[strongSwan] Certificate Expiry of Local Cert NOT being checked
Rajiv Kulkarni
rajivkulkarni69 at gmail.com
Tue Feb 2 15:54:11 CET 2016
Hi
Is strongSwan running on a local gateway supposed to check whether the
certificate used in "leftcert=xxx.pem" is valid or expired?
It's not doing so, as observed below; is there any option that has to be enabled?
================================
root at suram-OptiPlex-7010:/usr/local/etc/ipsec.d/certs# date
Tue Apr 21 19:35:02 IST 2020
root at suram-OptiPlex-7010:/usr/local/etc/ipsec.d/certs# ipsec listcerts
List of X.509 End Entity Certificates:
subject: "C=IN, O=strongSwan, CN=gateway2"
issuer: "C=IN, O=strongSwan, CN=strongSwan CA"
serial: 02
validity: not before Oct 16 01:39:07 2014, ok
not after Oct 15 01:39:07 2016, expired (1284 days ago)
pubkey: RSA 2048 bits, has private key
keyid: 21:42:15:1f:97:bd:9c:8c:43:8b:2d:50:df:76:ce:c1:85:ef:eb:e1
subjkey: bf:84:76:d6:f5:85:fa:8f:27:bf:b0:75:02:6c:9a:4a:20:f8:d8:ad
authkey: f6:9c:8d:ea:e6:48:58:8f:30:8d:97:0a:8c:17:21:a8:67:70:be:69
root at suram-OptiPlex-7010:/usr/local/etc/ipsec.d/certs# ipsec start --nofork
Starting weakSwan 5.3.0 IPsec [starter]...
charon is already running (/var/run/charon.pid exists) -- skipping daemon start
starter is already running (/var/run/starter.charon.pid exists) -- no fork done
root at suram-OptiPlex-7010:/usr/local/etc/ipsec.d/certs# ipsec stop
Stopping strongSwan IPsec...
root at suram-OptiPlex-7010:/usr/local/etc/ipsec.d/certs# cd /usr/local/etc/
root at suram-OptiPlex-7010:/usr/local/etc# cat ipsec.conf
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
strictcrlpolicy=no
charondebug="ike 1, dmn 1, chd 1, knl 1, cfg 1, net 1, esp 1, enc 1"
conn %default
ikelifetime=24h
keylife=18h
mobike=no
conn togw1
left=2.2.2.5
leftsubnet=192.168.25.0/24
right=2.2.2.34
rightsubnet=192.168.34.0/24
leftcert=peer2Cert.pem
leftauth=pubkey
rightauth=pubkey
leftid="/C=IN/O=strongSwan/CN=gateway2"
rightid=%any
type=tunnel
keyexchange=ikev1
ike=3des-sha1-modp1024!
esp=3des-sha1-modp1024!
auto=add
root at suram-OptiPlex-7010:/usr/local/etc# ipsec start --nofork
Starting weakSwan 5.3.0 IPsec [starter]...
00[DMN] Starting IKE charon daemon (strongSwan 5.3.0, Linux 3.11.0-26-generic, x86_64)
00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
00[CFG] loaded ca certificate "C=IN, O=strongSwan, CN=strongSwan CA" from '/usr/local/etc/ipsec.d/cacerts/strongcaCert.pem'
00[CFG] loaded ca certificate "C=IN, O=strongSwan, CN=strongSwan CA" from '/usr/local/etc/ipsec.d/cacerts/caCert.pem'
00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG] loaded RSA private key from '/usr/local/etc/ipsec.d/private/peer2Key.pem'
00[CFG] opening triplet file /usr/local/etc/ipsec.d/triplets.dat failed: No such file or directory
00[CFG] loaded 0 RADIUS server configurations
00[LIB] loaded plugins: charon aes des blowfish rc2 sha1 sha2 md5 random
nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp
dnskey sshkey pem openssl gcrypt fips-prf gmp xcbc cmac hmac ctr ccm gcm
attr kernel-netlink resolve socket-default farp stroke updown eap-identity
eap-sim eap-aka eap-simaka-pseudonym eap-md5 eap-gtc eap-mschapv2
eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic
xauth-eap xauth-noauth tnc-tnccs dhcp lookip error-notify unity
00[JOB] spawning 16 worker threads
charon (10745) started after 20 ms
06[CFG] received stroke: add connection 'togw1'
06[CFG] loaded certificate "C=IN, O=strongSwan, CN=gateway2" from 'peer2Cert.pem'
06[CFG] added configuration 'togw1'
^C00[DMN] signal of type SIGINT received. Shutting down
charon stopped after 200 ms
ipsec starter stopped
root at suram-OptiPlex-7010:/usr/local/etc# date
Tue Apr 21 19:36:23 IST 2020
==================================================
thanks & regards
rajiv
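In the log above charon loads peer2Cert.pem with no warning, while "ipsec listcerts" is what reports it as expired, so an operator who wants to catch this before "ipsec start" has to check the leftcert's validity window themselves. The following is an added example (not code from the post and not strongSwan's own), a stdlib-only Python pre-flight check that walks the DER of the certificate down to the Validity field and reports ok / expiring / expired / not-yet-valid plus the day count. It needs neither openssl nor the cryptography package. The sample certificate it builds is constructed and unsigned (only its validity field is meaningful; the dates and serial are taken from the listcerts output above), and the function and variable names are the example's own.

```python
"""Pre-flight expiry check for the certificate named in leftcert=.

Added example, not strongSwan code. Parses the Validity window of a PEM or
DER X.509 certificate with a minimal DER walker and grades it against a
chosen point in time. SAMPLE_PEM below is a constructed, unsigned stand-in
carrying the dates from the post; it is not a usable certificate.
"""
import base64
import datetime as dt
import re


def utc(year, month, day, hour=0, minute=0, second=0):
    """Aware UTC datetime helper for the constructed inputs."""
    return dt.datetime(year, month, day, hour, minute, second, tzinfo=dt.timezone.utc)


# --- minimal DER reader: Certificate -> TBSCertificate -> Validity ---
def _read_tlv(buf, pos):
    """One DER TLV at buf[pos] (single-byte tags only, which is all X.509 uses)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: 0x8N then N length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(content):
    """Split a SEQUENCE/SET body into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = _read_tlv(content, pos)
        out.append((tag, val))
    return out


def _parse_time(tag, val):
    """UTCTime (0x17, YYMMDDHHMMSSZ, RFC 5280 pivot at 1950) or GeneralizedTime (0x18)."""
    s = val.decode("ascii")
    if tag == 0x17:
        yy = int(s[:2])
        s = "%04d%s" % (1900 + yy if yy >= 50 else 2000 + yy, s[2:])
    elif tag != 0x18:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)


def certificate_validity(pem_or_der):
    """Return (notBefore, notAfter) of a PEM or DER certificate as UTC datetimes."""
    data = pem_or_der
    if data.lstrip().startswith(b"-----BEGIN"):
        data = base64.b64decode(re.sub(rb"-----[^-]+-----|\s", b"", data))
    tag, cert, _ = _read_tlv(data, 0)
    tbs_tag, tbs, _ = _read_tlv(cert, 0)
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a DER Certificate")
    fields = _children(tbs)
    if fields[0][0] == 0xA0:               # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    # TBSCertificate order: serialNumber, signature, issuer, validity, subject, ...
    vtag, validity = fields[3]
    if vtag != 0x30:
        raise ValueError("validity field missing")
    (t1, v1), (t2, v2) = _children(validity)
    return _parse_time(t1, v1), _parse_time(t2, v2)


def check_leftcert(pem_or_der, now=None, warn_days=30):
    """'ok', 'expiring' (within warn_days), 'expired' or 'not-yet-valid'."""
    now = now or dt.datetime.now(dt.timezone.utc)
    not_before, not_after = certificate_validity(pem_or_der)
    if now < not_before:
        return "not-yet-valid"
    if now > not_after:                    # notAfter itself is still valid (RFC 5280)
        return "expired"
    if not_after - now <= dt.timedelta(days=warn_days):
        return "expiring"
    return "ok"


def days_until_expiry(pem_or_der, now=None):
    """Whole days to notAfter, negative once expired (truncates toward zero,
    like the '(N days ago)' figure printed by 'ipsec listcerts')."""
    now = now or dt.datetime.now(dt.timezone.utc)
    _, not_after = certificate_validity(pem_or_der)
    return int((not_after - now).total_seconds() / 86400)


# --- constructed sample input: tiny DER encoder for a bare, unsigned certificate ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def make_sample_cert(not_before, not_after, cn=b"gateway2"):
    """PEM with RFC 5280 field order and the given validity; no key, no signature."""
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn))))
    utctime = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02"))                          # [0] version v3
               + _der(0x02, b"\x02")                                    # serial 02, as in listcerts
               + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
               + name                                                   # issuer (placeholder)
               + _der(0x30, utctime(not_before) + utctime(not_after))   # validity
               + name                                                   # subject
               + _der(0x30, b""))                                       # empty SPKI placeholder
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    body = base64.encodebytes(cert).decode("ascii")
    return ("-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n").encode("ascii")


# The post's certificate (Oct 16 01:39:07 2014 .. Oct 15 01:39:07 2016) checked at
# Tue Apr 21 19:35:02 IST 2020, i.e. 14:05:02 UTC.
SAMPLE_PEM = make_sample_cert(utc(2014, 10, 16, 1, 39, 7), utc(2016, 10, 15, 1, 39, 7))
PAGE_NOW = utc(2020, 4, 21, 14, 5, 2)

if __name__ == "__main__":
    import sys
    pem = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PEM
    now = PAGE_NOW if len(sys.argv) == 1 else None
    print(check_leftcert(pem, now), days_until_expiry(pem, now))
    sys.exit(0 if check_leftcert(pem, now) == "ok" else 1)
```

Run without arguments it grades the constructed sample at the post's date and exits non-zero ("expired", -1284 days, the same figure listcerts prints); run with the path of the real leftcert file it can sit in front of "ipsec start" or in a cron job so an expired or soon-expiring local certificate is caught before the peer rejects the IKE authentication.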