On 11/30/2011 05:41 PM, A. J. Clark wrote:
> Hi there,
>
> I can confirm that this issue exists in Linux as well... the same
> certificate/VPN setup shows the following:
>
> ...
> DB : phase1 resend event canceled ( ref count = 1 )
> -> : send IKE packet 10.250.0.243:500 -> 10.250.0.241:500 ( 1984 bytes )
> ii : unable to get certificate CRL(3) at depth:0
> ii : subject :/ST=British Columbia/L=Kamloops/O=SuperTestzing/OU=IPSec VPN/CN=0162072007000231/CN=(250) 434-8700/CN=ecdsa-key/CN=test.cert.vpn/CN=Adam Clark
> ii : unable to get certificate CRL(3) at depth:1
> ii : subject :/C=CA/ST=British Columbia/L=Kamloops/O=Testzing/OU=StaffVPN/CN=test.cert.vpn
> Segmentation fault
>
> I'm not sure if/why iked might be having issues with no CRL setup (as
> there's no place to put a CRL setup), or if it's just coincidence that
> that's the last thing it logs before it crashes.

Hi Adam,

The only reason I think that there must be a CRL in your certs is
because iirc none of the other cert-based iked logs that I've seen on
this list say anything about CRLs.

Did I already ask if there's something that would block your certificate
services on the client from going to the web to check a CRL?

BTW, if you've got Linux, you should be able to run a command sort of
like this to show you the cert and if there's a CRL in it (if it's not
x509, use the appropriate format):

    openssl x509 -in cert.crt -text

_______________________________________________
vpn-help mailing list
[email protected]
http://lists.shrew.net/mailman/listinfo/vpn-help
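
The check suggested in the reply above, written out as an added example that is not part of the original thread: it lists the CRL Distribution Points URIs in a certificate and shows OpenSSL's verifier reporting error 3, "unable to get certificate CRL" (the message and code in the quoted log), when CRL checking is requested and no CRL is supplied. The function names, the throwaway CA and leaf, and the URL http://crl.example.test/ca.crl are constructed for illustration; it assumes the openssl command-line tool is installed.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Subjects, file names and the CRL URL are constructed.
set -eu

# Print each URI in a PEM certificate's CRL Distribution Points extension.
crl_uris() {
    openssl x509 -in "$1" -noout -text | awk '
        /X509v3 CRL Distribution Points/ { dp = 1; next }
        dp && NF == 0 { next }                              # blank lines inside the extension
        dp { match($0, /^ */); if (RLENGTH <= 12) dp = 0 }  # next extension or signature block
        dp && /URI:/ { sub(/.*URI:/, ""); print }'
}

# Verify a leaf ($2) against its CA ($1) with CRL checking enabled but no CRL
# supplied, and print the first verifier error line.
verify_no_crl() {
    openssl verify -crl_check -CAfile "$1" "$2" 2>&1 | grep 'depth lookup' | head -n 1
}

# Build a throwaway CA and a leaf carrying a CRL Distribution Point in directory $1.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-test-ca" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=constructed-leaf" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    printf 'crlDistributionPoints=URI:http://crl.example.test/ca.crl\n' > "$1/ext.cnf"
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -extfile "$1/ext.cnf" -out "$1/leaf.crt" 2>/dev/null
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_test_pki "$work"
echo "leaf CRL DP: $(crl_uris "$work/leaf.crt")"
echo "CA CRL DP:   $(crl_uris "$work/ca.crt")"
echo "verify:      $(verify_no_crl "$work/ca.crt" "$work/leaf.crt")"
```

To inspect a real certificate, call crl_uris on its PEM file; an empty result means the certificate names no CRL location.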