[strongSwan] Reread of CA certificates, CRL checking
Markus Müller
mamu5004 at stud.uni-saarland.de
Mon Mar 1 14:59:27 CET 2010
Hi,
I'll post the ipsec.conf files of the gateway and client again because
I created some new certificates. The gateway uses the certificate cert1.pem
with key cert1key.pem and has the CA certificates develop_cert.pem and
sales_cert.pem, together with the CRLs develop_crl.pem and sales_crl.pem.
The client uses the revoked cert2.pem with key cert2key.pem, cert1.pem
(as rightcert) and has the same CA certificates (but an outdated CRL of
the 'sales CA' sales_crl_old.pem).
The CA certificates and CRLs are stored in the corresponding /etc/ipsec.d/
directories, while the end entity certificates and keys are stored
outside of the /etc/ipsec.d/ directories and referenced with absolute
pathnames in the ipsec.conf and ipsec.secrets files.
Best regards,
Markus
gateway ipsec.conf:

conn 1
    left=192.168.150.135
    leftsubnet=172.16.121.0/24
    right=%any
    authby=rsasig
    leftcert=/path_to/cert1.pem
    leftid="C=de, ST=state, O=company, OU=develop, CN=cert 1 develop, E=dev@company.de"
    rightid=%any
    dpdaction=hold
    dpddelay=15s
    ike=aes256-sha2_512-modp8192,aes256-sha2_512-modp4096!
    esp=aes256-sha2_256!
    keyexchange=ikev2
    ikelifetime=3600s
    keyingtries=%forever
    keylife=300s
    rekey=yes
    rekeymargin=60s
    rekeyfuzz=50%
    reauth=yes
    auto=add
    leftsendcert=ifasked
client ipsec.conf:

conn 1
    left=192.168.150.136
    right=192.168.150.135
    rightsubnet=172.16.121.0/24
    authby=rsasig
    leftcert=/path_to/cert2.pem
    leftid="C=de, ST=state, O=company, OU=sales, CN=cert 2 sales, E=sales@company.de"
    rightcert=/path_to/cert1.pem
    rightid="C=de, ST=state, O=company, OU=develop, CN=cert 1 develop, E=dev@company.de"
    dpdaction=hold
    dpddelay=15s
    ike=aes256-sha2_512-modp8192,aes256-sha2_512-modp4096!
    esp=aes128-sha2_256,aes256-sha2_256!
    keyexchange=ikev2
    ikelifetime=3600s
    keyingtries=%forever
    keylife=300s
    rekey=yes
    rekeymargin=60s
    rekeyfuzz=50%
    reauth=yes
    auto=add
    leftsendcert=ifasked
>
> Hello Markus,
>
> could you send me the sales end entity and ca certificates as well
> as the CRL?
>
> Regards
>
> Andreas
>
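As an added illustration (not code from this thread or from strongSwan), the three decisions a gateway has to make when it checks a peer certificate against a CRL from /etc/ipsec.d/crls: is the CRL signed by the CA, is it still within its nextUpdate, and is the peer's serial listed. The sample CA, its CRL and the serial numbers are constructed stand-ins for the sales CA and cert2.pem; the stale case is the situation of the client's outdated sales_crl_old.pem.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// CheckStatus is the decision a gateway has to make for a peer certificate
// against one CRL: refuse a CRL this CA did not sign, treat a CRL past its
// nextUpdate as unusable, and only then look the peer's serial number up.
// It returns "ok", "revoked" or "stale-crl".
func CheckStatus(crlDER []byte, ca *x509.Certificate, peerSerial *big.Int, now time.Time) (string, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return "", err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return "", err // forged or wrong-CA CRL: its contents prove nothing
	}
	if now.After(crl.NextUpdate) {
		return "stale-crl", nil // the client's sales_crl_old.pem situation
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(peerSerial) == 0 {
			return "revoked", nil
		}
	}
	return "ok", nil
}

// buildPKI constructs sample material standing in for the thread's sales CA:
// a self-signed CA and a CRL it signed that revokes serial 2 (cert2.pem's role).
func buildPKI(now time.Time) (ca *x509.Certificate, crl []byte) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "sales CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, caPub, caKey)
	ca, _ = x509.ParseCertificate(der) // re-parse: CreateRevocationList needs the CA's SubjectKeyId
	crl, _ = x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(7),
		ThisUpdate: now.Add(-time.Hour), NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(2), RevocationTime: now}}}, ca, caKey)
	return ca, crl
}
```

Calling CheckStatus with the same CRL two days later yields "stale-crl": a CRL that was valid when copied to the client silently turns into one a gateway must not rely on once its nextUpdate passes.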