<div dir="ltr">Hi All, I have copy-pasted ipsec.conf, strongswan.conf and openssl.cnf below. Does anybody have any clue why strongSwan is not seeing the revoked certificate? I appreciate any help or suggestions.<div><br></div>
<div>Thanks,</div><div>Nagaraj</div><div><br><div><div>[root@TroposDA ~]# cat /usr/local/strongswan4/etc/ipsec.conf</div><div>config setup</div><div> plutostart=yes</div><div> plutostderrlog=/var/log/pluto.log</div>
<div> nat_traversal=yes</div><div> uniqueids=yes</div><div> crlcheckinterval=600</div><div> cachecrls=no</div><div> strictcrlpolicy=no</div><div><br></div><div>ca tropos</div><div> cacert=/etc/pki/CA/certs/caCert.pem</div>
<div> crluri=/etc/pki/CA/certs/crl.pem</div><div> auto=add</div><div><br></div><div>conn ios</div><div> keyexchange=ikev1</div><div> authby=xauthrsasig</div><div> xauth=server</div><div>
left=%defaultroute</div><div> leftsubnet=<a href="http://0.0.0.0/0">0.0.0.0/0</a></div><div> leftcert=serverCert.pem</div><div> leftfirewall=yes</div><div> right=%any</div><div> rightsourceip=<a href="http://10.2.0.0/16">10.2.0.0/16</a></div>
<div> pfs=no</div><div> auto=add</div></div><div>===============================================================================================</div><div><div>[root@TroposDA ~]# cat /usr/local/strongswan4/etc/strongswan.conf</div>
<div># strongswan.conf - strongSwan configuration file</div><div><br></div><div>charon {</div><div><br></div><div> # number of worker threads in charon</div><div> threads = 32</div><div><br></div><div> # send strongswan vendor ID?</div>
<div> # send_vendor_id = yes</div><div><br></div><div> plugins {</div><div><br></div><div> sql {</div><div> # loglevel to log into sql database</div><div> loglevel = -1</div>
<div><br></div><div> # URI to the database</div><div> # database = sqlite:///path/to/file.db</div><div> # database = mysql://user:password@localhost/database</div>
<div> }</div><div> }</div><div><br></div><div> # ...</div><div>}</div><div><br></div><div>pluto {</div><div> dns1 = 10.2.0.253</div><div>}</div><div><br></div><div>libstrongswan {</div>
<div><br></div><div> # set to no, the DH exponent size is optimized</div><div> # dh_exponent_ansi_x9_42 = no</div><div>}</div></div><div>===============================================================================================</div>
<div><div>[root@TroposDA ~]# cat /etc/pki/tls/openssl.cnf</div><div>#</div><div># OpenSSL example configuration file.</div><div># This is mostly being used for generation of certificate requests.</div><div>#</div><div><br>
</div><div># This definition stops the following lines choking if HOME isn't</div><div># defined.</div><div>HOME = .</div><div>RANDFILE = $ENV::HOME/.rnd</div><div><br></div><div># Extra OBJECT IDENTIFIER info:</div>
<div>#oid_file = $ENV::HOME/.oid</div><div>oid_section = new_oids</div><div><br></div><div># To use this configuration file with the "-extfile" option of the</div><div># "openssl x509" utility, name here the section containing the</div>
<div># X.509v3 extensions to use:</div><div># extensions =</div><div># (Alternatively, use a configuration file that has only</div><div># X.509v3 extensions in its main [= default] section.)</div><div><br></div>
<div>[ new_oids ]</div><div><br></div><div># We can add new OIDs in here for use by 'ca', 'req' and 'ts'.</div><div># Add a simple OID like this:</div><div># testoid1=1.2.3.4</div><div># Or use config file substitution like this:</div>
<div># testoid2=${testoid1}.5.6</div><div><br></div><div># Policies used by the TSA examples.</div><div>tsa_policy1 = 1.2.3.4.1</div><div>tsa_policy2 = 1.2.3.4.5.6</div><div>tsa_policy3 = 1.2.3.4.5.7</div><div><br></div><div>
####################################################################</div><div>[ ca ]</div><div>default_ca = CA_default # The default ca section</div><div><br></div><div>####################################################################</div>
<div>[ CA_default ]</div><div><br></div><div>dir = /etc/pki/CA # Where everything is kept</div><div>certs = $dir/certs # Where the issued certs are kept</div><div>crl_dir = $dir/crl # Where the issued crl are kept</div>
<div>database = $dir/index.txt # database index file.</div><div>#unique_subject = no # Set to 'no' to allow creation of</div><div> # several certificates with the same subject.</div>
