[strongSwan] [strongSwan IKEv2] Issue in CA certificate updates
Sajal Malhotra
sajalmalhotra at gmail.com
Wed Jun 2 10:25:02 CEST 2010
Hi Andreas/Tobias,
Please let me know if you need any further inputs.
Regards
Sajal
On Mon, May 31, 2010 at 7:50 PM, Sajal Malhotra <sajalmalhotra at gmail.com> wrote:
> Hi
> This is regarding update of CA certificates in IKEv2 stack.
> We are facing issue in update of CA certificates while following the steps
> below:
> Step 1. Initially we have a configuration with 2 CA certificates mentioned
> in ipsec.conf as follows:
>
> ca cert1
>     cacert=/home/sajal/abc.pem
>     auto=add
>
> ca cert2
>     cacert=/home/sajal/xyz.pem
>     auto=add
>
> *Using this we were able to establish SA with our peer which also has a
> certificate signed by above CA certificate.*
>
> Step 2. Now we set the date of system (where ikev2 stack is running) to a *future
> date* with value *beyond the expiry time* of CA Certificates
> Step 3. After doing so SA establishment with peer fails saying AUTH Failure
> Step 4. Now I deleted the above 2 CA certificates by specifying a different
> CA certificate in ipsec.conf and issuing the "ipsec update" command:
>
> ca cert1
>     cacert=/home/sajal/ijk.pem
>     auto=add
>
> Step 5. Now I set the system date back to normal.
> Step 6. Now when we try to establish SA with our Peer it is still
> successfully established. This is incorrect as the Certificate of peer is
> signed by *previous CA* certificate, which has been deleted in step 4
> above.
>
>
> Can you please let us know what is the issue here?
>
>
> Warm Regards
> Sajal
>