strongSwan KVM Tests / ikev2 / ocsp-rfc4806-both

Test ikev2/ocsp-rfc4806-both

Description

By setting revocation = strict in swanctl.conf, a strict CRL policy is enforced on both roadwarrior carol and gateway moon. Based on RFC 4806, both carol and moon send an OCSP request via an IKEv2 CERTREQ payload to their peer, which in turn requests online status information on its own certificate from the OCSP server winnetou on behalf of the other peer. The OCSP server winnetou possesses an OCSP signer certificate, issued by the strongSwan CA, that contains an OCSPSigning Extended Key Usage (EKU) flag. carol's certificate includes an OCSP URI in an authority information access extension pointing to winnetou, so no authorities section is needed in carol's swanctl.conf. carol can successfully initiate an IPsec connection to moon since the status of both certificates is good.
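The carol side of this setup, reconstructed here as an added example (not the test's own configuration file): the strict revocation policy is set per peer in the remote authentication round, and because carol's certificate carries the OCSP URI in its AIA extension, no authorities section is required. Addresses, certificate file names, identities and proposals are assumptions.

```conf
# /etc/swanctl/swanctl.conf on roadwarrior carol (added example; addresses,
# file names, identities and proposals are assumptions, not the test's values)
connections {
   home {
      # gateway moon (assumed address)
      remote_addrs = 192.168.0.1
      vips = 0.0.0.0
      version = 2
      proposals = aes128-sha256-x25519

      local {
         auth = pubkey
         certs = carolCert.pem
         id = carol@strongswan.org
      }
      remote {
         auth = pubkey
         id = moon.strongswan.org
         # strict: a "good" revocation status for moon's certificate is
         # mandatory; an unknown or unavailable status fails authentication
         revocation = strict
      }
      children {
         home {
            remote_ts = 10.1.0.0/16
            esp_proposals = aes128gcm128-x25519
         }
      }
   }
}

# No authorities section is needed on carol: the OCSP URI pointing to
# winnetou is taken from the AIA extension of carol's own certificate.
# A peer whose certificate lacks that extension would instead declare the
# responder explicitly (assumed URI):
#
# authorities {
#    strongswan {
#       cacert = strongswanCert.pem
#       ocsp_uris = http://ocsp.strongswan.org:8880
#    }
# }
```

With this policy in place, a responder that cannot be reached or returns an unknown status is treated as a failure rather than silently accepted, which is the behaviour the strict setting is meant to enforce.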