Tobias,
You tipped me off to the problem. When I generate CRLs,
authKeyIdentifier wasn't included. The [crl_ext] was commented out by
default from the CA section of my openssl config file. Other services
were fine with it though, so I never realized it was missing. The
local CRL now gets checked.
Hi Anthony,
>> 1- Do DPD rules apply to individual tunnels? If one tunnel cannot
>> communicate with the Gateway but others can, what happens if the DPD timer
>> expires in only one of them?
>
> Yes, they apply to each IKE_SA individually.
> A.M. DpdAction=clear, and multiple interfaces, after
Hi Zach,
> Why is the CRL loaded from /etc/ipsec.d/crls/, but not consulted?
It is either not valid or does not apply when verifying the validity of
the peer's certificate. The lookup for cached CRLs is based on the
subjectKeyIdentifier in the issuer certificate - which must match the
Noel,
No, I don't seem to have the files plugin. I see that it is new as of
strongswan 5.3.0. I'm running Debian Jessie which ships strongswan
5.2.1. I don't see any package providing this plugin.
Shouldn't fetching from file:/// work prior to 5.3.0? I see examples
in google searches of CRLs
Hello Zach,
Make sure you have the "files"[1] plugin.
[1] https://wiki.strongswan.org/projects/strongswan/wiki/PluginList
Kind regards,
Noel
On 21.04.2017 at 19:32, Zach Cutlip wrote:
> I'm not sure why the CRL loaded from /etc/ipsec.d/crls isn't
> being checked during authentication.
I'm not sure why the CRL loaded from /etc/ipsec.d/crls isn't
being checked during authentication. It's definitely cached in memory
according to 'ipsec listcrls'
However, I've added a ca section to ipsec.conf, listing the exact same
crl, but with a file:/// url:
crluri =
Hello Tobias
Also, we are using VICI
-Original Message-
From: Modster, Anthony
Sent: Friday, April 21, 2017 9:24 AM
To: 'Tobias Brunner' ; Marc Obbad
; Users@lists.strongswan.org
Subject: RE: [strongSwan] DPD issues when using multiple
Tobias,
Anything in particular I should be looking for in the logs? I
definitely see the CRL getting loaded from disk when I start the
service. I also see in the logs the remote CRL fetch failing. Nothing
is mentioned in the logs about the local CRL.
Thanks
On Fri, Apr 21, 2017 at 12:20 AM,
Hello Tobias
See below
-Original Message-
From: Users [mailto:users-boun...@lists.strongswan.org] On Behalf Of Tobias
Brunner
Sent: Friday, April 21, 2017 12:24 AM
To: Marc Obbad ; Users@lists.strongswan.org
Subject: Re: [strongSwan] DPD issues when using multiple
Hello Noel.
The Debian strongswan-standard-plugins package was missing (because of
some earlier upgrade issues); I've reinstalled it and this fixed the
problem.
2017-02-16 21:59 GMT+01:00 Noel Kuntze :
> Hello John,
>
> > In the meantime my experiments have shown that the
Okay, one correction:
left=%hostname is working for one of my tunnels, but not the other. See
below.
The working:
sending cert request for "C=US, O=Let's Encrypt, CN=Let's Encrypt
Authority X3"
authentication of 'hostname' (myself) with pre-shared key
establishing CHILD_SA Azure
generating
Hi!
I have some issues, please read on.
1. I have one side of the IPsec tunnel with a dynamic IP (associated with
a dynamic hostname). I would like not to need to change the
"left" parameter in both ipsec.conf and ipsec.secrets whenever the local
WAN IP changes, so I have tried putting "left =
Hi Marc,
> 1- Do DPD rules apply to individual tunnels? If one tunnel cannot
> communicate with the Gateway but others can, what happens if the DPD timer
> expires in only one of them?
Yes, they apply to each IKE_SA individually.
> 2- When we set DPD action as restart, do we need to terminate the
Hi Zach,
> Alternatively, is there a way to just ignore embedded CRL distribution
> points, and always use the local CRL?
If the revocation plugin finds a cached CRL (either previously fetched
or loaded manually) that's still valid it will use that and not fetch
any remote CRLs. Check the log