<div>new_certs_dir = $dir/newcerts # default place for new certs.</div><div><br></div><div>certificate = $dir/certs/caCert.pem # The CA certificate</div><div>serial = $dir/serial # The current serial number</div>
<div>crlnumber = $dir/crlnumber # the current crl number</div><div> # must be commented out to leave a V1 CRL</div><div>crl = $dir/certs/crl.pem # The current CRL</div>
<div>private_key = $dir/private/caKey.pem# The private key</div><div>RANDFILE = $dir/private/.rand # private random number file</div><div><br></div><div>x509_extensions = usr_cert # The extensions to add to the cert</div>
<div><br></div><div># Comment out the following two lines for the "traditional"</div><div># (and highly broken) format.</div><div>name_opt = ca_default # Subject Name options</div><div>cert_opt = ca_default # Certificate field options</div>
<div><br></div><div># Extension copying option: use with caution.</div><div># copy_extensions = copy</div><div><br></div><div># Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs</div><div># so this is commented out by default to leave a V1 CRL.</div>
<div># crlnumber must also be commented out to leave a V1 CRL.</div><div>crl_extensions = crl_ext</div><div><br></div><div>default_days = 365 # how long to certify for</div><div>default_crl_days= 30 # how long before next CRL</div>
<div>default_md = default # use public key default MD</div><div>preserve = no # keep passed DN ordering</div><div><br></div><div># A few different ways of specifying how similar the request should look</div>
<div># For type CA, the listed attributes must be the same, and the optional</div><div># and supplied fields are just that :-)</div><div>policy = policy_match</div><div><br></div><div># For the CA policy</div><div>
[ policy_match ]</div><div>countryName = match</div><div>stateOrProvinceName = match</div><div>organizationName = match</div><div>organizationalUnitName = optional</div><div>commonName = supplied</div>
<div>emailAddress = optional</div><div><br></div><div># For the 'anything' policy</div><div># At this point in time, you must list all acceptable 'object'</div><div># types.</div><div>[ policy_anything ]</div>
<div>countryName = optional</div><div>stateOrProvinceName = optional</div><div>localityName = optional</div><div>organizationName = optional</div><div>organizationalUnitName = optional</div>
<div>commonName = supplied</div><div>emailAddress = optional</div><div><br></div><div>####################################################################</div><div>[ req ]</div><div>default_bits = 2048</div>
<div>default_md = sha1</div><div>default_keyfile = privkey.pem</div><div>distinguished_name = req_distinguished_name</div><div>attributes = req_attributes</div><div>x509_extensions = v3_ca # The extensions to add to the self-signed cert</div>
<div><br></div><div># Passwords for private keys; if not present they will be prompted for</div><div># input_password = secret</div><div># output_password = secret</div><div><br></div><div># This sets a mask for permitted string types. There are several options.</div>
<div># default: PrintableString, T61String, BMPString.</div><div># pkix : PrintableString, BMPString (PKIX recommendation before 2004)</div><div># utf8only: only UTF8Strings (PKIX recommendation after 2004).</div><div># nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).</div>
<div># MASK:XXXX a literal mask value.</div><div># WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.</div><div>string_mask = utf8only</div><div><br></div><div># req_extensions = v3_req # The extensions to add to a certificate request</div>
<div><br></div><div>[ req_distinguished_name ]</div><div>countryName = Country Name (2 letter code)</div><div>countryName_default = XX</div><div>countryName_min = 2</div><div>
countryName_max = 2</div><div><br></div><div>stateOrProvinceName = State or Province Name (full name)</div><div>#stateOrProvinceName_default = Default Province</div><div><br></div><div>localityName = Locality Name (eg, city)</div>
<div>localityName_default = Default City</div><div><br></div><div>0.organizationName = Organization Name (eg, company)</div><div>0.organizationName_default = Default Company Ltd</div><div><br></div><div>
