<div dir="ltr">Hi,<div><br></div><div><br></div><div>We are using the strongSwan 4.2 and 5.2 versions of the stack in our lab and we have the following setup:<br></div><div>Linux Box 1(v4.2)<----->Linux Box 2(v5.2)</div><div><br></div><div><br></div><div>Here is what we are trying:</div><div>1. Both sides are using device certificates signed by different root CAs.</div><div>2. On both devices we have provided both root CA certificates in ipsec.conf:</div><div><p class="MsoNormal" style="margin-left:0.5in"><span style="color:rgb(31,73,125)">ca section1</span></p><p class="MsoNormal" style="margin-left:0.5in"><span style="color:rgb(31,73,125)">        cacert=/usr/local/etc/ipsec.d/cacerts/CA.pem</span></p><p class="MsoNormal" style="margin-left:0.5in"><span style="color:rgb(31,73,125)">        auto=add</span></p><p class="MsoNormal" style="margin-left:0.5in"><span style="color:rgb(31,73,125)">ca section2</span></p><p class="MsoNormal" style="margin-left:0.5in"><span style="color:rgb(31,73,125)">        cacert=/usr/local/etc/ipsec.d/ca.pem</span></p><p class="MsoNormal" style="margin-left:0.5in"><span style="color:rgb(31,73,125)">        auto=add</span></p></div><div>3. With this configuration the SA comes up, which is expected, and there are no issues.<br></div><div>4. Also, when we execute "ipsec listcacerts" on either end we can see that it has loaded both CA certificates:</div><div><div><p class="MsoNormal" style="margin-left:0.5in"><span style="color:rgb(31,73,125)">  subject:  "C=IN, ST=IN, I=IN, O=IN, CN=IN"</span></p><p class="MsoNormal" style="margin-left:0.5in"><span style="color:rgb(31,73,125)">  issuer:   "C=IN, ST=IN, I=IN, O=IN, CN=IN"</span></p><p class="MsoNormal" style="margin-left:0.5in"><span style="color:rgb(31,73,125)">  serial:    1f:3f</span></p></div><div><br></div><div><p class="MsoNormal" style="margin-left:0.5in"><span style="color:rgb(31,73,125)">  subject:  "C=IN, O=Aricent, OU=BTSR?D, ST=Gurgaon, CN=TestRootCA, L=Udyog Vihar"</span></p><p class="MsoNormal" style="margin-left:0.5in"><span style="color:rgb(31,73,125)">  issuer:   "C=IN, O=Aricent, OU=BTSR?D, ST=Gurgaon, CN=TestRootCA, L=Udyog Vihar"</span></p><p class="MsoNormal" style="margin-left:0.5in"><span style="color:rgb(31,73,125)">  serial:    00:8b</span></p></div></div><div>All is fine till this stage.</div><div>5. Now we bring the tunnel down and remove the root CA of the peer from one end, i.e. "ca section2" is removed from ipsec.conf:</div><div><p class="MsoNormal" style="margin-left:0.5in"><span style="color:rgb(31,73,125)">ca section1</span></p><p class="MsoNormal" style="margin-left:0.5in"><span style="color:rgb(31,73,125)">        cacert=/usr/local/etc/ipsec.d/cacerts/CA.pem</span></p><p class="MsoNormal" style="margin-left:0.5in"><span style="color:rgb(31,73,125)">        auto=add</span></p><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">6. After removing this and executing "ipsec update" we expect that the SA will not get established, as the end which does not have the root CA of the peer will reject the IKE_AUTH.</div></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">However, it is observed that the SA still comes up, and on executing "ipsec listcacerts" we still see both certificates present on the device.</div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><br></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">We have observed this behavior with both v4.2.8 and v5.2 of the stack. Is this expected behavior? Is there any way to remove the CA certs from the stack's memory?</div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><br></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">Thanks and Regards</div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">Sajal<br></div></div>
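<div>The check a practitioner would want after a reload like the one described in the post is a comparison between the trust anchors the daemon actually holds ("ipsec listcacerts") and the "ca" sections ipsec.conf still declares. The script below is an added example; it is not code from the post or from the strongSwan project. It parses the two formats quoted in the post, diffs the loaded CA set before and after the reload, and lists loaded CAs that no "ca" section accounts for. The ipsec.conf and listcacerts texts are constructed from the values in the post, and the mapping from cacert= path to certificate subject (SUBJECT_BY_PATH) is an assumption made for illustration: on a real box it has to come from the PEM files themselves.</div>

```python
"""Added example (not from the post or strongSwan): detect CA certificates that
remain loaded after "ipsec update" even though their "ca" section is gone."""
import re
from typing import Dict, Iterable, List, Tuple

# Constructed from the post: ipsec.conf before and after "ca section2" is removed.
CONF_BEFORE = """\
config setup

ca section1
        cacert=/usr/local/etc/ipsec.d/cacerts/CA.pem
        auto=add
ca section2
        cacert=/usr/local/etc/ipsec.d/ca.pem
        auto=add
"""
CONF_AFTER = """\
config setup

ca section1
        cacert=/usr/local/etc/ipsec.d/cacerts/CA.pem
        auto=add
"""

# Constructed from the post: the subject/issuer/serial blocks "ipsec listcacerts"
# printed. The post reports the same listing before and after "ipsec update".
LISTCACERTS = """\
  subject:  "C=IN, ST=IN, I=IN, O=IN, CN=IN"
  issuer:   "C=IN, ST=IN, I=IN, O=IN, CN=IN"
  serial:    1f:3f

  subject:  "C=IN, O=Aricent, OU=BTSR?D, ST=Gurgaon, CN=TestRootCA, L=Udyog Vihar"
  issuer:   "C=IN, O=Aricent, OU=BTSR?D, ST=Gurgaon, CN=TestRootCA, L=Udyog Vihar"
  serial:    00:8b
"""

# ASSUMED mapping (which PEM holds which subject is not stated in the post).
# On a real host derive it with "openssl x509 -noout -subject -in <path>" and
# normalize the DN to the "C=..., O=..." form strongSwan prints.
SUBJECT_BY_PATH = {
    "/usr/local/etc/ipsec.d/cacerts/CA.pem": "C=IN, ST=IN, I=IN, O=IN, CN=IN",
    "/usr/local/etc/ipsec.d/ca.pem":
        "C=IN, O=Aricent, OU=BTSR?D, ST=Gurgaon, CN=TestRootCA, L=Udyog Vihar",
}

SECTION_RE = re.compile(r"^(ca|conn|config)\s+(\S+)\s*$")   # header at column 0
KV_RE = re.compile(r"^\s+(\w+)\s*=\s*(.+?)\s*$")            # indented key=value
FIELD_RE = re.compile(r'^\s*(subject|issuer|serial):\s*"?(.*?)"?\s*$')


def parse_ca_sections(conf: str) -> Dict[str, Dict[str, str]]:
    """Return {section_name: {key: value}} for every "ca" section in ipsec.conf."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments/blank lines
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            kind, name = m.groups()
            current = sections.setdefault(name, {}) if kind == "ca" else None
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return sections


def parse_listcacerts(output: str) -> List[Dict[str, str]]:
    """Parse the subject/issuer/serial blocks of "ipsec listcacerts" output."""
    certs: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in output.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue                                   # validity, keyid etc. ignored
        key, value = m.groups()
        if key == "subject" and current:               # each block starts with subject
            certs.append(current)
            current = {}
        current[key] = value
    if current:
        certs.append(current)
    return certs


def cert_id(cert: Dict[str, str]) -> Tuple[str, str]:
    """Issuer DN plus serial identifies a certificate."""
    return (cert.get("issuer", ""), cert.get("serial", ""))


def diff_loaded_cas(before: str, after: str) -> Dict[str, List[Tuple[str, str]]]:
    """Which trust anchors survived the reload, were dropped, or appeared."""
    b = {cert_id(c) for c in parse_listcacerts(before)}
    a = {cert_id(c) for c in parse_listcacerts(after)}
    return {"still_loaded": sorted(b & a), "unloaded": sorted(b - a),
            "newly_loaded": sorted(a - b)}


def unexpected_trust_anchors(conf: str, listing: str, subject_by_path: Dict[str, str],
                             dir_subjects: Iterable[str] = ()) -> List[str]:
    """Subjects of loaded CA certs that no "ca" section in conf declares.

    strongSwan also loads every certificate found in ipsec.d/cacerts/ without any
    "ca" section, so pass the subjects of those files as dir_subjects to treat
    them as expected."""
    declared = set(dir_subjects)
    for section in parse_ca_sections(conf).values():
        if section.get("cacert") in subject_by_path:
            declared.add(subject_by_path[section["cacert"]])
    return [c["subject"] for c in parse_listcacerts(listing)
            if c.get("subject") not in declared]


if __name__ == "__main__":
    print(diff_loaded_cas(LISTCACERTS, LISTCACERTS))
    print(unexpected_trust_anchors(CONF_AFTER, LISTCACERTS, SUBJECT_BY_PATH))
```

<div>Run against the post's scenario, the diff reports both anchors as still loaded and nothing unloaded, and the second call names the Aricent root as a trust anchor no remaining "ca" section declares. Feed it real output by capturing "ipsec listcacerts" before and after the reload and reading ipsec.conf from disk; note that strongSwan loads every certificate in ipsec.d/cacerts/ at startup regardless of ipsec.conf, so a CA that lives in that directory (as CA.pem does in the post) is expected to stay loaded even with no "ca" section pointing at it.</div>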