PRE-TEST winnetou# /etc/init.d/slapd start * Starting ldap-server ... [ ok ] adding new entry "o=Linux strongSwan, c=CH" adding new entry "cn=Manager,o=Linux strongSwan, c=CH" adding new entry "cn=strongSwan Root CA, o=Linux strongSwan, c=CH" adding new entry "ou=Research, o=Linux strongSwan, c=CH" adding new entry "cn=Research CA, ou=Research, o=Linux strongSwan, c=CH" adding new entry "ou=Sales, o=Linux strongSwan, c=CH" adding new entry "cn=Sales CA, ou=Sales, o=Linux strongSwan, c=CH" moon# /etc/init.d/iptables start 2> /dev/null * Caching service dependencies ... [ ok ] * Starting firewall ... [ ok ] carol# /etc/init.d/iptables start 2> /dev/null * Caching service dependencies ... [ ok ] * Starting firewall ... [ ok ] moon# ipsec start Starting strongSwan 4.3.6 IPsec [starter]... carol# ipsec start Starting strongSwan 4.3.6 IPsec [starter]... carol# sleep 2 carol# ipsec up home 002 "home" #1: initiating Main Mode 104 "home" #1: STATE_MAIN_I1: initiate 003 "home" #1: ignoring Vendor ID payload [strongSwan] 003 "home" #1: received Vendor ID payload [XAUTH] 003 "home" #1: received Vendor ID payload [Dead Peer Detection] 106 "home" #1: STATE_MAIN_I2: sent MI2, expecting MR2 002 "home" #1: we have a cert and are sending it upon request 108 "home" #1: STATE_MAIN_I3: sent MI3, expecting MR3 003 "home" #1: ignoring informational payload, type INVALID_KEY_INFORMATION 010 "home" #1: STATE_MAIN_I3: retransmission; will wait 20s for response 002 "home" #1: Peer ID is ID_FQDN: 'moon.strongswan.org' 002 "home" #1: X.509 certificate rejected 003 "home" #1: no public key known for 'moon.strongswan.org' 217 "home" #1: STATE_MAIN_I3: INVALID_KEY_INFORMATION 002 "home" #1: sending encrypted notification INVALID_KEY_INFORMATION to 192.168.0.1:500 010 "home" #1: STATE_MAIN_I3: retransmission; will wait 40s for response 002 "home" #1: Peer ID is ID_FQDN: 'moon.strongswan.org' 002 "home" #1: ISAKMP SA established 004 "home" #1: STATE_MAIN_I4: ISAKMP SA established 002 "home" #2: initiating Quick Mode PUBKEY+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1} 112 "home" #2: STATE_QUICK_I1: initiate 002 "home" #2: sent QI2, IPsec SA established {ESP=>0xa1dfb249 <0xa61e0e61} 004 "home" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xa1dfb249 <0xa61e0e61} carol# sleep 3 TEST moon# cat /var/log/auth.log | grep 'loaded crl from' [YES] Feb 27 22:44:41 moon pluto[9070]: loaded crl from '5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl' carol# cat /var/log/auth.log | grep 'loaded crl from' [YES] Feb 27 22:44:41 carol pluto[7910]: loaded crl from '5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl' moon# cat /var/log/auth.log | grep 'crl is stale' [YES] Feb 27 22:44:45 moon pluto[9070]: | crl is stale: since Jul 20 23:40:37 2005 carol# cat /var/log/auth.log | grep 'crl is stale' [YES] Feb 27 22:44:55 carol pluto[7910]: | crl is stale: since Jul 20 23:40:37 2005 moon# cat /var/log/auth.log | grep 'X.509 certificate rejected' [YES] Feb 27 22:44:45 moon pluto[9070]: "rw"[1] 192.168.0.100 #1: X.509 certificate rejected carol# cat /var/log/auth.log | grep 'X.509 certificate rejected' [YES] Feb 27 22:44:55 carol pluto[7910]: "home" #1: X.509 certificate rejected moon# cat /var/log/auth.log | grep 'ignoring informational payload, type INVALID_KEY_INFORMATION' [YES] Feb 27 22:44:55 moon pluto[9070]: "rw"[2] 192.168.0.100 #1: ignoring informational payload, type INVALID_KEY_INFORMATION carol# cat /var/log/auth.log | grep 'ignoring informational payload, type INVALID_KEY_INFORMATION' [YES] Feb 27 22:44:45 carol pluto[7910]: "home" #1: ignoring informational payload, type INVALID_KEY_INFORMATION moon# cat /var/log/auth.log | grep 'fetching crl from .*ldap://ldap.strongswan.org' [YES] Feb 27 22:44:45 moon pluto[9070]: fetching crl from 'ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList' ... carol# cat /var/log/auth.log | grep 'fetching crl from .*ldap://ldap.strongswan.org' [YES] Feb 27 22:44:55 carol pluto[7910]: fetching crl from 'ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList' ... moon# ipsec status | grep 'rw.*STATE_QUICK_R2.*IPsec SA established' [YES] 000 #2: "rw"[2] 192.168.0.100 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 1106s; newest IPSEC; eroute owner carol# ipsec status | grep 'home.*STATE_QUICK_I2.*IPsec SA established' [YES] 000 #2: "home" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 945s; newest IPSEC; eroute owner moon# cat /var/log/auth.log | grep 'written crl file' [YES] Feb 27 22:44:45 moon pluto[9070]: written crl file '/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl' (976 bytes) carol# cat /var/log/auth.log | grep 'written crl file' [YES] Feb 27 22:44:55 carol pluto[7910]: written crl file '/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl' (976 bytes) moon# ipsec listcrls | grep ' ok' [YES] 000 next Mar 29 23:27:26 2010 ok carol# ipsec listcrls | grep ' ok' [YES] 000 next Mar 29 23:27:26 2010 ok POST-TEST moon# ipsec stop Stopping strongSwan IPsec... carol# ipsec stop Stopping strongSwan IPsec... winnetou# /etc/init.d/slapd stop * Stopping ldap-server ... [ ok ] moon# /etc/init.d/iptables stop 2> /dev/null * Stopping firewall ... [ ok ] carol# /etc/init.d/iptables stop 2> /dev/null * Stopping firewall ... [ ok ] moon# rm /etc/ipsec.d/crls/* carol# rm /etc/ipsec.d/crls/*