Hi Daniel,

0x2d is the hyphen character '-'. This means that your CRL is in PEM encoded format:

-----BEGIN X509 CRL-----
MIIDKDCCARACAQEwDQYJKoZIhvcNAQEFBQAwQjELMAkGA1UEBhMCQ0gxFzAVBgNV
...
D5YFfogtCUfUI7/qOdwwoSozPQVe7Ov4FES3peE+ii1Vm3hc07Fsc5zsWw=
-----END X509 CRL-----

Before putting a CRL onto a web server you must convert it into binary ASN.1-DER encoded format, e.g. with the command

  openssl crl -in crl.pem -outform der -out strongSwan_Root_CA.crl

Regards

Andreas

Daniel Riedemann wrote:
> Hello all,
>
> I am using StrongSWAN for the first time and I am using the tool xca to
> build a PKI. So far everything works fine (connection from a Windows 7
> host to a Linux strongSwan gateway). The connection gets started correctly.
>
> Now I wanted to test the CRLs. And installed a certificate at the
> Windows client which I revoked later. But the CRL I am generating with
> xca can't be read by charon:
>
> Feb 17 00:03:17 vpn charon: 14[CFG] fetching crl from 'http://192.168.1.50/StrongSWAN_Root_CA.crl' ...
> Feb 17 00:03:17 vpn charon: 14[LIB] L0 - certificateList: ASN1 tag 0x30 expected, but is 0x2d
> Feb 17 00:03:17 vpn charon: 14[LIB] building CRED_CERTIFICATE - X509_CRL failed, tried 2 builders
> Feb 17 00:03:17 vpn charon: 14[CFG] crl fetched successfully but parsing failed
>
> I generated a CRL with another tool (gnomint) also, but charon is
> telling me the same...
>
> If I place the CRL directly into /etc/ipsec.d/crls I just see this in
> the log:
>
> Feb 17 00:51:28 vpn charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
> Feb 17 00:51:28 vpn charon: 00[CFG] loaded crl from '/etc/ipsec.d/crls/StrongSWAN_Root_CA.crl'
>
> But the connection gets started normally, so the CRL in this directory is
> also not read correctly.
>
> I'm using RSA certificates with 4096 bit for the CA, and 2048 bit for
> gateway and client. Hashing algorithm is sha-256.
>
> What am I doing wrong? Or is there a bug in both tools (or strongSwan)?
> I really appreciate your help.
>
> Best Regards
> Daniel Riedemann
>
>
> ipsec.conf:
>
> config setup
>     crlcheckinterval=600
>     cachecrls=yes
>     nat_traversal=yes
>     charonstart=yes
>     plutostart=no
>
> ca StrongSWAN_Root_CA
>     cacert=StrongSWAN_Root_CA.crt
>     crluri="http://192.168.1.50/StrongSWAN_Root_CA.crl"
>     auto=add
>
> conn roadwarrior-ikev2
>     authby=pubkey
>     auth=esp
>     type=tunnel
>     keyexchange=ikev2
>     auto=add
>     compress=yes
>     dpddelay=15
>     dpdtimeout=60
>     esp=aes256-sha1-modp2048
>     ike=aes256-sha1-modp2048
>     rekey=yes
>     ikelifetime=10800
>     lifetime=3600
>     reauth=yes
>     margintime=180
>     pfs=yes
>     left=%defaultroute
>     leftcert=vpn.project.lan.crt
>     leftfirewall=yes
>     left...@vpn.project.lan
>     leftsendcert=ifasked
>     leftsubnet=10.0.0.0/8
>     right=%any
>     rightsourceip=172.17.0.0/16

======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
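The encoding mix-up above is easy to catch before the CRL ever reaches the web server: a DER CertificateList starts with the ASN.1 SEQUENCE tag 0x30, while PEM armor starts with '-' (0x2d), which is exactly the byte charon complained about. The following script is an added example, not code from this thread or from strongSwan; it classifies a CRL file by its first byte, performs the same PEM-to-DER conversion that `openssl crl -in crl.pem -outform der` does (strip the armor, base64-decode), and checks that the outer SEQUENCE length matches the file size so a truncated download is also rejected. The sample it runs on is a constructed minimal SEQUENCE wrapped in X509 CRL armor, not a real CRL, so it works offline; for a real file use `crl_to_der(open("crl.pem", "rb").read())`.

```python
"""Pre-publish check for a CRL: is it DER (what charon expects) or still PEM?

Added example, not part of the strongSwan mailing-list thread. The constructed
sample below is a tiny DER SEQUENCE, not a real CRL, so the script runs offline.
"""
import base64
import re

ASN1_SEQUENCE_TAG = 0x30   # a DER CertificateList always begins with SEQUENCE
PEM_HYPHEN = 0x2D          # '-', the first byte of "-----BEGIN X509 CRL-----"
PEM_BLOCK = re.compile(
    rb"-----BEGIN X509 CRL-----\s*(.*?)\s*-----END X509 CRL-----", re.S)


def classify_crl(data: bytes) -> str:
    """Return 'der', 'pem' or 'unknown' from the leading byte, like charon's tag check."""
    if not data:
        return "unknown"
    if data[0] == ASN1_SEQUENCE_TAG:
        return "der"
    if data[0] == PEM_HYPHEN and data.startswith(b"-----BEGIN"):
        return "pem"
    return "unknown"


def der_total_length(der: bytes) -> int:
    """Length of the outermost SEQUENCE including its header (detects truncation)."""
    if len(der) < 2 or der[0] != ASN1_SEQUENCE_TAG:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n following length bytes
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def crl_to_der(data: bytes) -> bytes:
    """Equivalent of `openssl crl -in crl.pem -outform der`; DER input passes through."""
    kind = classify_crl(data)
    if kind == "der":
        der = data
    elif kind == "pem":
        m = PEM_BLOCK.search(data)
        if m is None:
            raise ValueError("PEM armor present but no X509 CRL block found")
        # Remove line breaks inside the base64 body, then decode strictly.
        der = base64.b64decode(b"".join(m.group(1).split()), validate=True)
    else:
        raise ValueError(
            f"first byte 0x{data[0]:02x}: neither DER SEQUENCE (0x30) nor PEM armor (0x2d)")
    if der_total_length(der) != len(der):
        raise ValueError("DER CRL is truncated or has trailing garbage")
    return der


def check_crl_file(data: bytes) -> tuple:
    """(ok, message) verdict for a file about to be published at a crluri."""
    try:
        der = crl_to_der(data)
    except ValueError as exc:
        return (False, str(exc))
    if classify_crl(data) == "pem":
        return (False, "PEM encoded; publish the DER form (%d bytes) instead" % len(der))
    return (True, "DER encoded, %d bytes" % len(der))


# Constructed sample: SEQUENCE { INTEGER 1, NULL } = 30 05 02 01 01 05 00 (7 bytes).
SAMPLE_DER = bytes.fromhex("30050201010500")
SAMPLE_PEM = (b"-----BEGIN X509 CRL-----\n"
              b"MAUCAQEFAA==\n"          # base64 of SAMPLE_DER
              b"-----END X509 CRL-----\n")

if __name__ == "__main__":
    for label, blob in (("pem", SAMPLE_PEM), ("der", SAMPLE_DER)):
        print(label, "first byte 0x%02x" % blob[0], check_crl_file(blob))
```

Running it prints a rejection for the PEM sample (first byte 0x2d) and an acceptance for the DER sample (first byte 0x30); the same first-byte test applies to the file that ends up in /etc/ipsec.d/crls or behind the crluri.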