[strongSwan-dev] Certificate renewal and its effect on ipsec tunnel

Andreas Steffen andreas.steffen at strongswan.org
Sat Sep 18 16:11:02 CEST 2010

Hi Ranjit,

On 09/16/2010 09:48 PM, ranjit.kollu at emc.com wrote:
> Hi Andreas,
> I am Ranjit Kollu working as a developer at EMC Corporation.
> We are using strongswan to setup IPSec tunnel between our management
> servers and we use our own CA and digital certificates. So we are
> experimenting with the renewal of certificates and its effect on the IPSec
> tunnel. Following are the questions I have:
> 1) If the host (digital certificate) is about to expire on our
> management servers and say the IPSec tunnel is up. If we revoke the
> digital certificate on the management server and re-create new ones
> that are signed by the same CA (before the digital certificate
> expires) - What effect does it have on the IPSec tunnel? - Do
> we need to restart ipsec? - Or does the existing tunnel keep
> working fine? - Is there a periodic check on the ipsec tunnel for
> the validity of the certificates?
The validity and revocation status of a certificate is verified
during IKEv1 Main Mode or during IKEv2 Reauthentication only,
i.e. in the time period defined by ikelifetime= in ipsec.conf. The default
value is every 3 hours.

When you update an end entity certificate then you should take down
the connection on the end that is in possession of the old cert,
update the cert and restart it:

   ipsec down <conn>
   ipsec update
   ipsec up <conn>

Make sure to store the new end entity certificate under a different
file name and adapt the leftcert=<certfile> statement in ipsec.conf
accordingly. Otherwise "ipsec update" will not load the new certificate.
All other running tunnels are not affected.

> 2) Extending on question 1), what if the IPSec tunnel goes down for
> some reason and once we restart the IPSec tunnel using our new
> digital certs, does it have any effect on the IPSec tunnel
> establishment?
Just the new certs will be used as described under 1).

> 3) What happens if the CA itself expires? - Can we safely revoke
> the existing host certificates and remove the CA and create a new CA
> and new digital certificates? - What are its effects on the IPSec
> tunnel? - Do we need to restart ipsec?
Create a new CA certificate a sufficiently long time before the old one
expires, copy it to /etc/ipsec.d/cacerts/ and execute

   ipsec rereadcacerts

The new CA certificate will then be known together with the old one,
so that you can now issue new certificates signed by the new CA
and introduce them using step 1)
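The two procedures above (rotating an end-entity certificate under 1), and introducing a new CA certificate under 3)) as one added shell script. This is an example written for this page, not code from the strongSwan project or from the mail. It assumes the ipsec.conf layout shown in the sample it writes (a constructed file, not a real deployment), that the `ipsec` command behaves as the mail describes, and it adds an `IPSEC` variable of its own so the commands can be swapped for a stub in a dry run. The check that refuses to reuse the old file name exists because, as the mail says, "ipsec update" will not load a certificate whose path in leftcert= is unchanged.

```shell
#!/bin/sh
# Added example (not from strongSwan): certificate rotation helpers for
# the procedure described in the mail above.
set -eu

# Command used for all strongSwan calls; override (e.g. IPSEC=true) for a dry run.
IPSEC=${IPSEC:-ipsec}

# Write a constructed sample ipsec.conf to the path given in $1.
sample_conf() {
    cat > "$1" <<'EOF'
# constructed example ipsec.conf (not a real deployment)
config setup

conn %default
    ikelifetime=3h

conn mgmt
    left=%any
    leftcert=mgmtCert.pem
    right=10.0.0.2
    auto=add
EOF
}

# Print the leftcert= value of conn $2 in ipsec.conf $1 (only that section).
conn_leftcert() {
    awk -v conn="$2" '
        /^conn[ \t]/ { in_conn = ($2 == conn) }
        in_conn && /^[ \t]*leftcert[ \t]*=/ {
            sub(/^[ \t]*leftcert[ \t]*=[ \t]*/, ""); print; exit
        }
    ' "$1"
}

# Rewrite leftcert= of conn $2 in ipsec.conf $1 to the file name $3,
# leaving every other section (including conn %default) untouched.
set_leftcert() {
    tmp=$(mktemp)
    awk -v conn="$2" -v cert="$3" '
        /^conn[ \t]/ { in_conn = ($2 == conn) }
        in_conn && /^[ \t]*leftcert[ \t]*=/ { print "    leftcert=" cert; next }
        { print }
    ' "$1" > "$tmp"
    mv "$tmp" "$1"
}

# Step 1) from the mail: point conn $2 in ipsec.conf $1 at the new cert
# file $3, then down / update / up that one connection. Other tunnels
# are not touched.
rotate_cert() {
    old=$(conn_leftcert "$1" "$2")
    if [ "$old" = "$3" ]; then
        # "ipsec update" does not reload a cert under an unchanged file name.
        echo "new certificate must use a file name different from $old" >&2
        return 1
    fi
    set_leftcert "$1" "$2" "$3"
    "$IPSEC" down "$2"
    "$IPSEC" update
    "$IPSEC" up "$2"
}

# Step 3) from the mail: copy the new CA certificate $2 into the cacerts
# directory $1 (normally /etc/ipsec.d/cacerts/) and make strongSwan read
# it alongside the old CA, so certificates from either CA are accepted.
install_ca() {
    cp "$2" "$1/"
    "$IPSEC" rereadcacerts
}

# Usage: sh rotate.sh rotate /etc/ipsec.conf mgmt mgmtCert-new.pem
#        sh rotate.sh install-ca /etc/ipsec.d/cacerts newCaCert.pem
case "${1:-}" in
    rotate)     rotate_cert "$2" "$3" "$4" ;;
    install-ca) install_ca "$2" "$3" ;;
esac
```

Run the rotation on the end that holds the new certificate, after the new file has been placed under a new name next to the old one; the old file can be removed once the connection is back up.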

> Could you please answer the above questions when you have time.
> Thanks, Ranjit.


Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)