[strongSwan] [strongSwan IKEv2] Issue in CA certificate updates

Sajal Malhotra sajalmalhotra at gmail.com
Wed Jun 2 10:25:02 CEST 2010

Hi Andreas/Tobias,

PLease let me know if you need any further inputs


On Mon, May 31, 2010 at 7:50 PM, Sajal Malhotra <sajalmalhotra at gmail.com>wrote:

> Hi
> This is regarding update of CA certificates in IKEv2 stack.
> We are facing issue in update of CA certificates while following the steps
> below:
> Step 1. Initially we have a configuration with 2 CA certificates mentioned
> in ipsec.conf as follows:
>  ca cert1
>         cacert=/home/sajal/abc.pem
>         auto=add
>  ca cert2
>         cacert=/home/sajal/xyz.pem
>   auto=add
> * Using this we were able to establish SA with our peer which also has a
> certificate signed by above CA certificate.*
> Step 2. Now we set the date of system(where ikev2 stack is running) to a *future
> date* with value *beyond the expiry time* of CA Certificates
> Step 3. After doing so SA establishment with peer fails saying AUTH Failure
> Step 4. Now i deleted the above 2 CA certificates by specifying a different
> CA certificate in ipsec.conf and issuing the "ipsec update" command:
>  ca cert1
>         cacert=/home/sajal/ijk.pem
>         auto=add
> Step 5. Now i set the system date back to normal.
> Step 6. Now when we try to establish SA with our Peer it is still
> successfully established. This is incorrect as the Certificate of peer is
> signed by *previous CA  *certificate, which has been deleted in step 4
> above.
> Can you please let us know what is the issue here
> Warm Regards
> Sajal
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20100602/00d5429c/attachment.html>

More information about the Users mailing list