[strongSwan] Problem with CRLs

Andreas Steffen andreas.steffen at strongswan.org
Wed Feb 17 07:06:52 CET 2010


Hi Daniel,

0x2d is the hyphen character '-'. This means that your CRL is in
PEM encoded format:

-----BEGIN X509 CRL-----
MIIDKDCCARACAQEwDQYJKoZIhvcNAQEFBQAwQjELMAkGA1UEBhMCQ0gxFzAVBgNV
...
D5YFfogtCUfUI7/qOdwwoSozPQVe7Ov4FES3peE+ii1Vm3hc07Fsc5zsWw=
-----END X509 CRL-----

Before putting a CRL onto a web server you must convert it into
binary ASN.1-DER encoded format, e.g. with the command

openssl crl -in crl.pem -outform der -out strongSwan_Root_CA.crl

Regards

Andreas

Daniel Riedemann wrote:
> Hello all,
> 
> I am using StrongSWAN for the first time and I am using the tool xca to 
> build a PKI. So far everything works fine (connection from a Windows 7 
> host to a Linux strongswan gateway). The connection gets started correctly.
> 
> Now I wanted to test the CRLs and installed a certificate at the 
> Windows client, which I revoked later. But the CRL I am generating with 
> xca can't be read by charon:
> 
> Feb 17 00:03:17 vpn charon: 14[CFG]   fetching crl from 
> 'http://192.168.1.50/StrongSWAN_Root_CA.crl' ...
> Feb 17 00:03:17 vpn charon: 14[LIB] L0 - certificateList: ASN1 tag 0x30 
> expected, but is 0x2d
> Feb 17 00:03:17 vpn charon: 14[LIB] building CRED_CERTIFICATE - X509_CRL 
> failed, tried 2 builders
> Feb 17 00:03:17 vpn charon: 14[CFG] crl fetched successfully but parsing 
> failed
> 
> I generated a CRL with another tool (gnomint) as well, but charon is 
> telling me the same...
> 
> If I place the CRL directly into /etc/ipsec.d/crls I just see this on 
> the log:
> 
> Feb 17 00:51:28 vpn charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
> Feb 17 00:51:28 vpn charon: 00[CFG]   loaded crl from 
> '/etc/ipsec.d/crls/StrongSWAN_Root_CA.crl'
> 
> But the connection gets started normally, so the CRL in this directory is 
> also not read correctly.
> 
> I'm using RSA certificates with 4096 bit for the CA, and 2048 bit for 
> gateway and client. The hashing algorithm is SHA-256.
> 
> What am I doing wrong? Or is there a bug in both tools (or strongswan)?
> I really appreciate your help.
> 
> Best Regards
> Daniel Riedemann
> 
> 
> ipsec.conf:
> 
> config setup
>          crlcheckinterval=600
>          cachecrls=yes
>          nat_traversal=yes
>          charonstart=yes
>          plutostart=no
> 
> ca StrongSWAN_Root_CA
>          cacert=StrongSWAN_Root_CA.crt
>          crluri="http://192.168.1.50/StrongSWAN_Root_CA.crl"
>          auto=add
> 
> conn roadwarrior-ikev2
>          authby=pubkey
>          auth=esp
>          type=tunnel
>          keyexchange=ikev2
>          auto=add
>          compress=yes
>          dpddelay=15
>          dpdtimeout=60
>          esp=aes256-sha1-modp2048
>          ike=aes256-sha1-modp2048
>          rekey=yes
>          ikelifetime=10800
>          lifetime=3600
>          reauth=yes
>          margintime=180
>          pfs=yes
>          left=%defaultroute
>          leftcert=vpn.project.lan.crt
>          leftfirewall=yes
>          leftid=@vpn.project.lan
>          leftsendcert=ifasked
>          leftsubnet=10.0.0.0/8
>          right=%any
>          rightsourceip=172.17.0.0/16

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
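An added Python check (not from this thread, and not strongSwan or openssl code) that reproduces the distinction Andreas describes: it looks at the first byte of a fetched CRL the way charon's parser does (0x30 is the outer DER SEQUENCE, 0x2d is the '-' of a PEM header), strips the PEM armor as an equivalent of the openssl command above, and verifies that the outer SEQUENCE length spans the whole file before the file is published under crluri or dropped into /etc/ipsec.d/crls. The sample bytes are a constructed minimal SEQUENCE, not a real CRL.

```python
import base64
import re

# Constructed sample: SEQUENCE { INTEGER 1 } as DER, then the same bytes PEM-armored.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_PEM = (b"-----BEGIN X509 CRL-----\n"
              b"MAMCAQE=\n"
              b"-----END X509 CRL-----\n")
PEM_CRL_RE = re.compile(
    rb"-----BEGIN X509 CRL-----(.*?)-----END X509 CRL-----", re.DOTALL)


def classify_crl(data: bytes) -> str:
    """0x30 is the DER SEQUENCE tag charon expects; 0x2d is '-' of '-----BEGIN' (PEM)."""
    if not data:
        return "empty"
    if data[0] == 0x30:
        return "der"
    if data[0] == 0x2D:
        return "pem"
    return "unknown (first byte 0x%02x)" % data[0]


def pem_to_der(data: bytes) -> bytes:
    """Strip the armor and base64-decode the body, like 'openssl crl -outform der'."""
    m = PEM_CRL_RE.search(data)
    if m is None:
        raise ValueError("no '-----BEGIN X509 CRL-----' block found")
    return base64.b64decode(b"".join(m.group(1).split()), validate=True)


def der_total_length(data: bytes) -> int:
    """Tag + length octets + content of the outer SEQUENCE (short and long form lengths)."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("ASN1 tag 0x30 expected, but is 0x%02x" % (data[0] if data else 0))
    if data[1] < 0x80:
        return 2 + data[1]
    n = data[1] & 0x7F  # long form: number of following length octets
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("bad DER length encoding")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def normalize_crl(data: bytes) -> bytes:
    """Return DER bytes ready for the crluri web server, converting PEM if needed."""
    kind = classify_crl(data)
    if kind == "pem":
        data = pem_to_der(data)
    elif kind != "der":
        raise ValueError("not a CRL: " + kind)
    if der_total_length(data) != len(data):  # trailing garbage or truncated download
        raise ValueError("outer SEQUENCE length does not match file size")
    return data
```

Running normalize_crl over the file xca wrote would have turned the PEM text into the DER bytes charon can parse; a DER file that fails the length check was truncated or has trailing data appended.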