[Openswan Users] crlDistributionPoints

david p david2005.p at gmail.com
Mon Jun 6 13:21:10 CEST 2005


>> When a host download a CRL from my Apache server, I cannot see any
copy on the /etc/ipsec.d/crls directory . But if I make a ipsec auto
--listall, I can see the downloaded CRL !!
>>
>> So on the host, where is stored the downloaded copy of the CRL ?
>> Is It normal that I have no copy on the /etc/ipsec.d/crls directory ?

>That is normal. Pluto loads teh data in memory. The CRLs are not persistent
>over restarts/reboots. The ipsec.d/crls direcotry is just another method for
>loading crls into pluto. Since you use http, you do not need files in the
>crls directory.

>Though perhaps it is an idea to savethem there, to gain some sort of
>persistency over reboots.

>Paul


ok thx Paul,


1) So when I establish a VPN from a userA to userB only the userB
connect itself to my Apache server to download a CRL to check the
userA certificate. However the 2 certificates (userA and userB) have
the distribution point set :


X509v3 extensions:
X509v3 CRL Distribution Points:
URI:http://195.212.109.205/ca.crl


Why only one of the two try to connect thge Apache server ? why the userB ?


---------------------------------userB ipsec.conf---------------
config setup
klipsdebug=none
plutodebug=all
crlcheckinterval=600

conn %default
keyingtries=0
authby=rsasig

conn testvpnda
left=195.212.109.202
leftcert=user01desuri.crt
right=%any
auto=add
---------------------------------------------------------


---------------------------------userA ipsec.conf---------------

config setup
klipsdebug=none
plutodebug=none
crlcheckinterval=600

conn %default
keyingtries=0
authby=rsasig

conn testvpnda
left=195.212.109.203
leftcert=user04desnvaliduri.crt
right=195.212.109.202
rightid="C=fr, ST=ile-de-france, L=paris, O=toto, CN=user01desuri,
E=ngc1976.m42 at caramail.com"
auto=add
---------------------------------------------------------


2) When the userB download theCRL from the Apache server, the VPN is
established evenif the userA certificate is revoked !!
however, with this dowloaded CRL , when I make a ipsec auto --listall,
I can see the good number of revoked cetificates...

but when I put this CRL in the /etc/ipsec.d/crls directory , the VPN
cannot be established.

what is the matter with the CRL loaded in memory from the Apache server?

david


More information about the Users mailing list