Hi Fabrice,

I don't know what your problem might be. In our KVM scenario running
strongswan 5.5.0 under Debian 8, the CRL is written to a file:

https://www.strongswan.org/testing/testresults/ikev2/crl-to-cache/

Best regards

Andreas

On 13.09.2016 14:15, Fabrice Barconnière wrote:
> Hello,
>
> I still have a problem with the CRL cache with strongSwan 5.3.5 and Ubuntu 16.04.
>
> Certificate status is checked with the CRL, as we can see in the log file.
> The ipsec listcrls command output gives:
>
> List of X.509 CRLs:
>
> issuer: "C=FR, O=Education Nationale, OU=0002 110043015, CN=AC EN
> Scolarite et Formation"
> serial: 09:43
> revoked: 13 certificates
> updates: this Sep 13 00:00:06 2016
> next Sep 20 00:00:06 2016, ok (expires in 6 days)
> authkey: cc:2e:37:0f:06:b2:b9:b5:e9:2d:ff:be:52:37:c6:1d:b4:b7:07:17
>
> But ll /etc/ipsec.d/crls/ gives:
> total 8
> drwxr-xr-x 2 root root 4096 avril 5 15:44 ./
> drwxr-xr-x 11 root root 4096 août 30 21:01 ../
>
> With Ubuntu 14.04 and strongSwan 5.1.2 (after apparmor profile correction)
>
> ll /etc/ipsec.d/crls/ gives:
> total 12
> drwxr-xr-x 2 root root 4096 sept. 13 09:18 ./
> drwxr-xr-x 11 root root 4096 sept. 10 01:04 ../
> -rw-r--r-- 1 root root 1307 sept. 13 09:18
> cc2e370f06b2b9b5e92dffbe5237c61db4b70717.crl
>
> What else can I check?
>
>
>
> On 09/09/2016 at 14:50, Fabrice Barconnière wrote:
>> Hi all,
>>
>> /etc/ipsec.d/crls directory is still empty after established connections.
>>
>> OS: Ubuntu 16.04
>> Version: 5.3.5-1ubuntu3
>>
>>
>> * ipsec.conf :
>>
>> config setup
>> uniqueids = yes
>> cachecrls = yes
>> strictcrlpolicy = no
>> ...
>> ...
>>
>>
>> * ipsec statusall :
>>
>> Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-36-generic,
>> x86_64):
>> uptime: 17 minutes, since Sep 09 14:13:12 2016
>> malloc: sbrk 5275648, mmap 532480, used 1125024, free 4150624
>> worker threads: 27 of 32 idle, 5/0/0/0 working, job queue: 0/0/0/0,
>> scheduled: 6
>> loaded plugins: charon test-vectors unbound ldap pkcs11 aes rc2 sha1
>> sha2 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1
>> pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem gcrypt af-alg
>> fips-prf gmp chapoly xcbc cmac hmac ctr ccm ntru bliss curl soup mysql
>> sqlite attr kernel-netlink resolve socket-default farp stroke updown
>> eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2
>> eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2
>> eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic
>> xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11
>> tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr
>> addrblock unity
>> Listening IP addresses:
>> 192.168.0.11
>> 172.30.101.11
>> Connections:
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1:
>> 192.168.0.11...192.168.0.31 IKEv1/2, dpddelay=120s
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1:
>> local: [C=FR, L=Dijon, O=Education Nationale, OU=0002 110043015,
>> CN=sphynx.ac-test.fr] uses public key authentication
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1:
>> cert: "C=FR, L=Dijon, O=Education Nationale, OU=0002 110043015,
>> CN=sphynx.ac-test.fr"
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1:
>> remote: [C=FR, L=Toulouse, O=Education Nationale, OU=ac-toulouse,
>> OU=0002 110043015, CN=0120101V-01-TEST.ac-toulouse.fr] uses public key
>> authentication
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1:
>> child: 172.30.101.0/24 === 10.1.1.0/24 TUNNEL, dpdaction=clear
>> Security Associations (1 up, 0 connecting):
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1[2]:
>> ESTABLISHED 10 minutes ago, 192.168.0.11[C=FR, L=Dijon, O=Education
>> Nationale, OU=0002 110043015, CN=sphynx.ac-test.fr]...192.168.0.31[C=FR,
>> L=Toulouse, O=Education Nationale, OU=ac-toulouse, OU=0002 110043015,
>> CN=0120101V-01-TEST.ac-toulouse.fr]
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1[2]:
>> IKEv2 SPIs: b858dddc617a4ac3_i d7697a226ce94911_r*, public key
>> reauthentication in 2 hours
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1[2]:
>> IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1{2}:
>> INSTALLED, TUNNEL, reqid 2, ESP SPIs: c84807a5_i c234d7e7_o
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1{2}:
>> AES_GCM_16_128, 336 bytes_i (4 pkts, 6s ago), 336 bytes_o (4 pkts, 6s
>> ago), rekeying in 32 minutes
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1{2}:
>> 172.30.101.0/24 === 10.1.1.0/24
>>
>>
>> * Logs :
>>
>> 2016-09-09T14:35:48.169931+02:00 sphynx.ac-test.lan charon: 00[DMN]
>> Starting IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-36-generic,
>> x86_64)
>> 2016-09-09T14:35:48.220738+02:00 sphynx.ac-test.lan charon: 00[CFG]
>> disabling load-tester plugin, not configured
>> 2016-09-09T14:35:48.221002+02:00 sphynx.ac-test.lan charon: 00[LIB]
>> plugin 'load-tester': failed to load - load_tester_plugin_create
>> returned NULL
>> 2016-09-09T14:35:48.229358+02:00 sphynx.ac-test.lan charon: 00[CFG]
>> dnscert plugin is disabled
>> 2016-09-09T14:35:48.229716+02:00 sphynx.ac-test.lan charon: 00[CFG]
>> ipseckey plugin is disabled
>> 2016-09-09T14:35:48.230376+02:00 sphynx.ac-test.lan charon: 00[CFG]
>> attr-sql plugin: database URI not set
>> 2016-09-09T14:35:48.230648+02:00 sphynx.ac-test.lan charon: 00[CFG]
>> loading ca certificates from '/etc/ipsec.d/cacerts'
>> 2016-09-09T14:35:48.230799+02:00 sphynx.ac-test.lan charon: 00[CFG]
>> loaded ca certificate "C=FR, O=Education Nationale, OU=0002 110043015,
>> CN=AC EN Scolarite et Formation" from '/etc/ipsec.d/cacerts/AC EN
>> Scolarite et Formation.pem'
>> 2016-09-09T14:35:48.230997+02:00 sphynx.ac-test.lan charon: 00[CFG]
>> loaded ca certificate "C=FR, O=Education Nationale, L=Dijon, OU=0002
>> 110043015, CN=CA-sphynx-RVP" from '/etc/ipsec.d/cacerts/CA-sphynx-RVP.pem'
>> 2016-09-09T14:35:48.231144+02:00 sphynx.ac-test.lan charon: 00[CFG]
>> loaded ca certificate "C=FR, O=Education Nationale, OU=0002 110043015,
>> CN=AC Education Nationale" from '/etc/ipsec.d/cacerts/AC Education
>> Nationale.pem'
>> 2016-09-09T14:35:48.231622+02:00 sphynx.ac-test.lan charon: 00[CFG]
>> loaded ca certificate "C=FR, O=Ministere Education Nationale
>> Enseignement Superieur Recherche, CN=AC Racine Ministere ENESR" from
>> '/etc/ipsec.d/cacerts/AC Racine Ministere ENESR.pem'
>> 2016-09-09T14:35:48.231793+02:00 sphynx.ac-test.lan charon: 00[CFG]
>> loading aa certificates from '/etc/ipsec.d/aacerts'
>> 2016-09-09T14:35:48.231918+02:00 sphynx.ac-test.lan charon: 00[CFG]
>> loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
>> 2016-09-09T14:35:48.232078+02:00 sphynx.ac-test.lan charon: 00[CFG]
>> loading attribute certificates from '/etc/ipsec.d/acerts'
>> 2016-09-09T14:35:48.232214+02:00 sphynx.ac-test.lan charon: 00[CFG]
>> loading crls from '/etc/ipsec.d/crls'
>> 2016-09-09T14:35:48.232356+02:00 sphynx.ac-test.lan charon: 00[CFG]
>> loading secrets from '/etc/ipsec.secrets'
>> 2016-09-09T14:35:48.232522+02:00 sphynx.ac-test.lan charon: 00[CFG]
>> loaded RSA private key from '/etc/ipsec.d/private/privsphynx.ac-test.fr.pem'
>> 2016-09-09T14:35:48.232664+02:00 sphynx.ac-test.lan charon: 00[CFG]
>> opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or
>> directory
>> 2016-09-09T14:35:48.232805+02:00 sphynx.ac-test.lan charon: 00[CFG]
>> eap-simaka-sql database URI missing
>> 2016-09-09T14:35:48.233119+02:00 sphynx.ac-test.lan charon: 00[CFG]
>> loaded 0 RADIUS server configurations
>> 2016-09-09T14:35:48.233315+02:00 sphynx.ac-test.lan charon: 00[CFG] no
>> threshold configured for systime-fix, disabled
>> 2016-09-09T14:35:48.233515+02:00 sphynx.ac-test.lan charon: 00[CFG]
>> coupling file path unspecified
>> 2016-09-09T14:35:48.233706+02:00 sphynx.ac-test.lan charon: 00[LIB]
>> loaded plugins: charon test-vectors unbound ldap pkcs11 aes rc2 sha1
>> sha2 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1
>> pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem gcrypt af-alg
>> fips-prf gmp chapoly xcbc cmac hmac ctr ccm ntru bliss curl soup mysql
>> sqlite attr kernel-netlink resolve socket-default farp stroke updown
>> eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2
>> eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2
>> eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic
>> xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11
>> tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr
>> addrblock unity
>> 2016-09-09T14:35:48.234163+02:00 sphynx.ac-test.lan charon: 00[LIB]
>> dropped capabilities, running as uid 0, gid 0
>> 2016-09-09T14:35:48.234345+02:00 sphynx.ac-test.lan charon: 00[JOB]
>> spawning 32 worker threads
>> 2016-09-09T14:35:48.247156+02:00 sphynx.ac-test.lan charon: 06[CFG]
>> received stroke: add connection
>> 'aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1'
>> 2016-09-09T14:35:48.247447+02:00 sphynx.ac-test.lan charon: 06[CFG]
>> loaded certificate "C=FR, L=Dijon, O=Education Nationale, OU=0002
>> 110043015, CN=sphynx.ac-test.fr" from 'sphynx.ac-test.fr.pem'
>> 2016-09-09T14:35:48.247635+02:00 sphynx.ac-test.lan charon: 06[CFG]
>> added configuration
>> 'aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1'
>> 2016-09-09T14:35:48.247825+02:00 sphynx.ac-test.lan charon: 08[CFG]
>> received stroke: initiate
>> 'aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1'
>> 2016-09-09T14:35:48.248034+02:00 sphynx.ac-test.lan charon: 08[IKE]
>> initiating IKE_SA
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1[1]
>> to 192.168.0.31
>> 2016-09-09T14:35:48.248224+02:00 sphynx.ac-test.lan charon: 08[IKE]
>> initiating IKE_SA
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1[1]
>> to 192.168.0.31
>> 2016-09-09T14:35:48.259508+02:00 sphynx.ac-test.lan charon: 08[ENC]
>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
>> N(HASH_ALG) ]
>> 2016-09-09T14:35:48.259817+02:00 sphynx.ac-test.lan charon: 08[NET]
>> sending packet: from 192.168.0.11[500] to 192.168.0.31[500] (1252 bytes)
>> 2016-09-09T14:35:48.264907+02:00 sphynx.ac-test.lan charon: 10[NET]
>> received packet: from 192.168.0.31[500] to 192.168.0.11[500] (517 bytes)
>> 2016-09-09T14:35:48.265160+02:00 sphynx.ac-test.lan charon: 10[ENC]
>> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
>> 2016-09-09T14:35:48.278316+02:00 sphynx.ac-test.lan charon: 10[IKE]
>> received cert request for "C=FR, O=Ministere Education Nationale
>> Enseignement Superieur Recherche, CN=AC Racine Ministere ENESR"
>> 2016-09-09T14:35:48.278600+02:00 sphynx.ac-test.lan charon: 10[IKE]
>> received cert request for "C=FR, O=Education Nationale, OU=0002
>> 110043015, CN=AC EN Scolarite et Formation"
>> 2016-09-09T14:35:48.278825+02:00 sphynx.ac-test.lan charon: 10[IKE]
>> received cert request for "C=FR, O=Education Nationale, OU=0002
>> 110043015, CN=AC Education Nationale"
>> 2016-09-09T14:35:48.279014+02:00 sphynx.ac-test.lan charon: 10[IKE]
>> received cert request for "C=FR, O=Education Nationale, L=Dijon, OU=0002
>> 110043015, CN=CA-sphynx-RVP"
>> 2016-09-09T14:35:48.279201+02:00 sphynx.ac-test.lan charon: 10[IKE]
>> sending cert request for "C=FR, O=Education Nationale, OU=0002
>> 110043015, CN=AC EN Scolarite et Formation"
>> 2016-09-09T14:35:48.279419+02:00 sphynx.ac-test.lan charon: 10[IKE]
>> sending cert request for "C=FR, O=Education Nationale, L=Dijon, OU=0002
>> 110043015, CN=CA-sphynx-RVP"
>> 2016-09-09T14:35:48.279590+02:00 sphynx.ac-test.lan charon: 10[IKE]
>> sending cert request for "C=FR, O=Education Nationale, OU=0002
>> 110043015, CN=AC Education Nationale"
>> 2016-09-09T14:35:48.279791+02:00 sphynx.ac-test.lan charon: 10[IKE]
>> sending cert request for "C=FR, O=Ministere Education Nationale
>> Enseignement Superieur Recherche, CN=AC Racine Ministere ENESR"
>> 2016-09-09T14:35:48.283674+02:00 sphynx.ac-test.lan charon: 10[IKE]
>> authentication of 'C=FR, L=Dijon, O=Education Nationale, OU=0002
>> 110043015, CN=sphynx.ac-test.fr' (myself) with RSA signature successful
>> 2016-09-09T14:35:48.283936+02:00 sphynx.ac-test.lan charon: 10[IKE]
>> sending end entity cert "C=FR, L=Dijon, O=Education Nationale, OU=0002
>> 110043015, CN=sphynx.ac-test.fr"
>> 2016-09-09T14:35:48.284141+02:00 sphynx.ac-test.lan charon: 10[IKE]
>> establishing CHILD_SA
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1
>> 2016-09-09T14:35:48.284333+02:00 sphynx.ac-test.lan charon: 10[IKE]
>> establishing CHILD_SA
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1
>> 2016-09-09T14:35:48.284487+02:00 sphynx.ac-test.lan charon: 10[ENC]
>> generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr
>> AUTH SA TSi TSr N(EAP_ONLY) ]
>> 2016-09-09T14:35:48.284681+02:00 sphynx.ac-test.lan charon: 10[NET]
>> sending packet: from 192.168.0.11[500] to 192.168.0.31[500] (2416 bytes)
>> 2016-09-09T14:35:48.698280+02:00 sphynx.ac-test.lan charon: 11[NET]
>> received packet: from 192.168.0.31[500] to 192.168.0.11[500] (2112 bytes)
>> 2016-09-09T14:35:48.698782+02:00 sphynx.ac-test.lan charon: 11[ENC]
>> parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) ]
>> 2016-09-09T14:35:48.699000+02:00 sphynx.ac-test.lan charon: 11[IKE]
>> received end entity cert "C=FR, L=Toulouse, O=Education Nationale,
>> OU=ac-toulouse, OU=0002 110043015, CN=0120101V-01-TEST.ac-toulouse.fr"
>> 2016-09-09T14:35:48.699199+02:00 sphynx.ac-test.lan charon: 11[CFG]
>> using certificate "C=FR, L=Toulouse, O=Education Nationale,
>> OU=ac-toulouse, OU=0002 110043015, CN=0120101V-01-TEST.ac-toulouse.fr"
>> 2016-09-09T14:35:48.699435+02:00 sphynx.ac-test.lan charon: 11[CFG]
>> using trusted intermediate ca certificate "C=FR, O=Education Nationale,
>> OU=0002 110043015, CN=AC EN Scolarite et Formation"
>> 2016-09-09T14:35:48.699629+02:00 sphynx.ac-test.lan charon: 11[CFG]
>> checking certificate status of "C=FR, L=Toulouse, O=Education Nationale,
>> OU=ac-toulouse, OU=0002 110043015, CN=0120101V-01-TEST.ac-toulouse.fr"
>> 2016-09-09T14:35:48.699828+02:00 sphynx.ac-test.lan charon: 11[CFG]
>> fetching crl from
>> 'http://crl.pncn.education.gouv.fr/ac-men-scolarite-et-formation.crl' ...
>> 2016-09-09T14:35:48.739498+02:00 sphynx.ac-test.lan charon: 11[CFG]
>> using trusted intermediate ca certificate "C=FR, O=Education Nationale,
>> OU=0002 110043015, CN=AC Education Nationale"
>> 2016-09-09T14:35:48.739798+02:00 sphynx.ac-test.lan charon: 11[CFG]
>> reached self-signed root ca with a path length of 0
>> 2016-09-09T14:35:48.740023+02:00 sphynx.ac-test.lan charon: 11[CFG]
>> using trusted certificate "C=FR, O=Education Nationale, OU=0002
>> 110043015, CN=AC EN Scolarite et Formation"
>> 2016-09-09T14:35:48.740227+02:00 sphynx.ac-test.lan charon: 11[CFG]
>> crl correctly signed by "C=FR, O=Education Nationale, OU=0002 110043015,
>> CN=AC EN Scolarite et Formation"
>> 2016-09-09T14:35:48.740439+02:00 sphynx.ac-test.lan charon: 11[CFG]
>> crl is valid: until Sep 16 00:00:05 2016
>> 2016-09-09T14:35:48.740651+02:00 sphynx.ac-test.lan charon: 11[CFG]
>> certificate status is good
>> 2016-09-09T14:35:48.740875+02:00 sphynx.ac-test.lan charon: 11[CFG]
>> using trusted intermediate ca certificate "C=FR, O=Education Nationale,
>> OU=0002 110043015, CN=AC Education Nationale"
>> 2016-09-09T14:35:48.741131+02:00 sphynx.ac-test.lan charon: 11[CFG]
>> checking certificate status of "C=FR, O=Education Nationale, OU=0002
>> 110043015, CN=AC EN Scolarite et Formation"
>> 2016-09-09T14:35:48.741452+02:00 sphynx.ac-test.lan charon: 11[CFG]
>> requesting ocsp status from 'http://ocsp.pncn.education.gouv.fr/men' ...
>> 2016-09-09T14:35:48.866481+02:00 sphynx.ac-test.lan charon: 11[CFG]
>> ocsp response correctly signed by "C=FR, O=Education Nationale, OU=0002
>> 110043015, CN=Signature OCSP - AC MEN"
>> 2016-09-09T14:35:48.866895+02:00 sphynx.ac-test.lan charon: 11[CFG]
>> ocsp response is valid: until Sep 09 14:35:58 2016
>> 2016-09-09T14:35:48.867158+02:00 sphynx.ac-test.lan charon: 11[CFG]
>> certificate status is good
>> 2016-09-09T14:35:48.867391+02:00 sphynx.ac-test.lan charon: 11[CFG]
>> using trusted ca certificate "C=FR, O=Ministere Education Nationale
>> Enseignement Superieur Recherche, CN=AC Racine Ministere ENESR"
>> 2016-09-09T14:35:48.867598+02:00 sphynx.ac-test.lan charon: 11[CFG]
>> checking certificate status of "C=FR, O=Education Nationale, OU=0002
>> 110043015, CN=AC Education Nationale"
>> 2016-09-09T14:35:48.867803+02:00 sphynx.ac-test.lan charon: 11[CFG] ocsp
>> response verification failed, no signer certificate 'C=FR, O=Education
>> Nationale, OU=0002 110043015, CN=Signature OCSP - AC MEN' found
>> 2016-09-09T14:35:48.868006+02:00 sphynx.ac-test.lan charon: 11[CFG]
>> requesting ocsp status from 'http://ocsp.pncn.education.gouv.fr/menesr' ...
>> 2016-09-09T14:35:48.992719+02:00 sphynx.ac-test.lan charon: 11[CFG]
>> ocsp response correctly signed by "C=FR, O=Ministere Education Nationale
>> Enseignement Superieur Recherche, CN=Signature OCSP - AC MENESR"
>> 2016-09-09T14:35:48.993075+02:00 sphynx.ac-test.lan charon: 11[CFG]
>> ocsp response is valid: until Sep 09 14:35:58 2016
>> 2016-09-09T14:35:48.993272+02:00 sphynx.ac-test.lan charon: 11[CFG]
>> certificate status is good
>> 2016-09-09T14:35:48.993484+02:00 sphynx.ac-test.lan charon: 11[CFG]
>> reached self-signed root ca with a path length of 2
>> 2016-09-09T14:35:48.993709+02:00 sphynx.ac-test.lan charon: 11[IKE]
>> authentication of 'C=FR, L=Toulouse, O=Education Nationale,
>> OU=ac-toulouse, OU=0002 110043015, CN=0120101V-01-TEST.ac-toulouse.fr'
>> with RSA signature successful
>> 2016-09-09T14:35:48.993915+02:00 sphynx.ac-test.lan charon: 11[IKE]
>> IKE_SA
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1[1]
>> established between 192.168.0.11[C=FR, L=Dijon, O=Education Nationale,
>> OU=0002 110043015, CN=sphynx.ac-test.fr]...192.168.0.31[C=FR,
>> L=Toulouse, O=Education Nationale, OU=ac-toulouse, OU=0002 110043015,
>> CN=0120101V-01-TEST.ac-toulouse.fr]
>> 2016-09-09T14:35:48.994137+02:00 sphynx.ac-test.lan charon: 11[IKE]
>> IKE_SA
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1[1]
>> established between 192.168.0.11[C=FR, L=Dijon, O=Education Nationale,
>> OU=0002 110043015, CN=sphynx.ac-test.fr]...192.168.0.31[C=FR,
>> L=Toulouse, O=Education Nationale, OU=ac-toulouse, OU=0002 110043015,
>> CN=0120101V-01-TEST.ac-toulouse.fr]
>> 2016-09-09T14:35:48.994316+02:00 sphynx.ac-test.lan charon: 11[IKE]
>> scheduling reauthentication in 10146s
>> 2016-09-09T14:35:48.994585+02:00 sphynx.ac-test.lan charon: 11[IKE]
>> maximum IKE_SA lifetime 10686s
>> 2016-09-09T14:35:48.994955+02:00 sphynx.ac-test.lan charon: 11[IKE]
>> CHILD_SA
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1{1}
>> established with SPIs ccdd7bb4_i c01e70f1_o and TS 172.30.101.0/24 ===
>> 10.1.1.0/24
>> 2016-09-09T14:35:48.995159+02:00 sphynx.ac-test.lan charon: 11[IKE]
>> CHILD_SA
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1{1}
>> established with SPIs ccdd7bb4_i c01e70f1_o and TS 172.30.101.0/24 ===
>> 10.1.1.0/24
>> 2016-09-09T14:35:48.995469+02:00 sphynx.ac-test.lan charon: 11[IKE]
>> received AUTH_LIFETIME of 10248s, scheduling reauthentication in 9708s
>>
>>
>> CRL cache is not empty with Ubuntu 14.04 and strongSwan version
>> 5.1.2-0ubuntu2.4 and the same configuration. I can see this line in the log
>> file:
>> 2016-09-09T13:39:42.728748+02:00 amon.etb1.lan charon: 21[CFG] written
>> crl file
>> '/etc/ipsec.d/crls/cc2e370f06b2b9b5e92dffbe5237c61db4b70717.crl' (1307
>> bytes)
>> ls -l /etc/ipsec.d/crls/
>> total 4
>> -rw-r--r-- 1 root root 1307 sept. 9 13:39
>> cc2e370f06b2b9b5e92dffbe5237c61db4b70717.crl
>>
>>
>> Perhaps something is wrong in my strongSwan configuration?
>>
>>
>> Regards,
>> Fabrice Barconnière
>> http://pcll.ac-dijon.fr/eole/
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users@lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>
>
> --
> Kind regards,
> Fabrice Barconnière
> Pôle logiciels libres - EOLE
>

--
======================================================================
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
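
The symptom discussed in this thread (a CRL that is fetched and validated in memory but never written to `/etc/ipsec.d/crls`) can be checked mechanically. The following is an added example, not part of the original messages and not strongSwan code: it assumes the cache file name is the `authkey` hex without colons plus `.crl`, as the `ipsec listcrls` output and the file name quoted above suggest, and all function names are hypothetical. The sample inputs are constructed from the output quoted in the thread.

```python
import re

# Sample inputs, constructed (abridged) from the output quoted in the thread.
LISTCRLS = '''List of X.509 CRLs:

  issuer:   "C=FR, O=Education Nationale, OU=0002 110043015, CN=AC EN Scolarite et Formation"
  serial:    09:43
  revoked:   13 certificates
  authkey:   cc:2e:37:0f:06:b2:b9:b5:e9:2d:ff:be:52:37:c6:1d:b4:b7:07:17
'''
LOG_16_04 = '''charon: 11[CFG] fetching crl from 'http://crl.pncn.education.gouv.fr/ac-men-scolarite-et-formation.crl' ...
charon: 11[CFG] crl correctly signed by "C=FR, O=Education Nationale, OU=0002 110043015, CN=AC EN Scolarite et Formation"
charon: 11[CFG] crl is valid: until Sep 16 00:00:05 2016
'''
LOG_14_04 = LOG_16_04 + '''charon: 21[CFG] written crl file '/etc/ipsec.d/crls/cc2e370f06b2b9b5e92dffbe5237c61db4b70717.crl' (1307 bytes)
'''

def cache_name(authkey):
    """Assumed cache file name: authkey hex without colons, plus '.crl'."""
    return authkey.replace(":", "").lower() + ".crl"

def parse_listcrls(text):
    """Return [{'issuer': ..., 'authkey': ...}] from `ipsec listcrls` output."""
    crls, cur = [], {}
    for line in text.splitlines():
        m = re.match(r'\s*(issuer|authkey):\s*(.+)', line)
        if not m:
            continue
        cur[m.group(1)] = m.group(2).strip().strip('"')
        if m.group(1) == "authkey":  # last field of an entry in the quoted output
            crls.append(cur)
            cur = {}
    return crls

def crl_log_events(log):
    """Collect CRL fetches, successful validations and cache writes from charon log text."""
    return {
        "fetched": re.findall(r"fetching crl from '([^']+)'", log),
        "valid": len(re.findall(r"crl is valid: until", log)),
        "written": re.findall(r"written crl file '([^']+)'", log),
    }

def diagnose(listcrls, log, cached_files):
    """Classify each in-memory CRL by whether its cache file exists on disk."""
    ev = crl_log_events(log)
    written = {p.rsplit("/", 1)[-1] for p in ev["written"]}
    report = []
    for crl in parse_listcrls(listcrls):
        name = cache_name(crl["authkey"])
        if name in cached_files:
            state = "cached"
        elif name in written:
            state = "written-then-missing"   # log reports a write, file is gone
        elif ev["valid"]:
            state = "validated-not-written"  # the Ubuntu 16.04 symptom above
        else:
            state = "no-valid-crl-in-log"
        report.append((name, state))
    return report

if __name__ == "__main__":
    # On a live host, pass set(os.listdir('/etc/ipsec.d/crls')) as cached_files.
    print(diagnose(LISTCRLS, LOG_16_04, set()))
```

A `validated-not-written` result narrows the problem to the write step (for example file permissions or a confinement profile such as the AppArmor one mentioned for Ubuntu 14.04), since fetching and signature verification have already succeeded.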