[strongSwan] Empty CRL cache

Fabrice Barconnière fabrice.barconniere at ac-dijon.fr
Tue Sep 13 14:15:14 CEST 2016


Hello,

I still have a problem with the CRL cache with strongSwan 5.3.5 and Ubuntu 16.04.

Certificate status is checked with the CRL, as we can see in the log file.
The ipsec listcrls command outputs:

List of X.509 CRLs:

  issuer:   "C=FR, O=Education Nationale, OU=0002 110043015, CN=AC EN
Scolarite et Formation"
  serial:    09:43
  revoked:   13 certificates
  updates:   this Sep 13 00:00:06 2016
             next Sep 20 00:00:06 2016, ok (expires in 6 days)
  authkey:   cc:2e:37:0f:06:b2:b9:b5:e9:2d:ff:be:52:37:c6:1d:b4:b7:07:17

But ll /etc/ipsec.d/crls/ gives:
total 8
drwxr-xr-x  2 root root 4096 avril  5 15:44 ./
drwxr-xr-x 11 root root 4096 août  30 21:01 ../

With Ubuntu 14.04 and strongSwan 5.1.2 (after the AppArmor profile correction),

ll /etc/ipsec.d/crls/ gives:
total 12
drwxr-xr-x  2 root root 4096 sept. 13 09:18 ./
drwxr-xr-x 11 root root 4096 sept. 10 01:04 ../
-rw-r--r--  1 root root 1307 sept. 13 09:18 cc2e370f06b2b9b5e92dffbe5237c61db4b70717.crl

What else can I check?



On 09/09/2016 at 14:50, Fabrice Barconnière wrote:
> Hi all,
>
> /etc/ipsec.d/crls directory is still empty after established connections.
>
> OS:  Ubuntu 16.04
> Version: 5.3.5-1ubuntu3
>
>
> * ipsec.conf :
>
> config setup
>     uniqueids = yes
>     cachecrls = yes
>     strictcrlpolicy = no
> ...
> ...
>
>
> * ipsec statusall :
>
> Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-36-generic,
> x86_64):
>   uptime: 17 minutes, since Sep 09 14:13:12 2016
>   malloc: sbrk 5275648, mmap 532480, used 1125024, free 4150624
>   worker threads: 27 of 32 idle, 5/0/0/0 working, job queue: 0/0/0/0,
> scheduled: 6
>   loaded plugins: charon test-vectors unbound ldap pkcs11 aes rc2 sha1
> sha2 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1
> pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem gcrypt af-alg
> fips-prf gmp chapoly xcbc cmac hmac ctr ccm ntru bliss curl soup mysql
> sqlite attr kernel-netlink resolve socket-default farp stroke updown
> eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2
> eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2
> eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic
> xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11
> tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr
> addrblock unity
> Listening IP addresses:
>   192.168.0.11
>   172.30.101.11
> Connections:
> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1: 
> 192.168.0.11...192.168.0.31  IKEv1/2, dpddelay=120s
> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1:  
> local:  [C=FR, L=Dijon, O=Education Nationale, OU=0002 110043015,
> CN=sphynx.ac-test.fr] uses public key authentication
> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1:   
> cert:  "C=FR, L=Dijon, O=Education Nationale, OU=0002 110043015,
> CN=sphynx.ac-test.fr"
> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1:  
> remote: [C=FR, L=Toulouse, O=Education Nationale, OU=ac-toulouse,
> OU=0002 110043015, CN=0120101V-01-TEST.ac-toulouse.fr] uses public key
> authentication
> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1:  
> child:  172.30.101.0/24 === 10.1.1.0/24 TUNNEL, dpdaction=clear
> Security Associations (1 up, 0 connecting):
> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1[2]:
> ESTABLISHED 10 minutes ago, 192.168.0.11[C=FR, L=Dijon, O=Education
> Nationale, OU=0002 110043015, CN=sphynx.ac-test.fr]...192.168.0.31[C=FR,
> L=Toulouse, O=Education Nationale, OU=ac-toulouse, OU=0002 110043015,
> CN=0120101V-01-TEST.ac-toulouse.fr]
> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1[2]:
> IKEv2 SPIs: b858dddc617a4ac3_i d7697a226ce94911_r*, public key
> reauthentication in 2 hours
> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1[2]:
> IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1{2}: 
> INSTALLED, TUNNEL, reqid 2, ESP SPIs: c84807a5_i c234d7e7_o
> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1{2}: 
> AES_GCM_16_128, 336 bytes_i (4 pkts, 6s ago), 336 bytes_o (4 pkts, 6s
> ago), rekeying in 32 minutes
> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1{2}:  
> 172.30.101.0/24 === 10.1.1.0/24
>
>
> * Logs :
>
> 2016-09-09T14:35:48.169931+02:00 sphynx.ac-test.lan charon: 00[DMN]
> Starting IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-36-generic,
> x86_64)
> 2016-09-09T14:35:48.220738+02:00 sphynx.ac-test.lan charon: 00[CFG]
> disabling load-tester plugin, not configured
> 2016-09-09T14:35:48.221002+02:00 sphynx.ac-test.lan charon: 00[LIB]
> plugin 'load-tester': failed to load - load_tester_plugin_create
> returned NULL
> 2016-09-09T14:35:48.229358+02:00 sphynx.ac-test.lan charon: 00[CFG]
> dnscert plugin is disabled
> 2016-09-09T14:35:48.229716+02:00 sphynx.ac-test.lan charon: 00[CFG]
> ipseckey plugin is disabled
> 2016-09-09T14:35:48.230376+02:00 sphynx.ac-test.lan charon: 00[CFG]
> attr-sql plugin: database URI not set
> 2016-09-09T14:35:48.230648+02:00 sphynx.ac-test.lan charon: 00[CFG]
> loading ca certificates from '/etc/ipsec.d/cacerts'
> 2016-09-09T14:35:48.230799+02:00 sphynx.ac-test.lan charon: 00[CFG]  
> loaded ca certificate "C=FR, O=Education Nationale, OU=0002 110043015,
> CN=AC EN Scolarite et Formation" from '/etc/ipsec.d/cacerts/AC EN
> Scolarite et Formation.pem'
> 2016-09-09T14:35:48.230997+02:00 sphynx.ac-test.lan charon: 00[CFG]  
> loaded ca certificate "C=FR, O=Education Nationale, L=Dijon, OU=0002
> 110043015, CN=CA-sphynx-RVP" from '/etc/ipsec.d/cacerts/CA-sphynx-RVP.pem'
> 2016-09-09T14:35:48.231144+02:00 sphynx.ac-test.lan charon: 00[CFG]  
> loaded ca certificate "C=FR, O=Education Nationale, OU=0002 110043015,
> CN=AC Education Nationale" from '/etc/ipsec.d/cacerts/AC Education
> Nationale.pem'
> 2016-09-09T14:35:48.231622+02:00 sphynx.ac-test.lan charon: 00[CFG]  
> loaded ca certificate "C=FR, O=Ministere Education Nationale
> Enseignement Superieur Recherche, CN=AC Racine Ministere ENESR" from
> '/etc/ipsec.d/cacerts/AC Racine Ministere ENESR.pem'
> 2016-09-09T14:35:48.231793+02:00 sphynx.ac-test.lan charon: 00[CFG]
> loading aa certificates from '/etc/ipsec.d/aacerts'
> 2016-09-09T14:35:48.231918+02:00 sphynx.ac-test.lan charon: 00[CFG]
> loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> 2016-09-09T14:35:48.232078+02:00 sphynx.ac-test.lan charon: 00[CFG]
> loading attribute certificates from '/etc/ipsec.d/acerts'
> 2016-09-09T14:35:48.232214+02:00 sphynx.ac-test.lan charon: 00[CFG]
> loading crls from '/etc/ipsec.d/crls'
> 2016-09-09T14:35:48.232356+02:00 sphynx.ac-test.lan charon: 00[CFG]
> loading secrets from '/etc/ipsec.secrets'
> 2016-09-09T14:35:48.232522+02:00 sphynx.ac-test.lan charon: 00[CFG]  
> loaded RSA private key from '/etc/ipsec.d/private/privsphynx.ac-test.fr.pem'
> 2016-09-09T14:35:48.232664+02:00 sphynx.ac-test.lan charon: 00[CFG]
> opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or
> directory
> 2016-09-09T14:35:48.232805+02:00 sphynx.ac-test.lan charon: 00[CFG]
> eap-simaka-sql database URI missing
> 2016-09-09T14:35:48.233119+02:00 sphynx.ac-test.lan charon: 00[CFG]
> loaded 0 RADIUS server configurations
> 2016-09-09T14:35:48.233315+02:00 sphynx.ac-test.lan charon: 00[CFG] no
> threshold configured for systime-fix, disabled
> 2016-09-09T14:35:48.233515+02:00 sphynx.ac-test.lan charon: 00[CFG]
> coupling file path unspecified
> 2016-09-09T14:35:48.233706+02:00 sphynx.ac-test.lan charon: 00[LIB]
> loaded plugins: charon test-vectors unbound ldap pkcs11 aes rc2 sha1
> sha2 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1
> pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem gcrypt af-alg
> fips-prf gmp chapoly xcbc cmac hmac ctr ccm ntru bliss curl soup mysql
> sqlite attr kernel-netlink resolve socket-default farp stroke updown
> eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2
> eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2
> eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic
> xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11
> tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr
> addrblock unity
> 2016-09-09T14:35:48.234163+02:00 sphynx.ac-test.lan charon: 00[LIB]
> dropped capabilities, running as uid 0, gid 0
> 2016-09-09T14:35:48.234345+02:00 sphynx.ac-test.lan charon: 00[JOB]
> spawning 32 worker threads
> 2016-09-09T14:35:48.247156+02:00 sphynx.ac-test.lan charon: 06[CFG]
> received stroke: add connection
> 'aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1'
> 2016-09-09T14:35:48.247447+02:00 sphynx.ac-test.lan charon: 06[CFG]  
> loaded certificate "C=FR, L=Dijon, O=Education Nationale, OU=0002
> 110043015, CN=sphynx.ac-test.fr" from 'sphynx.ac-test.fr.pem'
> 2016-09-09T14:35:48.247635+02:00 sphynx.ac-test.lan charon: 06[CFG]
> added configuration
> 'aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1'
> 2016-09-09T14:35:48.247825+02:00 sphynx.ac-test.lan charon: 08[CFG]
> received stroke: initiate
> 'aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1'
> 2016-09-09T14:35:48.248034+02:00 sphynx.ac-test.lan charon: 08[IKE]
> initiating IKE_SA
> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1[1]
> to 192.168.0.31
> 2016-09-09T14:35:48.248224+02:00 sphynx.ac-test.lan charon: 08[IKE]
> initiating IKE_SA
> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1[1]
> to 192.168.0.31
> 2016-09-09T14:35:48.259508+02:00 sphynx.ac-test.lan charon: 08[ENC]
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> N(HASH_ALG) ]
> 2016-09-09T14:35:48.259817+02:00 sphynx.ac-test.lan charon: 08[NET]
> sending packet: from 192.168.0.11[500] to 192.168.0.31[500] (1252 bytes)
> 2016-09-09T14:35:48.264907+02:00 sphynx.ac-test.lan charon: 10[NET]
> received packet: from 192.168.0.31[500] to 192.168.0.11[500] (517 bytes)
> 2016-09-09T14:35:48.265160+02:00 sphynx.ac-test.lan charon: 10[ENC]
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
> 2016-09-09T14:35:48.278316+02:00 sphynx.ac-test.lan charon: 10[IKE]
> received cert request for "C=FR, O=Ministere Education Nationale
> Enseignement Superieur Recherche, CN=AC Racine Ministere ENESR"
> 2016-09-09T14:35:48.278600+02:00 sphynx.ac-test.lan charon: 10[IKE]
> received cert request for "C=FR, O=Education Nationale, OU=0002
> 110043015, CN=AC EN Scolarite et Formation"
> 2016-09-09T14:35:48.278825+02:00 sphynx.ac-test.lan charon: 10[IKE]
> received cert request for "C=FR, O=Education Nationale, OU=0002
> 110043015, CN=AC Education Nationale"
> 2016-09-09T14:35:48.279014+02:00 sphynx.ac-test.lan charon: 10[IKE]
> received cert request for "C=FR, O=Education Nationale, L=Dijon, OU=0002
> 110043015, CN=CA-sphynx-RVP"
> 2016-09-09T14:35:48.279201+02:00 sphynx.ac-test.lan charon: 10[IKE]
> sending cert request for "C=FR, O=Education Nationale, OU=0002
> 110043015, CN=AC EN Scolarite et Formation"
> 2016-09-09T14:35:48.279419+02:00 sphynx.ac-test.lan charon: 10[IKE]
> sending cert request for "C=FR, O=Education Nationale, L=Dijon, OU=0002
> 110043015, CN=CA-sphynx-RVP"
> 2016-09-09T14:35:48.279590+02:00 sphynx.ac-test.lan charon: 10[IKE]
> sending cert request for "C=FR, O=Education Nationale, OU=0002
> 110043015, CN=AC Education Nationale"
> 2016-09-09T14:35:48.279791+02:00 sphynx.ac-test.lan charon: 10[IKE]
> sending cert request for "C=FR, O=Ministere Education Nationale
> Enseignement Superieur Recherche, CN=AC Racine Ministere ENESR"
> 2016-09-09T14:35:48.283674+02:00 sphynx.ac-test.lan charon: 10[IKE]
> authentication of 'C=FR, L=Dijon, O=Education Nationale, OU=0002
> 110043015, CN=sphynx.ac-test.fr' (myself) with RSA signature successful
> 2016-09-09T14:35:48.283936+02:00 sphynx.ac-test.lan charon: 10[IKE]
> sending end entity cert "C=FR, L=Dijon, O=Education Nationale, OU=0002
> 110043015, CN=sphynx.ac-test.fr"
> 2016-09-09T14:35:48.284141+02:00 sphynx.ac-test.lan charon: 10[IKE]
> establishing CHILD_SA
> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1
> 2016-09-09T14:35:48.284333+02:00 sphynx.ac-test.lan charon: 10[IKE]
> establishing CHILD_SA
> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1
> 2016-09-09T14:35:48.284487+02:00 sphynx.ac-test.lan charon: 10[ENC]
> generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr
> AUTH SA TSi TSr N(EAP_ONLY) ]
> 2016-09-09T14:35:48.284681+02:00 sphynx.ac-test.lan charon: 10[NET]
> sending packet: from 192.168.0.11[500] to 192.168.0.31[500] (2416 bytes)
> 2016-09-09T14:35:48.698280+02:00 sphynx.ac-test.lan charon: 11[NET]
> received packet: from 192.168.0.31[500] to 192.168.0.11[500] (2112 bytes)
> 2016-09-09T14:35:48.698782+02:00 sphynx.ac-test.lan charon: 11[ENC]
> parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) ]
> 2016-09-09T14:35:48.699000+02:00 sphynx.ac-test.lan charon: 11[IKE]
> received end entity cert "C=FR, L=Toulouse, O=Education Nationale,
> OU=ac-toulouse, OU=0002 110043015, CN=0120101V-01-TEST.ac-toulouse.fr"
> 2016-09-09T14:35:48.699199+02:00 sphynx.ac-test.lan charon: 11[CFG]  
> using certificate "C=FR, L=Toulouse, O=Education Nationale,
> OU=ac-toulouse, OU=0002 110043015, CN=0120101V-01-TEST.ac-toulouse.fr"
> 2016-09-09T14:35:48.699435+02:00 sphynx.ac-test.lan charon: 11[CFG]  
> using trusted intermediate ca certificate "C=FR, O=Education Nationale,
> OU=0002 110043015, CN=AC EN Scolarite et Formation"
> 2016-09-09T14:35:48.699629+02:00 sphynx.ac-test.lan charon: 11[CFG]
> checking certificate status of "C=FR, L=Toulouse, O=Education Nationale,
> OU=ac-toulouse, OU=0002 110043015, CN=0120101V-01-TEST.ac-toulouse.fr"
> 2016-09-09T14:35:48.699828+02:00 sphynx.ac-test.lan charon: 11[CFG]  
> fetching crl from
> 'http://crl.pncn.education.gouv.fr/ac-men-scolarite-et-formation.crl' ...
> 2016-09-09T14:35:48.739498+02:00 sphynx.ac-test.lan charon: 11[CFG]  
> using trusted intermediate ca certificate "C=FR, O=Education Nationale,
> OU=0002 110043015, CN=AC Education Nationale"
> 2016-09-09T14:35:48.739798+02:00 sphynx.ac-test.lan charon: 11[CFG]  
> reached self-signed root ca with a path length of 0
> 2016-09-09T14:35:48.740023+02:00 sphynx.ac-test.lan charon: 11[CFG]  
> using trusted certificate "C=FR, O=Education Nationale, OU=0002
> 110043015, CN=AC EN Scolarite et Formation"
> 2016-09-09T14:35:48.740227+02:00 sphynx.ac-test.lan charon: 11[CFG]  
> crl correctly signed by "C=FR, O=Education Nationale, OU=0002 110043015,
> CN=AC EN Scolarite et Formation"
> 2016-09-09T14:35:48.740439+02:00 sphynx.ac-test.lan charon: 11[CFG]  
> crl is valid: until Sep 16 00:00:05 2016
> 2016-09-09T14:35:48.740651+02:00 sphynx.ac-test.lan charon: 11[CFG]
> certificate status is good
> 2016-09-09T14:35:48.740875+02:00 sphynx.ac-test.lan charon: 11[CFG]  
> using trusted intermediate ca certificate "C=FR, O=Education Nationale,
> OU=0002 110043015, CN=AC Education Nationale"
> 2016-09-09T14:35:48.741131+02:00 sphynx.ac-test.lan charon: 11[CFG]
> checking certificate status of "C=FR, O=Education Nationale, OU=0002
> 110043015, CN=AC EN Scolarite et Formation"
> 2016-09-09T14:35:48.741452+02:00 sphynx.ac-test.lan charon: 11[CFG]  
> requesting ocsp status from 'http://ocsp.pncn.education.gouv.fr/men' ...
> 2016-09-09T14:35:48.866481+02:00 sphynx.ac-test.lan charon: 11[CFG]  
> ocsp response correctly signed by "C=FR, O=Education Nationale, OU=0002
> 110043015, CN=Signature OCSP - AC MEN"
> 2016-09-09T14:35:48.866895+02:00 sphynx.ac-test.lan charon: 11[CFG]  
> ocsp response is valid: until Sep 09 14:35:58 2016
> 2016-09-09T14:35:48.867158+02:00 sphynx.ac-test.lan charon: 11[CFG]
> certificate status is good
> 2016-09-09T14:35:48.867391+02:00 sphynx.ac-test.lan charon: 11[CFG]  
> using trusted ca certificate "C=FR, O=Ministere Education Nationale
> Enseignement Superieur Recherche, CN=AC Racine Ministere ENESR"
> 2016-09-09T14:35:48.867598+02:00 sphynx.ac-test.lan charon: 11[CFG]
> checking certificate status of "C=FR, O=Education Nationale, OU=0002
> 110043015, CN=AC Education Nationale"
> 2016-09-09T14:35:48.867803+02:00 sphynx.ac-test.lan charon: 11[CFG] ocsp
> response verification failed, no signer certificate 'C=FR, O=Education
> Nationale, OU=0002 110043015, CN=Signature OCSP - AC MEN' found
> 2016-09-09T14:35:48.868006+02:00 sphynx.ac-test.lan charon: 11[CFG]  
> requesting ocsp status from 'http://ocsp.pncn.education.gouv.fr/menesr' ...
> 2016-09-09T14:35:48.992719+02:00 sphynx.ac-test.lan charon: 11[CFG]  
> ocsp response correctly signed by "C=FR, O=Ministere Education Nationale
> Enseignement Superieur Recherche, CN=Signature OCSP - AC MENESR"
> 2016-09-09T14:35:48.993075+02:00 sphynx.ac-test.lan charon: 11[CFG]  
> ocsp response is valid: until Sep 09 14:35:58 2016
> 2016-09-09T14:35:48.993272+02:00 sphynx.ac-test.lan charon: 11[CFG]
> certificate status is good
> 2016-09-09T14:35:48.993484+02:00 sphynx.ac-test.lan charon: 11[CFG]  
> reached self-signed root ca with a path length of 2
> 2016-09-09T14:35:48.993709+02:00 sphynx.ac-test.lan charon: 11[IKE]
> authentication of 'C=FR, L=Toulouse, O=Education Nationale,
> OU=ac-toulouse, OU=0002 110043015, CN=0120101V-01-TEST.ac-toulouse.fr'
> with RSA signature successful
> 2016-09-09T14:35:48.993915+02:00 sphynx.ac-test.lan charon: 11[IKE]
> IKE_SA
> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1[1]
> established between 192.168.0.11[C=FR, L=Dijon, O=Education Nationale,
> OU=0002 110043015, CN=sphynx.ac-test.fr]...192.168.0.31[C=FR,
> L=Toulouse, O=Education Nationale, OU=ac-toulouse, OU=0002 110043015,
> CN=0120101V-01-TEST.ac-toulouse.fr]
> 2016-09-09T14:35:48.994137+02:00 sphynx.ac-test.lan charon: 11[IKE]
> IKE_SA
> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1[1]
> established between 192.168.0.11[C=FR, L=Dijon, O=Education Nationale,
> OU=0002 110043015, CN=sphynx.ac-test.fr]...192.168.0.31[C=FR,
> L=Toulouse, O=Education Nationale, OU=ac-toulouse, OU=0002 110043015,
> CN=0120101V-01-TEST.ac-toulouse.fr]
> 2016-09-09T14:35:48.994316+02:00 sphynx.ac-test.lan charon: 11[IKE]
> scheduling reauthentication in 10146s
> 2016-09-09T14:35:48.994585+02:00 sphynx.ac-test.lan charon: 11[IKE]
> maximum IKE_SA lifetime 10686s
> 2016-09-09T14:35:48.994955+02:00 sphynx.ac-test.lan charon: 11[IKE]
> CHILD_SA
> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1{1}
> established with SPIs ccdd7bb4_i c01e70f1_o and TS 172.30.101.0/24 ===
> 10.1.1.0/24
> 2016-09-09T14:35:48.995159+02:00 sphynx.ac-test.lan charon: 11[IKE]
> CHILD_SA
> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1{1}
> established with SPIs ccdd7bb4_i c01e70f1_o and TS 172.30.101.0/24 ===
> 10.1.1.0/24
> 2016-09-09T14:35:48.995469+02:00 sphynx.ac-test.lan charon: 11[IKE]
> received AUTH_LIFETIME of 10248s, scheduling reauthentication in 9708s
>
>
> The CRL cache is not empty with Ubuntu 14.04 and strongSwan version
> 5.1.2-0ubuntu2.4 and the same configuration. I can see this line in the log
> file:
> 2016-09-09T13:39:42.728748+02:00 amon.etb1.lan charon: 21[CFG]   written
> crl file
> '/etc/ipsec.d/crls/cc2e370f06b2b9b5e92dffbe5237c61db4b70717.crl' (1307
> bytes)
> ls -l /etc/ipsec.d/crls/
> total 4
> -rw-r--r-- 1 root root 1307 sept.  9 13:39 cc2e370f06b2b9b5e92dffbe5237c61db4b70717.crl
>
>
> Perhaps something is wrong in my strongSwan configuration?
>
>
> Regards,
> Fabrice Barconnière
> http://pcll.ac-dijon.fr/eole/
>
>
>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users


-- 
Regards,
Fabrice Barconnière
Pôle logiciels libres - EOLE
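The post asks what else can be checked when cachecrls = yes is set but /etc/ipsec.d/crls stays empty. The following is an added shell example, not code from the post or from the strongSwan project. It derives the cached-CRL file name from the authkey that ipsec listcrls prints (the post shows the scheme: the colon-separated authority key identifier becomes the hex file name plus .crl), tests whether that file is present in the cache directory, counts "written crl file" lines in a charon log (the line the 14.04 box logs and the 16.04 box does not), and checks whether an AppArmor profile grants write access to the cache path. The profile path /etc/apparmor.d/usr.lib.ipsec.charon and the rule form "/etc/ipsec.d/crls/* rw," are assumptions about how Ubuntu ships the charon profile; any log or profile lines mentioned in comments are constructed.

```shell
#!/bin/sh
# Added example (not from the list post or the strongSwan project):
# checks for a cachecrls=yes setup whose CRL cache directory stays empty.
# Naming scheme taken from the post: authkey cc:2e:37:... -> cc2e37...crl

# Strip the colons from an authority key identifier: cc:2e:37 -> cc2e37
crl_cache_filename() {
    printf '%s.crl\n' "$(printf '%s' "$1" | tr -d ':')"
}

# Return 0 if the cached CRL for AUTHKEY exists and is non-empty in DIR.
# DIR defaults to strongSwan's default cache path /etc/ipsec.d/crls.
check_crl_cached() {
    authkey="$1"
    dir="${2:-/etc/ipsec.d/crls}"
    f="$dir/$(crl_cache_filename "$authkey")"
    [ -s "$f" ]
}

# Count "written crl file" lines in a charon log. 0 while "fetching crl from"
# lines are present means the CRL is fetched on every check and never cached.
count_written_crls() {
    grep -c 'written crl file' "$1" || true
}

# Return 0 if the AppArmor profile grants write access to the CRL cache dir.
# Profile path is an assumption (where Ubuntu ships the charon profile);
# the rule looked for is of the constructed form "/etc/ipsec.d/crls/* rw,".
# Returns 2 when the profile cannot be read (AppArmor may not be in use).
apparmor_allows_crl_write() {
    profile="${1:-/etc/apparmor.d/usr.lib.ipsec.charon}"
    [ -r "$profile" ] || return 2
    grep -Eq '/etc/ipsec\.d/crls/\*\*?[[:space:]]+r?w' "$profile"
}

# Usage (assumed invocation): sh check_crl_cache.sh <authkey> [cache-dir] [charon-log]
if [ "$#" -ge 1 ]; then
    key="$1"; dir="${2:-/etc/ipsec.d/crls}"; log="${3:-}"
    echo "expected cache file: $dir/$(crl_cache_filename "$key")"
    if check_crl_cached "$key" "$dir"; then
        echo "cached CRL present"
    else
        echo "cached CRL missing (compare with 'written crl file' log lines)"
    fi
    if [ -n "$log" ]; then
        echo "written crl file lines in $log: $(count_written_crls "$log")"
    fi
    if apparmor_allows_crl_write; then
        echo "AppArmor profile allows writing the CRL cache"
    else
        echo "AppArmor profile unreadable or does not allow writing /etc/ipsec.d/crls"
    fi
fi
```

Run it with the authkey from ipsec listcrls; if the expected file name is missing while the log shows only "fetching crl from" and never "written crl file", the fetch succeeds but the write does not, which is where a confinement or permission problem on the cache directory would show up.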
