[strongSwan] Reread of CA certificates, CRL checking
Andreas Steffen
andreas.steffen at strongswan.org
Fri Feb 26 22:14:24 CET 2010
Hello Markus,
could you send me the sales end-entity and CA certificates as well
as the CRL?
Regards
Andreas
Markus Müller wrote:
> Hello,
>
> I've got the following 2 questions about a strongSwan 4.3.6 setup with
> OpenSSL 0.9.8g certificates:
>
> 1)
> Is there a way to tell the pluto & charon daemons to "forget" removed CA
> certificates from /etc/ipsec.d/cacerts without a restart
> (and thus disrupted connections)?
> When I delete a certificate from the folder and run 'ipsec rereadcacerts',
> the removed certificate is still listed in the 'ipsec listcacerts' output.
>
> 2)
> I generated CRLs for my CAs and put those in the /etc/ipsec.d/crls folder.
> One of the CRLs belongs to a CA with a revoked certificate.
> When I tried to connect, using that revoked certificate, I got connected
> when keyexchange is set to ikev2 and rejected (as expected) when
> keyexchange is set to ike.
>
> Thanks in advance,
> Markus
>
>
> The ipsec.conf files look like this:
>
> gateway side:
> conn 1
>     left=192.168.150.135
>     leftsubnet=172.16.121.0/24
>     right=%any
>     authby=rsasig
>     leftcert=cert1.pem
>     leftid="C=de, ST=state, O=company, OU=develop, CN=cert 1, E=dev at company.de"
>     rightid=%any
>     dpdaction=hold
>     dpddelay=15s
>     ike=aes256-sha2_512-modp8192,aes256-sha2_512-modp4096!
>     esp=aes256-sha2_256!
>     keyexchange=ikev2
>     ikelifetime=3600s
>     keyingtries=%forever
>     keylife=300s
>     rekey=yes
>     rekeymargin=60s
>     rekeyfuzz=50%
>     reauth=yes
>     auto=add
>     leftsendcert=ifasked
>
> client side:
> conn 1
>     left=192.168.150.136
>     right=192.168.150.135
>     rightsubnet=172.16.121.0/24
>     authby=rsasig
>     leftcert=cert2.pem
>     leftid="C=de, ST=state, O=company, OU=sales, CN=cert 2, E=sales at company.de"
>     rightcert=cert1.pem
>     rightid="C=de, ST=state, O=company, OU=develop, CN=cert 1, E=dev at company.de"
>     dpdaction=hold
>     dpddelay=15s
>     ike=aes256-sha2_512-modp8192,aes256-sha2_512-modp4096!
>     esp=aes128-sha2_256,aes256-sha2_256!
>     keyexchange=ikev2
>     ikelifetime=3600s
>     keyingtries=%forever
>     keylife=300s
>     rekey=yes
>     rekeymargin=60s
>     rekeyfuzz=50%
>     reauth=yes
>     auto=add
>     leftsendcert=ifasked
>
> 'ipsec listcrls' output on gateway side:
> 000
> 000 List of X.509 CRLs:
> 000
> 000 issuer: "C=de, ST=state, L=city, O=company, OU=sales, CN=sales ca, E=sales at company.de"
> 000 revoked: 1 certificates
> 000 distPts: 'file:///etc/ipsec.d/crls/sales_crl.pem'
> 000 updates: this Feb 23 13:31:38 2010
> 000 next Feb 21 13:31:38 2020 ok
> 000
> 000 issuer: "C=de, ST=state, L=city, O=company, OU=develop, CN=develop ca, E=dev at company.de"
> 000 revoked: 0 certificates
> 000 distPts: 'file:///etc/ipsec.d/crls/develop_crl.pem'
> 000 updates: this Jan 22 14:53:53 2010
> 000 next Jan 20 14:53:53 2020 ok
>
> List of X.509 CRLs:
>
> issuer: "C=de, ST=state, L=city, O=company, OU=sales, CN=sales ca, E=sales at company.de"
> revoked: 1 certificate
> updates: this Feb 23 13:31:38 2010
> next Feb 21 13:31:38 2020, ok
>
> issuer: "C=de, ST=state, L=city, O=company, OU=develop, CN=develop ca, E=dev at company.de"
> revoked: 0 certificates
> updates: this Jan 22 14:53:53 2010
> next Jan 20 14:53:53 2020, ok
>
> log on gateway side (ikev2):
> s_local@(none) charon: 11[CFG] selected peer config '1'
> s_local@(none) charon: 11[CFG] using certificate "C=de, ST=state, O=company, OU=sales, CN=cert 2, E=sales at company.de"
> s_local@(none) charon: 11[CFG] using trusted ca certificate "C=de, ST=state, L=city, O=company, OU=sales, CN=sales ca, E=sales at company.de"
> s_local@(none) charon: 11[CFG] checking certificate status of "C=de, ST=state, O=company, OU=sales, CN=cert 2, E=sales at company.de"
> s_local@(none) charon: 11[CFG] certificate status is not available
> s_local@(none) charon: 11[CFG] reached self-signed root ca with a path length of 0
> s_local@(none) charon: 11[IKE] authentication of 'C=de, ST=state, O=company, OU=sales, CN=cert 2, E=sales at company.de' with RSA signature successful
>
> log on gateway side (ikev1):
> "1"[1] 192.168.150.136 #3: responding to Main Mode from unknown peer 192.168.150.136
> "1"[1] 192.168.150.136 #3: Peer ID is ID_DER_ASN1_DN: 'C=de, ST=state, O=company, OU=sales, CN=cert 2, E=sales at company.de'
> "1"[1] 192.168.150.136 #3: certificate was revoked on Feb 23 13:30:46 UTC 2010, reason: unspecified
> "1"[1] 192.168.150.136 #3: X.509 certificate rejected
> "1"[1] 192.168.150.136 #3: no public key known for 'C=de, ST=state, O=company, OU=sales, CN=cert 2, E=sales at company.de'
> "1"[1] 192.168.150.136 #3: sending encrypted notification INVALID_KEY_INFORMATION to 192.168.150.136:500
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
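The two logs quoted above show pluto rejecting the revoked certificate while charon reports that the certificate status is not available. Before looking into either daemon it helps to confirm, with a tool that has nothing to do with strongSwan, that the CRL actually covers the end-entity certificate: same issuer DN, the serial listed, and the CRL still within its validity window. The script below is an added example and is not part of the original thread or of strongSwan. It builds a throwaway "sales ca" in a temporary directory, issues a "cert 2", revokes it, and runs `openssl verify -crl_check` against the certificate both before and after revocation. The DNs are modelled on the thread but constructed here, and the helper names (`crl_covers_cert`, `cert_status`, `build_pki`, `demo_crl_check`) are the example's own.

```shell
#!/bin/sh
# Added example (not from the strongSwan thread): reproduce the revocation
# decision outside the IKE daemons with the OpenSSL CLI, using a throwaway
# PKI built in a temp dir. DNs mimic "sales ca" / "cert 2" from the thread
# but are constructed for this example.
set -eu

# Issuer DN of a certificate / of a CRL, as printed by openssl (prefix stripped).
cert_issuer() { openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//'; }
crl_issuer()  { openssl crl  -in "$1" -noout -issuer | sed 's/^issuer= *//'; }

# "yes" if the CRL was issued by the DN that issued the cert, else "no".
# A CRL can only be applied to certificates from its own issuer.
crl_covers_cert() {   # $1 cert, $2 crl
    if [ "$(cert_issuer "$1")" = "$(crl_issuer "$2")" ]; then echo yes; else echo no; fi
}

# good | revoked | error, derived from the exit status and output of
# `openssl verify -crl_check` (which checks the leaf against the CRL).
cert_status() {   # $1 cert, $2 CA cert, $3 CRL
    out=$(openssl verify -crl_check -CAfile "$2" -CRLfile "$3" "$1" 2>&1) && { echo good; return 0; }
    case "$out" in
        *"certificate revoked"*) echo revoked ;;
        *) echo error ;;
    esac
}

# Build a one-CA PKI: CA, end-entity cert2, an empty CRL, then revoke cert2
# and issue a second CRL. Prints the work directory.
build_pki() {
    work=$(mktemp -d)
    mkdir -p "$work/ca/newcerts"
    : > "$work/ca/index.txt"
    echo 1000 > "$work/ca/serial"
    echo 1000 > "$work/ca/crlnumber"
    cat > "$work/ca.cnf" <<EOF
[ ca ]
default_ca       = sales_ca
[ sales_ca ]
dir              = $work/ca
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = $work/sales_ca.pem
private_key      = $work/sales_ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = any_dn
[ any_dn ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
commonName = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -config "$work/ca.cnf" -days 365 \
        -keyout "$work/sales_ca.key" -out "$work/sales_ca.pem" \
        -subj "/C=de/ST=state/L=city/O=company/OU=sales/CN=sales ca" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -config "$work/ca.cnf" \
        -keyout "$work/cert2.key" -out "$work/cert2.csr" \
        -subj "/C=de/ST=state/O=company/OU=sales/CN=cert 2" >/dev/null 2>&1
    openssl ca -batch -notext -config "$work/ca.cnf" \
        -in "$work/cert2.csr" -out "$work/cert2.pem" >/dev/null 2>&1
    # CRL with no entries, to show the "good" case first.
    openssl ca -config "$work/ca.cnf" -gencrl -out "$work/crl_empty.pem" >/dev/null 2>&1
    # Revoke cert2 (reason "unspecified", as in the pluto log) and reissue the CRL.
    openssl ca -config "$work/ca.cnf" -revoke "$work/cert2.pem" -crl_reason unspecified >/dev/null 2>&1
    openssl ca -config "$work/ca.cnf" -gencrl -out "$work/sales_crl.pem" >/dev/null 2>&1
    echo "$work"
}

# Run the whole scenario and report: does the CRL cover the cert, and what
# does openssl say before and after revocation?
demo_crl_check() {
    w=$(build_pki)
    covers=$(crl_covers_cert "$w/cert2.pem" "$w/sales_crl.pem")
    before=$(cert_status "$w/cert2.pem" "$w/sales_ca.pem" "$w/crl_empty.pem")
    after=$(cert_status "$w/cert2.pem" "$w/sales_ca.pem" "$w/sales_crl.pem")
    rm -rf "$w"
    echo "covers=$covers before=$before after=$after"
}

demo_crl_check
```

The same two helpers work on the real files: `crl_covers_cert cert2.pem /etc/ipsec.d/crls/sales_crl.pem` and `cert_status cert2.pem /etc/ipsec.d/cacerts/sales_ca.pem /etc/ipsec.d/crls/sales_crl.pem`. If openssl reports the certificate revoked while charon still logs that the certificate status is not available, the CRL file itself is not the problem and attention can move to how the daemon finds and loads it.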