[strongSwan] Problem with CRLs
Daniel Riedemann
stigmayta at googlemail.com
Wed Feb 17 11:59:41 CET 2010
Hi Andreas,
simple but powerful solution! ;)
It works now:
Feb 17 11:36:02 vpn charon: 13[CFG] checking certificate status of
"C=DE, ST=Sachsen, L=Leipzig, O=StrongSWAN Project, OU=StrongSWAN PKI,
CN=User003, E=User003 at project.lan"
Feb 17 11:36:02 vpn charon: 13[CFG] fetching crl from
'http://192.168.1.50/StrongSWAN_Root_CA.crl' ...
Feb 17 11:36:02 vpn charon: 13[CFG] using trusted certificate "C=DE,
ST=Sachsen, L=Leipzig, O=StrongSWAN Project, OU=StrongSWAN PKI,
CN=StrongSWAN Root CA"
Feb 17 11:36:02 vpn charon: 13[CFG] crl correctly signed by "C=DE,
ST=Sachsen, L=Leipzig, O=StrongSWAN Project, OU=StrongSWAN PKI,
CN=StrongSWAN Root CA"
Feb 17 11:36:02 vpn charon: 13[CFG] certificate was revoked on Feb 16
23:01:43 UTC 2010, reason: unspecified
Feb 17 11:36:02 vpn charon: 13[IKE] no trusted RSA public key found for
'C=DE, ST=Sachsen, L=Leipzig, O=StrongSWAN Project, OU=StrongSWAN PKI,
CN=User003, E=User003 at project.lan'
Feb 17 11:36:02 vpn charon: 13[ENC] generating IKE_AUTH response 1 [
N(AUTH_FAILED) ]
Feb 17 11:36:02 vpn charon: 13[NET] sending packet: from
192.168.1.50[4500] to 192.168.1.7[39668]
Thank you very, very much!
Best Regards
Daniel
On 17.02.2010 07:06, Andreas Steffen wrote:
> Hi Daniel,
>
> 0x2d is the hyphen character '-'. This means that your CRL is in
> PEM encoded format:
>
> -----BEGIN X509 CRL-----
> MIIDKDCCARACAQEwDQYJKoZIhvcNAQEFBQAwQjELMAkGA1UEBhMCQ0gxFzAVBgNV
> ...
> D5YFfogtCUfUI7/qOdwwoSozPQVe7Ov4FES3peE+ii1Vm3hc07Fsc5zsWw=
> -----END X509 CRL-----
>
> Before putting a CRL onto a web server you must convert it into
> binary ASN.1-DER encoded format, e.g. with the command
>
> openssl crl -in crl.pem -outform der -out strongSwan_Root_CA.crl
>
> Regards
>
> Andreas
>
> Daniel Riedemann wrote:
>
>> Hello all,
>>
>> I am using strongSwan for the first time and I am using the tool xca to
>> build a PKI. So far everything works fine (connection from a Windows 7
>> host to a Linux strongSwan gateway). The connection gets started correctly.
>>
>> Now I wanted to test the CRLs, and installed a certificate on the
>> Windows client which I revoked later. But the CRL I am generating with
>> xca can't be read by charon:
>>
>> Feb 17 00:03:17 vpn charon: 14[CFG] fetching crl from
>> 'http://192.168.1.50/StrongSWAN_Root_CA.crl' ...
>> Feb 17 00:03:17 vpn charon: 14[LIB] L0 - certificateList: ASN1 tag 0x30
>> expected, but is 0x2d
>> Feb 17 00:03:17 vpn charon: 14[LIB] building CRED_CERTIFICATE - X509_CRL
>> failed, tried 2 builders
>> Feb 17 00:03:17 vpn charon: 14[CFG] crl fetched successfully but parsing
>> failed
>>
>> I generated a CRL with another tool (gnomint) as well, but charon is
>> telling me the same...
>>
>> If I place the CRL directly into /etc/ipsec.d/crls I just see this on
>> the log:
>>
>> Feb 17 00:51:28 vpn charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
>> Feb 17 00:51:28 vpn charon: 00[CFG] loaded crl from
>> '/etc/ipsec.d/crls/StrongSWAN_Root_CA.crl'
>>
>> But the connection gets started normally, so the CRL in this directory is
>> also not read correctly.
>>
>> I'm using RSA certificates with 4096 bits for the CA and 2048 bits for the
>> gateway and client. The hashing algorithm is SHA-256.
>>
>> What am I doing wrong? Or is there a bug in both tools (or strongswan)?
>> I really appreciate your help.
>>
>> Best Regards
>> Daniel Riedemann
>>
>>
>> ipsec.conf:
>>
>> config setup
>>         crlcheckinterval=600
>>         cachecrls=yes
>>         nat_traversal=yes
>>         charonstart=yes
>>         plutostart=no
>>
>> ca StrongSWAN_Root_CA
>>         cacert=StrongSWAN_Root_CA.crt
>>         crluri="http://192.168.1.50/StrongSWAN_Root_CA.crl"
>>         auto=add
>>
>> conn roadwarrior-ikev2
>>         authby=pubkey
>>         auth=esp
>>         type=tunnel
>>         keyexchange=ikev2
>>         auto=add
>>         compress=yes
>>         dpddelay=15
>>         dpdtimeout=60
>>         esp=aes256-sha1-modp2048
>>         ike=aes256-sha1-modp2048
>>         rekey=yes
>>         ikelifetime=10800
>>         lifetime=3600
>>         reauth=yes
>>         margintime=180
>>         pfs=yes
>>         left=%defaultroute
>>         leftcert=vpn.project.lan.crt
>>         leftfirewall=yes
>>         leftid=@vpn.project.lan
>>         leftsendcert=ifasked
>>         leftsubnet=10.0.0.0/8
>>         right=%any
>>         rightsourceip=172.17.0.0/16
>>
>>
> ======================================================================
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
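The check a practitioner would run before publishing a CRL at the crluri, as an added example that is neither code from this thread nor strongSwan's own: it classifies a file as PEM or DER the same way charon's parser trips over it (the first byte must be the ASN.1 SEQUENCE tag 0x30; a PEM armour starts with '-' = 0x2d), also verifies that the outer DER length header matches the file size, and converts PEM to DER in place of the openssl command above. The sample bytes are a constructed stand-in for a CertificateList, not a real CRL; the file name and function names are this example's own.

```python
"""Classify a CRL file as DER or PEM before putting it on the web server.

charon fetches the crluri and expects binary DER: the first byte must be
the ASN.1 SEQUENCE tag 0x30. A PEM file begins with "-----BEGIN", so its
first byte is 0x2d ('-'), which is exactly the log line
"certificateList: ASN1 tag 0x30 expected, but is 0x2d" from the thread.
Added example, not strongSwan code.
"""
import base64
import re
import sys

PEM_CRL_RE = re.compile(
    rb"-----BEGIN X509 CRL-----\s*(.*?)\s*-----END X509 CRL-----", re.S)


def asn1_total_length(data: bytes) -> int:
    """Total encoded size (tag + length header + content) of the outer ASN.1
    element, or -1 if the length header is malformed or truncated."""
    if len(data) < 2:
        return -1
    first = data[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def classify(data: bytes) -> str:
    """'der' if data is a single complete DER SEQUENCE, 'pem' if it is a
    PEM-armoured X509 CRL, otherwise 'unknown'."""
    if data[:1] == b"\x30" and asn1_total_length(data) == len(data):
        return "der"
    if data[:1] == b"\x2d" and PEM_CRL_RE.search(data):
        return "pem"
    return "unknown"


def pem_to_der(data: bytes) -> bytes:
    """Equivalent of `openssl crl -in crl.pem -outform der`: strip the
    armour, base64-decode, and refuse output that is not a DER SEQUENCE."""
    m = PEM_CRL_RE.search(data)
    if not m:
        raise ValueError("no X509 CRL PEM block found")
    der = base64.b64decode(m.group(1))    # newlines inside the body are ignored
    if classify(der) != "der":
        raise ValueError("PEM body did not decode to a DER SEQUENCE")
    return der


# Constructed stand-in for a CertificateList: SEQUENCE { INTEGER 1, INTEGER 2 }.
# Not a real CRL, just a well-formed outer SEQUENCE for exercising the checks.
SAMPLE_DER = bytes.fromhex("3006020101020102")
SAMPLE_PEM = (b"-----BEGIN X509 CRL-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END X509 CRL-----\n")


def check_file(path: str) -> str:
    """Read a CRL file and report what charon would see when fetching it."""
    with open(path, "rb") as f:
        kind = classify(f.read())
    if kind == "der":
        return "OK: DER, safe to publish at the crluri"
    if kind == "pem":
        return "PEM encoded: convert with openssl crl -outform der first"
    return "neither DER nor PEM: charon will fail to parse this"


if __name__ == "__main__":
    # Hypothetical path; pass the real CRL file as the first argument.
    print(check_file(sys.argv[1] if len(sys.argv) > 1 else "StrongSWAN_Root_CA.crl"))
```

Both the 0x30 check and the length comparison matter: a file that is DER but truncated by a bad copy to the web root also fails in charon, and the length header catches that before the CRL is published.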