<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Hello,<br>
<br>
I still have a problem with the CRL cache with strongSwan 5.3.5 and
Ubuntu 16.04.<br>
<br>
Certificate status is checked against the CRL, as we can see in the log
file.<br>
The ipsec listcrls command outputs:<br>
<br>
List of X.509 CRLs:<br>
<br>
issuer: "C=FR, O=Education Nationale, OU=0002 110043015, CN=AC
EN Scolarite et Formation"<br>
serial: 09:43<br>
revoked: 13 certificates<br>
updates: this Sep 13 00:00:06 2016<br>
next Sep 20 00:00:06 2016, ok (expires in 6 days) <br>
authkey:
cc:2e:37:0f:06:b2:b9:b5:e9:2d:ff:be:52:37:c6:1d:b4:b7:07:17<br>
<br>
But ll /etc/ipsec.d/crls/ gives:<br>
total 8<br>
drwxr-xr-x 2 root root 4096 avril 5 15:44 ./<br>
drwxr-xr-x 11 root root 4096 août 30 21:01 ../<br>
<br>
With Ubuntu 14.04 and strongSwan 5.1.2 (after the AppArmor profile
correction),<br>
<br>
ll /etc/ipsec.d/crls/ gives:<br>
total 12<br>
drwxr-xr-x 2 root root 4096 sept. 13 09:18 ./<br>
drwxr-xr-x 11 root root 4096 sept. 10 01:04 ../<br>
-rw-r--r-- 1 root root 1307 sept. 13 09:18
cc2e370f06b2b9b5e92dffbe5237c61db4b70717.crl<br>
<br>
What else can I check?<br>
<br>
<br>
<br>
On 09/09/2016 at 14:50, Fabrice Barconnière wrote:<br>
</div>
<blockquote
cite="mid:9b28f816-175e-bc23-b715-3f591fe5d342@ac-dijon.fr"
type="cite">
<pre wrap="">Hi all,
The /etc/ipsec.d/crls directory is still empty after connections are established.
OS: Ubuntu 16.04
Version: 5.3.5-1ubuntu3
* ipsec.conf:
config setup
uniqueids = yes
cachecrls = yes
strictcrlpolicy = no
...
...
* ipsec statusall:
Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-36-generic,
x86_64):
uptime: 17 minutes, since Sep 09 14:13:12 2016
malloc: sbrk 5275648, mmap 532480, used 1125024, free 4150624
worker threads: 27 of 32 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 6
loaded plugins: charon test-vectors unbound ldap pkcs11 aes rc2 sha1
sha2 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1
pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem gcrypt af-alg
fips-prf gmp chapoly xcbc cmac hmac ctr ccm ntru bliss curl soup mysql
sqlite attr kernel-netlink resolve socket-default farp stroke updown
eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2
eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2
eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic
xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11
tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr
addrblock unity
Listening IP addresses:
192.168.0.11
172.30.101.11
Connections:
aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1:
192.168.0.11...192.168.0.31 IKEv1/2, dpddelay=120s
aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1:
local: [C=FR, L=Dijon, O=Education Nationale, OU=0002 110043015,
CN=sphynx.ac-test.fr] uses public key authentication
aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1:
cert: "C=FR, L=Dijon, O=Education Nationale, OU=0002 110043015,
CN=sphynx.ac-test.fr"
aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1:
remote: [C=FR, L=Toulouse, O=Education Nationale, OU=ac-toulouse,
OU=0002 110043015, CN=0120101V-01-TEST.ac-toulouse.fr] uses public key
authentication
aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1:
child: 172.30.101.0/24 === 10.1.1.0/24 TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1[2]:
ESTABLISHED 10 minutes ago, 192.168.0.11[C=FR, L=Dijon, O=Education
Nationale, OU=0002 110043015, CN=sphynx.ac-test.fr]...192.168.0.31[C=FR,
L=Toulouse, O=Education Nationale, OU=ac-toulouse, OU=0002 110043015,
CN=0120101V-01-TEST.ac-toulouse.fr]
aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1[2]:
IKEv2 SPIs: b858dddc617a4ac3_i d7697a226ce94911_r*, public key
reauthentication in 2 hours
aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1[2]:
IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1{2}:
INSTALLED, TUNNEL, reqid 2, ESP SPIs: c84807a5_i c234d7e7_o
aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1{2}:
AES_GCM_16_128, 336 bytes_i (4 pkts, 6s ago), 336 bytes_o (4 pkts, 6s
ago), rekeying in 32 minutes
aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1{2}:
172.30.101.0/24 === 10.1.1.0/24
* Logs:
2016-09-09T14:35:48.169931+02:00 sphynx.ac-test.lan charon: 00[DMN]
Starting IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-36-generic,
x86_64)
2016-09-09T14:35:48.220738+02:00 sphynx.ac-test.lan charon: 00[CFG]
disabling load-tester plugin, not configured
2016-09-09T14:35:48.221002+02:00 sphynx.ac-test.lan charon: 00[LIB]
plugin 'load-tester': failed to load - load_tester_plugin_create
returned NULL
2016-09-09T14:35:48.229358+02:00 sphynx.ac-test.lan charon: 00[CFG]
dnscert plugin is disabled
2016-09-09T14:35:48.229716+02:00 sphynx.ac-test.lan charon: 00[CFG]
ipseckey plugin is disabled
2016-09-09T14:35:48.230376+02:00 sphynx.ac-test.lan charon: 00[CFG]
attr-sql plugin: database URI not set
2016-09-09T14:35:48.230648+02:00 sphynx.ac-test.lan charon: 00[CFG]
loading ca certificates from '/etc/ipsec.d/cacerts'
2016-09-09T14:35:48.230799+02:00 sphynx.ac-test.lan charon: 00[CFG]
loaded ca certificate "C=FR, O=Education Nationale, OU=0002 110043015,
CN=AC EN Scolarite et Formation" from '/etc/ipsec.d/cacerts/AC EN
Scolarite et Formation.pem'
2016-09-09T14:35:48.230997+02:00 sphynx.ac-test.lan charon: 00[CFG]
loaded ca certificate "C=FR, O=Education Nationale, L=Dijon, OU=0002
110043015, CN=CA-sphynx-RVP" from '/etc/ipsec.d/cacerts/CA-sphynx-RVP.pem'
2016-09-09T14:35:48.231144+02:00 sphynx.ac-test.lan charon: 00[CFG]
loaded ca certificate "C=FR, O=Education Nationale, OU=0002 110043015,
CN=AC Education Nationale" from '/etc/ipsec.d/cacerts/AC Education
Nationale.pem'
2016-09-09T14:35:48.231622+02:00 sphynx.ac-test.lan charon: 00[CFG]
loaded ca certificate "C=FR, O=Ministere Education Nationale
Enseignement Superieur Recherche, CN=AC Racine Ministere ENESR" from
'/etc/ipsec.d/cacerts/AC Racine Ministere ENESR.pem'
2016-09-09T14:35:48.231793+02:00 sphynx.ac-test.lan charon: 00[CFG]
loading aa certificates from '/etc/ipsec.d/aacerts'
2016-09-09T14:35:48.231918+02:00 sphynx.ac-test.lan charon: 00[CFG]
loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
2016-09-09T14:35:48.232078+02:00 sphynx.ac-test.lan charon: 00[CFG]
loading attribute certificates from '/etc/ipsec.d/acerts'
2016-09-09T14:35:48.232214+02:00 sphynx.ac-test.lan charon: 00[CFG]
loading crls from '/etc/ipsec.d/crls'
2016-09-09T14:35:48.232356+02:00 sphynx.ac-test.lan charon: 00[CFG]
loading secrets from '/etc/ipsec.secrets'
2016-09-09T14:35:48.232522+02:00 sphynx.ac-test.lan charon: 00[CFG]
loaded RSA private key from '/etc/ipsec.d/private/privsphynx.ac-test.fr.pem'
2016-09-09T14:35:48.232664+02:00 sphynx.ac-test.lan charon: 00[CFG]
opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or
directory
2016-09-09T14:35:48.232805+02:00 sphynx.ac-test.lan charon: 00[CFG]
eap-simaka-sql database URI missing
2016-09-09T14:35:48.233119+02:00 sphynx.ac-test.lan charon: 00[CFG]
loaded 0 RADIUS server configurations
2016-09-09T14:35:48.233315+02:00 sphynx.ac-test.lan charon: 00[CFG] no
threshold configured for systime-fix, disabled
2016-09-09T14:35:48.233515+02:00 sphynx.ac-test.lan charon: 00[CFG]
coupling file path unspecified
2016-09-09T14:35:48.233706+02:00 sphynx.ac-test.lan charon: 00[LIB]
loaded plugins: charon test-vectors unbound ldap pkcs11 aes rc2 sha1
sha2 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1
pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem gcrypt af-alg
fips-prf gmp chapoly xcbc cmac hmac ctr ccm ntru bliss curl soup mysql
sqlite attr kernel-netlink resolve socket-default farp stroke updown
eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2
eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2
eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic
xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11
tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr
addrblock unity
2016-09-09T14:35:48.234163+02:00 sphynx.ac-test.lan charon: 00[LIB]
dropped capabilities, running as uid 0, gid 0
2016-09-09T14:35:48.234345+02:00 sphynx.ac-test.lan charon: 00[JOB]
spawning 32 worker threads
2016-09-09T14:35:48.247156+02:00 sphynx.ac-test.lan charon: 06[CFG]
received stroke: add connection
'aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1'
2016-09-09T14:35:48.247447+02:00 sphynx.ac-test.lan charon: 06[CFG]
loaded certificate "C=FR, L=Dijon, O=Education Nationale, OU=0002
110043015, CN=sphynx.ac-test.fr" from 'sphynx.ac-test.fr.pem'
2016-09-09T14:35:48.247635+02:00 sphynx.ac-test.lan charon: 06[CFG]
added configuration
'aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1'
2016-09-09T14:35:48.247825+02:00 sphynx.ac-test.lan charon: 08[CFG]
received stroke: initiate
'aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1'
2016-09-09T14:35:48.248034+02:00 sphynx.ac-test.lan charon: 08[IKE]
initiating IKE_SA
aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1[1]
to 192.168.0.31
2016-09-09T14:35:48.248224+02:00 sphynx.ac-test.lan charon: 08[IKE]
initiating IKE_SA
aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1[1]
to 192.168.0.31
2016-09-09T14:35:48.259508+02:00 sphynx.ac-test.lan charon: 08[ENC]
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
N(HASH_ALG) ]
2016-09-09T14:35:48.259817+02:00 sphynx.ac-test.lan charon: 08[NET]
sending packet: from 192.168.0.11[500] to 192.168.0.31[500] (1252 bytes)
2016-09-09T14:35:48.264907+02:00 sphynx.ac-test.lan charon: 10[NET]
received packet: from 192.168.0.31[500] to 192.168.0.11[500] (517 bytes)
2016-09-09T14:35:48.265160+02:00 sphynx.ac-test.lan charon: 10[ENC]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
2016-09-09T14:35:48.278316+02:00 sphynx.ac-test.lan charon: 10[IKE]
received cert request for "C=FR, O=Ministere Education Nationale
Enseignement Superieur Recherche, CN=AC Racine Ministere ENESR"
2016-09-09T14:35:48.278600+02:00 sphynx.ac-test.lan charon: 10[IKE]
received cert request for "C=FR, O=Education Nationale, OU=0002
110043015, CN=AC EN Scolarite et Formation"
2016-09-09T14:35:48.278825+02:00 sphynx.ac-test.lan charon: 10[IKE]
received cert request for "C=FR, O=Education Nationale, OU=0002
110043015, CN=AC Education Nationale"
2016-09-09T14:35:48.279014+02:00 sphynx.ac-test.lan charon: 10[IKE]
received cert request for "C=FR, O=Education Nationale, L=Dijon, OU=0002
110043015, CN=CA-sphynx-RVP"
2016-09-09T14:35:48.279201+02:00 sphynx.ac-test.lan charon: 10[IKE]
sending cert request for "C=FR, O=Education Nationale, OU=0002
110043015, CN=AC EN Scolarite et Formation"
2016-09-09T14:35:48.279419+02:00 sphynx.ac-test.lan charon: 10[IKE]
sending cert request for "C=FR, O=Education Nationale, L=Dijon, OU=0002
110043015, CN=CA-sphynx-RVP"
2016-09-09T14:35:48.279590+02:00 sphynx.ac-test.lan charon: 10[IKE]
sending cert request for "C=FR, O=Education Nationale, OU=0002
110043015, CN=AC Education Nationale"
2016-09-09T14:35:48.279791+02:00 sphynx.ac-test.lan charon: 10[IKE]
sending cert request for "C=FR, O=Ministere Education Nationale
Enseignement Superieur Recherche, CN=AC Racine Ministere ENESR"
2016-09-09T14:35:48.283674+02:00 sphynx.ac-test.lan charon: 10[IKE]
authentication of 'C=FR, L=Dijon, O=Education Nationale, OU=0002
110043015, CN=sphynx.ac-test.fr' (myself) with RSA signature successful
2016-09-09T14:35:48.283936+02:00 sphynx.ac-test.lan charon: 10[IKE]
sending end entity cert "C=FR, L=Dijon, O=Education Nationale, OU=0002
110043015, CN=sphynx.ac-test.fr"
2016-09-09T14:35:48.284141+02:00 sphynx.ac-test.lan charon: 10[IKE]
establishing CHILD_SA
aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1
2016-09-09T14:35:48.284333+02:00 sphynx.ac-test.lan charon: 10[IKE]
establishing CHILD_SA
aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1
2016-09-09T14:35:48.284487+02:00 sphynx.ac-test.lan charon: 10[ENC]
generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr
AUTH SA TSi TSr N(EAP_ONLY) ]
2016-09-09T14:35:48.284681+02:00 sphynx.ac-test.lan charon: 10[NET]
sending packet: from 192.168.0.11[500] to 192.168.0.31[500] (2416 bytes)
2016-09-09T14:35:48.698280+02:00 sphynx.ac-test.lan charon: 11[NET]
received packet: from 192.168.0.31[500] to 192.168.0.11[500] (2112 bytes)
2016-09-09T14:35:48.698782+02:00 sphynx.ac-test.lan charon: 11[ENC]
parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) ]
2016-09-09T14:35:48.699000+02:00 sphynx.ac-test.lan charon: 11[IKE]
received end entity cert "C=FR, L=Toulouse, O=Education Nationale,
OU=ac-toulouse, OU=0002 110043015, CN=0120101V-01-TEST.ac-toulouse.fr"
2016-09-09T14:35:48.699199+02:00 sphynx.ac-test.lan charon: 11[CFG]
using certificate "C=FR, L=Toulouse, O=Education Nationale,
OU=ac-toulouse, OU=0002 110043015, CN=0120101V-01-TEST.ac-toulouse.fr"
2016-09-09T14:35:48.699435+02:00 sphynx.ac-test.lan charon: 11[CFG]
using trusted intermediate ca certificate "C=FR, O=Education Nationale,
OU=0002 110043015, CN=AC EN Scolarite et Formation"
2016-09-09T14:35:48.699629+02:00 sphynx.ac-test.lan charon: 11[CFG]
checking certificate status of "C=FR, L=Toulouse, O=Education Nationale,
OU=ac-toulouse, OU=0002 110043015, CN=0120101V-01-TEST.ac-toulouse.fr"
2016-09-09T14:35:48.699828+02:00 sphynx.ac-test.lan charon: 11[CFG]
fetching crl from
'<a class="moz-txt-link-freetext" href="http://crl.pncn.education.gouv.fr/ac-men-scolarite-et-formation.crl">http://crl.pncn.education.gouv.fr/ac-men-scolarite-et-formation.crl</a>' ...
2016-09-09T14:35:48.739498+02:00 sphynx.ac-test.lan charon: 11[CFG]
using trusted intermediate ca certificate "C=FR, O=Education Nationale,
OU=0002 110043015, CN=AC Education Nationale"
2016-09-09T14:35:48.739798+02:00 sphynx.ac-test.lan charon: 11[CFG]
reached self-signed root ca with a path length of 0
2016-09-09T14:35:48.740023+02:00 sphynx.ac-test.lan charon: 11[CFG]
using trusted certificate "C=FR, O=Education Nationale, OU=0002
110043015, CN=AC EN Scolarite et Formation"
2016-09-09T14:35:48.740227+02:00 sphynx.ac-test.lan charon: 11[CFG]
crl correctly signed by "C=FR, O=Education Nationale, OU=0002 110043015,
CN=AC EN Scolarite et Formation"
2016-09-09T14:35:48.740439+02:00 sphynx.ac-test.lan charon: 11[CFG]
crl is valid: until Sep 16 00:00:05 2016
2016-09-09T14:35:48.740651+02:00 sphynx.ac-test.lan charon: 11[CFG]
certificate status is good
2016-09-09T14:35:48.740875+02:00 sphynx.ac-test.lan charon: 11[CFG]
using trusted intermediate ca certificate "C=FR, O=Education Nationale,
OU=0002 110043015, CN=AC Education Nationale"
2016-09-09T14:35:48.741131+02:00 sphynx.ac-test.lan charon: 11[CFG]
checking certificate status of "C=FR, O=Education Nationale, OU=0002
110043015, CN=AC EN Scolarite et Formation"
2016-09-09T14:35:48.741452+02:00 sphynx.ac-test.lan charon: 11[CFG]
requesting ocsp status from '<a class="moz-txt-link-freetext" href="http://ocsp.pncn.education.gouv.fr/men">http://ocsp.pncn.education.gouv.fr/men</a>' ...
2016-09-09T14:35:48.866481+02:00 sphynx.ac-test.lan charon: 11[CFG]
ocsp response correctly signed by "C=FR, O=Education Nationale, OU=0002
110043015, CN=Signature OCSP - AC MEN"
2016-09-09T14:35:48.866895+02:00 sphynx.ac-test.lan charon: 11[CFG]
ocsp response is valid: until Sep 09 14:35:58 2016
2016-09-09T14:35:48.867158+02:00 sphynx.ac-test.lan charon: 11[CFG]
certificate status is good
2016-09-09T14:35:48.867391+02:00 sphynx.ac-test.lan charon: 11[CFG]
using trusted ca certificate "C=FR, O=Ministere Education Nationale
Enseignement Superieur Recherche, CN=AC Racine Ministere ENESR"
2016-09-09T14:35:48.867598+02:00 sphynx.ac-test.lan charon: 11[CFG]
checking certificate status of "C=FR, O=Education Nationale, OU=0002
110043015, CN=AC Education Nationale"
2016-09-09T14:35:48.867803+02:00 sphynx.ac-test.lan charon: 11[CFG] ocsp
response verification failed, no signer certificate 'C=FR, O=Education
Nationale, OU=0002 110043015, CN=Signature OCSP - AC MEN' found
2016-09-09T14:35:48.868006+02:00 sphynx.ac-test.lan charon: 11[CFG]
requesting ocsp status from '<a class="moz-txt-link-freetext" href="http://ocsp.pncn.education.gouv.fr/menesr">http://ocsp.pncn.education.gouv.fr/menesr</a>' ...
2016-09-09T14:35:48.992719+02:00 sphynx.ac-test.lan charon: 11[CFG]
ocsp response correctly signed by "C=FR, O=Ministere Education Nationale
Enseignement Superieur Recherche, CN=Signature OCSP - AC MENESR"
2016-09-09T14:35:48.993075+02:00 sphynx.ac-test.lan charon: 11[CFG]
ocsp response is valid: until Sep 09 14:35:58 2016
2016-09-09T14:35:48.993272+02:00 sphynx.ac-test.lan charon: 11[CFG]
certificate status is good
2016-09-09T14:35:48.993484+02:00 sphynx.ac-test.lan charon: 11[CFG]
reached self-signed root ca with a path length of 2
2016-09-09T14:35:48.993709+02:00 sphynx.ac-test.lan charon: 11[IKE]
authentication of 'C=FR, L=Toulouse, O=Education Nationale,
OU=ac-toulouse, OU=0002 110043015, CN=0120101V-01-TEST.ac-toulouse.fr'
with RSA signature successful
2016-09-09T14:35:48.993915+02:00 sphynx.ac-test.lan charon: 11[IKE]
IKE_SA
aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1[1]
established between 192.168.0.11[C=FR, L=Dijon, O=Education Nationale,
OU=0002 110043015, CN=sphynx.ac-test.fr]...192.168.0.31[C=FR,
L=Toulouse, O=Education Nationale, OU=ac-toulouse, OU=0002 110043015,
CN=0120101V-01-TEST.ac-toulouse.fr]
2016-09-09T14:35:48.994137+02:00 sphynx.ac-test.lan charon: 11[IKE]
IKE_SA
aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1[1]
established between 192.168.0.11[C=FR, L=Dijon, O=Education Nationale,
OU=0002 110043015, CN=sphynx.ac-test.fr]...192.168.0.31[C=FR,
L=Toulouse, O=Education Nationale, OU=ac-toulouse, OU=0002 110043015,
CN=0120101V-01-TEST.ac-toulouse.fr]
2016-09-09T14:35:48.994316+02:00 sphynx.ac-test.lan charon: 11[IKE]
scheduling reauthentication in 10146s
2016-09-09T14:35:48.994585+02:00 sphynx.ac-test.lan charon: 11[IKE]
maximum IKE_SA lifetime 10686s
2016-09-09T14:35:48.994955+02:00 sphynx.ac-test.lan charon: 11[IKE]
CHILD_SA
aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1{1}
established with SPIs ccdd7bb4_i c01e70f1_o and TS 172.30.101.0/24 ===
10.1.1.0/24
2016-09-09T14:35:48.995159+02:00 sphynx.ac-test.lan charon: 11[IKE]
CHILD_SA
aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1{1}
established with SPIs ccdd7bb4_i c01e70f1_o and TS 172.30.101.0/24 ===
10.1.1.0/24
2016-09-09T14:35:48.995469+02:00 sphynx.ac-test.lan charon: 11[IKE]
received AUTH_LIFETIME of 10248s, scheduling reauthentication in 9708s
The CRL cache is not empty with Ubuntu 14.04 and strongSwan version
5.1.2-0ubuntu2.4 and the same configuration. I can see this line in the log
file:
2016-09-09T13:39:42.728748+02:00 amon.etb1.lan charon: 21[CFG] written
crl file
'/etc/ipsec.d/crls/cc2e370f06b2b9b5e92dffbe5237c61db4b70717.crl' (1307
bytes)
ls -l /etc/ipsec.d/crls/
total 4
-rw-r--r-- 1 root root 1307 sept. 9 13:39
cc2e370f06b2b9b5e92dffbe5237c61db4b70717.crl
Perhaps something is wrong in my strongSwan configuration?
Regards,
Fabrice Barconnière
<a class="moz-txt-link-freetext" href="http://pcll.ac-dijon.fr/eole/">http://pcll.ac-dijon.fr/eole/</a>
</pre>
<br>
<br>
<pre wrap="">_______________________________________________
Users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a>
<a class="moz-txt-link-freetext" href="https://lists.strongswan.org/mailman/listinfo/users">https://lists.strongswan.org/mailman/listinfo/users</a></pre>
</blockquote>
<br>
<p><br>
</p>
<pre class="moz-signature" cols="72">--
Regards,
Fabrice Barconnière
Pôle logiciels libres - EOLE</pre>
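<p>A check for the situation described in this thread, added here as an example and not code from strongSwan or from the posts above: with cachecrls=yes, charon writes each fetched CRL to the cache directory under its authority key identifier (lowercase hex without colons) plus ".crl", as the 14.04 listing shows. The script derives those names from ipsec listcrls output, reports which cache files are missing, and scans audit output for AppArmor denials on the cache directory. The listcrls sample and the audit line are constructed, and the charon profile path in that line is an assumption.</p>

```shell
#!/bin/sh
# Added example, not code from strongSwan or from the list post. With
# cachecrls=yes, charon saves each fetched CRL under its authority key
# identifier (lowercase hex, no colons) plus ".crl", as in the post's
# 14.04 listing. This script derives those names from `ipsec listcrls`
# output and reports which ones are missing from the cache directory.
# The AppArmor profile path in SAMPLE_AUDIT is an assumption.

CRL_DIR="${CRL_DIR:-/etc/ipsec.d/crls}"

# Constructed sample of `ipsec listcrls` output (shape copied from the post).
SAMPLE_LISTCRLS='List of X.509 CRLs:

  issuer:  "C=FR, O=Education Nationale, OU=0002 110043015, CN=AC EN Scolarite et Formation"
  serial:   09:43
  revoked:  13 certificates
  updates:  this Sep 13 00:00:06 2016
             next Sep 20 00:00:06 2016, ok (expires in 6 days)
  authkey:  cc:2e:37:0f:06:b2:b9:b5:e9:2d:ff:be:52:37:c6:1d:b4:b7:07:17'

# Constructed AppArmor audit line of the kind that would explain an empty cache.
SAMPLE_AUDIT='audit: type=1400 apparmor="DENIED" operation="mknod" profile="/usr/lib/ipsec/charon" name="/etc/ipsec.d/crls/cc2e370f06b2b9b5e92dffbe5237c61db4b70717.crl" pid=1234 comm="charon" requested_mask="c" denied_mask="c"'

# "cc:2e:37:..." -> "cc2e37...crl"
authkey_to_crl_file() {
    printf '%s.crl\n' "$(printf '%s' "$1" | tr -d ':' | tr 'A-F' 'a-f')"
}

# Read listcrls output on stdin, print the expected cache file name per CRL.
expected_crl_files() {
    sed -n 's/^[[:space:]]*authkey:[[:space:]]*//p' | while read -r key; do
        authkey_to_crl_file "$key"
    done
}

# Read file names on stdin, check each in directory $1; return 1 if any is missing.
check_crl_cache() {
    dir="$1"; status=0
    while read -r f; do
        if [ -s "$dir/$f" ]; then echo "present $dir/$f"
        else echo "MISSING $dir/$f"; status=1; fi
    done
    return "$status"
}

# Print AppArmor denials on stdin that touch directory $1; return 1 if none.
apparmor_denials() {
    grep 'apparmor="DENIED"' | grep -F "name=\"$1"
}

# Live run, only where a cache directory actually exists on this host.
if [ -d "$CRL_DIR" ]; then
    ipsec listcrls 2>/dev/null | expected_crl_files | check_crl_cache "$CRL_DIR" \
        || { echo "cache incomplete; looking for AppArmor denials in dmesg:"
             dmesg 2>/dev/null | apparmor_denials "$CRL_DIR" || echo "none found"; }
fi
```

A "written crl file" line in the charon log (as in the 14.04 output quoted above) is the positive counterpart: if it never appears while the CRL is fetched and validated, the cache write itself is what to look at.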
</body>
</html>