[Openswan Users] ocsp & openswan

david david2005.p at gmail.com
Wed Jun 15 19:10:22 CEST 2005


2005/6/14, Andreas Steffen <andreas.steffen at strongsec.net>:
> Yes, if the certs have an Authority Information Access Entry
> then the OCSP server should be contacted as soon as the
> certificate is received from the peer. Use
> 
>  ipsec auto --listocsp
> 
> to check if any OCSP fetch requests have been generated.
> 
> My OCSP test scenario available from
> 
>  http://www.strongswan.org/uml/testresults/ocsp-strict/
> 
> shows how the OCSP fetching works.
> 
> Regards
> 
> Andreas
>

Here are my two configs for the VPN ends:

---------------------------------userB ipsec.conf---------------
config setup
    klipsdebug=none
    plutodebug=all
    crlcheckinterval=600

conn %default
    keyingtries=0
    authby=rsasig

conn testvpnda
    left=195.212.109.202
    leftcert=user01desuri.crt
    right=%any
    auto=add
---------------------------------------------------------


---------------------------------userA ipsec.conf---------------

config setup
    klipsdebug=none
    plutodebug=none
    crlcheckinterval=600

conn %default
    keyingtries=0
    authby=rsasig

conn testvpnda
    left=195.212.109.203
    leftcert=user02desuri.crt
    right=195.212.109.202
    rightid="C=fr, ST=ile-de-france, L=paris, O=toto, CN=user01desuri.....
    auto=add
---------------------------------------------------------

1) At this point, is there something wrong in my conf?

2) I tried to put the following on both ends:
ca openswan
    cacert=ca.crt
    ocspuri=http://195.212.109.202:8888
    auto=add

like in your how-to, but when I run
    service ipsec restart
it tells me:
ipsec_setup: (/etc/ipsec.conf, line 19) section type "ca" not recognized -- restart aborted

Why?
Is it important?

3) I have this part about OCSP in my log file on userB:

Jun 15 16:55:10 localhost pluto[5419]: | certificate signature (C=fr, ST=ile-de-france, L=paris, O=motorola, CN=rootca1024 -> C=fr, ST=ile-de-france, L=paris, O=motorola, CN=user06desocspuse, E=ngc1976.m42 at caramail.com) is valid
Jun 15 16:55:10 localhost pluto[5419]: | authcert list unlocked by 'verify_x509cert'
Jun 15 16:55:10 localhost pluto[5419]: | ocsp cache locked by 'verify_by_ocsp'
Jun 15 16:55:10 localhost pluto[5419]: | ocsp cache unlocked by 'verify_by_ocsp'
Jun 15 16:55:10 localhost pluto[5419]: "testvpnda"[1] 195.212.109.203 #1: ocsp status is stale or not in cache
Jun 15 16:55:10 localhost pluto[5419]: | ocsp fetch request list locked by 'add_ocsp_fetch_request'
Jun 15 16:55:10 localhost pluto[5419]: | new ocsp location added
Jun 15 16:55:10 localhost pluto[5419]: | ocsp fetch request for serial 12 added
Jun 15 16:55:10 localhost pluto[5419]: | ocsp fetch request list unlocked by 'add_ocsp_fetch_request'
Jun 15 16:55:10 localhost pluto[5419]: | fetch thread wake call by 'verify_by_ocsp'
Jun 15 16:55:10 localhost pluto[5419]: | crl list locked by 'verify_by_crl'
Jun 15 16:55:10 localhost pluto[5419]: | crl list unlocked by 'verify_by_crl'
Jun 15 16:55:10 localhost pluto[5419]: "testvpnda"[1] 195.212.109.203 #1: no crl from issuer "C=fr, ST=ile-de-france, L=paris, O=motorola, CN=rootca1024" found (strict=yes)
Jun 15 16:55:10 localhost pluto[5419]: "testvpnda"[1] 195.212.109.203 #1: X.509 certificate rejected


What is the meaning?

thx
david
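Added example, not part of the thread or of Openswan: a small Python triage of pluto log lines like the ones quoted above, which attributes each "| " debug line to the state line that follows it and separates a certificate whose signature did not verify from one that was rejected only because no revocation status (OCSP or CRL) was available under strict checking. The names RevocationTrace, triage and explain are assumptions of this example; the log fixture is the post's own output with mail wrapping undone.

```python
import re
from dataclasses import dataclass, field

# Constructed fixture: the pluto lines quoted in the post, with mail wrapping undone.
SAMPLE_LOG = """\
Jun 15 16:55:10 localhost pluto[5419]: | certificate signature (C=fr, ST=ile-de-france, L=paris, O=motorola, CN=rootca1024 -> C=fr, ST=ile-de-france, L=paris, O=motorola, CN=user06desocspuse, E=ngc1976.m42 at caramail.com) is valid
Jun 15 16:55:10 localhost pluto[5419]: "testvpnda"[1] 195.212.109.203 #1: ocsp status is stale or not in cache
Jun 15 16:55:10 localhost pluto[5419]: | ocsp fetch request for serial 12 added
Jun 15 16:55:10 localhost pluto[5419]: "testvpnda"[1] 195.212.109.203 #1: no crl from issuer "C=fr, ST=ile-de-france, L=paris, O=motorola, CN=rootca1024" found (strict=yes)
Jun 15 16:55:10 localhost pluto[5419]: "testvpnda"[1] 195.212.109.203 #1: X.509 certificate rejected
"""
STATE_RE = re.compile(r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #\d+: (?P<msg>.*)$')
SERIAL_RE = re.compile(r"ocsp fetch request for serial (\d+) added")

@dataclass
class RevocationTrace:
    signature_valid: bool = False                           # chain signature verified
    ocsp_stale: bool = False                                # no usable OCSP status in cache
    ocsp_fetch_serials: list = field(default_factory=list)  # OCSP fetches queued
    crl_missing_strict: bool = False                        # no CRL while strict checking is on
    rejected: bool = False                                  # final verdict

def triage(log_text: str) -> dict:
    # State lines read "conn"[inst] peer #sa: msg; debug lines ("| ...") are emitted while
    # pluto works on that state, so they are attributed to the next state line seen.
    traces, pending = {}, RevocationTrace()
    for line in log_text.splitlines():
        body = line.split("]: ", 1)[-1]           # drop the syslog prefix
        m = STATE_RE.match(body)
        if m is None:
            pending.signature_valid |= body.startswith("| certificate signature") and body.endswith("is valid")
            pending.ocsp_fetch_serials += [int(s) for s in SERIAL_RE.findall(body)]
            continue
        t = traces.setdefault((m["conn"], m["peer"]), RevocationTrace())
        t.signature_valid |= pending.signature_valid
        t.ocsp_fetch_serials += pending.ocsp_fetch_serials
        pending = RevocationTrace()
        t.ocsp_stale |= "ocsp status is stale" in m["msg"]
        t.crl_missing_strict |= "no crl from issuer" in m["msg"] and "strict=yes" in m["msg"]
        t.rejected |= "X.509 certificate rejected" in m["msg"]
    return traces

def explain(t: RevocationTrace) -> str:
    if not t.rejected:
        return "certificate accepted"
    if not t.signature_valid:
        return "rejected: certificate signature did not verify"
    reasons = [msg for cond, msg in (
        (t.ocsp_stale, f"no fresh OCSP status cached (fetch queued for serial {', '.join(map(str, t.ocsp_fetch_serials)) or 'none'})"),
        (t.crl_missing_strict, "no CRL from the issuer while strict checking is on")) if cond]
    return "rejected: " + ("; ".join(reasons) or "reason not present in log")
```

Run against the fixture, the result for ("testvpnda", "195.212.109.203") reports a verified signature but a rejection for lack of revocation status: the OCSP fetch for serial 12 had only just been queued and no CRL was present while strict checking was on.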

