[strongSwan] Doubt regarding Certificate updation in IKEv2 Stack
vivek bairathi
bairathi.vivek at gmail.com
Thu May 27 11:00:47 CEST 2010
Hi,
Some doubts regarding certificates updation in IKEv2 Stack. Consider
the following scenario:-
CACERT1(old with new) & CACERT2 (new with new) are both from same CA.
CERT1 : signed with CACERT1
CERT2: signed with CACERT2
            PC1                                  PC2
1. certificates on pc1:              1. certificates on pc2:
   CACERT1 CACERT2                      CACERT1 CACERT2
   CERT2 (signed with cacert2)          CERT1 (signed with cacert1)
IKE and IPSEC SA<----PC1----------------PC2-------->creation is
successful.
2. certificates on pc1:              2. certificates on pc2:
   CACERT2                              CACERT1 CACERT2
   CERT2 (signed with cacert2)          CERT1 (signed with cacert1)
IKE and IPSEC SA<----PC1-----????--------PC2-------->creation is successful.
In the second step, the IKEv2 stack on PC1 is given only CACERT2 and
CERT2 through the ipsec.conf file by firing the "ipsec update" command.
Q. Now if I try to create another IKE SA between PC1 and PC2, will it
be successful, as PC1 will not be able to decrypt PC2's certificate
(CERT1) because of the non-availability of CACERT1 on PC1?
Thanks in advance.
Regards,
Vivek