[strongSwan] IKEv2 : Tunnel gets established even when local cert startDate is invalid

Sriram sriram.ec at gmail.com
Thu Feb 16 17:48:00 CET 2017


In one our of linux devices which is the vpn client, the date is not set
properly because of gps issue.

[root at 0005B9xxxxxx /]# date
Wed Feb  8 05:56:43 UTC 2017

0005B9xxxxxx.airvana.com i.e this DNS name represents the linux device
certificate .

[root at 0005B9xxxxxx /]# ipsec listcerts

List of X.509 End Entity Certificates:

  altNames:  0005B9xxxxxx.airvana.com
  subject:  "CN=0005B9xxxxxx, OU=abc 2015 abcLLC., O=abc LLC., C=US"
  issuer:   "CN=abc SubCA1, OU=abc Copyright 2015 abc LLC., O=abc LLC.,
  serial:    69:47:d4:eb:88:7a:0c:66
 * validity:  not before Feb 08 11:09:12 2017, not valid yet (valid in 5
             not after  Feb 08 11:09:12 2018, ok
  pubkey:    RSA 2048 bits, has private key
  keyid:     5b:6f:ff:a6:ad:8c:a8:97:8e:ae:07:d6:90:22:91:74:52:9a:7a:93
  subjkey:   1c:50:4d:46:65:4a:4f:f6:48:2c:0d:98:9f:a8:f2:01:0a:28:1a:43
  authkey:   d8:a4:0d:19:29:8b:66:44:db:76:72:e1:8a:2f:8a:57:be:72:4f:8d


"ipsec listcerts" says that the above (device)cert is not yet valid. Still
tunnel gets established properly.

*Note that the date is set properly in Security Gateway. Security Gateway's
certificate validity is as follows,*
* validity:  not before Oct 19 11:44:56 2015, ok                not after
 Oct 18 11:44:56 2017, ok*

systime-fix plugin is included.  Is this the desired behavior ?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170216/1f15b47f/attachment.html>

More information about the Users mailing list