[strongSwan] Pretty urgent: Removed user still able to connect

Russ Cox russ.cox at e-dba.com
Wed Jun 22 15:30:33 CEST 2011


Hi All, got a bit of an issue - I've removed a user's certificate from my
ipsec gw (ikev2 rw setup), revoked their cert, updated the crl (put in
/etc/ipsec.d/crls/) and restarted ipsec but they are still able to connect
to my gateway.

Does anyone have any suggestions? This is pretty urgent!

Let me know if you need any more info

Thanks in advance sirs!

Russ

---------------
ipsec.conf
-------------------

config setup
        crlcheckinterval=180
        strictcrlpolicy=no
        nat_traversal=yes
        charonstart=yes
        plutostart=yes
        plutodebug=all

conn %default
        # ikelifetime=60m
        # keylife=20m
        # rekeymargin=9m
        # keyingtries=3
        rekey=no
        dpdaction=clear
        dpddelay=300s

conn edba-nat-ikev2
        left=%defaultroute
        keyexchange=ikev2
        rightsourceip=192.168.7.0/24
        auto=add
        also=rw_default

conn rw_default
        right=%any
        leftcert=gw-cert.pem
        leftid=@gw.full.hostname
        leftsubnet=0.0.0.0/0
        leftfirewall=yes

------------------------
daemon.log
--------------------------
Jun 22 14:07:29 gw charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.0)
Jun 22 14:07:29 gw charon: 00[KNL] listening on interfaces:
Jun 22 14:07:29 gw charon: 00[KNL]   eth1
Jun 22 14:07:29 gw charon: 00[KNL]     {EXTERNAL_IP}
Jun 22 14:07:29 gw charon: 00[KNL]   eth0
Jun 22 14:07:29 gw charon: 00[KNL]     {INTERNAL_IP}
Jun 22 14:07:29 gw charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jun 22 14:07:29 gw charon: 00[CFG]   loaded ca certificate "BLANKED" from '/etc/ipsec.d/cacerts/cacert.pem'
Jun 22 14:07:29 gw charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jun 22 14:07:29 gw charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jun 22 14:07:29 gw charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jun 22 14:07:29 gw charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jun 22 14:07:29 gw charon: 00[CFG]   loaded crl from '/etc/ipsec.d/crls/crl.pem'
Jun 22 14:07:29 gw charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jun 22 14:07:29 gw charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/gw-key.pem'
Jun 22 14:07:29 gw charon: 00[CFG]   loaded IKE secret for EXTERNAL_IP UNUSED_IP
Jun 22 14:07:29 gw charon: 00[DMN] loaded plugins: aes des sha1 sha2 md5 random x509 revocation pubkey pkcs1 pgp pem openssl gcrypt fips-prf gmp agent xcbc hmac attr kernel-netlink resolve socket-raw stroke updown eap-identity eap-aka eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2
Jun 22 14:07:29 gw charon: 00[JOB] spawning 16 worker threads
Jun 22 14:07:29 gw charon: 09[CFG] received stroke: add connection 'edba-nat-ikev2'
Jun 22 14:07:29 gw charon: 09[CFG]   loaded certificate "BLANKED"
Jun 22 14:07:29 gw charon: 09[CFG] added configuration 'edba-nat-ikev2'
Jun 22 14:07:29 gw charon: 09[CFG] adding virtual IP address pool 'edba-nat-ikev2': 192.168.7.0/24
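Added here as a worked check, not code from the original post or from strongSwan: when a revoked user still connects, the first thing to confirm is what the CRL the gateway actually loaded from /etc/ipsec.d/crls/crl.pem says, i.e. that the user's certificate serial is listed and that nextUpdate has not passed, since with strictcrlpolicy=no a stale or unusable CRL does not by itself block the connection. The script below walks the DER of a CRL (RFC 5280 section 5.1) with the standard library only; the sample CRL it parses is constructed in-line (hypothetical "Test CA", serial 0x1001, dummy signature), and the CRL signature is not verified here.

```python
from datetime import datetime, timezone

def der_children(value):
    """Split a DER constructed value into (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, length, pos = value[pos], value[pos + 1], pos + 2
        if length & 0x80:                          # long-form length
            n = length & 0x7F
            length = int.from_bytes(value[pos:pos + n], "big")
            pos += n
        out.append((tag, value[pos:pos + length]))
        pos += length
    return out
def parse_time(tag, val):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) as an aware datetime."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode(), fmt).replace(tzinfo=timezone.utc)

def inspect_crl(der, now):
    """Validity window, revoked serials and staleness of a DER CRL at time `now`."""
    cert_list = der_children(der)[0][1]            # CertificateList SEQUENCE
    tbs = der_children(cert_list)[0][1]            # tbsCertList
    fields = der_children(tbs)
    if fields[0][0] == 0x02:                       # optional version INTEGER
        fields.pop(0)
    _alg, _issuer, this_upd, *rest = fields
    next_upd = parse_time(*rest.pop(0)) if rest and rest[0][0] in (0x17, 0x18) else None
    revoked = []
    if rest and rest[0][0] == 0x30:                # revokedCertificates SEQUENCE OF
        for _, entry in der_children(rest[0][1]):
            serial = der_children(entry)[0][1]     # userCertificate INTEGER
            revoked.append(int.from_bytes(serial, "big", signed=True))
    return {"this_update": parse_time(*this_upd), "next_update": next_upd,
            "revoked": revoked, "stale": next_upd is not None and now > next_upd}

def is_revoked(der, serial, now):
    """True only if `serial` is listed and the CRL is still within nextUpdate."""
    info = inspect_crl(der, now)
    return serial in info["revoked"] and not info["stale"]

# Constructed sample CRL (not real data): one revoked serial 0x1001, sha256WithRSA alg id, dummy signature.
def _tlv(tag, content):
    return bytes([tag, len(content)]) + content   # short-form DER lengths suffice at this size
_ALG = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))
_ISSUER = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, bytes.fromhex("550403")) + _tlv(0x0C, b"Test CA"))))
_ENTRY = _tlv(0x30, _tlv(0x02, b"\x10\x01") + _tlv(0x17, b"110622120000Z"))
_TBS = _tlv(0x30, _tlv(0x02, b"\x01") + _ALG + _ISSUER + _tlv(0x17, b"110622130000Z")
            + _tlv(0x17, b"110629130000Z") + _tlv(0x30, _ENTRY))
SAMPLE_CRL = _tlv(0x30, _TBS + _ALG + _tlv(0x03, b"\x00" * 5))
```

To run it against the real file, convert PEM to DER first (`openssl crl -in /etc/ipsec.d/crls/crl.pem -outform DER`) and check the CA signature separately with `openssl crl -in /etc/ipsec.d/crls/crl.pem -CAfile /etc/ipsec.d/cacerts/cacert.pem -noout`, which must print "verify OK".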