[strongSwan] [strongSwan IKEv2] Issue in CA certificate updates

Sajal Malhotra sajalmalhotra at gmail.com
Mon May 31 16:20:08 CEST 2010


Hi
This is regarding the update of CA certificates in the IKEv2 stack.
We are facing an issue updating CA certificates while following the steps
below:

Step 1. Initially we have a configuration with 2 CA certificates mentioned
in ipsec.conf as follows:

ca cert1
        cacert=/home/sajal/abc.pem
        auto=add

ca cert2
        cacert=/home/sajal/xyz.pem
        auto=add

*Using this we were able to establish an SA with our peer, which also has a
certificate signed by the above CA certificate.*

Step 2. Now we set the date of the system (where the IKEv2 stack is running)
to a *future date* with a value *beyond the expiry time* of the CA certificates.
Step 3. After doing so SA establishment with peer fails saying AUTH Failure
Step 4. Now I deleted the above 2 CA certificates by specifying a different
CA certificate in ipsec.conf and issuing the "ipsec update" command:

ca cert1
        cacert=/home/sajal/ijk.pem
        auto=add

Step 5. Now I set the system date back to normal.
Step 6. Now when we try to establish SA with our Peer it is still
successfully established. This is incorrect as the Certificate of peer is
signed by the *previous CA* certificate, which has been deleted in step 4
above.


Can you please let us know what the issue is here?


Warm Regards
Sajal
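
Added example, not part of the original post and not strongSwan code: a small parser that compares the ca sections from step 1 and step 4 and lists which CA files should no longer be trust anchors after "ipsec update", for comparison against what "ipsec listcacerts" still reports. It assumes only ca sections with auto=add are loaded; the function names are hypothetical.

```python
# Added example: BEFORE/AFTER are the two ipsec.conf fragments quoted in the post.
BEFORE = """\
ca cert1
        cacert=/home/sajal/abc.pem
        auto=add

ca cert2
        cacert=/home/sajal/xyz.pem
        auto=add
"""
AFTER = """\
ca cert1
        cacert=/home/sajal/ijk.pem
        auto=add
"""

def loaded_cas(text):
    """Return {section_name: cacert_path} for ca sections with auto=add."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                  # header at column 0: "<type> <name>"
            parts = line.split()
            is_ca = len(parts) == 2 and parts[0] == "ca"
            current = sections.setdefault(parts[1], {}) if is_ca else None
        elif current is not None and "=" in line:  # indented key=value
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    # Assumption: a ca section is only loaded when it says auto=add.
    return {n: s["cacert"] for n, s in sections.items()
            if s.get("auto") == "add" and "cacert" in s}

def trust_anchor_delta(before, after):
    """Classify each ca section and list CA files that must stop being trusted."""
    old, new = loaded_cas(before), loaded_cas(after)
    delta = {"removed": {}, "repointed": {}, "added": {}}
    for name in sorted(old.keys() | new.keys()):
        a, b = old.get(name), new.get(name)
        if a == b:
            continue
        kind = "removed" if b is None else "added" if a is None else "repointed"
        delta[kind][name] = (a, b)
    return delta, sorted(set(old.values()) - set(new.values()))

if __name__ == "__main__":
    delta, stale = trust_anchor_delta(BEFORE, AFTER)
    print(delta)
    print("should no longer be trusted:", stale)
```

For the configurations in the post, "cert1" is repointed to a different file under the same section name while "cert2" is removed outright, so two CA files (abc.pem and xyz.pem) are expected to drop out of the trust store.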