[strongSwan] [strongSwan IKEv2] Issue in CA certificate updates
Sajal Malhotra
sajalmalhotra at gmail.com
Thu Jun 10 13:51:13 CEST 2010
Hi Martin,
Thanks for the help.
I tried the patch you gave.
After compiling with your patch, we followed the steps below:
1. Gave the following ipsec.conf file, containing two ca sections, to the
IKEv2 stack:
*********start ipsec.conf*****************************
config setup
    cachecrls=no
    charonstart=yes
    plutostart=no
    strictcrlpolicy=no
    uniqueids=no

# first CA section (removed again in step 2)
ca OldWithNew
    cacert=/tmp/cacertown.pem
    auto=add

# second CA section (kept)
ca NewWithNew
    cacert=/tmp/cacertnwn.pem
    auto=add

conn test1
    ikelifetime=24h
    keyexchange=ikev2
    keyingtries=%forever
    keylife=90m
    reauth=no
    rekey=yes
    mobike=no
    dpddelay=0
    rekeymargin=4m
    ike=aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=aes128-sha1-modp1024,3des-sha1-modp1024!
    authby=rsasig
    left=20.20.20.21
    leftsubnet=16.16.16.2/32
    right=10.10.10.2
    rightsubnet=14.14.14.2/32
    leftprotoport=sctp/4000
    rightprotoport=sctp/4000
    leftcert=/tmp/mycert.pem
    rightid=%any
    auto=add
***********end ipsec.conf*****************************
2. After that I removed the 'OldWithNew' ca section from ipsec.conf
(only one ca section was removed) and ran the 'ipsec reload' command.
3. In the output of "ipsec listall", the CA information section shows 1 CA
cert; however, the CA cert section, and also the output of the command
'ipsec listcacerts', still show 2 CA certs.
Can you tell me if there is any other way to fix this?
Thanks for your help.
Regards,
Sajal
On Mon, Jun 7, 2010 at 5:26 PM, Martin Willi <martin at strongswan.org> wrote:
>
>
> > Can you direct me to the place from where I can update the code so
> > that we can clear the cache externally
>
> Please try the attached patch, it should flush the certificate cache if
> a CA section is deleted via "ipsec reload". I'll push it if this works
> for your setup.
>
> Regards
> Martin
>
>
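An added check, written for this thread and not code from the poster or from the strongSwan project, that detects the mismatch described in step 3 from captured text: it parses the ipsec.conf sections and counts the CA certificates that 'ipsec listcacerts' reports. The config, the listing text and the certificate subjects are constructed here, and the listing layout only approximates the real command's output.

```python
import re
# Constructed ipsec.conf (assumption): the state after the OldWithNew ca section was removed.
IPSEC_CONF = """\
config setup
    charonstart=yes

ca NewWithNew
    cacert=/tmp/cacertnwn.pem
    auto=add

conn test1
    keyexchange=ikev2
    leftcert=/tmp/mycert.pem
    auto=add
"""

# Constructed 'ipsec listcacerts' output (layout approximated, subjects invented):
# the daemon still lists the CA that was removed from ipsec.conf, as reported in the thread.
LISTCACERTS_OUTPUT = """\
List of X.509 CA Certificates:

  subject:  "C=XX, O=Example, CN=Old CA"
  issuer:   "C=XX, O=Example, CN=Old CA"
  subject:  "C=XX, O=Example, CN=New CA"
  issuer:   "C=XX, O=Example, CN=New CA"
"""

def parse_ipsec_conf(text):
    """Return {section_type: {name: {key: value}}}; section headers start in
    column 0, their parameters are indented, and '#' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():
            kind, _, name = line.partition(' ')
            current = sections.setdefault(kind, {}).setdefault(name.strip(), {})
        elif current is not None and '=' in line:
            key, _, value = line.strip().partition('=')
            current[key.strip()] = value.strip()
    return sections

def check_ca_cache(conf_text, listing):
    """Compare ca sections with auto=add against the subjects the daemon lists.
    Returns (configured, loaded, stale); stale means more certs loaded than configured."""
    cas = parse_ipsec_conf(conf_text).get('ca', {})
    configured = [n for n, p in cas.items() if p.get('auto') == 'add' and 'cacert' in p]
    loaded = re.findall(r'^\s*subject:\s*"([^"]*)"', listing, re.MULTILINE)
    return len(configured), len(loaded), len(loaded) > len(configured)
```

Run against the real files, a stale result after 'ipsec reload' is the symptom the thread describes; a matching count confirms the cache was flushed.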