Hi Andreas, simple but powerful solution! ;) It works now:
Feb 17 11:36:02 vpn charon: 13[CFG] checking certificate status of "C=DE, ST=Sachsen, L=Leipzig, O=StrongSWAN Project, OU=StrongSWAN PKI, CN=User003, e=user...@project.lan"
Feb 17 11:36:02 vpn charon: 13[CFG] fetching crl from 'http://192.168.1.50/StrongSWAN_Root_CA.crl' ...
Feb 17 11:36:02 vpn charon: 13[CFG] using trusted certificate "C=DE, ST=Sachsen, L=Leipzig, O=StrongSWAN Project, OU=StrongSWAN PKI, CN=StrongSWAN Root CA"
Feb 17 11:36:02 vpn charon: 13[CFG] crl correctly signed by "C=DE, ST=Sachsen, L=Leipzig, O=StrongSWAN Project, OU=StrongSWAN PKI, CN=StrongSWAN Root CA"
Feb 17 11:36:02 vpn charon: 13[CFG] certificate was revoked on Feb 16 23:01:43 UTC 2010, reason: unspecified
Feb 17 11:36:02 vpn charon: 13[IKE] no trusted RSA public key found for 'C=DE, ST=Sachsen, L=Leipzig, O=StrongSWAN Project, OU=StrongSWAN PKI, CN=User003, e=user...@project.lan'
Feb 17 11:36:02 vpn charon: 13[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Feb 17 11:36:02 vpn charon: 13[NET] sending packet: from 192.168.1.50[4500] to 192.168.1.7[39668]

Thank you very, very much!

Best Regards
Daniel

On 17.02.2010 07:06, Andreas Steffen wrote:
> Hi Daniel,
>
> 0x2d is the hyphen character '-'. This means that your CRL is in
> PEM encoded format:
>
> -----BEGIN X509 CRL-----
> MIIDKDCCARACAQEwDQYJKoZIhvcNAQEFBQAwQjELMAkGA1UEBhMCQ0gxFzAVBgNV
> ...
> D5YFfogtCUfUI7/qOdwwoSozPQVe7Ov4FES3peE+ii1Vm3hc07Fsc5zsWw=
> -----END X509 CRL-----
>
> Before putting a CRL onto a web server you must convert it into
> binary ASN.1-DER encoded format, e.g. with the command
>
>   openssl crl -in crl.pem -outform der -out strongSwan_Root_CA.crl
>
> Regards
>
> Andreas
>
> Daniel Riedemann wrote:
>
>> Hello all,
>>
>> I am using StrongSWAN for the first time and I am using the tool xca to
>> build a PKI. So far everything works fine (connection from a Windows 7
>> host to a Linux strongSwan gateway). The connection gets started correctly.
>>
>> Now I wanted to test the CRLs.
>> And installed a certificate at the
>> Windows client which I revoked later. But the CRL I am generating with
>> xca can't be read by charon:
>>
>> Feb 17 00:03:17 vpn charon: 14[CFG] fetching crl from
>> 'http://192.168.1.50/StrongSWAN_Root_CA.crl' ...
>> Feb 17 00:03:17 vpn charon: 14[LIB] L0 - certificateList: ASN1 tag 0x30
>> expected, but is 0x2d
>> Feb 17 00:03:17 vpn charon: 14[LIB] building CRED_CERTIFICATE - X509_CRL
>> failed, tried 2 builders
>> Feb 17 00:03:17 vpn charon: 14[CFG] crl fetched successfully but parsing
>> failed
>>
>> I generated a CRL with another tool (gnomint) also, but charon is
>> telling me the same...
>>
>> If I place the CRL directly into /etc/ipsec.d/crls I just see this in
>> the log:
>>
>> Feb 17 00:51:28 vpn charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
>> Feb 17 00:51:28 vpn charon: 00[CFG] loaded crl from
>> '/etc/ipsec.d/crls/StrongSWAN_Root_CA.crl'
>>
>> But the connection gets started normally, so the CRL in this directory is
>> also not read correctly.
>>
>> I'm using RSA certificates with 4096 bit for the CA, and 2048 bit for
>> gateway and client. Hashing algorithm is sha-256.
>>
>> What am I doing wrong? Or is there a bug in both tools (or strongSwan)?
>> I really appreciate your help.
>>
>> Best Regards
>> Daniel Riedemann
>>
>>
>> ipsec.conf:
>>
>> config setup
>>         crlcheckinterval=600
>>         cachecrls=yes
>>         nat_traversal=yes
>>         charonstart=yes
>>         plutostart=no
>>
>> ca StrongSWAN_Root_CA
>>         cacert=StrongSWAN_Root_CA.crt
>>         crluri="http://192.168.1.50/StrongSWAN_Root_CA.crl"
>>         auto=add
>>
>> conn roadwarrior-ikev2
>>         authby=pubkey
>>         auth=esp
>>         type=tunnel
>>         keyexchange=ikev2
>>         auto=add
>>         compress=yes
>>         dpddelay=15
>>         dpdtimeout=60
>>         esp=aes256-sha1-modp2048
>>         ike=aes256-sha1-modp2048
>>         rekey=yes
>>         ikelifetime=10800
>>         lifetime=3600
>>         reauth=yes
>>         margintime=180
>>         pfs=yes
>>         left=%defaultroute
>>         leftcert=vpn.project.lan.crt
>>         leftfirewall=yes
>>         left...@vpn.project.lan
>>         leftsendcert=ifasked
>>         leftsubnet=10.0.0.0/8
>>         right=%any
>>         rightsourceip=172.17.0.0/16
>>
> ======================================================================
> Andreas Steffen                         andreas.stef...@strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
> _______________________________________________
> Users mailing list
> Users@lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
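The PEM-versus-DER mistake Andreas diagnoses above can be caught before the CRL ever reaches the web server. The script below is an added example, not strongSwan's code and not part of the thread: it does in Python what charon's parser does on the first byte (expect the ASN.1 SEQUENCE tag 0x30; a PEM file starts with "-----BEGIN", i.e. 0x2d), unwraps PEM armour to DER the way `openssl crl -outform der` does, and checks that the outer DER length matches the file size. The sample bytes are a constructed minimal DER SEQUENCE, not a real CRL, and all function names are mine.

```python
"""Detect and normalise a CRL's encoding before publishing it for strongSwan.

Added example (not strongSwan project code). charon expects the file at the
crluri, and files in /etc/ipsec.d/crls, to be binary DER. Its parser checks
the first byte against the ASN.1 SEQUENCE tag 0x30; a PEM file begins with
"-----BEGIN", whose first byte is the hyphen 0x2d, which is exactly the
"ASN1 tag 0x30 expected, but is 0x2d" error seen in the thread.
"""
import base64
import re
import sys
from typing import Optional, Tuple

SEQUENCE_TAG = 0x30
PEM_ARMOUR = re.compile(
    rb"-----BEGIN X509 CRL-----\s*(.*?)\s*-----END X509 CRL-----", re.S)


def read_der_length(buf: bytes, offset: int) -> Tuple[int, int]:
    """Return (content_length, size_of_length_field) for the DER length at offset."""
    first = buf[offset]
    if first < 0x80:                      # short form: one byte
        return first, 1
    n = first & 0x7F                      # long form: n following bytes
    if n == 0 or n > 4 or offset + 1 + n > len(buf):
        raise ValueError("malformed DER length")
    return int.from_bytes(buf[offset + 1:offset + 1 + n], "big"), 1 + n


def check_der_sequence(der: bytes) -> None:
    """Mirror charon's outer check: tag must be SEQUENCE and length must fit."""
    if not der:
        raise ValueError("empty CRL")
    if der[0] != SEQUENCE_TAG:
        raise ValueError(f"ASN1 tag 0x30 expected, but is 0x{der[0]:02x}")
    length, hdr = read_der_length(der, 1)
    if 1 + hdr + length != len(der):
        raise ValueError("DER length field does not match file size")


def encoding_of(data: bytes) -> str:
    """'pem' if the bytes carry X509 CRL armour, else 'der'."""
    return "pem" if PEM_ARMOUR.search(data) else "der"


def to_der(data: bytes) -> bytes:
    """Accept a CRL as PEM or DER and return validated DER bytes."""
    m = PEM_ARMOUR.search(data)
    if m:
        body = b"".join(m.group(1).split())      # drop line breaks inside the armour
        der = base64.b64decode(body, validate=True)
    else:
        der = data
    check_der_sequence(der)
    return der


def charon_would_say(data: bytes) -> Optional[str]:
    """What charon's DER parser reports if handed these raw bytes, or None if fine."""
    try:
        check_der_sequence(data)
    except ValueError as e:
        return str(e)
    return None


def pem_armour(der: bytes) -> bytes:
    """Wrap DER in PEM armour (64-character base64 lines), as xca/gnomint emit it."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"-----BEGIN X509 CRL-----\n" + b"\n".join(lines) + b"\n-----END X509 CRL-----\n"


# Constructed sample: SEQUENCE { INTEGER 1, INTEGER 2 }. Not a real CRL; it only
# exercises the outer tag/length logic that decides whether charon can parse the file.
SAMPLE_DER = bytes([0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x02])
SAMPLE_PEM = pem_armour(SAMPLE_DER)


if __name__ == "__main__":
    # Usage: python crlcheck.py StrongSWAN_Root_CA.crl [out.der]
    raw = open(sys.argv[1], "rb").read()
    print(f"{sys.argv[1]}: {encoding_of(raw)} encoded; "
          f"charon on raw bytes: {charon_would_say(raw) or 'OK'}")
    der = to_der(raw)
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(der)
        print(f"wrote DER CRL ({len(der)} bytes) to {sys.argv[2]}")
```

Run it on the file xca or gnomint produced before copying it to the web root or to /etc/ipsec.d/crls; a PEM file is reported with the same "0x2d" complaint charon logs, and the DER output is what Andreas's `openssl crl -in crl.pem -outform der` command produces. The script only validates the outer SEQUENCE framing; signature verification against the CA is still charon's job ("crl correctly signed by ..." in the log above).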