[strongSwan] IKEv2 : Tunnel gets established even when local cert startDate is invalid

Tobias Brunner tobias at strongswan.org
Thu Feb 16 18:54:39 CET 2017

Hi Sriram,

> "ipsec listcerts" says that the above (device)cert is not yet valid.
> Still tunnel gets established properly.

strongSwan does use seemingly invalid certificates for its own
authentication, but won't accept invalid remote certificates.  So if the
server certificate was also only valid in the future, which is not the
case here...

> validity:  not before Oct 19 11:44:56 2015, ok

...it wouldn't accept it, unless...

> systime-fix plugin is included.

...this plugin is configured appropriately (see [1] for details).


[1] https://wiki.strongswan.org/projects/strongswan/wiki/SystimeFixPlugin

More information about the Users mailing list