<html><head><style type="text/css">body{font:12px Arial;margin:3px;overflow-y:auto;overflow-x:auto}p{margin:0px;}blockquote, ol, ul{margin-top:0px;margin-bottom:0px;}</style></head>
<body><div style="DISPLAY: block; FONT-SIZE: 12px; FONT-FAMILY: Arial"><P><BR><BR>>><I> When a host downloads a CRL from my Apache server, I cannot see any copy in the /etc/ipsec.d/crls directory. But if I run ipsec auto --listall, I can see the downloaded CRL!!<BR></I>>><I><BR></I>>><I> So on the host, where is the downloaded copy of the CRL stored?<BR></I>>><I> Is it normal that I have no copy in the /etc/ipsec.d/crls directory?<BR></I><BR>>That is normal. Pluto loads the data in memory. The CRLs are not persistent<BR>>over restarts/reboots. The ipsec.d/crls directory is just another method for<BR>>loading CRLs into pluto. Since you use http, you do not need files in the<BR>>crls directory.<BR><BR>>Though perhaps it is an idea to save them there, to gain some sort of<BR>>persistency over reboots.<BR><BR>>Paul</P><br/>
<P> </P><br/>
<P>OK, thanks Paul,</P><br/>
<P> </P><br/>
<P>1) So when I establish a VPN from userA to userB, only userB connects to my Apache server to download a CRL to check the userA certificate. However, both certificates (userA and userB) have the distribution point set:</P><br/>
<P> </P><br/>
<P>X509v3 extensions:<BR>X509v3 CRL Distribution Points:<BR>URI:<A href="http://195.212.109.205/ca.crl" target=_blank>http://195.212.109.205/ca.crl</A></P><br/>
<P> </P><br/>
<P>Why does only one of the two try to connect to the Apache server? Why userB?</P><br/>
<P> </P><br/>
<P>---------------------------------userB ipsec.conf---------------<BR>config setup<BR>klipsdebug=none<BR>plutodebug=all<BR>crlcheckinterval=600<BR><BR>conn %default<BR>keyingtries=0<BR>authby=rsasig<BR><BR>conn testvpnda<BR>left=195.212.109.202<BR>leftcert=user01desuri.crt<BR>right=%any<BR>auto=add<BR>---------------------------------------------------------</P><br/>
<P> </P><br/>
<P>---------------------------------userA ipsec.conf---------------</P><br/>
<P>config setup<BR>klipsdebug=none<BR>plutodebug=none<BR>crlcheckinterval=600<BR><BR>conn %default<BR>keyingtries=0<BR>authby=rsasig<BR><BR>conn testvpnda<BR>left=195.212.109.203<BR>leftcert=user04desnvaliduri.crt<BR>right=195.212.109.202<BR>rightid="C=fr, ST=ile-de-france, L=paris, O=toto, CN=user01desuri, E=ngc1976.m42@caramail.com"<BR>auto=add<BR>---------------------------------------------------------</P><br/>
<P> </P><br/>
<P>2) When userB downloads the CRL from the Apache server, the VPN is established even if the userA certificate is revoked!!</P><br/>
<P>However, with this downloaded CRL, when I run ipsec auto --listall, I can see the correct number of revoked certificates...</P><br/>
<P>But when I put this CRL in the /etc/ipsec.d/crls directory, the VPN cannot be established.</P><br/>
<P> </P><br/>
<P>What is the matter with the CRL loaded in memory from the Apache server?</P><br/>
<P> </P><br/>
<P>david</P></div></body></html>