[strongSwan] Empty CRL cache

Andreas Steffen andreas.steffen at strongswan.org
Tue Sep 13 17:40:32 CEST 2016


Hi Fabrice,

I don't know what your problem might be. In our KVM scenario running
strongSwan 5.5.0 under Debian 8, the CRL is written to a file:

https://www.strongswan.org/testing/testresults/ikev2/crl-to-cache/

Best regards

Andreas

On 13.09.2016 14:15, Fabrice Barconnière wrote:
> Hello,
> 
> I still have a problem with the CRL cache with strongSwan 5.3.5 and Ubuntu 16.04.
> 
> Certificate status is checked with the CRL, as we can see in the log file.
> The output of the ipsec listcrls command gives:
> 
> List of X.509 CRLs:
> 
>   issuer:   "C=FR, O=Education Nationale, OU=0002 110043015, CN=AC EN
> Scolarite et Formation"
>   serial:    09:43
>   revoked:   13 certificates
>   updates:   this Sep 13 00:00:06 2016
>              next Sep 20 00:00:06 2016, ok (expires in 6 days)
>   authkey:   cc:2e:37:0f:06:b2:b9:b5:e9:2d:ff:be:52:37:c6:1d:b4:b7:07:17
> 
> But ll /etc/ipsec.d/crls/ gives:
> total 8
> drwxr-xr-x  2 root root 4096 avril  5 15:44 ./
> drwxr-xr-x 11 root root 4096 août  30 21:01 ../
> 
> With Ubuntu 14.04 and strongSwan 5.1.2 (after AppArmor profile correction),
> 
> ll /etc/ipsec.d/crls/ gives:
> total 12
> drwxr-xr-x  2 root root 4096 sept. 13 09:18 ./
> drwxr-xr-x 11 root root 4096 sept. 10 01:04 ../
> -rw-r--r--  1 root root 1307 sept. 13 09:18
> cc2e370f06b2b9b5e92dffbe5237c61db4b70717.crl
> 
> What else can I check?
> 
> 
> 
> On 09/09/2016 at 14:50, Fabrice Barconnière wrote:
>> Hi all,
>>
>> The /etc/ipsec.d/crls directory is still empty after connections are established.
>>
>> OS:  Ubuntu 16.04
>> Version: 5.3.5-1ubuntu3
>>
>>
>> * ipsec.conf :
>>
>> config setup
>>     uniqueids = yes
>>     cachecrls = yes
>>     strictcrlpolicy = no
>> ...
>> ...
>>
>>
>> * ipsec statusall :
>>
>> Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-36-generic,
>> x86_64):
>>   uptime: 17 minutes, since Sep 09 14:13:12 2016
>>   malloc: sbrk 5275648, mmap 532480, used 1125024, free 4150624
>>   worker threads: 27 of 32 idle, 5/0/0/0 working, job queue: 0/0/0/0,
>> scheduled: 6
>>   loaded plugins: charon test-vectors unbound ldap pkcs11 aes rc2 sha1
>> sha2 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1
>> pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem gcrypt af-alg
>> fips-prf gmp chapoly xcbc cmac hmac ctr ccm ntru bliss curl soup mysql
>> sqlite attr kernel-netlink resolve socket-default farp stroke updown
>> eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2
>> eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2
>> eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic
>> xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11
>> tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr
>> addrblock unity
>> Listening IP addresses:
>>   192.168.0.11
>>   172.30.101.11
>> Connections:
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1: 
>> 192.168.0.11...192.168.0.31  IKEv1/2, dpddelay=120s
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1:  
>> local:  [C=FR, L=Dijon, O=Education Nationale, OU=0002 110043015,
>> CN=sphynx.ac-test.fr] uses public key authentication
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1:   
>> cert:  "C=FR, L=Dijon, O=Education Nationale, OU=0002 110043015,
>> CN=sphynx.ac-test.fr"
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1:  
>> remote: [C=FR, L=Toulouse, O=Education Nationale, OU=ac-toulouse,
>> OU=0002 110043015, CN=0120101V-01-TEST.ac-toulouse.fr] uses public key
>> authentication
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1:  
>> child:  172.30.101.0/24 === 10.1.1.0/24 TUNNEL, dpdaction=clear
>> Security Associations (1 up, 0 connecting):
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1[2]:
>> ESTABLISHED 10 minutes ago, 192.168.0.11[C=FR, L=Dijon, O=Education
>> Nationale, OU=0002 110043015, CN=sphynx.ac-test.fr]...192.168.0.31[C=FR,
>> L=Toulouse, O=Education Nationale, OU=ac-toulouse, OU=0002 110043015,
>> CN=0120101V-01-TEST.ac-toulouse.fr]
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1[2]:
>> IKEv2 SPIs: b858dddc617a4ac3_i d7697a226ce94911_r*, public key
>> reauthentication in 2 hours
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1[2]:
>> IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1{2}: 
>> INSTALLED, TUNNEL, reqid 2, ESP SPIs: c84807a5_i c234d7e7_o
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1{2}: 
>> AES_GCM_16_128, 336 bytes_i (4 pkts, 6s ago), 336 bytes_o (4 pkts, 6s
>> ago), rekeying in 32 minutes
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1{2}:  
>> 172.30.101.0/24 === 10.1.1.0/24
>>
>>
>> * Logs :
>>
>> 2016-09-09T14:35:48.169931+02:00 sphynx.ac-test.lan charon: 00[DMN]
>> Starting IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-36-generic,
>> x86_64)
>> 2016-09-09T14:35:48.220738+02:00 sphynx.ac-test.lan charon: 00[CFG]
>> disabling load-tester plugin, not configured
>> 2016-09-09T14:35:48.221002+02:00 sphynx.ac-test.lan charon: 00[LIB]
>> plugin 'load-tester': failed to load - load_tester_plugin_create
>> returned NULL
>> 2016-09-09T14:35:48.229358+02:00 sphynx.ac-test.lan charon: 00[CFG]
>> dnscert plugin is disabled
>> 2016-09-09T14:35:48.229716+02:00 sphynx.ac-test.lan charon: 00[CFG]
>> ipseckey plugin is disabled
>> 2016-09-09T14:35:48.230376+02:00 sphynx.ac-test.lan charon: 00[CFG]
>> attr-sql plugin: database URI not set
>> 2016-09-09T14:35:48.230648+02:00 sphynx.ac-test.lan charon: 00[CFG]
>> loading ca certificates from '/etc/ipsec.d/cacerts'
>> 2016-09-09T14:35:48.230799+02:00 sphynx.ac-test.lan charon: 00[CFG]  
>> loaded ca certificate "C=FR, O=Education Nationale, OU=0002 110043015,
>> CN=AC EN Scolarite et Formation" from '/etc/ipsec.d/cacerts/AC EN
>> Scolarite et Formation.pem'
>> 2016-09-09T14:35:48.230997+02:00 sphynx.ac-test.lan charon: 00[CFG]  
>> loaded ca certificate "C=FR, O=Education Nationale, L=Dijon, OU=0002
>> 110043015, CN=CA-sphynx-RVP" from '/etc/ipsec.d/cacerts/CA-sphynx-RVP.pem'
>> 2016-09-09T14:35:48.231144+02:00 sphynx.ac-test.lan charon: 00[CFG]  
>> loaded ca certificate "C=FR, O=Education Nationale, OU=0002 110043015,
>> CN=AC Education Nationale" from '/etc/ipsec.d/cacerts/AC Education
>> Nationale.pem'
>> 2016-09-09T14:35:48.231622+02:00 sphynx.ac-test.lan charon: 00[CFG]  
>> loaded ca certificate "C=FR, O=Ministere Education Nationale
>> Enseignement Superieur Recherche, CN=AC Racine Ministere ENESR" from
>> '/etc/ipsec.d/cacerts/AC Racine Ministere ENESR.pem'
>> 2016-09-09T14:35:48.231793+02:00 sphynx.ac-test.lan charon: 00[CFG]
>> loading aa certificates from '/etc/ipsec.d/aacerts'
>> 2016-09-09T14:35:48.231918+02:00 sphynx.ac-test.lan charon: 00[CFG]
>> loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
>> 2016-09-09T14:35:48.232078+02:00 sphynx.ac-test.lan charon: 00[CFG]
>> loading attribute certificates from '/etc/ipsec.d/acerts'
>> 2016-09-09T14:35:48.232214+02:00 sphynx.ac-test.lan charon: 00[CFG]
>> loading crls from '/etc/ipsec.d/crls'
>> 2016-09-09T14:35:48.232356+02:00 sphynx.ac-test.lan charon: 00[CFG]
>> loading secrets from '/etc/ipsec.secrets'
>> 2016-09-09T14:35:48.232522+02:00 sphynx.ac-test.lan charon: 00[CFG]  
>> loaded RSA private key from '/etc/ipsec.d/private/privsphynx.ac-test.fr.pem'
>> 2016-09-09T14:35:48.232664+02:00 sphynx.ac-test.lan charon: 00[CFG]
>> opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or
>> directory
>> 2016-09-09T14:35:48.232805+02:00 sphynx.ac-test.lan charon: 00[CFG]
>> eap-simaka-sql database URI missing
>> 2016-09-09T14:35:48.233119+02:00 sphynx.ac-test.lan charon: 00[CFG]
>> loaded 0 RADIUS server configurations
>> 2016-09-09T14:35:48.233315+02:00 sphynx.ac-test.lan charon: 00[CFG] no
>> threshold configured for systime-fix, disabled
>> 2016-09-09T14:35:48.233515+02:00 sphynx.ac-test.lan charon: 00[CFG]
>> coupling file path unspecified
>> 2016-09-09T14:35:48.233706+02:00 sphynx.ac-test.lan charon: 00[LIB]
>> loaded plugins: charon test-vectors unbound ldap pkcs11 aes rc2 sha1
>> sha2 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1
>> pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem gcrypt af-alg
>> fips-prf gmp chapoly xcbc cmac hmac ctr ccm ntru bliss curl soup mysql
>> sqlite attr kernel-netlink resolve socket-default farp stroke updown
>> eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2
>> eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2
>> eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic
>> xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11
>> tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr
>> addrblock unity
>> 2016-09-09T14:35:48.234163+02:00 sphynx.ac-test.lan charon: 00[LIB]
>> dropped capabilities, running as uid 0, gid 0
>> 2016-09-09T14:35:48.234345+02:00 sphynx.ac-test.lan charon: 00[JOB]
>> spawning 32 worker threads
>> 2016-09-09T14:35:48.247156+02:00 sphynx.ac-test.lan charon: 06[CFG]
>> received stroke: add connection
>> 'aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1'
>> 2016-09-09T14:35:48.247447+02:00 sphynx.ac-test.lan charon: 06[CFG]  
>> loaded certificate "C=FR, L=Dijon, O=Education Nationale, OU=0002
>> 110043015, CN=sphynx.ac-test.fr" from 'sphynx.ac-test.fr.pem'
>> 2016-09-09T14:35:48.247635+02:00 sphynx.ac-test.lan charon: 06[CFG]
>> added configuration
>> 'aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1'
>> 2016-09-09T14:35:48.247825+02:00 sphynx.ac-test.lan charon: 08[CFG]
>> received stroke: initiate
>> 'aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1'
>> 2016-09-09T14:35:48.248034+02:00 sphynx.ac-test.lan charon: 08[IKE]
>> initiating IKE_SA
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1[1]
>> to 192.168.0.31
>> 2016-09-09T14:35:48.248224+02:00 sphynx.ac-test.lan charon: 08[IKE]
>> initiating IKE_SA
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1[1]
>> to 192.168.0.31
>> 2016-09-09T14:35:48.259508+02:00 sphynx.ac-test.lan charon: 08[ENC]
>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
>> N(HASH_ALG) ]
>> 2016-09-09T14:35:48.259817+02:00 sphynx.ac-test.lan charon: 08[NET]
>> sending packet: from 192.168.0.11[500] to 192.168.0.31[500] (1252 bytes)
>> 2016-09-09T14:35:48.264907+02:00 sphynx.ac-test.lan charon: 10[NET]
>> received packet: from 192.168.0.31[500] to 192.168.0.11[500] (517 bytes)
>> 2016-09-09T14:35:48.265160+02:00 sphynx.ac-test.lan charon: 10[ENC]
>> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
>> 2016-09-09T14:35:48.278316+02:00 sphynx.ac-test.lan charon: 10[IKE]
>> received cert request for "C=FR, O=Ministere Education Nationale
>> Enseignement Superieur Recherche, CN=AC Racine Ministere ENESR"
>> 2016-09-09T14:35:48.278600+02:00 sphynx.ac-test.lan charon: 10[IKE]
>> received cert request for "C=FR, O=Education Nationale, OU=0002
>> 110043015, CN=AC EN Scolarite et Formation"
>> 2016-09-09T14:35:48.278825+02:00 sphynx.ac-test.lan charon: 10[IKE]
>> received cert request for "C=FR, O=Education Nationale, OU=0002
>> 110043015, CN=AC Education Nationale"
>> 2016-09-09T14:35:48.279014+02:00 sphynx.ac-test.lan charon: 10[IKE]
>> received cert request for "C=FR, O=Education Nationale, L=Dijon, OU=0002
>> 110043015, CN=CA-sphynx-RVP"
>> 2016-09-09T14:35:48.279201+02:00 sphynx.ac-test.lan charon: 10[IKE]
>> sending cert request for "C=FR, O=Education Nationale, OU=0002
>> 110043015, CN=AC EN Scolarite et Formation"
>> 2016-09-09T14:35:48.279419+02:00 sphynx.ac-test.lan charon: 10[IKE]
>> sending cert request for "C=FR, O=Education Nationale, L=Dijon, OU=0002
>> 110043015, CN=CA-sphynx-RVP"
>> 2016-09-09T14:35:48.279590+02:00 sphynx.ac-test.lan charon: 10[IKE]
>> sending cert request for "C=FR, O=Education Nationale, OU=0002
>> 110043015, CN=AC Education Nationale"
>> 2016-09-09T14:35:48.279791+02:00 sphynx.ac-test.lan charon: 10[IKE]
>> sending cert request for "C=FR, O=Ministere Education Nationale
>> Enseignement Superieur Recherche, CN=AC Racine Ministere ENESR"
>> 2016-09-09T14:35:48.283674+02:00 sphynx.ac-test.lan charon: 10[IKE]
>> authentication of 'C=FR, L=Dijon, O=Education Nationale, OU=0002
>> 110043015, CN=sphynx.ac-test.fr' (myself) with RSA signature successful
>> 2016-09-09T14:35:48.283936+02:00 sphynx.ac-test.lan charon: 10[IKE]
>> sending end entity cert "C=FR, L=Dijon, O=Education Nationale, OU=0002
>> 110043015, CN=sphynx.ac-test.fr"
>> 2016-09-09T14:35:48.284141+02:00 sphynx.ac-test.lan charon: 10[IKE]
>> establishing CHILD_SA
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1
>> 2016-09-09T14:35:48.284333+02:00 sphynx.ac-test.lan charon: 10[IKE]
>> establishing CHILD_SA
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1
>> 2016-09-09T14:35:48.284487+02:00 sphynx.ac-test.lan charon: 10[ENC]
>> generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr
>> AUTH SA TSi TSr N(EAP_ONLY) ]
>> 2016-09-09T14:35:48.284681+02:00 sphynx.ac-test.lan charon: 10[NET]
>> sending packet: from 192.168.0.11[500] to 192.168.0.31[500] (2416 bytes)
>> 2016-09-09T14:35:48.698280+02:00 sphynx.ac-test.lan charon: 11[NET]
>> received packet: from 192.168.0.31[500] to 192.168.0.11[500] (2112 bytes)
>> 2016-09-09T14:35:48.698782+02:00 sphynx.ac-test.lan charon: 11[ENC]
>> parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) ]
>> 2016-09-09T14:35:48.699000+02:00 sphynx.ac-test.lan charon: 11[IKE]
>> received end entity cert "C=FR, L=Toulouse, O=Education Nationale,
>> OU=ac-toulouse, OU=0002 110043015, CN=0120101V-01-TEST.ac-toulouse.fr"
>> 2016-09-09T14:35:48.699199+02:00 sphynx.ac-test.lan charon: 11[CFG]  
>> using certificate "C=FR, L=Toulouse, O=Education Nationale,
>> OU=ac-toulouse, OU=0002 110043015, CN=0120101V-01-TEST.ac-toulouse.fr"
>> 2016-09-09T14:35:48.699435+02:00 sphynx.ac-test.lan charon: 11[CFG]  
>> using trusted intermediate ca certificate "C=FR, O=Education Nationale,
>> OU=0002 110043015, CN=AC EN Scolarite et Formation"
>> 2016-09-09T14:35:48.699629+02:00 sphynx.ac-test.lan charon: 11[CFG]
>> checking certificate status of "C=FR, L=Toulouse, O=Education Nationale,
>> OU=ac-toulouse, OU=0002 110043015, CN=0120101V-01-TEST.ac-toulouse.fr"
>> 2016-09-09T14:35:48.699828+02:00 sphynx.ac-test.lan charon: 11[CFG]  
>> fetching crl from
>> 'http://crl.pncn.education.gouv.fr/ac-men-scolarite-et-formation.crl' ...
>> 2016-09-09T14:35:48.739498+02:00 sphynx.ac-test.lan charon: 11[CFG]  
>> using trusted intermediate ca certificate "C=FR, O=Education Nationale,
>> OU=0002 110043015, CN=AC Education Nationale"
>> 2016-09-09T14:35:48.739798+02:00 sphynx.ac-test.lan charon: 11[CFG]  
>> reached self-signed root ca with a path length of 0
>> 2016-09-09T14:35:48.740023+02:00 sphynx.ac-test.lan charon: 11[CFG]  
>> using trusted certificate "C=FR, O=Education Nationale, OU=0002
>> 110043015, CN=AC EN Scolarite et Formation"
>> 2016-09-09T14:35:48.740227+02:00 sphynx.ac-test.lan charon: 11[CFG]  
>> crl correctly signed by "C=FR, O=Education Nationale, OU=0002 110043015,
>> CN=AC EN Scolarite et Formation"
>> 2016-09-09T14:35:48.740439+02:00 sphynx.ac-test.lan charon: 11[CFG]  
>> crl is valid: until Sep 16 00:00:05 2016
>> 2016-09-09T14:35:48.740651+02:00 sphynx.ac-test.lan charon: 11[CFG]
>> certificate status is good
>> 2016-09-09T14:35:48.740875+02:00 sphynx.ac-test.lan charon: 11[CFG]  
>> using trusted intermediate ca certificate "C=FR, O=Education Nationale,
>> OU=0002 110043015, CN=AC Education Nationale"
>> 2016-09-09T14:35:48.741131+02:00 sphynx.ac-test.lan charon: 11[CFG]
>> checking certificate status of "C=FR, O=Education Nationale, OU=0002
>> 110043015, CN=AC EN Scolarite et Formation"
>> 2016-09-09T14:35:48.741452+02:00 sphynx.ac-test.lan charon: 11[CFG]  
>> requesting ocsp status from 'http://ocsp.pncn.education.gouv.fr/men' ...
>> 2016-09-09T14:35:48.866481+02:00 sphynx.ac-test.lan charon: 11[CFG]  
>> ocsp response correctly signed by "C=FR, O=Education Nationale, OU=0002
>> 110043015, CN=Signature OCSP - AC MEN"
>> 2016-09-09T14:35:48.866895+02:00 sphynx.ac-test.lan charon: 11[CFG]  
>> ocsp response is valid: until Sep 09 14:35:58 2016
>> 2016-09-09T14:35:48.867158+02:00 sphynx.ac-test.lan charon: 11[CFG]
>> certificate status is good
>> 2016-09-09T14:35:48.867391+02:00 sphynx.ac-test.lan charon: 11[CFG]  
>> using trusted ca certificate "C=FR, O=Ministere Education Nationale
>> Enseignement Superieur Recherche, CN=AC Racine Ministere ENESR"
>> 2016-09-09T14:35:48.867598+02:00 sphynx.ac-test.lan charon: 11[CFG]
>> checking certificate status of "C=FR, O=Education Nationale, OU=0002
>> 110043015, CN=AC Education Nationale"
>> 2016-09-09T14:35:48.867803+02:00 sphynx.ac-test.lan charon: 11[CFG] ocsp
>> response verification failed, no signer certificate 'C=FR, O=Education
>> Nationale, OU=0002 110043015, CN=Signature OCSP - AC MEN' found
>> 2016-09-09T14:35:48.868006+02:00 sphynx.ac-test.lan charon: 11[CFG]  
>> requesting ocsp status from 'http://ocsp.pncn.education.gouv.fr/menesr' ...
>> 2016-09-09T14:35:48.992719+02:00 sphynx.ac-test.lan charon: 11[CFG]  
>> ocsp response correctly signed by "C=FR, O=Ministere Education Nationale
>> Enseignement Superieur Recherche, CN=Signature OCSP - AC MENESR"
>> 2016-09-09T14:35:48.993075+02:00 sphynx.ac-test.lan charon: 11[CFG]  
>> ocsp response is valid: until Sep 09 14:35:58 2016
>> 2016-09-09T14:35:48.993272+02:00 sphynx.ac-test.lan charon: 11[CFG]
>> certificate status is good
>> 2016-09-09T14:35:48.993484+02:00 sphynx.ac-test.lan charon: 11[CFG]  
>> reached self-signed root ca with a path length of 2
>> 2016-09-09T14:35:48.993709+02:00 sphynx.ac-test.lan charon: 11[IKE]
>> authentication of 'C=FR, L=Toulouse, O=Education Nationale,
>> OU=ac-toulouse, OU=0002 110043015, CN=0120101V-01-TEST.ac-toulouse.fr'
>> with RSA signature successful
>> 2016-09-09T14:35:48.993915+02:00 sphynx.ac-test.lan charon: 11[IKE]
>> IKE_SA
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1[1]
>> established between 192.168.0.11[C=FR, L=Dijon, O=Education Nationale,
>> OU=0002 110043015, CN=sphynx.ac-test.fr]...192.168.0.31[C=FR,
>> L=Toulouse, O=Education Nationale, OU=ac-toulouse, OU=0002 110043015,
>> CN=0120101V-01-TEST.ac-toulouse.fr]
>> 2016-09-09T14:35:48.994137+02:00 sphynx.ac-test.lan charon: 11[IKE]
>> IKE_SA
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1[1]
>> established between 192.168.0.11[C=FR, L=Dijon, O=Education Nationale,
>> OU=0002 110043015, CN=sphynx.ac-test.fr]...192.168.0.31[C=FR,
>> L=Toulouse, O=Education Nationale, OU=ac-toulouse, OU=0002 110043015,
>> CN=0120101V-01-TEST.ac-toulouse.fr]
>> 2016-09-09T14:35:48.994316+02:00 sphynx.ac-test.lan charon: 11[IKE]
>> scheduling reauthentication in 10146s
>> 2016-09-09T14:35:48.994585+02:00 sphynx.ac-test.lan charon: 11[IKE]
>> maximum IKE_SA lifetime 10686s
>> 2016-09-09T14:35:48.994955+02:00 sphynx.ac-test.lan charon: 11[IKE]
>> CHILD_SA
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1{1}
>> established with SPIs ccdd7bb4_i c01e70f1_o and TS 172.30.101.0/24 ===
>> 10.1.1.0/24
>> 2016-09-09T14:35:48.995159+02:00 sphynx.ac-test.lan charon: 11[IKE]
>> CHILD_SA
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1{1}
>> established with SPIs ccdd7bb4_i c01e70f1_o and TS 172.30.101.0/24 ===
>> 10.1.1.0/24
>> 2016-09-09T14:35:48.995469+02:00 sphynx.ac-test.lan charon: 11[IKE]
>> received AUTH_LIFETIME of 10248s, scheduling reauthentication in 9708s
>>
>>
>> The CRL cache is not empty with Ubuntu 14.04 and strongSwan version
>> 5.1.2-0ubuntu2.4 and the same configuration. I can see this line in the log
>> file:
>> 2016-09-09T13:39:42.728748+02:00 amon.etb1.lan charon: 21[CFG]   written
>> crl file
>> '/etc/ipsec.d/crls/cc2e370f06b2b9b5e92dffbe5237c61db4b70717.crl' (1307
>> bytes)
>> ls -l /etc/ipsec.d/crls/
>> total 4
>> -rw-r--r-- 1 root root 1307 sept.  9 13:39
>> cc2e370f06b2b9b5e92dffbe5237c61db4b70717.crl
>>
>>
>> Perhaps something is wrong in my strongSwan configuration?
>>
>>
>> Regards,
>> Fabrice Barconnière
>> http://pcll.ac-dijon.fr/eole/
>>
>>
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
> 
> 
> -- 
> Best regards,
> Fabrice Barconnière
> Pôle logiciels libres - EOLE
> 
> 
> 
> 

-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
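
Added example, not part of the original messages and not strongSwan code: a small Python check for the symptom reported in this thread. It derives the expected cache file name from the `authkey` line of `ipsec listcrls` (the thread shows the file name is the authkey hex without colons plus `.crl`) and pairs each `fetching crl` log event with a following `written crl file` event. The function names and the unwrapped log samples are constructed for illustration; the values in them are taken from the messages above.

```python
import os
import re

# "authkey: cc:2e:..." lines as printed by `ipsec listcrls`
AUTHKEY_RE = re.compile(r"authkey:\s*((?:[0-9a-f]{2}:)+[0-9a-f]{2})", re.I)
# \s+ between words so the patterns also match log text wrapped by a mail client
EVENT_RE = re.compile(r"(fetching\s+crl\s+from|written\s+crl\s+file)\s+'([^']+)'")

def expected_cache_files(listcrls_text):
    """File names the CRL cache should hold, one per CRL in `ipsec listcrls`."""
    return [m.group(1).replace(":", "").lower() + ".crl"
            for m in AUTHKEY_RE.finditer(listcrls_text)]

def missing_from_cache(listcrls_text, cache_dir):
    """CRLs charon holds in memory that have no file in the cache directory."""
    present = set(os.listdir(cache_dir))
    return [n for n in expected_cache_files(listcrls_text) if n not in present]

def crl_fetch_outcomes(log_text):
    """Pair each CRL fetch with the cache file written for it (None if none)."""
    outcomes = []
    for m in EVENT_RE.finditer(log_text):
        kind, value = m.group(1).split()[0], m.group(2)
        if kind == "fetching":
            outcomes.append([value, None])
        elif outcomes and outcomes[-1][1] is None:
            outcomes[-1][1] = value  # first write after the most recent fetch
    return [tuple(o) for o in outcomes]

# Constructed samples (unwrapped), using values quoted in the thread.
CRL_URL = "http://crl.pncn.education.gouv.fr/ac-men-scolarite-et-formation.crl"
CACHE_FILE = "/etc/ipsec.d/crls/cc2e370f06b2b9b5e92dffbe5237c61db4b70717.crl"
LISTCRLS = """List of X.509 CRLs:
  serial:    09:43
  revoked:   13 certificates
  authkey:   cc:2e:37:0f:06:b2:b9:b5:e9:2d:ff:be:52:37:c6:1d:b4:b7:07:17
"""
LOG_NOT_CACHED = (
    "2016-09-09T14:35:48.699828+02:00 sphynx.ac-test.lan charon: 11[CFG]   "
    f"fetching crl from '{CRL_URL}' ...\n"
    "2016-09-09T14:35:48.740439+02:00 sphynx.ac-test.lan charon: 11[CFG]   "
    "crl is valid: until Sep 16 00:00:05 2016\n"
)
LOG_CACHED = (
    "2016-09-09T13:39:42.700000+02:00 amon.etb1.lan charon: 21[CFG]   "
    f"fetching crl from '{CRL_URL}' ...\n"
    "2016-09-09T13:39:42.728748+02:00 amon.etb1.lan charon: 21[CFG]   "
    f"written crl file '{CACHE_FILE}' (1307 bytes)\n"
)

if __name__ == "__main__":
    for name, log in (("16.04 host", LOG_NOT_CACHED), ("14.04 host", LOG_CACHED)):
        for url, path in crl_fetch_outcomes(log):
            print(f"{name}: {url} -> {path or 'NOT WRITTEN TO CACHE'}")
    if os.path.isdir("/etc/ipsec.d/crls"):
        print("missing:", missing_from_cache(LISTCRLS, "/etc/ipsec.d/crls"))
```

On a live gateway, feed the real `ipsec listcrls` output and the charon log into the same functions instead of the samples.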
