[strongSwan] [strongSwan IKEv2] Issue in CA certificate updates

Sajal Malhotra sajalmalhotra at gmail.com
Thu Jun 10 13:51:13 CEST 2010


Hi Martin,

Thanks for the help

I tried the patch you gave.

After compiling with your patch, we followed the steps below:
1. Gave the following ipsec.conf file to the IKEv2 stack, with two ca
sections:

*********start ipsec.conf*****************************
 config setup
 cachecrls=no
 charonstart=yes
 plutostart=no
 strictcrlpolicy=no
 uniqueids=no

ca OldWithNew
 cacert=/tmp/cacertown.pem
 auto=add

ca NewWithNew
 cacert=/tmp/cacertnwn.pem
 auto=add

conn test1
 ikelifetime=24h
 keyexchange=ikev2
 keyingtries=%forever
 keylife=90m
 reauth=no
 rekey=yes
 mobike=no
 dpddelay=0
 rekeymargin=4m
 ike=aes128-sha1-modp1024,3des-sha1-modp1024!
 esp=aes128-sha1-modp1024,3des-sha1-modp1024!
 authby=rsasig
 left=20.20.20.21
 leftsubnet=16.16.16.2/32
 right=10.10.10.2
 rightsubnet=14.14.14.2/32
 leftprotoport=sctp/4000
 rightprotoport=sctp/4000
 leftcert=/tmp/mycert.pem
 rightid=%any
 auto=add
***********end ipsec.conf*****************************


2. After that I removed the 'OldWithNew' ca section from ipsec.conf
(only one ca section was removed) and ran the 'ipsec reload' command.
3. In the output of "ipsec listall", the CA information section shows 1 CA cert;
however, the CA cert section, and also the output of the command 'ipsec listcacerts',
still shows 2 CA certs.

Can you tell me if there is any other way to fix this?

Thanks for your help.

Regards,
Sajal

On Mon, Jun 7, 2010 at 5:26 PM, Martin Willi <martin at strongswan.org> wrote:

>
>
> > Can you direct me to the place from where i can update the code so
> > that we can clear the cache externally
>
> Please try the attached patch, it should flush the certificate cache if
> a CA section is deleted via "ipsec reload". I'll push it if this works
> for your setup.
>
> Regards
> Martin
>
>
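The state described in step 3 (a CA deleted from ipsec.conf but still trusted after "ipsec reload") is worth checking mechanically, because a stale CA entry means certificates issued by a retired CA are still accepted. The script below is an added example, not code from this thread or from the strongSwan project. It assumes that "ipsec listcacerts" prints one "subject:" line per loaded CA certificate; the sample outputs embedded in it are constructed for illustration, not captured from a daemon.

```shell
#!/bin/sh
# Added check (not part of the thread): confirm that a CA section removed from
# ipsec.conf has really disappeared from charon's trust store after
# "ipsec reload". Assumes "ipsec listcacerts" prints one "subject:" line per
# loaded CA certificate; the sample outputs below are constructed for
# illustration, not captured from a real daemon.

# Count loaded CA certificates in listcacerts output read on stdin.
count_cacerts() {
    grep -c '^[[:space:]]*subject:' || true
}

# Exit 0 if a CA whose subject contains $1 is listed on stdin, 1 otherwise.
ca_present() {
    grep -q "^[[:space:]]*subject:.*$1"
}

# verify_ca_removed BEFORE_FILE AFTER_FILE SUBJECT_FRAGMENT
# Compares two captures of "ipsec listcacerts" and fails if the CA that was
# deleted from ipsec.conf is still trusted after the reload.
verify_ca_removed() {
    before=$(count_cacerts < "$1")
    after=$(count_cacerts < "$2")
    if ca_present "$3" < "$2"; then
        echo "FAIL: '$3' still listed after reload ($before -> $after CA certs)"
        return 1
    fi
    echo "PASS: '$3' gone after reload ($before -> $after CA certs)"
    return 0
}

# Constructed sample: two CAs loaded, as with the two ca sections above.
sample_before() {
cat <<'EOF'
List of X.509 CA Certificates:

  subject:  "C=XX, O=Example, CN=Old CA"
  issuer:   "C=XX, O=Example, CN=Old CA"
  subject:  "C=XX, O=Example, CN=New CA"
  issuer:   "C=XX, O=Example, CN=New CA"
EOF
}

# Constructed sample: the stale state reported in the thread (cache not flushed).
sample_after_stale() {
    sample_before
}

# Constructed sample: the expected state after a correct reload.
sample_after_fixed() {
cat <<'EOF'
List of X.509 CA Certificates:

  subject:  "C=XX, O=Example, CN=New CA"
  issuer:   "C=XX, O=Example, CN=New CA"
EOF
}

# Live use (as root, with charon running):
#   ipsec listcacerts > /tmp/cacerts.before
#   (delete the "ca OldWithNew" section from ipsec.conf by hand)
#   ipsec reload
#   ipsec listcacerts > /tmp/cacerts.after
#   verify_ca_removed /tmp/cacerts.before /tmp/cacerts.after 'CN=Old CA'
```

The subject fragment passed to verify_ca_removed should be something unique to the removed CA (its CN is usually enough); matching on the full count alone is not sufficient, since a reload that adds one CA and fails to drop another would leave the count unchanged.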