Re: [strongSwan] CRL check: how to fail over to local CRL if fetch fails

2017-04-21 Thread Zach Cutlip
Tobias, You tipped me off to the problem. When I generate CRLs, authKeyIdentifier wasn't included. The [crl_ext] was commented out by default from the CA section of my openssl config file. Other services were fine with it though, so I never realized it was missing. The local CRL now gets checked.

Re: [strongSwan] DPD issues when using multiple interfaces to same Gateway

2017-04-21 Thread Tobias Brunner
Hi Anthony, >> 1- Do DPD rules apply to individual tunnels? If one tunnel cannot >> communicate with the Gateway but others are, what happens if the DPD timer >> expires in only one of them? > > Yes, they apply to each IKE_SA individually. > A.M. DpdAction=clear, and multiple interfaces, after

Re: [strongSwan] CRL check: how to fail over to local CRL if fetch fails

2017-04-21 Thread Tobias Brunner
Hi Zach, > Why is the CRL loaded from /etc/ipsec.d/crls/, but not consulted? It is either not valid or does not apply when verifying the validity of the peer's certificate. The lookup for cached CRLs is based on the subjectKeyIdentifier in the issuer certificate - which must match the

Re: [strongSwan] CRL check: how to fail over to local CRL if fetch fails

2017-04-21 Thread Zach Cutlip
Noel, No, I don't seem to have the files plugin. I see that it is new as of strongswan 5.3.0. I'm running Debian Jessie which ships strongswan 5.2.1. I don't see any package providing this plugin. Shouldn't fetching from file:/// work prior to 5.3.0? I see examples in google searches of CRLs

Re: [strongSwan] CRL check: how to fail over to local CRL if fetch fails

2017-04-21 Thread Noel Kuntze
Hello Zach, Make sure you have the "files"[1] plugin. [1] https://wiki.strongswan.org/projects/strongswan/wiki/PluginList Kind regards, Noel Am 21.04.2017 um 19:32 schrieb Zach Cutlip: > I'm not sure why the CRL loaded from /etc/ipsec.d/crls isn't > being checked during authentication.

Re: [strongSwan] CRL check: how to fail over to local CRL if fetch fails

2017-04-21 Thread Zach Cutlip
I'm not sure why the CRL loaded from /etc/ipsec.d/crls isn't being checked during authentication. It's definitely cached in memory according to 'ipsec listcrls'. However, I've added a ca section to ipsec.conf, listing the exact same crl, but with a file:/// url: crluri =

Re: [strongSwan] DPD issues when using multiple interfaces to same Gateway

2017-04-21 Thread Modster, Anthony
Hello Tobias Also, we are using VICI -Original Message- From: Modster, Anthony Sent: Friday, April 21, 2017 9:24 AM To: 'Tobias Brunner' ; Marc Obbad ; Users@lists.strongswan.org Subject: RE: [strongSwan] DPD issues when using multiple

Re: [strongSwan] CRL check: how to fail over to local CRL if fetch fails

2017-04-21 Thread Zach Cutlip
Tobias, Anything in particular I should be looking for in the logs? I definitely see the CRL getting loaded from disk when I start the service. I also see in the logs the remote CRL fetch failing. Nothing is mentioned in the logs about the local CRL. Thanks On Fri, Apr 21, 2017 at 12:20 AM,

Re: [strongSwan] DPD issues when using multiple interfaces to same Gateway

2017-04-21 Thread Modster, Anthony
Hello Tobias See below -Original Message- From: Users [mailto:users-boun...@lists.strongswan.org] On Behalf Of Tobias Brunner Sent: Friday, April 21, 2017 12:24 AM To: Marc Obbad ; Users@lists.strongswan.org Subject: Re: [strongSwan] DPD issues when using multiple

Re: [strongSwan] How to retrieve remote certificates

2017-04-21 Thread John Brown
Hello Noel. The debian strongswan-standard-plugins package was missing (because of some earlier upgrade issues), I've reinstalled it and this fixed the problem. 2017-02-16 21:59 GMT+01:00 Noel Kuntze : > Hello John, > > > In the meantime my experiments have shown that the

Re: [strongSwan] Tunnels with dynamic IP and another route issue

2017-04-21 Thread Dusan Ilic
Okay, one correction: left=%hostname is working for one of my tunnels, but not the other. See below. The working: sending cert request for "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3" authentication of 'hostname' (myself) with pre-shared key establishing CHILD_SA Azure generating

[strongSwan] Tunnels with dynamic IP and another route issue

2017-04-21 Thread Dusan Ilic
Hi! I have some issues, please read on. 1. I have one side of the IPsec tunnel with dynamic IP (associated with a dynamic hostname). I would like to not need to change the "left"-parameter in both ipsec.conf and ipsec.secrets whenever the local WAN IP changes, so I have tried putting "left =

Re: [strongSwan] DPD issues when using multiple interfaces to same Gateway

2017-04-21 Thread Tobias Brunner
Hi Marc, > 1- Do DPD rules apply to individual tunnels? If one tunnel cannot > communicate with the Gateway but others are, what happens if the DPD timer > expires in only one of them? Yes, they apply to each IKE_SA individually. > 2- When we set DPD action as restart, do we need to terminate the

Re: [strongSwan] CRL check: how to fail over to local CRL if fetch fails

2017-04-21 Thread Tobias Brunner
Hi Zach, > Alternatively, is there a way to just ignore embedded CRL distribution > points, and always use the local CRL? If the revocation plugin finds a cached CRL (either previously fetched or loaded manually) that's still valid it will use that and not fetch any remote CRLs. Check the log