[strongSwan] Strongswan does not remove a CA certificate from its internal objects (RAM) even after the certificate is removed from the cacerts directory or the ca section.

Sajal Malhotra sajalmalhotra at gmail.com
Wed May 13 11:28:39 CEST 2015


Hi,


We are using Strongswan versions 4.2 and 5.2 of the stack in our lab, with the
following setup:
Linux Box 1 (v4.2) <-----> Linux Box 2 (v5.2)


Here is what we are trying:
1. Both sides are using device certificates signed by different root CAs.
2. On both devices we have provided both root CA certificates in
ipsec.conf:

ca section1
        cacert=/usr/local/etc/ipsec.d/cacerts/CA.pem
        auto=add

ca section2
        cacert=/usr/local/etc/ipsec.d/ca.pem
        auto=add

3. With this configuration the SA comes up, which is also expected; no
issues.
4. Also, when we execute "ipsec listcacerts" on either end we can see that
it has loaded both CA certificates:

  subject:  "C=IN, ST=IN, I=IN, O=IN, CN=IN"
  issuer:   "C=IN, ST=IN, I=IN, O=IN, CN=IN"
  serial:    1f:3f

  subject:  "C=IN, O=Aricent, OU=BTSR?D, ST=Gurgaon, CN=TestRootCA, L=Udyog Vihar"
  issuer:   "C=IN, O=Aricent, OU=BTSR?D, ST=Gurgaon, CN=TestRootCA, L=Udyog Vihar"
  serial:    00:8b

All is fine till this stage.
5. Now we bring the tunnel down and remove the peer's root CA from one
end, i.e. "ca section2" is removed from ipsec.conf:

ca section1
        cacert=/usr/local/etc/ipsec.d/cacerts/CA.pem
        auto=add

6. After removing this and executing "ipsec update" we expect that the SA
will not get established, as the end that no longer has the peer's root CA
will reject the IKE_AUTH.
However, it is observed that the SA still comes up, and on executing "ipsec
listcacerts" we still see both certificates present on the device.

We have observed this behavior with both v4.2.8 and v5.2 of the stack. Is this
expected behavior? Is there any way to remove the CA certs from the stack's
memory?

Thanks and Regards
Sajal
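The condition described in the message above (a trust anchor that was removed from ipsec.conf but is still reported by "ipsec listcacerts") is easy to miss because the tunnel keeps working. Below is an added check that is not part of the original message and not strongSwan's own code: a small POSIX shell script that parses the "subject:" lines of listcacerts output and prints every loaded CA subject that the operator no longer intends to trust. The listcacerts sample embedded in it is constructed from the output quoted in the post so the script runs offline; on a real box the sample would be replaced by the live command output, and EXPECTED_SUBJECTS by the subject DNs of the CA files that remain configured. The "subject:" line format assumed by the sed expression is taken from the quoted output only.

```shell
#!/bin/sh
# Added example, not from the strongSwan project or the original post.
# Compare the CA subjects strongSwan reports as loaded against the subjects
# the operator still intends to trust, and print any trust anchor that is
# loaded in memory but no longer configured.

# Constructed sample of `ipsec listcacerts` output, modelled on the output
# quoted in the post. On a live system use: LISTCACERTS_SAMPLE=$(ipsec listcacerts)
LISTCACERTS_SAMPLE='List of X.509 CA Certificates:

  subject:  "C=IN, ST=IN, I=IN, O=IN, CN=IN"
  issuer:   "C=IN, ST=IN, I=IN, O=IN, CN=IN"
  serial:    1f:3f

  subject:  "C=IN, O=Aricent, OU=BTSR?D, ST=Gurgaon, CN=TestRootCA, L=Udyog Vihar"
  issuer:   "C=IN, O=Aricent, OU=BTSR?D, ST=Gurgaon, CN=TestRootCA, L=Udyog Vihar"
  serial:    00:8b
'

# Only the local root CA is still configured (ca section1 in the post).
# Newline-separated list of subject DNs that are expected to be loaded.
EXPECTED_SUBJECTS='C=IN, ST=IN, I=IN, O=IN, CN=IN'

# loaded_subjects TEXT
# Print one subject DN per line, taken from the quoted "subject:" lines.
# Issuer lines are ignored, so each CA certificate yields exactly one line.
loaded_subjects() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*subject:[[:space:]]*"\(.*\)"[[:space:]]*$/\1/p'
}

# stale_cas EXPECTED TEXT
# Print every loaded subject DN that does not appear verbatim in EXPECTED.
# Fixed-string, whole-line matching avoids treating DN characters as regex.
stale_cas() {
    expected=$1
    loaded_subjects "$2" | while IFS= read -r dn; do
        if ! printf '%s\n' "$expected" | grep -Fxq -- "$dn"; then
            printf '%s\n' "$dn"
        fi
    done
}

# report EXPECTED TEXT
# Human-readable summary; always returns 0 so it is safe under `set -e`.
report() {
    stale=$(stale_cas "$1" "$2")
    if [ -n "$stale" ]; then
        printf 'CA certificates still loaded but no longer configured:\n%s\n' "$stale"
    else
        echo "Loaded CA certificates match the configuration."
    fi
}

report "$EXPECTED_SUBJECTS" "$LISTCACERTS_SAMPLE"
```

With the constructed sample the script reports the TestRootCA subject as stale, which is exactly the state the post describes after "ipsec update". Rerunning the same check after "ipsec rereadcacerts" or "ipsec purgecerts" (where the installed ipsec script offers them) shows whether either command actually drops the stale anchor, rather than relying on the tunnel failing to come up.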