[strongSwan] ocsp in ikev2

Sriram sriram.ec at gmail.com
Fri Jan 17 12:15:03 CET 2014


Thanks Martin.

Below is the log excerpt and strongswan.conf

Jan 17 06:57:21 localhost charon: 02[LIB] libcurl http request failed: couldn't connect to host
Jan 17 06:57:21 localhost charon: 02[CFG] ocsp request to http://10.206.1.11:8880 failed
Jan 17 06:57:21 localhost charon: 02[CFG]   requesting ocsp status from 'http://10.206.1.11:8880' ...
Jan 17 06:57:21 localhost charon: 02[LIB]   sending http request to 'http://10.206.1.11:8880'...
Jan 17 06:57:31 localhost charon: 02[LIB] libcurl http request failed: couldn't connect to host
Jan 17 06:57:31 localhost charon: 02[CFG] ocsp request to http://10.206.1.11:8880 failed
Jan 17 06:57:31 localhost charon: 02[CFG] ocsp check failed, fallback to crl
Jan 17 06:57:31 localhost charon: 02[CFG] certificate status is not available
Jan 17 06:57:31 localhost charon: 02[CFG]   certificate "C=in, ST=kar, L=bng, O=airvana, O=nsc, OU=net, CN=rootca" key: 1024 bit RSA
Jan 17 06:57:31 localhost charon: 02[CFG]   reached self-signed root ca with a path length of 0
Jan 17 06:57:31 localhost charon: 02[LIB] signature verification:
Jan 17 06:57:31 localhost charon: 02[IKE] authentication of 'sriram.airvana.org' with RSA signature successful
Jan 17 06:57:31 localhost charon: 02[IKE] IKE_SA home[2] established between 10.206.1.10[arvind.airvana.org]...10.206.1.11[sriram.airvana.org]
Jan 17 06:57:31 localhost charon: 02[IKE] IKE_SA home[2] state change: CONNECTING => ESTABLISHED

cat /etc/strongswan.conf
# strongswan.conf - strongSwan configuration file

charon {
  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 updown
}

Earlier httpd was not up on 10.206.1.11. I started the httpd service, but I
still get the same error.

Regards,
Sriram.







On Fri, Jan 17, 2014 at 2:52 PM, Martin Willi <martin at strongswan.org> wrote:

> Hi Sriram,
>
> > When I tested this, I saw peers exchanging AuthorityInfoAccess as part of
> > certificate data extensions. But I didn't see any exchanges happening between
> > the OCSP server and the peer to confirm the validity of certificates.
>
> For OCSP support, you need both the revocation plugin and one of the
> fetcher plugins enabled. The curl plugin depends on libcurl and is
> usually the better choice, the soup plugin builds upon libsoup/glib.
>
> If you still see no OCSP requests, please provide an excerpt of your
> logfile.
>
> Regards
> Martin
>
>
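The log excerpt in this thread shows the pattern a defender wants to catch: every OCSP fetch fails, charon falls back to CRL, reports "certificate status is not available", and the IKE_SA still comes up. The following is an added example, not code from the thread or from the strongSwan project; it parses charon syslog lines in the format seen above (the sample log is constructed from the quoted excerpt, with mail-wrapped lines rejoined) and flags SAs established without any revocation status.

```python
import re

# Constructed from the charon log quoted above (mail-wrapped lines rejoined).
SAMPLE_LOG = """\
Jan 17 06:57:21 localhost charon: 02[LIB] libcurl http request failed: couldn't connect to host
Jan 17 06:57:21 localhost charon: 02[CFG] ocsp request to http://10.206.1.11:8880 failed
Jan 17 06:57:31 localhost charon: 02[LIB] libcurl http request failed: couldn't connect to host
Jan 17 06:57:31 localhost charon: 02[CFG] ocsp request to http://10.206.1.11:8880 failed
Jan 17 06:57:31 localhost charon: 02[CFG] ocsp check failed, fallback to crl
Jan 17 06:57:31 localhost charon: 02[CFG] certificate status is not available
Jan 17 06:57:31 localhost charon: 02[IKE] authentication of 'sriram.airvana.org' with RSA signature successful
Jan 17 06:57:31 localhost charon: 02[IKE] IKE_SA home[2] established between 10.206.1.10[arvind.airvana.org]...10.206.1.11[sriram.airvana.org]
"""

# syslog prefix + "<thread>[<group>] <message>" as charon writes it
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ charon: (?P<thr>\d+)\[(?P<grp>\w+)\] (?P<msg>.*)$")
OCSP_FAIL_RE = re.compile(r"ocsp request to (?P<url>\S+) failed")
SA_RE = re.compile(r"IKE_SA (?P<name>\S+) established between")

def audit_revocation(log_text):
    """Summarise the OCSP/CRL outcome in a charon log excerpt and flag SAs
    that reached ESTABLISHED although no revocation status was obtained."""
    ocsp_failures = []       # responder URLs that could not be reached
    crl_fallback = False
    status_unavailable = False
    established = []         # IKE_SA names that were established
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        f = OCSP_FAIL_RE.search(msg)
        if f:
            ocsp_failures.append(f.group("url"))
        elif "fallback to crl" in msg:
            crl_fallback = True
        elif "certificate status is not available" in msg:
            status_unavailable = True
        else:
            s = SA_RE.search(msg)
            if s:
                established.append(s.group("name"))
    return {
        "ocsp_failures": ocsp_failures,
        "crl_fallback": crl_fallback,
        "status_unavailable": status_unavailable,
        "established": established,
        # True when an SA came up while neither OCSP nor CRL yielded a status
        "established_without_status": bool(established) and status_unavailable,
    }

if __name__ == "__main__":
    print(audit_revocation(SAMPLE_LOG))
```

Run against the excerpt it reports two unreachable OCSP attempts against http://10.206.1.11:8880, the CRL fallback, and home[2] established without a revocation status; the same check can be fed a live syslog tail.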