[strongSwan] Problem with CRLs

Daniel Riedemann stigmayta at googlemail.com
Wed Feb 17 11:59:41 CET 2010


Hi Andreas,

simple but powerful solution! ;)
It works now:

Feb 17 11:36:02 vpn charon: 13[CFG] checking certificate status of 
"C=DE, ST=Sachsen, L=Leipzig, O=StrongSWAN Project, OU=StrongSWAN PKI, 
CN=User003, E=User003 at project.lan"
Feb 17 11:36:02 vpn charon: 13[CFG]   fetching crl from 
'http://192.168.1.50/StrongSWAN_Root_CA.crl' ...
Feb 17 11:36:02 vpn charon: 13[CFG]   using trusted certificate "C=DE, 
ST=Sachsen, L=Leipzig, O=StrongSWAN Project, OU=StrongSWAN PKI, 
CN=StrongSWAN Root CA"
Feb 17 11:36:02 vpn charon: 13[CFG]   crl correctly signed by "C=DE, 
ST=Sachsen, L=Leipzig, O=StrongSWAN Project, OU=StrongSWAN PKI, 
CN=StrongSWAN Root CA"
Feb 17 11:36:02 vpn charon: 13[CFG] certificate was revoked on Feb 16 
23:01:43 UTC 2010, reason: unspecified
Feb 17 11:36:02 vpn charon: 13[IKE] no trusted RSA public key found for 
'C=DE, ST=Sachsen, L=Leipzig, O=StrongSWAN Project, OU=StrongSWAN PKI, 
CN=User003, E=User003 at project.lan'
Feb 17 11:36:02 vpn charon: 13[ENC] generating IKE_AUTH response 1 [ 
N(AUTH_FAILED) ]
Feb 17 11:36:02 vpn charon: 13[NET] sending packet: from 
192.168.1.50[4500] to 192.168.1.7[39668]

Thank you very, very much!

Best Regards
Daniel


On 17.02.2010 07:06, Andreas Steffen wrote:
> Hi Daniel,
>
> 0x2d is the hyphen character '-'. This means that your CRL is in
> PEM encoded format:
>
> -----BEGIN X509 CRL-----
> MIIDKDCCARACAQEwDQYJKoZIhvcNAQEFBQAwQjELMAkGA1UEBhMCQ0gxFzAVBgNV
> ...
> D5YFfogtCUfUI7/qOdwwoSozPQVe7Ov4FES3peE+ii1Vm3hc07Fsc5zsWw=
> -----END X509 CRL-----
>
> Before putting a CRL onto a web server you must convert it into
> binary ASN.1-DER encoded format, e.g. with the command
>
> openssl crl -in crl.pem -outform der -out strongSwan_Root_CA.crl
>
> Regards
>
> Andreas
>
> Daniel Riedemann wrote:
>    
>> Hello all,
>>
>> I am using StrongSWAN for the first time and I am using the tool xca to
>> build a PKI. So far everything works fine (connection from a Windows 7
>> host to a Linux strongswan gateway). The connection gets started correctly.
>>
>> Now I wanted to test the CRLs, and installed a certificate on the
>> Windows client which I revoked later. But the CRL I am generating with
>> xca can't be read by charon:
>>
>> Feb 17 00:03:17 vpn charon: 14[CFG]   fetching crl from
>> 'http://192.168.1.50/StrongSWAN_Root_CA.crl' ...
>> Feb 17 00:03:17 vpn charon: 14[LIB] L0 - certificateList: ASN1 tag 0x30
>> expected, but is 0x2d
>> Feb 17 00:03:17 vpn charon: 14[LIB] building CRED_CERTIFICATE - X509_CRL
>> failed, tried 2 builders
>> Feb 17 00:03:17 vpn charon: 14[CFG] crl fetched successfully but parsing
>> failed
>>
>> I generated a CRL with another tool (gnomint) also, but charon is
>> telling me the same...
>>
>> If I place the CRL directly into /etc/ipsec.d/crls I just see this on
>> the log:
>>
>> Feb 17 00:51:28 vpn charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
>> Feb 17 00:51:28 vpn charon: 00[CFG]   loaded crl from
>> '/etc/ipsec.d/crls/StrongSWAN_Root_CA.crl'
>>
>> But the connection gets started normally, so the CRL in this directory is
>> also not read correctly.
>>
>> I'm using RSA certificates with 4096 bit for the CA, and 2048 bit for
>> gateway and client. Hashing algorithm is sha-256.
>>
>> What am I doing wrong? Or is there a bug in both tools (or strongswan)?
>> I really appreciate your help.
>>
>> Best Regards
>> Daniel Riedemann
>>
>>
>> ipsec.conf:
>>
>> config setup
>>           crlcheckinterval=600
>>           cachecrls=yes
>>           nat_traversal=yes
>>           charonstart=yes
>>           plutostart=no
>>
>> ca StrongSWAN_Root_CA
>>           cacert=StrongSWAN_Root_CA.crt
>>           crluri="http://192.168.1.50/StrongSWAN_Root_CA.crl"
>>           auto=add
>>
>> conn roadwarrior-ikev2
>>           authby=pubkey
>>           auth=esp
>>           type=tunnel
>>           keyexchange=ikev2
>>           auto=add
>>           compress=yes
>>           dpddelay=15
>>           dpdtimeout=60
>>           esp=aes256-sha1-modp2048
>>           ike=aes256-sha1-modp2048
>>           rekey=yes
>>           ikelifetime=10800
>>           lifetime=3600
>>           reauth=yes
>>           margintime=180
>>           pfs=yes
>>           left=%defaultroute
>>           leftcert=vpn.project.lan.crt
>>           leftfirewall=yes
>>           leftid=@vpn.project.lan
>>           leftsendcert=ifasked
>>           leftsubnet=10.0.0.0/8
>>           right=%any
>>           rightsourceip=172.17.0.0/16
>>      
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>    
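As an added example (not code from this thread or from the strongSwan project), the following Python script reproduces the check behind the error Daniel hit: charon expects the fetched CRL to be binary DER, whose first byte is the ASN.1 SEQUENCE tag 0x30, while a PEM file starts with "-----BEGIN", i.e. 0x2d. The script classifies a file, does the same PEM-to-DER conversion that the quoted openssl command performs (strip the armor, base64-decode the body), and validates the outer DER length against the file size. The sample CRL bytes are constructed and are not a real CRL; the function names are this example's own.

```python
"""Check that a CRL file is DER-encoded before publishing it at a crluri.

charon parses the fetched CRL as DER: byte 0 must be the ASN.1 SEQUENCE tag
0x30. A PEM file starts with '-----BEGIN', so byte 0 is 0x2d ('-'), which is
exactly the "ASN1 tag 0x30 expected, but is 0x2d" message in the thread.
"""
import base64
import re

# Matches one PEM block and captures its label and base64 body.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def detect_encoding(data: bytes) -> str:
    """Classify raw file bytes as 'DER', 'PEM' or 'unknown'."""
    if data[:1] == b"\x30":
        return "DER"
    if data.startswith(b"-----BEGIN"):
        return "PEM"
    return "unknown"


def pem_to_der(data: bytes) -> bytes:
    """Strip the PEM armor and base64-decode the body.

    This is what 'openssl crl -in crl.pem -outform der' does to the payload.
    """
    m = PEM_BLOCK.search(data)
    if m is None:
        raise ValueError("no PEM block found")
    if m.group(1) != b"X509 CRL":
        raise ValueError("PEM block is %r, not an X509 CRL" % m.group(1).decode())
    return base64.b64decode(b"".join(m.group(2).split()), validate=True)


def asn1_outer_header(data: bytes):
    """Parse the outer TLV header; return (tag, content_length, header_length).

    Handles short-form lengths (< 128) and long-form lengths (0x81..0x84),
    which every real CRL uses because it is far larger than 127 bytes.
    """
    if len(data) < 2:
        raise ValueError("too short for an ASN.1 TLV")
    tag, first = data[0], data[1]
    if first < 0x80:
        return tag, first, 2
    n = first & 0x7F
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("bad ASN.1 length encoding")
    return tag, int.from_bytes(data[2:2 + n], "big"), 2 + n


def check_crl(data: bytes) -> str:
    """Return 'ok' for a well-formed outer DER SEQUENCE, else a charon-style diagnosis."""
    if not data:
        return "empty file"
    if data[0] != 0x30:
        return "ASN1 tag 0x30 expected, but is 0x%02x (%s)" % (data[0], detect_encoding(data))
    tag, length, hdr = asn1_outer_header(data)
    if hdr + length != len(data):
        return "SEQUENCE claims %d bytes but file has %d" % (hdr + length, len(data))
    return "ok"


def pem_armor(der: bytes, label: bytes = b"X509 CRL") -> bytes:
    """Wrap DER bytes in PEM armor with 64-character lines (as xca/openssl write it)."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (b"-----BEGIN " + label + b"-----\n" + b"\n".join(lines)
            + b"\n-----END " + label + b"-----\n")


# Constructed sample: NOT a real CRL. An outer SEQUENCE with a long-form
# length (0x81 0xC8 = 200 content bytes) wrapping one OCTET STRING, enough
# to exercise the same header parsing a real CRL needs.
CONSTRUCTED_DER = b"\x30\x81\xc8" + b"\x04\x81\xc5" + b"\xab" * 197
CONSTRUCTED_PEM = pem_armor(CONSTRUCTED_DER)

if __name__ == "__main__":
    print(check_crl(CONSTRUCTED_PEM))               # the failure from the thread
    print(check_crl(pem_to_der(CONSTRUCTED_PEM)))   # after conversion: ok
```

Run `check_crl` on the file before copying it into the web server's document root; the same check applied to whatever the server actually returns for the crluri catches a PEM file that was renamed to .crl without being converted.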