Feature #700

Updated by Tobias Brunner about 6 years ago

Hi,

I have done the steps listed below and found that the IPsec tunnels got established despite removal of the CA certificate.

1. Loaded the same CA certificate and BTS certificate at both ends: tunnel got established
2. Deleted the CA certificate at one end: tunnel got established
3. Removed the BTS certificate at /usr/local/etc/config/keystorage/certs: tunnel NOT established
4. Loaded only the BTS certificate (CA certificate not installed): tunnel got established

My requirement is that when the CA certificate is removed, the tunnel should not be established.

Here is the ipsec.conf that is used:

<pre>
config setup
    plutostart=yes
    plutodebug=none
    nat_traversal=no
    uniqueids=no
    charonstart=yes
    charondebug="dmn 1, mgr 1, ike 0, chd 1, job 0, cfg 0, knl 0, net 0, enc -1, lib -1"

# ca section without auto=add, so it is not activated; CA certificates placed in
# /etc/ipsec.d/cacerts are loaded automatically regardless
ca rootca0
    cacert=rootCaCert_0.pem

conn %default
    auto=start
    pfs=no
    forceencaps=no
    keyingtries=%forever
    mobike=no

conn conn1
    type=tunnel
    leftsubnet=20.0.0.1/24
    rightsubnet=20.0.0.2/24
    left=20.0.0.1
    right=20.0.0.2
    keyexchange=ikev2
    reauth=no
    ike=aes128-sha1-modp1024,3des-sha1-modp1024!
    ikelifetime=83376s
    esp=aes128-sha1,3des-sha1!
    authby=pubkey
    # any peer identity is accepted and no rightca= pins the issuer
    rightid=%any
    keylife=86400s
    dpdaction=restart
    dpddelay=10s
    dpdtimeout=120s
    # local end-entity certificate; the same file is installed on both BTS ends
    leftcert=/etc/ipsec.d/certs/btsCert.pem
    rekeyfuzz=50%
    rekeymargin=180s
</pre>


-------------------------------------------------------------------
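The behaviour reported above follows from how strongSwan loads certificates: a certificate given via leftcert (or rightcert) is added to the credential set as a trusted end-entity certificate. When both BTS ends use the same btsCert.pem, each side finds the peer's certificate among its own trusted certificates and accepts it without building a chain to any CA; charon then logs `using trusted certificate "<DN>"` instead of `using certificate "<DN>"` followed by `using trusted ca certificate "<DN>"`. That is why steps 2 and 4 still establish and only step 3 (no local certificate at all) fails. The fragment below is an added example, not configuration from the report or from the strongSwan project: the weak conn as posted beside a hardened one that gives each end its own certificate and pins the peer's issuer with rightca, so the peer cannot authenticate unless its chain reaches rootca0, which is impossible once the CA certificate is removed. The file names bts1Cert.pem and bts2Cert.pem and the distinguished names are hypothetical.

```ini
# Weak (as in the report): both ends load the same btsCert.pem, which charon
# trusts implicitly, and any peer identity is accepted.
conn conn1-weak
    keyexchange=ikev2
    authby=pubkey
    left=20.0.0.1
    right=20.0.0.2
    leftcert=/etc/ipsec.d/certs/btsCert.pem
    rightid=%any
    auto=start

# Hardened: the CA section is activated with auto=add (the default for ca
# sections is ignore), each end has its own certificate, and the peer must
# present a certificate that chains to rootca0.
# DNs and per-end file names below are hypothetical.
ca rootca0
    cacert=rootCaCert_0.pem
    auto=add

conn conn1
    keyexchange=ikev2
    authby=pubkey
    left=20.0.0.1
    right=20.0.0.2
    # this end's own certificate (the other end uses bts2Cert.pem and swaps the ids)
    leftcert=/etc/ipsec.d/certs/bts1Cert.pem
    # the peer's certificate subject, not %any
    rightid="C=XX, O=Example, CN=bts2"
    # rootca0 is required in the peer's trust path; without its certificate the
    # chain cannot be built and IKE_AUTH fails
    rightca="C=XX, O=Example, CN=rootca0"
    auto=start
```

To check the hardened conn, remove rootCaCert_0.pem from /etc/ipsec.d/cacerts, run `ipsec rereadall` and `ipsec up conn1`: the peer's certificate must now be rejected during IKE_AUTH (charon typically reports `no trusted RSA public key found for '<peer DN>'`) rather than the tunnel coming up, which is the behaviour the report asks for.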