[strongSwan] [strongSwan IKEv2] Issue in CA certificate updates

Sajal Malhotra sajalmalhotra at gmail.com
Thu Jun 17 10:56:28 CEST 2010


Hi Martin,

Any update on this issue? Is there any other way to fix the issue?

BR
Sajal

On Thu, Jun 10, 2010 at 5:21 PM, Sajal Malhotra <sajalmalhotra at gmail.com> wrote:

> Hi Martin,
>
> Thanks for the help
>
> I tried the patch you gave.
>
> After compiling with your patch, we followed the steps below:
> 1. I gave the following ipsec.conf file, containing two ca sections, to the
> IKEv2 stack:
>
> *********start ipsec.conf*****************************
> config setup
>  cachecrls=no
>  charonstart=yes
>  plutostart=no
>  strictcrlpolicy=no
>  uniqueids=no
>
> ca OldWithNew
>  cacert=/tmp/cacertown.pem
>  auto=add
>
> ca NewWithNew
>  cacert=/tmp/cacertnwn.pem
>  auto=add
>
> conn test1
>  ikelifetime=24h
>  keyexchange=ikev2
>  keyingtries=%forever
>  keylife=90m
>  reauth=no
>  rekey=yes
>  mobike=no
>  dpddelay=0
>  rekeymargin=4m
>  ike=aes128-sha1-modp1024,3des-sha1-modp1024!
>  esp=aes128-sha1-modp1024,3des-sha1-modp1024!
>  authby=rsasig
>  left=20.20.20.21
>  leftsubnet=16.16.16.2/32
>  right=10.10.10.2
>  rightsubnet=14.14.14.2/32
>  leftprotoport=sctp/4000
>  rightprotoport=sctp/4000
>  leftcert=/tmp/mycert.pem
>  rightid=%any
>  auto=add
> ***********end ipsec.conf*****************************
>
>
> 2. After that I removed the 'OldWithNew' ca section from ipsec.conf
> (only one ca section is removed) and ran the 'ipsec reload' command.
> 3. In the output of "ipsec listall", the CA information section shows only
> 1 CA cert; however, the CA cert section, and also the output of the command
> 'ipsec listcacerts', still shows 2 CA certs.
>
> Can you tell me if there is any other way to fix this?
>
> Thanks for your help.
>
> Regards,
> Sajal
>
>
> On Mon, Jun 7, 2010 at 5:26 PM, Martin Willi <martin at strongswan.org> wrote:
>
>>
>>
>> > Can you direct me to the place from where I can update the code so
>> > that we can clear the cache externally?
>>
>> Please try the attached patch, it should flush the certificate cache if
>> a CA section is deleted via "ipsec reload". I'll push it if this works
>> for your setup.
>>
>> Regards
>> Martin
>>
>>
>
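The state Sajal reports in step 3 (a ca section removed from ipsec.conf, `ipsec reload` run, yet `ipsec listcacerts` still showing the old CA) matters because a CA that stays in the trust store keeps authenticating every peer certificate it ever issued. The following check is an added example, not code from this thread or from strongSwan: it parses the ca sections of ipsec.conf, parses the `subject:` lines of `ipsec listcacerts` output, and reports any listed CA that no ca section references. The config text, the CA-file-to-subject mapping (what `openssl x509 -noout -subject` would return for each cacert file) and the listcacerts output are constructed inline so it runs offline; the `subject:  "..."` line format is an assumption about the listcacerts output of the version in use.

```python
"""Flag CA certificates that strongSwan still lists after their ca section
was removed from ipsec.conf and 'ipsec reload' was run.

Hypothetical example; all inputs below are constructed for illustration."""
import re
from typing import Dict, List, Set

# Constructed ipsec.conf after the 'OldWithNew' ca section was removed.
IPSEC_CONF_AFTER = """\
config setup
 cachecrls=no
 charonstart=yes
 plutostart=no
 strictcrlpolicy=no
 uniqueids=no

 ca NewWithNew
 cacert=/tmp/cacertnwn.pem
 auto=add

conn test1
 keyexchange=ikev2
 leftcert=/tmp/mycert.pem
 auto=add
"""

# Constructed: subject DN of each CA file, as 'openssl x509 -noout -subject'
# would report it. Both files were referenced by the original two-section config.
CA_FILE_SUBJECTS = {
    "/tmp/cacertown.pem": "C=IN, O=Example, CN=Old CA",
    "/tmp/cacertnwn.pem": "C=IN, O=Example, CN=New CA",
}

# Constructed 'ipsec listcacerts' output after the reload: the old CA is
# still cached although its ca section is gone. The 'subject:' line
# format is an assumption about the strongSwan version in use.
LISTCACERTS_AFTER = """\
List of X.509 CA Certificates:

  subject:  "C=IN, O=Example, CN=Old CA"
  issuer:   "C=IN, O=Example, CN=Old CA"
  serial:    01
  pubkey:    RSA 2048 bits

  subject:  "C=IN, O=Example, CN=New CA"
  issuer:   "C=IN, O=Example, CN=New CA"
  serial:    02
  pubkey:    RSA 2048 bits
"""

SECTION_RE = re.compile(r"^\s*(config|ca|conn)\s+(\S+)\s*$")
KEYVAL_RE = re.compile(r"^\s*([A-Za-z]+)\s*=\s*(.+?)\s*$")
SUBJECT_RE = re.compile(r'^\s*subject:\s+"(.*)"\s*$')


def parse_ca_sections(conf: str) -> Dict[str, str]:
    """Return {ca section name: cacert path} from ipsec.conf text.

    Leading whitespace is ignored on purpose: the file posted in this
    thread indents one 'ca' header and not the other."""
    cas: Dict[str, str] = {}
    kind, section = None, None
    for line in conf.splitlines():
        m = SECTION_RE.match(line)
        if m:
            kind, section = m.group(1), m.group(2)
            continue
        m = KEYVAL_RE.match(line)
        if m and kind == "ca" and m.group(1) == "cacert":
            cas[section] = m.group(2)
    return cas


def parse_listed_subjects(output: str) -> List[str]:
    """Return the subject DNs from 'ipsec listcacerts' output, in order."""
    matches = (SUBJECT_RE.match(line) for line in output.splitlines())
    return [m.group(1) for m in matches if m]


def stale_ca_subjects(conf: str, listed: str,
                      file_subjects: Dict[str, str]) -> Set[str]:
    """Subjects still listed by the daemon that no ca section references."""
    configured = {file_subjects[path]
                  for path in parse_ca_sections(conf).values()
                  if path in file_subjects}
    return set(parse_listed_subjects(listed)) - configured


if __name__ == "__main__":
    stale = stale_ca_subjects(IPSEC_CONF_AFTER, LISTCACERTS_AFTER,
                              CA_FILE_SUBJECTS)
    for dn in sorted(stale):
        print("CA still trusted after reload:", dn)
```

In a live setup, `LISTCACERTS_AFTER` would be the captured stdout of `ipsec listcacerts` and `CA_FILE_SUBJECTS` would be filled by running `openssl x509 -noout -subject` over each cacert path taken from the parsed config; a non-empty result means the reload did not drop the removed CA from the trust store and a daemon restart (or Martin's cache-flush fix) is needed before peers under the old CA are actually rejected.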