[strongSwan] Problem with CRLs

Daniel Riedemann stigmayta at googlemail.com
Wed Feb 17 01:05:47 CET 2010


Hello all,

I am using StrongSWAN for the first time and I am using the tool xca to 
build a PKI. So far everything works fine (connection from a windows 7 
host to a linux strongswan gateway). The connection gets started correctly.

Now I wanted to test the CRLs, and installed a certificate at the 
windows client which I revoked later. But the CRL I am generating with 
xca can't be read by charon:

Feb 17 00:03:17 vpn charon: 14[CFG]   fetching crl from 
'http://192.168.1.50/StrongSWAN_Root_CA.crl' ...
Feb 17 00:03:17 vpn charon: 14[LIB] L0 - certificateList: ASN1 tag 0x30 
expected, but is 0x2d
Feb 17 00:03:17 vpn charon: 14[LIB] building CRED_CERTIFICATE - X509_CRL 
failed, tried 2 builders
Feb 17 00:03:17 vpn charon: 14[CFG] crl fetched successfully but parsing 
failed

I generated a CRL with another tool (gnomint) also, but charon is 
telling me the same...

If I place the CRL directly into /etc/ipsec.d/crls I just see this on 
the log:

Feb 17 00:51:28 vpn charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Feb 17 00:51:28 vpn charon: 00[CFG]   loaded crl from 
'/etc/ipsec.d/crls/StrongSWAN_Root_CA.crl'

But the connection gets started normally, so the CRL in this directory is 
also not read correctly.

I'm using RSA certificates with 4096 bit for the CA, and 2048 bit for 
gateway and client. Hashing algorithm is sha-256.

What am I doing wrong? Or is there a bug in both tools (or strongswan)?
I really appreciate your help.

Best Regards
Daniel Riedemann


ipsec.conf:

config setup
         crlcheckinterval=600
         cachecrls=yes
         nat_traversal=yes
         charonstart=yes
         plutostart=no

ca StrongSWAN_Root_CA
         cacert=StrongSWAN_Root_CA.crt
         crluri="http://192.168.1.50/StrongSWAN_Root_CA.crl"
         auto=add

conn roadwarrior-ikev2
         authby=pubkey
         auth=esp
         type=tunnel
         keyexchange=ikev2
         auto=add
         compress=yes
         dpddelay=15
         dpdtimeout=60
         esp=aes256-sha1-modp2048
         ike=aes256-sha1-modp2048
         rekey=yes
         ikelifetime=10800
         lifetime=3600
         reauth=yes
         margintime=180
         pfs=yes
         left=%defaultroute
         leftcert=vpn.project.lan.crt
         leftfirewall=yes
         leftid=@vpn.project.lan
         leftsendcert=ifasked
         leftsubnet=10.0.0.0/8
         right=%any
         rightsourceip=172.17.0.0/16
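The log line "ASN1 tag 0x30 expected, but is 0x2d" is worth reading literally: 0x30 is the ASN.1 SEQUENCE tag that opens any DER-encoded CRL, while 0x2d is the ASCII character "-", the first byte of a PEM "-----BEGIN X509 CRL-----" header. The following script is an added diagnostic, not part of the original post and not strongSwan code; it assumes (the post does not confirm this) that the exported CRL is PEM-encoded, reports what the first byte says about the encoding, and converts a PEM CRL to the DER form that charon's ASN.1 parser expects. The sample input is a constructed minimal SEQUENCE, not a real CRL.

```python
import base64
import re
import sys

# PEM block as written by xca/OpenSSL-style tools; the body is base64 of the DER bytes.
PEM_CRL_RE = re.compile(
    rb"-----BEGIN X509 CRL-----\s*(.*?)\s*-----END X509 CRL-----", re.S
)

ASN1_SEQUENCE_TAG = 0x30  # every DER CRL starts with this tag
ASCII_DASH = 0x2d         # first byte of a "-----BEGIN ..." PEM header


def describe_first_byte(data: bytes) -> str:
    """Explain what the leading byte of a CRL file says about its encoding."""
    if not data:
        return "empty file"
    first = data[0]
    if first == ASN1_SEQUENCE_TAG:
        return "DER: first byte 0x30 is an ASN.1 SEQUENCE tag"
    if first == ASCII_DASH:
        return "PEM: first byte 0x2d is '-', the start of a '-----BEGIN' header"
    return f"unknown: first byte 0x{first:02x}"


def pem_to_der(data: bytes) -> bytes:
    """Extract and base64-decode the X509 CRL PEM block."""
    match = PEM_CRL_RE.search(data)
    if match is None:
        raise ValueError("no '-----BEGIN X509 CRL-----' block found")
    body = b"".join(match.group(1).split())  # strip line breaks inside the base64
    return base64.b64decode(body, validate=True)


def to_der(data: bytes) -> bytes:
    """Return DER bytes whatever the input encoding; DER input passes through."""
    if data[:1] == bytes([ASN1_SEQUENCE_TAG]):
        return data
    return pem_to_der(data)


# Constructed sample: a minimal SEQUENCE { INTEGER 0 }; NOT a real CRL, just
# enough structure to exercise the encoding check and the PEM->DER conversion.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x00])
SAMPLE_PEM = (
    b"-----BEGIN X509 CRL-----\n"
    + base64.encodebytes(SAMPLE_DER)
    + b"-----END X509 CRL-----\n"
)


if __name__ == "__main__":
    # Usage: python crlcheck.py /etc/ipsec.d/crls/StrongSWAN_Root_CA.crl [out.der]
    path = sys.argv[1] if len(sys.argv) > 1 else None
    raw = open(path, "rb").read() if path else SAMPLE_PEM
    print(describe_first_byte(raw))
    der = to_der(raw)
    print(f"DER length: {len(der)} bytes, first byte 0x{der[0]:02x}")
    if len(sys.argv) > 2:
        with open(sys.argv[2], "wb") as out:
            out.write(der)
```

If the check reports PEM, the same conversion can be done with `openssl crl -in StrongSWAN_Root_CA.crl -inform PEM -outform DER -out StrongSWAN_Root_CA.der.crl`; the DER file is what should be served at the `crluri` and placed in /etc/ipsec.d/crls. A file that loads "successfully" from the crls directory but never affects a revoked client is the same symptom seen from the other side, so running the check on that copy too is a quick way to confirm the encoding before suspecting the key size or hash algorithm.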