[strongSwan] Strongswan does not remove CA Certificate from its internal objects (RAM) even after removing the certificate from cacerts directory or ca section.
sajalmalhotra at gmail.com
Wed May 13 11:28:39 CEST 2015
We are using the Strongswan 4.2 and 5.2 versions of the stack in our lab and we have
Linux Box 1(v4.2)<----->Linux Box 2(v5.2)
Here is what we are trying:
1. Both Sides are using Device Certificates signed by different Root CA.
2. On both Devices we have provided both the root CA certificates in
3. With this configuration the SA comes up, which is also expected, and no
4. Also, when we execute "ipsec listcacerts" on either end we can see that
it has loaded both CA certificates:
subject: "C=IN, ST=IN, I=IN, O=IN, CN=IN"
issuer: "C=IN, ST=IN, I=IN, O=IN, CN=IN"
subject: "C=IN, O=Aricent, OU=BTSR?D, ST=Gurgaon, CN=TestRootCA, L=Udyog
issuer: "C=IN, O=Aricent, OU=BTSR?D, ST=Gurgaon, CN=TestRootCA, L=Udyog
All is fine till this stage.
5. Now we bring the tunnel down and remove the Root CA of peer from one
end, i.e. "ca section 2" is removed from ipsec.conf:
6. After removing this and executing "ipsec update" we expect that the SA
will not get established as the end which does not have root CA of peer
will reject the IKE_AUTH.
However, it is observed that the SA still comes up, and on executing "ipsec
listcacerts" we still see both the certificates present in Device.
We have observed this behavior with both v4.2.8 and v5.2 of the stack. Is this
expected behavior? Is there any way to remove the CA certs from Stack's
Thanks and Regards
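As an added example, not part of the post above and not strongSwan's own tooling: a POSIX shell script that compares the CA subjects "ipsec listcacerts" reports with a hand-written list of the CAs that are still meant to be trusted, and prints the ones that are loaded in memory but no longer wanted. The sample listcacerts output and the subject names are constructed for this example, and the function names (loaded_ca_subjects, stale_ca_subjects, demo_stale_cas) are chosen here.

```shell
#!/bin/sh
# Added example (not from the post or from strongSwan): report CA certificates
# that charon still lists as loaded although they are no longer meant to be
# trusted, e.g. after deleting a file from /etc/ipsec.d/cacerts or dropping
# a "ca" section from ipsec.conf.
set -eu

# Read "ipsec listcacerts" output on stdin and print one subject DN per line,
# taken from the quoted value of each "subject:" line.
loaded_ca_subjects() {
    sed -n 's/^[[:space:]]*subject:[[:space:]]*"\(.*\)"[[:space:]]*$/\1/p'
}

# $1: file holding "ipsec listcacerts" output
# $2: file holding the subject DNs that should still be trusted, one per line,
#     written exactly as listcacerts prints them
# Prints every loaded subject that is not listed in $2 (the stale ones).
stale_ca_subjects() {
    loaded_ca_subjects <"$1" | while IFS= read -r dn; do
        grep -qxF -- "$dn" "$2" || printf '%s\n' "$dn"
    done
}

# Constructed sample: what listcacerts printed after the peer CA had been
# removed from the configuration (names are made up for this example).
SAMPLE_LISTCACERTS='List of X.509 CA Certificates:

  subject:  "C=IN, O=Lab, CN=OwnRootCA"
  issuer:   "C=IN, O=Lab, CN=OwnRootCA"
  validity:  not before Jan 01 00:00:00 2015, ok
             not after  Jan 01 00:00:00 2025, ok
  subject:  "C=IN, O=Lab, CN=PeerRootCA"
  issuer:   "C=IN, O=Lab, CN=PeerRootCA"
  validity:  not before Jan 01 00:00:00 2015, ok
             not after  Jan 01 00:00:00 2025, ok'

# Constructed: only our own root CA is still supposed to be trusted.
EXPECTED_CAS='C=IN, O=Lab, CN=OwnRootCA'

# Run the comparison on the constructed sample and print the stale subjects.
demo_stale_cas() {
    loaded=$(mktemp) && expected=$(mktemp)
    printf '%s\n' "$SAMPLE_LISTCACERTS" >"$loaded"
    printf '%s\n' "$EXPECTED_CAS" >"$expected"
    stale_ca_subjects "$loaded" "$expected"
    rm -f "$loaded" "$expected"
}

demo_stale_cas
```

On a real host, save the output of "ipsec listcacerts" to a file, write the subjects that should remain trusted to a second file (one per line, exactly as listcacerts prints them), and run stale_ca_subjects on the two files before and after "ipsec rereadcacerts" and "ipsec purgecerts"; the ipsec wrapper provides both subcommands, and whether either of them evicts a CA removed from cacerts or from a ca section on a given release is what the comparison tells you, since the post only reports what happens after "ipsec update".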