# we can do this but it is not needed normally :-)</div><div>#1.organizationName = Second Organization Name (eg, company)</div><div>#1.organizationName_default = World Wide Web Pty Ltd</div><div><br></div>
<div>organizationalUnitName = Organizational Unit Name (eg, section)</div><div>#organizationalUnitName_default =</div><div><br></div><div>commonName = Common Name (eg, your name or your server\'s hostname)</div>
<div>commonName_max = 64</div><div><br></div><div>emailAddress = Email Address</div><div>emailAddress_max = 64</div><div><br></div><div># SET-ex3 = SET extension number 3</div>
<div><br></div><div>[ req_attributes ]</div><div>challengePassword = A challenge password</div><div>challengePassword_min = 4</div><div>challengePassword_max = 20</div><div><br></div><div>
unstructuredName = An optional company name</div><div><br></div><div>[ usr_cert ]</div><div><br></div><div># These extensions are added when 'ca' signs a request.</div><div><br></div><div># This goes against PKIX guidelines but some CAs do it and some software</div>
<div># requires this to avoid interpreting an end user certificate as a CA.</div><div><br></div><div>basicConstraints=CA:FALSE</div><div><br></div><div># Here are some examples of the usage of nsCertType. If it is omitted</div>
<div># the certificate can be used for anything *except* object signing.</div><div><br></div><div># This is OK for an SSL server.</div><div># nsCertType = server</div><div><br></div><div># For an object signing certificate this would be used.</div>
<div># nsCertType = objsign</div><div><br></div><div># For normal client use this is typical</div><div># nsCertType = client, email</div><div><br></div><div># and for everything including object signing:</div><div># nsCertType = client, email, objsign</div>
<div><br></div><div># This is typical in keyUsage for a client certificate.</div><div># keyUsage = nonRepudiation, digitalSignature, keyEncipherment</div><div><br></div><div># This will be displayed in Netscape's comment listbox.</div>
<div>nsComment = "OpenSSL Generated Certificate"</div><div><br></div><div># PKIX recommendations harmless if included in all certificates.</div><div>subjectKeyIdentifier=hash</div><div>authorityKeyIdentifier=keyid,issuer</div>
<div><br></div><div># This stuff is for subjectAltName and issuerAltname.</div><div># Import the email address.</div><div># subjectAltName=email:copy</div><div># An alternative to produce certificates that aren't</div>
<div># deprecated according to PKIX.</div><div># subjectAltName=email:move</div><div><br></div><div># Copy subject details</div><div># issuerAltName=issuer:copy</div><div><br></div><div>#nsCaRevocationUrl = <a href="http://www.domain.dom/ca-crl.pem">http://www.domain.dom/ca-crl.pem</a></div>
<div>#nsBaseUrl</div><div>#nsRevocationUrl</div><div>#nsRenewalUrl</div><div>#nsCaPolicyUrl</div><div>#nsSslServerName</div><div><br></div><div># This is required for TSA certificates.</div><div># extendedKeyUsage = critical,timeStamping</div>
<div><br></div><div>[ v3_req ]</div><div><br></div><div># Extensions to add to a certificate request</div><div><br></div><div>basicConstraints = CA:FALSE</div><div>keyUsage = nonRepudiation, digitalSignature, keyEncipherment</div>
<div><br></div><div>[ v3_ca ]</div><div><br></div><div><br></div><div># Extensions for a typical CA</div><div><br></div><div><br></div><div># PKIX recommendation.</div><div><br></div><div>subjectKeyIdentifier=hash</div><div>
<br></div><div>authorityKeyIdentifier=keyid:always,issuer</div><div><br></div><div># This is what PKIX recommends but some broken software chokes on critical</div><div># extensions.</div><div>#basicConstraints = critical,CA:true</div>
<div># So we do this instead.</div><div>basicConstraints = CA:true</div><div><br></div><div># Key usage: this is typical for a CA certificate. However since it will</div><div># prevent it being used as a test self-signed certificate it is best</div>
<div># left out by default.</div><div># keyUsage = cRLSign, keyCertSign</div><div><br></div><div># Some might want this also</div><div># nsCertType = sslCA, emailCA</div><div><br></div><div># Include email address in subject alt name: another PKIX recommendation</div>
<div># subjectAltName=email:copy</div><div># Copy issuer details</div><div># issuerAltName=issuer:copy</div><div><br></div><div># DER hex encoding of an extension: beware experts only!</div><div># obj=DER:02:03</div><div>
