[strongSwan] Need help on "ipsec purgecrls"
sajalmalhotra at gmail.com
Tue May 26 12:39:58 CEST 2015
Dear Strongswan team,
We are facing similar problem as reported by Shobhit here.
1. We had a CRL say "abc.pem" that was present in /etc/ipsec.d/crls. This
was loaded correctly by Strongswan stack
2. However before the Nextupdate time expired, we got an updated CRL with
certificate of peer revoked in it
3. Placed this updated CRL with same name "abc.pem" in same directory
/etc/ipsec.d/crls and then executed "ipsec rereadcrls".
However it is noticed that Strongswan does not loads this CRL immediately.
It only does that only after NextUpdate time of old CRL has expired.
Is there any way to force strongswan to reload the CRL file with same name
but updated contents?
I mean this could be very much possible that a CA issues a new CRL before
its NextUpdate time and then different Nodes should be able to take this
CRL into use. Isn't it?
On Mon, Jan 27, 2014 at 8:10 PM, shobhit shingla <coolshobhit7 at gmail.com>
> Here is the scenario
> IPSEC CRL is present in /etc/ipsec.d/crls for revoked certificate of other
> IPSEC tunnel is not established since certificate is revoked.
> Now remove CRL file from /etc/ipsec.d/crls/ and run these commands
> ipsec purgecrls
> ipsec rereadcrls
> Expected behaviour -
> IPSEC CRL cache should be flushed after purgecrls
> Now when ipsec rereadcrls is invoked, as now there are no crls in
> /etc/ipsec.d/crls, there should be no CRLs in the ipsec and hence ipsec
> listcrls should be empty.
> Also IPSEC tunnel should now get established without restarting ipsec.
> Actual behaviour
> ipsec purgecrls command does not flush the CRL cache. This we have
> verified using ipsec listcrls commands after flushing.
> ipsec tunnel is not established after crl is removed without restart.
> Thanks and regards,
> Users mailing list
> Users at lists.strongswan.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Users