strongswan.conf

Jan 17 06:57:21 localhost charon: 02[LIB] libcurl http request failed: couldn't connect to host
Jan 17 06:57:21 localhost charon: 02[CFG] ocsp request to http://10.206.1.11:8880 failed
Jan 17 06:57:21 localhost charon: 02[CFG] requesting ocsp status from ' http://10.206.1.11:8880' ...
Jan 17 06:57:21 localhost charon: 02[LIB] sending http request to 'http://10.206.1.11:8880'...
Jan 17 06:57:31 localhost charon: 02[LIB] libcurl http request failed: couldn't connect to host
Jan 17 06:57:31 localhost charon: 02[CFG] ocsp request to http://10.206.1.11:8880 failed
Jan 17 06:57:31 localhost charon: 02[CFG] ocsp check failed, fallback to crl
Jan 17 06:57:31 localhost charon: 02[CFG] certificate status is not available
Jan 17 06:57:31 localhost charon: 02[CFG] certificate "C=in, ST=kar, L=bng, O=airvana, O=nsc, OU=net, CN=rootca" key: 1024 bit RSA
Jan 17 06:57:31 localhost charon: 02[CFG] reached self-signed root ca with a path length of 0
Jan 17 06:57:31 localhost charon: 02[LIB] signature verification:
Jan 17 06:57:31 localhost charon: 02[IKE] authentication of ' sriram.airvana.org' with RSA signature successful
Jan 17 06:57:31 localhost charon: 02[IKE] IKE_SA home[2] established between 10.206.1.10[arvind.airvana.org]...10.206.1.11[sriram.airvana.org]
Jan 17 06:57:31 localhost charon: 02[IKE] IKE_SA home[2] state change: CONNECTING => ESTABLISHED

cat /etc/strongswan.conf
# strongswan.conf - strongSwan configuration file
charon {
    load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 updown
}

Earlier httpd was not up in 10.206.1.11, I started the httpd service, still I get the same error.

Regards,
Sriram.

On Fri, Jan 17, 2014 at 2:52 PM, Martin Willi <[email protected]> wrote:

> Hi Sriram,
>
> > When I tested this, I saw peers exchanging AuthorityInfoAccess as part of
> > certificate data extensions. But I didn't any exchanges happening between
> > ocsp server and peer to confirm the validity of certificates.
>
> For OCSP support, you need both the revocation plugin and one of the
> fetcher plugins enabled. The curl plugin depends on libcurl and is
> usually the better choice, the soup plugin builds upon libsoup/glib.
>
> If you still see no OCSP requests, please provide an excerpt of your
> logfile.
>
> Regards
> Martin
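In the excerpt above the IKE_SA is established even though charon logged "certificate status is not available". The following is an added example, not part of the original message or of strongSwan: a small Python check that flags such SAs in a charon log. The function name and the grouping of lines by the numeric worker prefix (the "02" in "02[CFG]") are assumptions made for this illustration; the sample lines are copied from the excerpt.

```python
import re

# Sample input: lines copied from the log excerpt in the message above.
SAMPLE_LOG = """\
Jan 17 06:57:31 localhost charon: 02[LIB] libcurl http request failed: couldn't connect to host
Jan 17 06:57:31 localhost charon: 02[CFG] ocsp request to http://10.206.1.11:8880 failed
Jan 17 06:57:31 localhost charon: 02[CFG] ocsp check failed, fallback to crl
Jan 17 06:57:31 localhost charon: 02[CFG] certificate status is not available
Jan 17 06:57:31 localhost charon: 02[IKE] authentication of ' sriram.airvana.org' with RSA signature successful
Jan 17 06:57:31 localhost charon: 02[IKE] IKE_SA home[2] established between 10.206.1.10[arvind.airvana.org]...10.206.1.11[sriram.airvana.org]
"""

LINE = re.compile(r"charon: (?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$")
OCSP_FAIL = re.compile(r"ocsp request to (?P<url>\S+) failed")
ESTABLISHED = re.compile(r"IKE_SA (?P<name>\S+) established between (?P<peers>.+)$")


def find_unchecked_sas(log_text):
    """Return IKE_SAs established after 'certificate status is not available'.

    Assumption: all lines of one authentication carry the same numeric
    worker prefix, so state is tracked per prefix until the SA is established.
    """
    state = {}      # prefix -> {"urls": [...], "unavailable": bool}
    findings = []
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # not a charon line
        st = state.setdefault(m["thread"], {"urls": [], "unavailable": False})
        msg = m["msg"]
        if (f := OCSP_FAIL.search(msg)):
            if f["url"] not in st["urls"]:
                st["urls"].append(f["url"])      # responder that could not be reached
        elif "certificate status is not available" in msg:
            st["unavailable"] = True             # neither OCSP nor CRL gave a status
        elif (e := ESTABLISHED.search(msg)):
            if st["unavailable"]:
                findings.append({"sa": e["name"], "peers": e["peers"],
                                 "failed_ocsp": list(st["urls"])})
            state.pop(m["thread"])               # authentication finished, reset
    return findings


if __name__ == "__main__":
    for finding in find_unchecked_sas(SAMPLE_LOG):
        print("SA established without revocation status:", finding)
```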
