strongSwan KVM Tests / ikev2 / crl-ldap

Test ikev2/crl-ldap

Description

By setting revocation = strict, a strict CRL policy is enforced on both the roadwarrior carol and the gateway moon. When carol initiates the connection and only an expired CRL cache file is available in /etc/swanctl/x509crl, an LDAP fetch of the CRL from the LDAP server winnetou is started successfully and the IKE authentication completes. Because of the cache_crls = yes option in /etc/strongswan.conf, the new CRL is again cached locally as a file in /etc/swanctl/x509crl.
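The decision flow described above, as an added example: a simplified Python model, not strongSwan code and not part of the test suite. It goes beyond this test by also covering the relaxed and ifuri values of the revocation option as the swanctl.conf documentation describes them; Crl, check_revocation, the dates and the serial numbers are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional, Tuple


@dataclass(frozen=True)
class Crl:
    next_update: datetime                 # CRL is expired once this time has passed
    revoked: frozenset = frozenset()      # revoked certificate serial numbers


def check_revocation(policy: str, serial: int, cached: Optional[Crl],
                     fetch: Optional[Callable[[], Optional[Crl]]],
                     now: datetime, cache_crls: bool = True
                     ) -> Tuple[bool, Optional[Crl]]:
    """Return (peer certificate accepted, CRL held in the local cache afterwards).

    fetch stands in for the LDAP fetch; None means the certificate has no CRL URI.
    """
    crl = cached
    if (crl is None or crl.next_update <= now) and fetch is not None:
        fetched = fetch()                 # cache missing or expired: ask the server
        if fetched is not None and fetched.next_update > now:
            crl = fetched
            if cache_crls:                # cache_crls = yes: keep the fresh CRL locally
                cached = fetched
    if crl is not None and serial in crl.revoked:
        return False, cached              # listed as revoked: rejected under every policy
    if crl is not None and crl.next_update > now:
        return True, cached               # current CRL, certificate not listed
    # No current revocation information: the configured policy decides.
    if policy == "strict":
        return False, cached
    if policy == "ifuri":
        return fetch is None, cached      # fails only when a URI exists but fetching failed
    return True, cached                   # relaxed


# Constructed scenario: expired cache on carol, fresh CRL on the LDAP server.
NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)
EXPIRED = Crl(next_update=NOW - timedelta(days=1))
FRESH = Crl(next_update=NOW + timedelta(days=30), revoked=frozenset({0x2A}))

if __name__ == "__main__":
    print(check_revocation("strict", 0x01, EXPIRED, lambda: FRESH, NOW))  # this test's case
    print(check_revocation("strict", 0x01, EXPIRED, lambda: None, NOW))   # server unreachable
```

In this model a certificate listed on any available CRL is rejected even if that CRL has expired, which is a conservative modelling choice.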
