[strongSwan] Pretty urgent: Removed user still able to connect
Andreas Steffen
andreas.steffen at strongswan.org
Wed Jun 22 15:50:05 CEST 2011
Hello Russ,
in order to help you I need at least the output of
ipsec listall
after the start up of strongSwan. Even better would be a log
which shows that the user could successfully connect.
Best regards
Andreas
On 22.06.2011 15:30, Russ Cox wrote:
> Hi All, got a bit of an issue - I've removed a user's certificate from
> my ipsec gw (ikev2 rw setup), revoked their cert, updated the crl (put
> in /etc/ipsec.d/crls/) and restarted ipsec but they are still able to
> connect to my gateway.
>
> Does anyone have any suggestions, this is pretty urgent!
>
> Let me know if you need any more info
>
> Thanks in advance sirs!
>
> Russ
>
> ---------------
> ipsec.conf
> -------------------
>
> config setup
>     crlcheckinterval=180
>     strictcrlpolicy=no
>     nat_traversal=yes
>     charonstart=yes
>     plutostart=yes
>     plutodebug=all
>
> conn %default
>     # ikelifetime=60m
>     # keylife=20m
>     # rekeymargin=9m
>     # keyingtries=3
>     rekey=no
>     dpdaction=clear
>     dpddelay=300s
>
> conn edba-nat-ikev2
>     left=%defaultroute
>     keyexchange=ikev2
>     rightsourceip=192.168.7.0/24
>     auto=add
>     also=rw_default
>
> conn rw_default
>     right=%any
>     leftcert=gw-cert.pem
>     leftid=@gw.full.hostname
>     leftsubnet=0.0.0.0/0
>     leftfirewall=yes
>
> ------------------------
> daemon.log
> --------------------------
> Jun 22 14:07:29 gw charon: 00[DMN] Starting IKEv2 charon daemon
> (strongSwan 4.5.0)
> Jun 22 14:07:29 gw charon: 00[KNL] listening on interfaces:
> Jun 22 14:07:29 gw charon: 00[KNL] eth1
> Jun 22 14:07:29 gw charon: 00[KNL] {EXTERNAL_IP}
> Jun 22 14:07:29 gw charon: 00[KNL] eth0
> Jun 22 14:07:29 gw charon: 00[KNL] {INTERNAL_IP}
> Jun 22 14:07:29 gw charon: 00[CFG] loading ca certificates from
> '/etc/ipsec.d/cacerts'
> Jun 22 14:07:29 gw charon: 00[CFG] loaded ca certificate "BLANKED"
> from '/etc/ipsec.d/cacerts/cacert.pem'
> Jun 22 14:07:29 gw charon: 00[CFG] loading aa certificates from
> '/etc/ipsec.d/aacerts'
> Jun 22 14:07:29 gw charon: 00[CFG] loading ocsp signer certificates from
> '/etc/ipsec.d/ocspcerts'
> Jun 22 14:07:29 gw charon: 00[CFG] loading attribute certificates from
> '/etc/ipsec.d/acerts'
> Jun 22 14:07:29 gw charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
> Jun 22 14:07:29 gw charon: 00[CFG] loaded crl from
> '/etc/ipsec.d/crls/crl.pem'
> Jun 22 14:07:29 gw charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
> Jun 22 14:07:29 gw charon: 00[CFG] loaded RSA private key from
> '/etc/ipsec.d/private/gw-key.pem'
> Jun 22 14:07:29 gw charon: 00[CFG] loaded IKE secret for EXTERNAL_IP
> UNUSED_IP
> Jun 22 14:07:29 gw charon: 00[DMN] loaded plugins: aes des sha1 sha2 md5
> random x509 revocation pubkey pkcs1 pgp pem openssl gcrypt fips-prf gmp
> agent xcbc hmac attr kernel-netlink resolve socket-raw stroke updown
> eap-identity eap-aka eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2
> Jun 22 14:07:29 gw charon: 00[JOB] spawning 16 worker threads
> Jun 22 14:07:29 gw charon: 09[CFG] received stroke: add connection
> 'edba-nat-ikev2'
> Jun 22 14:07:29 gw charon: 09[CFG] loaded certificate "BLANKED"
> Jun 22 14:07:29 gw charon: 09[CFG] added configuration 'edba-nat-ikev2'
> Jun 22 14:07:29 gw charon: 09[CFG] adding virtual IP address pool
> 'edba-nat-ikev2': 192.168.7.0/24
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
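The `ipsec listall` output Andreas asks for will show which CA certificates and CRLs charon actually loaded. What decides whether the revoked user is rejected comes down to three questions about those files: is the CRL in /etc/ipsec.d/crls/ signed by the CA that issued the user's certificate, is it still current, and does it list that certificate's serial number? Removing the user's certificate from the gateway does not help on its own, because the peer normally sends its own certificate during IKE_AUTH and the gateway validates it against the CA, not against a local copy. With strictcrlpolicy=no, as in the ipsec.conf above, strongSwan still accepts an RSA-signature authentication when no fresh CRL is available for the issuer, so a CRL that does not apply to the certificate silently lets the user in. The script below is an added example for this thread, not code from the strongSwan project or from either post: it builds a throwaway CA with the openssl command-line tool, issues a user certificate, revokes it, generates CRLs, and then runs the same three checks that can be pointed at /etc/ipsec.d/cacerts/cacert.pem, /etc/ipsec.d/crls/crl.pem and the user's certificate on a real gateway. All file names, subjects, the second "Other CA" and the serial number 4097 are assumptions made up for the demo.

```shell
#!/bin/sh
# Added demo (not strongSwan code): throwaway CA + revoked user cert + CRLs,
# then the checks an admin would run on /etc/ipsec.d/cacerts/*, crls/* and
# the peer certificate. Names, subjects and serial 4097 are made up here.
# Requires the openssl command-line tool.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# One config for `openssl req` (CA extensions) and `openssl ca` (revocation
# database). [other_ca] stands in for a CRL signed by some unrelated CA.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ ca ]
default_ca = test_ca
[ test_ca ]
database      = ./index.txt
new_certs_dir = .
serial        = ./serial
crlnumber     = ./crlnumber
certificate   = ./ca.pem
private_key   = ./ca.key
default_md    = sha256
[ other_ca ]
database      = ./other-index.txt
certificate   = ./other.pem
private_key   = ./other.key
default_md    = sha256
EOF
touch index.txt other-index.txt
echo 01 > serial
echo 01 > crlnumber

# Issuing CA, an unrelated CA, and one user certificate with serial 4097.
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Test CA" -keyout ca.key -out ca.pem 2>/dev/null
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Other CA" -keyout other.key -out other.pem 2>/dev/null
openssl req -config ca.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=user" -keyout user.key -out user.csr 2>/dev/null
openssl x509 -req -days 1 -in user.csr -CA ca.pem -CAkey ca.key \
    -set_serial 4097 -out user.pem 2>/dev/null

# Three CRLs: issued before the revocation, after it, and by the wrong CA.
openssl ca -config ca.cnf -gencrl -crldays 1 -out crl-before.pem 2>/dev/null
openssl ca -config ca.cnf -revoke user.pem 2>/dev/null
openssl ca -config ca.cnf -gencrl -crldays 1 -out crl.pem 2>/dev/null
openssl ca -config ca.cnf -name other_ca -gencrl -crldays 1 \
    -out crl-other.pem 2>/dev/null

# crl_status CA_CERT CRL PEER_CERT -> prints revoked | not-revoked | unusable
# "unusable": openssl found no CRL it could apply to this certificate (wrong
# issuer, bad signature, ...). That is the case strictcrlpolicy=no waves through.
crl_status() {
    if out=$(openssl verify -crl_check -CAfile "$1" -CRLfile "$2" "$3" 2>&1); then
        echo not-revoked
    elif printf '%s\n' "$out" | grep -q 'certificate revoked'; then
        echo revoked
    else
        echo unusable
    fi
}

# crl_issuer_matches CRL PEER_CERT -> true if the CRL's issuer is the CA that
# issued the peer certificate; a CRL from any other CA never applies to it.
crl_issuer_matches() {
    a=$(openssl crl -in "$1" -noout -issuer | sed 's/^issuer= */issuer=/')
    b=$(openssl x509 -in "$2" -noout -issuer | sed 's/^issuer= */issuer=/')
    [ "$a" = "$b" ]
}

# crl_lists_serial CRL PEER_CERT -> true if the certificate's serial number
# is in the CRL's revoked list.
crl_lists_serial() {
    serial=$(openssl x509 -in "$2" -noout -serial | sed 's/^serial=//')
    openssl crl -in "$1" -noout -text | grep -q "Serial Number: $serial\$"
}

for crl in crl-before.pem crl.pem crl-other.pem; do
    printf '%-15s status=%-11s issuer_match=%-3s lists_serial=%s\n' "$crl" \
        "$(crl_status ca.pem "$crl" user.pem)" \
        "$(crl_issuer_matches "$crl" user.pem && echo yes || echo no)" \
        "$(crl_lists_serial "$crl" user.pem && echo yes || echo no)"
done
# nextUpdate tells you whether the CRL on disk is still current.
openssl crl -in crl.pem -noout -lastupdate -nextupdate
```

On the gateway, run the three functions against /etc/ipsec.d/cacerts/cacert.pem, /etc/ipsec.d/crls/crl.pem and the user's certificate, and compare with `ipsec listcrls`, which prints the issuer and nextUpdate of every CRL charon has loaded; `ipsec rereadcrls` reloads /etc/ipsec.d/crls/ without a daemon restart. Only the "revoked" outcome blocks the peer; "not-revoked" means the CRL is fine but does not list this serial, and "unusable" means the CRL does not apply to this certificate at all, which under strictcrlpolicy=no is indistinguishable from having no CRL.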