# Where 'obj' is a standard or added object</div><div># You can even override a supported extension:</div><div># basicConstraints= critical, DER:30:03:01:01:FF</div><div><br></div><div>[ crl_ext ]</div><div><br></div>
<div># CRL extensions.</div><div># Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.</div><div><br></div><div># issuerAltName=issuer:copy</div><div>authorityKeyIdentifier=keyid:always</div><div><br></div>
<div>[ proxy_cert_ext ]</div><div># These extensions should be added when creating a proxy certificate</div><div><br></div><div># This goes against PKIX guidelines but some CAs do it and some software</div><div># requires this to avoid interpreting an end user certificate as a CA.</div>
<div><br></div><div>basicConstraints=CA:FALSE</div><div><br></div><div># Here are some examples of the usage of nsCertType. If it is omitted</div><div># the certificate can be used for anything *except* object signing.</div>
<div><br></div><div># This is OK for an SSL server.</div><div># nsCertType = server</div><div><br></div><div># For an object signing certificate this would be used.</div><div># nsCertType = objsign</div>
<div><br></div><div># For normal client use this is typical</div><div># nsCertType = client, email</div><div><br></div><div># and for everything including object signing:</div><div># nsCertType = client, email, objsign</div>
<div><br></div><div># This is typical in keyUsage for a client certificate.</div><div># keyUsage = nonRepudiation, digitalSignature, keyEncipherment</div><div><br></div><div># This will be displayed in Netscape's comment listbox.</div>
<div>nsComment = "OpenSSL Generated Certificate"</div><div><br></div><div># PKIX recommendations harmless if included in all certificates.</div><div>subjectKeyIdentifier=hash</div><div>authorityKeyIdentifier=keyid,issuer</div>
<div><br></div><div># This stuff is for subjectAltName and issuerAltname.</div><div># Import the email address.</div><div># subjectAltName=email:copy</div><div># An alternative to produce certificates that aren't</div>
<div># deprecated according to PKIX.</div><div># subjectAltName=email:move</div><div><br></div><div># Copy subject details</div><div># issuerAltName=issuer:copy</div><div><br></div><div>#nsCaRevocationUrl = <a href="http://www.domain.dom/ca-crl.pem">http://www.domain.dom/ca-crl.pem</a></div>
<div>#nsBaseUrl</div><div>#nsRevocationUrl</div><div>#nsRenewalUrl</div><div>#nsCaPolicyUrl</div><div>#nsSslServerName</div><div><br></div><div># This really needs to be in place for it to be a proxy certificate.</div><div>
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo</div><div><br></div><div>####################################################################</div><div>[ tsa ]</div><div><br></div><div>default_tsa = tsa_config1 # the default TSA section</div>
<div><br></div><div>[ tsa_config1 ]</div><div><br></div><div># These are used by the TSA reply generation only.</div><div>dir = ./demoCA # TSA root directory</div><div>serial = $dir/tsaserial # The current serial number (mandatory)</div>
<div>crypto_device = builtin # OpenSSL engine to use for signing</div><div>signer_cert = $dir/tsacert.pem # The TSA signing certificate</div><div> # (optional)</div>
<div>certs = $dir/cacert.pem # Certificate chain to include in reply</div><div> # (optional)</div><div>signer_key = $dir/private/tsakey.pem # The TSA private key (optional)</div>
<div><br></div><div>default_policy = tsa_policy1 # Policy if request did not specify it</div><div> # (optional)</div><div>other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)</div>
<div>digests = md5, sha1 # Acceptable message digests (mandatory)</div><div>accuracy = secs:1, millisecs:500, microsecs:100 # (optional)</div><div>clock_precision_digits = 0 # number of digits after dot. (optional)</div>
<div>ordering = yes # Is ordering defined for timestamps?</div><div> # (optional, default: no)</div><div>tsa_name = yes # Must the TSA name be included in the reply?</div>
<div> # (optional, default: no)</div><div>ess_cert_id_chain = no # Must the ESS cert id chain be included?</div><div> # (optional, default: no)</div></div>
<div><br></div><div><br></div><div><br></div><div><br></div></div></div>