[strongSwan] [strongSwan IKEv2] Issue in CA certificate updates
Sajal Malhotra
sajalmalhotra at gmail.com
Thu Jun 17 10:56:28 CEST 2010
Hi Martin,
Any update on this issue? Is there any other way to fix the issue?
BR
Sajal
On Thu, Jun 10, 2010 at 5:21 PM, Sajal Malhotra <sajalmalhotra at gmail.com> wrote:
> Hi Martin,
>
> Thanks for the help
>
> I tried the patch you gave.
>
> After compilation with your patch we followed the steps below:-
> 1. Gave the following ipsec.conf file to the IKEv2 stack, having two ca
> sections:
>
> *********start ipsec.conf*****************************
> config setup
>     cachecrls=no
>     charonstart=yes
>     plutostart=no
>     strictcrlpolicy=no
>     uniqueids=no
>
> ca OldWithNew
>     cacert=/tmp/cacertown.pem
>     auto=add
>
> ca NewWithNew
>     cacert=/tmp/cacertnwn.pem
>     auto=add
>
> conn test1
>     ikelifetime=24h
>     keyexchange=ikev2
>     keyingtries=%forever
>     keylife=90m
>     reauth=no
>     rekey=yes
>     mobike=no
>     dpddelay=0
>     rekeymargin=4m
>     ike=aes128-sha1-modp1024,3des-sha1-modp1024!
>     esp=aes128-sha1-modp1024,3des-sha1-modp1024!
>     authby=rsasig
>     left=20.20.20.21
>     leftsubnet=16.16.16.2/32
>     right=10.10.10.2
>     rightsubnet=14.14.14.2/32
>     leftprotoport=sctp/4000
>     rightprotoport=sctp/4000
>     leftcert=/tmp/mycert.pem
>     rightid=%any
>     auto=add
> ***********end ipsec.conf*****************************
>
>
> 2. After that I removed the 'OldWithNew' ca section from the ipsec.conf
> (only one ca section is removed) and fired the 'ipsec reload' command.
> *3. In the display of "ipsec listall", the CA information section shows only 1 CA
> cert; however, in the CA cert section and also in the output of the command 'ipsec
> listcacerts' it still shows 2 CA certs.*
>
> Can you tell me if there is any other way to fix this?
>
> Thanks for your help.
>
> Regards,
> Sajal
>
>
> On Mon, Jun 7, 2010 at 5:26 PM, Martin Willi <martin at strongswan.org> wrote:
>
>>
>>
>> > Can you direct me to the place from where I can update the code so
>> > that we can clear the cache externally?
>>
>> Please try the attached patch, it should flush the certificate cache if
>> a CA section is deleted via "ipsec reload". I'll push it if this works
>> for your setup.
>>
>> Regards
>> Martin
>>
>>
>
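The check behind steps 2 and 3 of the report, as an added example (not strongSwan code and not from the thread): parse the ca sections of an ipsec.conf, drop one section as the reporter did, and diff the CAs still reported as loaded against the CAs the config still names. The "loaded" set is modelled as cacert paths; the output format of `ipsec listcacerts` is not parsed here, and the sample config is a constructed, trimmed copy of the one quoted above.

```python
import re

# Constructed sample mirroring the two-CA ipsec.conf from the thread (trimmed).
CONF_BEFORE = """\
config setup
    cachecrls=no

ca OldWithNew
    cacert=/tmp/cacertown.pem
    auto=add

ca NewWithNew
    cacert=/tmp/cacertnwn.pem
    auto=add
"""

def parse_ipsec_conf(text):
    """Return {(kind, name): {key: value}}; a header line is unindented ('ca Name'),
    parameter lines are indented 'key=value'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            kind, _, name = line.partition(" ")
            current = sections.setdefault((kind, name.strip()), {})
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key] = value
    return sections

def configured_cacerts(text):
    """cacert paths of all ca sections: the CAs that should be trusted."""
    return {v["cacert"] for (kind, _), v in parse_ipsec_conf(text).items()
            if kind == "ca" and "cacert" in v}

def remove_ca_section(text, name):
    """Drop one 'ca <name>' section and its indented parameters."""
    return re.sub(r"(?m)^ca %s\n(?:[ \t]+.*\n?)*" % re.escape(name), "", text)

def stale_cacerts(conf_text, loaded):
    """CAs the daemon still lists but the config no longer names.
    Non-empty after 'ipsec reload' means the removed CA is still trusted."""
    return set(loaded) - configured_cacerts(conf_text)

if __name__ == "__main__":
    after = remove_ca_section(CONF_BEFORE, "OldWithNew")
    # Constructed: both paths still reported as loaded, as in the report.
    loaded = ["/tmp/cacertown.pem", "/tmp/cacertnwn.pem"]
    print("stale CA certs:", stale_cacerts(after, loaded))
```

An empty result after reload is the expected state; a non-empty one reproduces the behaviour described in step 3.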