Hello,

Did you try using "ipsec stroke rereadcrls"?

Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 26.05.2015 at 12:39, Sajal Malhotra wrote:
> Dear Strongswan team,
>
> We are facing a similar problem as reported by Shobhit here.
> 1. We had a CRL, say "abc.pem", that was present in /etc/ipsec.d/crls. This was
> loaded correctly by the Strongswan stack.
> 2. However, before the NextUpdate time expired, we got an updated CRL with the
> certificate of the peer revoked in it.
> 3. Placed this updated CRL with the same name "abc.pem" in the same directory
> /etc/ipsec.d/crls and then executed "ipsec rereadcrls".
>
> However, it is noticed that Strongswan does not load this CRL immediately. It
> only does that after the NextUpdate time of the old CRL has expired.
> Is there any way to force strongswan to reload the CRL file with the same name
> but updated contents?
>
> I mean it could very well be possible that a CA issues a new CRL before its
> NextUpdate time, and then different nodes should be able to take this CRL into
> use. Isn't it?
>
> BR
> Sajal
>
> On Mon, Jan 27, 2014 at 8:10 PM, shobhit shingla <[email protected]> wrote:
> > Hi,
> >
> > Here is the scenario
> >
> > IPSEC CRL is present in /etc/ipsec.d/crls for the revoked certificate of the
> > other side.
> > IPSEC tunnel is not established since the certificate is revoked.
> >
> > Now remove the CRL file from /etc/ipsec.d/crls/ and run these commands
> >
> > ipsec purgecrls
> > ipsec rereadcrls
> >
> > Expected behaviour -
> > IPSEC CRL cache should be flushed after purgecrls
> >
> > Now when ipsec rereadcrls is invoked, as there are now no CRLs in
> > /etc/ipsec.d/crls, there should be no CRLs in ipsec and hence ipsec
> > listcrls should be empty.
> >
> > Also, the IPSEC tunnel should now get established without restarting ipsec.
> >
> > Actual behaviour
> > ipsec purgecrls command does not flush the CRL cache. This we have
> > verified using ipsec listcrls commands after flushing.
> >
> > ipsec tunnel is not established after the CRL is removed without a restart.
> >
> > Thanks and regards,
> > Shobhit
> >
> > _______________________________________________
> > Users mailing list
> > [email protected]
> > https://lists.strongswan.org/mailman/listinfo/users
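The situation in the thread (a CRL file replaced in place before its NextUpdate, then `ipsec rereadcrls`) is easier to reason about if you first confirm that the replacement really supersedes the file strongSwan already loaded. The following shell script is an added example; it is not part of the list thread or of the strongSwan project. It uses `openssl` to build a throwaway CA, issue a peer certificate and produce two CRLs (one before and one after revoking the peer), then shows the three checks worth running on a replacement CRL before copying it over the old file and calling `ipsec rereadcrls`: same issuer, strictly higher CRL Number, and the peer serial actually listed. The CA layout, file names (`old.crl`, `new.crl`, `peer.crt`) and the `crl_number`, `crl_is_newer` and `crl_revokes` helper names are this example's own choices, and it assumes `openssl` is on PATH.

```shell
#!/bin/sh
# Added example (not from the strongSwan list thread or project): build a
# throwaway CA, emit old.crl (peer valid) and new.crl (peer revoked, higher
# CRL Number), and check a replacement CRL before "ipsec rereadcrls".
set -eu
command -v openssl >/dev/null || { echo "openssl is required" >&2; exit 1; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
mkdir -p ca/newcerts
: > ca/index.txt
echo 1000 > ca/serial       # first issued certificate serial: 0x1000
echo 01   > ca/crlnumber    # first CRL Number: 1; "openssl ca -gencrl" increments it

cat > ca/openssl.cnf <<'EOF'
[ ca ]
default_ca         = demo
[ demo ]
dir                = ./ca
database           = $dir/index.txt
new_certs_dir      = $dir/newcerts
serial             = $dir/serial
crlnumber          = $dir/crlnumber
certificate        = $dir/ca.crt
private_key        = $dir/ca.key
default_md         = sha256
default_days       = 365
default_crl_days   = 30
policy             = any
[ any ]
commonName         = supplied
[ req ]
distinguished_name = dn
[ dn ]
EOF

gen() { "$@" >/dev/null 2>&1; }   # silence openssl chatter; set -e still aborts on failure
gen openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj /CN=demo-ca \
    -config ca/openssl.cnf -keyout ca/ca.key -out ca/ca.crt
gen openssl req -newkey rsa:2048 -nodes -subj /CN=peer \
    -config ca/openssl.cnf -keyout peer.key -out peer.csr
gen openssl ca -batch -config ca/openssl.cnf -notext -in peer.csr -out peer.crt
gen openssl ca -batch -config ca/openssl.cnf -gencrl -out old.crl   # CRL Number 1, nothing revoked
gen openssl ca -batch -config ca/openssl.cnf -revoke peer.crt
gen openssl ca -batch -config ca/openssl.cnf -gencrl -out new.crl   # CRL Number 2, peer revoked

# Decimal X509v3 CRL Number of a PEM CRL. openssl prints it in hex, with or
# without a 0x prefix depending on the version, so normalise before converting.
crl_number() {
    hex=$(openssl crl -in "$1" -noout -crlnumber | sed -n 's/^crlNumber=\(0x\)\{0,1\}//p')
    printf '%d\n' "0x$hex"
}

# True if $2 supersedes $1: same issuer DN and a strictly higher CRL Number.
# A CA that reissues under an unchanged CRL Number is invisible to this test;
# compare "openssl crl -lastupdate" as well if your CA can do that.
crl_is_newer() {
    [ "$(openssl crl -in "$1" -noout -issuer)" = "$(openssl crl -in "$2" -noout -issuer)" ] || return 1
    [ "$(crl_number "$2")" -gt "$(crl_number "$1")" ]
}

# True if CRL $1 lists the serial of certificate $2 as revoked.
crl_revokes() {
    serial=$(openssl x509 -in "$2" -noout -serial | sed 's/^serial=//')
    openssl crl -in "$1" -noout -text | grep -qi "Serial Number: $serial"
}

if crl_is_newer old.crl new.crl && crl_revokes new.crl peer.crt; then
    echo "new.crl (CRL Number $(crl_number new.crl)) supersedes old.crl (CRL Number $(crl_number old.crl)) and revokes peer.crt"
    echo "install it over the file strongSwan loaded, then run: ipsec rereadcrls, and compare with: ipsec listcrls"
else
    echo "new.crl is not a usable replacement for old.crl" >&2
fi
```

Run it against your real files by pointing `crl_is_newer` at the CRL currently in /etc/ipsec.d/crls and the candidate, and `crl_revokes` at the candidate and the peer's certificate; if either check fails, the reload behaviour described in the thread is not the first thing to suspect.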
