Test ikev2/ocsp-local-cert

Description

By setting revocation = strict, a strict revocation policy is enforced on both the roadwarrior carol and the gateway moon. The online certificate status is checked via the OCSP server winnetou, which possesses a self-signed OCSP signer certificate that the peers must import locally into the /etc/swanctl/x509ocsp/ directory. An authorities section named strongswan in swanctl.conf defines an OCSP URI pointing to winnetou.

carol can successfully initiate an IPsec connection to moon since the status of both certificates is good.
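As an added illustration (not the test's own configuration files, which this page does not reproduce), a swanctl.conf fragment for carol that combines the two pieces the description names: the strict revocation check on the peer certificate and the authorities section that supplies the OCSP URI. Moon's address, the certificate file names and the OCSP URL on winnetou are assumed placeholders.

```conf
# Added example for roadwarrior carol; not the test's own swanctl.conf.
# Assumed placeholders (not from the page): moon's address, the
# certificate file names and the OCSP URL on winnetou.
connections {
    home {
        remote_addrs = moon.example.org       # assumed gateway address
        local {
            auth = pubkey
            certs = carolCert.pem             # assumed file name
        }
        remote {
            auth = pubkey
            # strict: moon's certificate is accepted only if a valid
            # revocation check succeeds, so an unreachable OCSP
            # responder fails the connection instead of being ignored.
            revocation = strict
        }
        children {
            home {
                remote_ts = 10.1.0.0/16       # assumed subnet behind moon
            }
        }
    }
}

authorities {
    # Ties the CA certificate to the OCSP responder running on winnetou.
    strongswan {
        cacert = strongswanCert.pem           # assumed CA file name
        ocsp_uris = http://winnetou.example.org:8880   # assumed OCSP URL
    }
}

# The responder's self-signed OCSP signer certificate is not issued by
# the CA, so it is trusted only because it sits in /etc/swanctl/x509ocsp/,
# the directory the description names.
```

After `swanctl --load-all`, `swanctl --list-certs` shows the OCSP signer certificate among the loaded certificates, which is the quickest check that the local import worked before the first connection attempt.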
