<p>Hi </p>
<div>This is regarding update of CA certificates in IKEv2 stack. </div>
<div>We are facing an issue with the update of CA certificates while following the steps below:<br>Step 1. Initially we have a configuration with 2 CA certificates mentioned in ipsec.conf as follows:</div>
<p> ca cert1<br> cacert=/home/sajal/abc.pem<br> auto=add</p>
<p> ca cert2<br> cacert=/home/sajal/xyz.pem<br> auto=add</p>
<p><strong>Using this, we were able to establish an SA with our peer, which also has a certificate signed by the above CA certificate.</strong></p>
<p>Step 2. Now we set the date of the system (where the IKEv2 stack is running) to a <strong>future date</strong> with a value <strong>beyond the expiry time</strong> of the CA certificates.<br>Step 3. After doing so, SA establishment with the peer fails with an AUTH Failure.<br>
Step 4. Now I deleted the above 2 CA certificates by specifying a different CA certificate in ipsec.conf and issuing the "ipsec update" command:<br><br> ca cert1<br> cacert=/home/sajal/ijk.pem<br> auto=add<br>
Step 5. Now I set the system date back to normal.<br>Step 6. Now when we try to establish an SA with our peer, it is still successfully established. This is incorrect, as the certificate of the peer is signed by the <strong>previous CA </strong>certificate, which was deleted in step 4 above.</p>
<p><br>Can you please let us know what the issue is here?</p>
<p><br>Warm Regards<br>Sajal</p>
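<p>Added example, not part of the mail above: the trust decision the steps describe, reproduced with the openssl CLI and throwaway certificates (all file names and subjects are constructed), so that the expected outcome can be checked independently of the IKE daemon. It assumes openssl is installed; a peer certificate issued by an old CA must fail to verify once only the replacement CA is trusted, and must also fail while the clock sits past the CA's expiry.</p>

```shell
#!/bin/sh
# Constructed demo: two "old" CAs (abc, xyz), one replacement CA (ijk),
# and a peer certificate issued by abc, mirroring the ipsec.conf in the mail.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# mk_ca STEM CN: self-signed CA valid for 30 days (deliberately short)
mk_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$1.key" -out "$1.pem" -subj "/CN=$2" >/dev/null 2>&1
}
mk_ca abc "Old CA 1"
mk_ca xyz "Old CA 2"
mk_ca ijk "Replacement CA"
cat abc.pem xyz.pem > old-cas.pem   # what step 1 trusts

# Peer end-entity certificate, issued by the first old CA, 10-day lifetime
openssl req -newkey rsa:2048 -nodes -keyout peer.key -out peer.csr \
  -subj "/CN=peer" >/dev/null 2>&1
openssl x509 -req -in peer.csr -CA abc.pem -CAkey abc.key -CAcreateserial \
  -days 10 -out peer.pem >/dev/null 2>&1

# verify_peer CAFILE [EPOCH]: exit 0 if peer.pem chains to a CA in CAFILE
# and is valid at EPOCH (default: now), non-zero otherwise.
verify_peer() {
  if [ -n "$2" ]; then
    openssl verify -attime "$2" -CAfile "$1" peer.pem >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" peer.pem >/dev/null 2>&1
  fi
}

# Expected results for the scenario in the mail:
verify_peer old-cas.pem && echo "step 1: trusted by old CAs (OK)"
FUTURE=$(( $(date +%s) + 60 * 86400 ))
verify_peer old-cas.pem "$FUTURE" || echo "step 3: expired, not trusted (OK)"
verify_peer ijk.pem || echo "step 6: old-CA peer rejected by new CA (OK)"
```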