[strongSwan] Loading CRLs from file

Andreas Steffen andreas.steffen at strongswan.org
Fri Feb 19 17:18:40 CET 2010 

vivek bairathi wrote:
> Hi All,
> 
> Hi All,
> 
> I  have a CRL in pem format with me. The CRL file is loaded at startup.
> 
> 1. If the CRL file is updated in  the directory, how can strongswan be
> indicated to update it. Does crlCheckInterval timer work with
> strongswan IKEv2?
>
The fetcher does only look for a fresh CRL if the nextUpdate time
of the old CRL has expired. If you want frequent automatic CRL
updates then you must shorten the lifetime of the CRLs.

There is a manual workaround, though. If you copy the CRL into
the default directory /etc/ipsec.d/crls [it can even be in PEM format]
then the CRL is automatically loaded during the charon startup
and you can reload the CRL manually any time by executing the command

  ipsec rereadcrls

> 2. Is there an option to load CRL present in Cert directory at every
> IKE Autentication
>
no

> 3. Also, If I try to specify a specific fileuri, I get the follwoing error:-
> 
> Error:-
> Feb 20 00:58:17 vivek-desktop charon: 09[CFG]   fetching crl from
> '/home/vivek/vivek/linux_pc_90_1/crl.pem' ...
> Feb 20 00:58:17 vivek-desktop charon: 09[LIB] unable to fetch from
> /home/vivek/vivek/linux_pc_90_1/crl.pem, no capable fetcher found
> Feb 20 00:58:17 vivek-desktop charon: 09[CFG] crl fetching failed
>
It seems that fetcher does not handle crls in PEM format. Just convert
the CRL into binary DER format with the command

   openssl crl -in crl.pem -outform der -out crl.der

> ipsec.conf

:-
> config setup
> 	cachecrls=no
> 	charonstart=yes
> 	plutostart=no
> 	strictcrlpolicy=yes
> 	uniqueids=no
> 
> ca AllPlanes
> 	cacert=/tmp/RootCert3801_7349bbdb.pem
> 	crluri=file:///home/vivek/vivek/linux_pc_90_1/crl.pem
> 	auto=add
> 
> conn IpSecSSEPlane
> 	ikelifetime=24h
> 	keyexchange=ikev2
> 	keyingtries=%forever
> 	keylife=90m
> 	reauth=no
> 	rekey=yes
> 	mobike=no
> 	rekeymargin=4m
> 	ike=aes128-sha1-modp1024,3des-sha1-modp1024!
> 	esp=3des-sha1-modp1024,aes128-sha1-modp1024!
> 	authby=rsasig
> 	left=21.21.21.20
> 	leftsubnet=14.14.14.10/32
> 	right=21.21.21.21
> 	leftcert=/home/vivek/vivek/linux_pc_90_1/cert.pem
> 	rightid=%any
> 	auto=add
> 
> 
> Thanks for your inputs in advance.
> 
> Regards,
> Vivek

Best regards

Andreas

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

More information about the Users mailing list