[strongSwan] Pretty urgent: Removed user still able to connect
Russ Cox
russ.cox at e-dba.com
Wed Jun 22 15:30:33 CEST 2011
Hi All, got a bit of an issue - I've removed a user's certificate from my
ipsec gw (ikev2 rw setup), revoked their cert, updated the crl (put in
/etc/ipsec.d/crls/) and restarted ipsec but they are still able to connect
to my gateway.
Does anyone have any suggestions? This is pretty urgent!
Let me know if you need any more info.
Thanks in advance sirs!
Russ
---------------
ipsec.conf
-------------------
config setup
    crlcheckinterval=180
    strictcrlpolicy=no
    nat_traversal=yes
    charonstart=yes
    plutostart=yes
    plutodebug=all

conn %default
    # ikelifetime=60m
    # keylife=20m
    # rekeymargin=9m
    # keyingtries=3
    rekey=no
    dpdaction=clear
    dpddelay=300s

conn edba-nat-ikev2
    left=%defaultroute
    keyexchange=ikev2
    rightsourceip=192.168.7.0/24
    auto=add
    also=rw_default

conn rw_default
    right=%any
    leftcert=gw-cert.pem
    leftid=@gw.full.hostname
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
------------------------
daemon.log
--------------------------
Jun 22 14:07:29 gw charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.0)
Jun 22 14:07:29 gw charon: 00[KNL] listening on interfaces:
Jun 22 14:07:29 gw charon: 00[KNL]   eth1
Jun 22 14:07:29 gw charon: 00[KNL]     {EXTERNAL_IP}
Jun 22 14:07:29 gw charon: 00[KNL]   eth0
Jun 22 14:07:29 gw charon: 00[KNL]     {INTERNAL_IP}
Jun 22 14:07:29 gw charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jun 22 14:07:29 gw charon: 00[CFG]   loaded ca certificate "BLANKED" from '/etc/ipsec.d/cacerts/cacert.pem'
Jun 22 14:07:29 gw charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jun 22 14:07:29 gw charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jun 22 14:07:29 gw charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jun 22 14:07:29 gw charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jun 22 14:07:29 gw charon: 00[CFG]   loaded crl from '/etc/ipsec.d/crls/crl.pem'
Jun 22 14:07:29 gw charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jun 22 14:07:29 gw charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/gw-key.pem'
Jun 22 14:07:29 gw charon: 00[CFG]   loaded IKE secret for EXTERNAL_IP UNUSED_IP
Jun 22 14:07:29 gw charon: 00[DMN] loaded plugins: aes des sha1 sha2 md5 random x509 revocation pubkey pkcs1 pgp pem openssl gcrypt fips-prf gmp agent xcbc hmac attr kernel-netlink resolve socket-raw stroke updown eap-identity eap-aka eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2
Jun 22 14:07:29 gw charon: 00[JOB] spawning 16 worker threads
Jun 22 14:07:29 gw charon: 09[CFG] received stroke: add connection 'edba-nat-ikev2'
Jun 22 14:07:29 gw charon: 09[CFG]   loaded certificate "BLANKED"
Jun 22 14:07:29 gw charon: 09[CFG] added configuration 'edba-nat-ikev2'
Jun 22 14:07:29 gw charon: 09[CFG] adding virtual IP address pool 'edba-nat-ikev2': 192.168.7.0/24
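Added example, not part of Russ's post or of strongSwan itself: a throw-away CA, a roadwarrior certificate and a CRL that revokes it, followed by the three checks worth running against the real /etc/ipsec.d/crls/crl.pem and cacert.pem before concluding the daemon is ignoring the CRL (wrong issuer, serial not listed, or an expired nextUpdate are the usual findings). It assumes only an openssl binary in PATH; every file and name is constructed.

```shell
#!/bin/sh
# Constructed lab: CA, user cert, CRL revoking it, then CRL sanity checks.
# Assumes 'openssl' in PATH; file names and subjects are made up for the demo.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# Lab CA and a roadwarrior certificate signed by it.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj "/CN=Lab CA" -days 30 >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout user.key -out user.csr \
  -subj "/CN=roadwarrior" >/dev/null 2>&1
openssl x509 -req -in user.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out user.crt -days 30 >/dev/null 2>&1

# Minimal 'openssl ca' state so the cert can be revoked and a CRL issued.
printf '[ca]\ndefault_ca=lab\n[lab]\ndatabase=index.txt\nserial=serial\n' > ca.cnf
printf 'crlnumber=crlnumber\ndefault_md=sha256\ndefault_crl_days=7\n' >> ca.cnf
: > index.txt; echo 1000 > serial; echo 01 > crlnumber
openssl ca -config ca.cnf -cert ca.crt -keyfile ca.key -revoke user.crt >/dev/null 2>&1
openssl ca -config ca.cnf -cert ca.crt -keyfile ca.key -gencrl -md sha256 \
  -crldays 7 -out crl.pem >/dev/null 2>&1

# Check 1: the CRL must be signed by the CA in cacerts; a CRL from any other
# issuer loads fine but is never consulted for certificates of this CA.
crl_signed_by_ca() {  # $1 crl, $2 ca cert
  openssl crl -in "$1" -CAfile "$2" -noout >/dev/null 2>&1
}

# Check 2: the revoked certificate's serial must actually be listed.
crl_lists_serial() {  # $1 crl, $2 cert
  serial=$(openssl x509 -in "$2" -noout -serial | sed 's/^serial=//')
  openssl crl -in "$1" -noout -text | grep -q "Serial Number: $serial"
}

# Check 3: full path validation with CRL checking, as a relying party does.
# "certificate revoked" is the wanted result; "CRL has expired" means
# nextUpdate has passed, and strictcrlpolicy=no tells charon to tolerate that.
crl_verdict() {  # $1 cert, $2 ca cert, $3 crl
  cat "$2" "$3" > bundle.pem
  openssl verify -crl_check -CAfile bundle.pem "$1" 2>&1 || true
}
cert_is_revoked() {  # $1 cert, $2 ca cert, $3 crl
  crl_verdict "$1" "$2" "$3" | grep -q 'certificate revoked'
}

crl_signed_by_ca crl.pem ca.crt && echo "CRL signature OK"
crl_lists_serial crl.pem user.crt && echo "serial listed in CRL"
cert_is_revoked user.crt ca.crt crl.pem && echo "verify: certificate revoked"
```

Run the same three functions against the gateway's own crl.pem, cacert.pem and the removed user's certificate; whichever check fails first points at why the revocation is not taking effect.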