<div dir="ltr"><div><div><div><div><div>Hi<br><br></div>Is strongSwan running on a local gateway supposed to check whether the certificate being used in "leftcert=xxx.pem" is valid or expired?<br><br></div>It's not doing so, as observed below. Is there any option to be enabled?<br></div></div><br>================================<br><br>root@suram-OptiPlex-7010:/usr/local/etc/ipsec.d/certs#<br>root@suram-OptiPlex-7010:/usr/local/etc/ipsec.d/certs# date<br>Tue Apr 21 19:35:02 IST 2020<br>root@suram-OptiPlex-7010:/usr/local/etc/ipsec.d/certs#<br>root@suram-OptiPlex-7010:/usr/local/etc/ipsec.d/certs#<br>root@suram-OptiPlex-7010:/usr/local/etc/ipsec.d/certs#<br>root@suram-OptiPlex-7010:/usr/local/etc/ipsec.d/certs#<br>root@suram-OptiPlex-7010:/usr/local/etc/ipsec.d/certs#<br>root@suram-OptiPlex-7010:/usr/local/etc/ipsec.d/certs#<br>root@suram-OptiPlex-7010:/usr/local/etc/ipsec.d/certs#<br>root@suram-OptiPlex-7010:/usr/local/etc/ipsec.d/certs# ipsec listcerts<br><br>List of X.509 End Entity Certificates:<br><br>  subject:  "C=IN, O=strongSwan, CN=gateway2"<br>  issuer:   "C=IN, O=strongSwan, CN=strongSwan CA"<br>  serial:    02<br>  validity:  not before Oct 16 01:39:07 2014, ok<br>             not after  Oct 15 01:39:07 2016, expired (1284 days ago)<br>  pubkey:    RSA 2048 bits, has private key<br>  keyid:     21:42:15:1f:97:bd:9c:8c:43:8b:2d:50:df:76:ce:c1:85:ef:eb:e1<br>  subjkey:   bf:84:76:d6:f5:85:fa:8f:27:bf:b0:75:02:6c:9a:4a:20:f8:d8:ad<br>  authkey:   f6:9c:8d:ea:e6:48:58:8f:30:8d:97:0a:8c:17:21:a8:67:70:be:69<br>root@suram-OptiPlex-7010:/usr/local/etc/ipsec.d/certs#<br>root@suram-OptiPlex-7010:/usr/local/etc/ipsec.d/certs#<br>root@suram-OptiPlex-7010:/usr/local/etc/ipsec.d/certs# ipsec start --nofork<br>Starting weakSwan 5.3.0 IPsec [starter]...<br>charon is already running (/var/run/charon.pid exists) -- skipping daemon start<br>starter is already running (/var/run/starter.charon.pid exists) -- no fork 
done<br>root@suram-OptiPlex-7010:/usr/local/etc/ipsec.d/certs# ipsec stop<br>Stopping strongSwan IPsec...<br>root@suram-OptiPlex-7010:/usr/local/etc/ipsec.d/certs#<br>root@suram-OptiPlex-7010:/usr/local/etc/ipsec.d/certs#<br>root@suram-OptiPlex-7010:/usr/local/etc/ipsec.d/certs#<br>root@suram-OptiPlex-7010:/usr/local/etc/ipsec.d/certs# cd /usr/local/etc/<br>root@suram-OptiPlex-7010:/usr/local/etc#<br>root@suram-OptiPlex-7010:/usr/local/etc# cat ipsec.conf<br># /etc/ipsec.conf - strongSwan IPsec configuration file<br><br>config setup<br>        strictcrlpolicy=no<br>        charondebug="ike 1, dmn 1, chd 1, knl 1, cfg 1, net 1, esp 1, enc 1"<br><br>conn %default<br>        ikelifetime=24h<br>        keylife=18h<br>        mobike=no<br><br>conn togw1<br>        left=2.2.2.5<br>        leftsubnet=<a href="http://192.168.25.0/24">192.168.25.0/24</a><br>        right=2.2.2.34<br>        rightsubnet=<a href="http://192.168.34.0/24">192.168.34.0/24</a><br>        leftcert=peer2Cert.pem<br>        leftauth=pubkey<br>        rightauth=pubkey<br>        leftid="/C=IN/O=strongSwan/CN=gateway2"<br>        rightid=%any<br>        type=tunnel<br>        keyexchange=ikev1<br>        ike=3des-sha1-modp1024!<br>        esp=3des-sha1-modp1024!<br>        auto=add<br>root@suram-OptiPlex-7010:/usr/local/etc#<br>root@suram-OptiPlex-7010:/usr/local/etc#<br>root@suram-OptiPlex-7010:/usr/local/etc#<br>root@suram-OptiPlex-7010:/usr/local/etc# ipsec start --nofork<br>Starting weakSwan 5.3.0 IPsec [starter]...<br>00[DMN] Starting IKE charon daemon (strongSwan 5.3.0, Linux 3.11.0-26-generic, x86_64)<br>00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'<br>00[CFG]   loaded ca certificate "C=IN, O=strongSwan, CN=strongSwan CA" from '/usr/local/etc/ipsec.d/cacerts/strongcaCert.pem'<br>00[CFG]   loaded ca certificate "C=IN, O=strongSwan, CN=strongSwan CA" from '/usr/local/etc/ipsec.d/cacerts/caCert.pem'<br>00[CFG] loading aa certificates from 
'/usr/local/etc/ipsec.d/aacerts'<br>00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'<br>00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'<br>00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'<br>00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'<br>00[CFG]   loaded RSA private key from '/usr/local/etc/ipsec.d/private/peer2Key.pem'<br>00[CFG] opening triplet file /usr/local/etc/ipsec.d/triplets.dat failed: No such file or directory<br>00[CFG] loaded 0 RADIUS server configurations<br>00[LIB] loaded plugins: charon aes des blowfish rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-sim eap-aka eap-simaka-pseudonym eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-noauth tnc-tnccs dhcp lookip error-notify unity<br>00[JOB] spawning 16 worker threads<br>charon (10745) started after 20 ms<br>06[CFG] received stroke: add connection 'togw1'<br>06[CFG]   loaded certificate "C=IN, O=strongSwan, CN=gateway2" from 'peer2Cert.pem'<br>06[CFG] added configuration 'togw1'<br>^C00[DMN] signal of type SIGINT received. Shutting down<br>charon stopped after 200 ms<br>ipsec starter stopped<br>root@suram-OptiPlex-7010:/usr/local/etc# date<br>Tue Apr 21 19:36:23 IST 2020<br>root@suram-OptiPlex-7010:/usr/local/etc#<br>==================================================<br><br></div><div>thanks & regards<br></div><div>rajiv<br><br></div></div>
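As an added illustration (not part of the original post or of strongSwan itself), a small Python checker that parses `ipsec listcerts` output like the one quoted above and flags each end-entity certificate as expired, not yet valid, expiring within a warning window, or ok. The sample output and the reference time (the `date` output in the post) are taken from the message; the function names are my own.

```python
import re
from datetime import datetime

# Constructed sample: the `ipsec listcerts` block quoted in the post, trimmed.
LISTCERTS_OUTPUT = """\
List of X.509 End Entity Certificates:

  subject:  "C=IN, O=strongSwan, CN=gateway2"
  issuer:   "C=IN, O=strongSwan, CN=strongSwan CA"
  serial:    02
  validity:  not before Oct 16 01:39:07 2014, ok
             not after  Oct 15 01:39:07 2016, expired (1284 days ago)
"""

DATE_RE = r"(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4})"
DATE_FMT = "%b %d %H:%M:%S %Y"  # a space in the format matches any run of whitespace

def parse_listcerts(text):
    """Return one dict (subject, not_before, not_after) per listed certificate."""
    certs, current = [], None
    for line in text.splitlines():
        m = re.match(r'\s*subject:\s+"(.*)"', line)
        if m:
            current = {"subject": m.group(1)}
            certs.append(current)
        elif current is not None:
            for key, label in (("not_before", "not before"), ("not_after", "not after")):
                m = re.search(label + r"\s+" + DATE_RE, line)
                if m:
                    current[key] = datetime.strptime(m.group(1), DATE_FMT)
    return certs

def check_validity(certs, now_iso, warn_days=30):
    """Map subject -> (status, signed days to notAfter); now_iso e.g. '2020-04-21 19:35:02'."""
    now = datetime.fromisoformat(now_iso)
    results = {}
    for c in certs:
        # Truncate toward zero so "expired (1284 days ago)" comes out as -1284.
        days_left = int((c["not_after"] - now).total_seconds() / 86400)
        if now < c["not_before"]:
            status = "not-yet-valid"
        elif now > c["not_after"]:
            status = "expired"
        elif days_left < warn_days:
            status = "expiring"
        else:
            status = "ok"
        results[c["subject"]] = (status, days_left)
    return results
```

Run it against the live daemon with `ipsec listcerts | python3 check.py` style plumbing (read stdin instead of the constructed sample) from a cron job, and alert on anything other than `ok` well before the gateway's own certificate lapses.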