Test ikev2/ocsp-local-cert

Description

By setting strictcrlpolicy=yes, a strict CRL policy is enforced on both roadwarrior carol and gateway moon. The online certificate status is checked via the OCSP server winnetou, which possesses a self-signed OCSP signer certificate that the peers must import locally into /etc/ipsec.d/ocspcerts/. A strongswan ca section in ipsec.conf defines an OCSP URI pointing to winnetou.

carol can successfully initiate an IPsec connection to moon since the status of both certificates is good.
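The ipsec.conf settings described above, sketched as an added example that is not the test's own configuration file. The CA certificate file name, the OCSP signer file name and the OCSP URL are placeholders assumed here; only strictcrlpolicy=yes, the ocspcerts directory and the strongswan ca section come from the description.

```conf
# /etc/ipsec.conf on carol and moon (illustrative fragment, values are placeholders)

config setup
	# Reject a peer certificate unless fresh revocation status is available.
	strictcrlpolicy=yes

# CA section named "strongswan": ties the issuing CA to its OCSP responder.
ca strongswan
	# Placeholder file name, resolved relative to /etc/ipsec.d/cacerts/
	cacert=caCert.pem
	# Placeholder URL for the OCSP server winnetou
	ocspuri=http://winnetou.example/ocsp
	auto=add

# The OCSP signer certificate is self-signed, so it does not chain to the CA
# above. It is trusted only because each peer holds a local copy, e.g.
#   /etc/ipsec.d/ocspcerts/ocspCert.pem   (placeholder file name)
# Without that copy the OCSP response signature cannot be verified, the
# certificate status stays unknown, and strictcrlpolicy=yes makes
# authentication fail.
```

Because trust in the responder rests entirely on the locally imported copy, replacing or rotating the OCSP signer certificate means updating /etc/ipsec.d/ocspcerts/ on every peer.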
