Hello all,

I am using StrongSWAN for the first time and I am using the tool xca to build a PKI. So far everything works fine (connection from a Windows 7 host to a Linux strongSwan gateway). The connection gets started correctly.

Now I wanted to test the CRLs, and installed a certificate on the Windows client which I revoked later. But the CRL I am generating with xca can't be read by charon:

Feb 17 00:03:17 vpn charon: 14[CFG] fetching crl from 'http://192.168.1.50/StrongSWAN_Root_CA.crl' ...
Feb 17 00:03:17 vpn charon: 14[LIB] L0 - certificateList: ASN1 tag 0x30 expected, but is 0x2d
Feb 17 00:03:17 vpn charon: 14[LIB] building CRED_CERTIFICATE - X509_CRL failed, tried 2 builders
Feb 17 00:03:17 vpn charon: 14[CFG] crl fetched successfully but parsing failed

I generated a CRL with another tool (gnomint) as well, but charon is telling me the same...

If I place the CRL directly into /etc/ipsec.d/crls I just see this in the log:

Feb 17 00:51:28 vpn charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Feb 17 00:51:28 vpn charon: 00[CFG] loaded crl from '/etc/ipsec.d/crls/StrongSWAN_Root_CA.crl'

But the connection gets started normally, so the CRL in this directory is also not read correctly.

I am using RSA certificates with 4096 bit for the CA, and 2048 bit for gateway and client. Hashing algorithm is sha-256.

What am I doing wrong? Or is there a bug in both tools (or strongswan)? I really appreciate your help.

Best Regards
Daniel Riedemann

ipsec.conf:

config setup
    crlcheckinterval=600
    cachecrls=yes
    nat_traversal=yes
    charonstart=yes
    plutostart=no

ca StrongSWAN_Root_CA
    cacert=StrongSWAN_Root_CA.crt
    crluri="http://192.168.1.50/StrongSWAN_Root_CA.crl"
    auto=add

conn roadwarrior-ikev2
    authby=pubkey
    auth=esp
    type=tunnel
    keyexchange=ikev2
    auto=add
    compress=yes
    dpddelay=15
    dpdtimeout=60
    esp=aes256-sha1-modp2048
    ike=aes256-sha1-modp2048
    rekey=yes
    ikelifetime=10800
    lifetime=3600
    reauth=yes
    margintime=180
    pfs=yes
    left=%defaultroute
    leftcert=vpn.project.lan.crt
    leftfirewall=yes
    left...@vpn.project.lan
    leftsendcert=ifasked
    leftsubnet=10.0.0.0/8
    right=%any
    rightsourceip=172.17.0.0/16
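
Added example (not part of the original post and not strongSwan code): the byte 0x2d in charon's error is ASCII '-', the first character of a PEM "-----BEGIN" line, while a DER-encoded CRL starts with the ASN.1 SEQUENCE tag 0x30. The Python sketch below classifies a CRL file by that first byte and strips PEM armor to DER; the function names and the sample bytes are constructed for illustration.

```python
import base64
import re
import sys

# Constructed stand-in for a DER CRL: SEQUENCE { INTEGER 1 }. Not a real CRL,
# only enough bytes to show the outer tag the parser looks at.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
SAMPLE_PEM = (b"-----BEGIN X509 CRL-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END X509 CRL-----\n")

PEM_RE = re.compile(
    rb"-----BEGIN X509 CRL-----\s*(.+?)\s*-----END X509 CRL-----", re.DOTALL)


def crl_encoding(data: bytes) -> str:
    """Classify a CRL blob by its first bytes: 'der', 'pem' or 'unknown'."""
    if data[:1] == b"\x30":  # ASN.1 SEQUENCE: the tag the log says was expected
        return "der"
    if data.lstrip().startswith(b"-----BEGIN X509 CRL-----"):  # 0x2d is '-'
        return "pem"
    return "unknown"


def to_der(data: bytes) -> bytes:
    """Return DER bytes, removing PEM armor if it is present."""
    kind = crl_encoding(data)
    if kind == "der":
        return data
    if kind == "pem":
        match = PEM_RE.search(data)
        if match is None:
            raise ValueError("PEM header without matching footer")
        der = base64.b64decode(match.group(1))  # newlines in the body are ignored
        if der[:1] != b"\x30":
            raise ValueError("decoded body does not start with a SEQUENCE tag")
        return der
    raise ValueError(f"not a CRL: first byte is 0x{data[:1].hex() or '--'}")


if __name__ == "__main__":
    # With a path argument, inspect that file; otherwise use the constructed sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PEM
    print("first byte: 0x%02x, encoding: %s" % (blob[0], crl_encoding(blob)))
    print("DER length after conversion:", len(to_der(blob)))
```
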