Test ikev2/ocsp-timeouts-good

strongSwan KVM Tests / ikev2 / ocsp-timeouts-good

Test ikev2/ocsp-timeouts-good

Description

This scenario is based on ikev2/ocsp-signer-cert and tests the timeouts of the libcurl library used for http-based OCSP fetching by adding an ocsp_uris entry in moon's strongswan authority section that cannot be resolved by DNS and an ocsp_uris entry in carol's strongswan authority section on which no OCSP server is listening. Thanks to timeouts the connection can nevertheless be established successfully by contacting a valid OCSP URI contained in carol's certificate.

As an additional test the OCSP response is delayed by a few seconds in order to check the correct handling of retransmitted IKE_AUTH messages.

console.log

moon

swanctl.conf
swanctl --list-conns
swanctl --list-certs
strongswan.conf
ipsec.sql

swanctl --list-sas|--list-pols
swanctl --list-pools
swanctl --list-authorities
swanctl --stats|--list-algs
auth.log
daemon.log

ip -s xfrm policy
ip -s xfrm state
ip route list table 220
iptables -L
iptables-save

carol

swanctl.conf
swanctl --list-conns
swanctl --list-certs
strongswan.conf
ipsec.sql

swanctl --list-sas|--list-pols
swanctl --list-pools
swanctl --list-authorities
swanctl --stats|--list-algs
auth.log
daemon.log

ip -s xfrm policy
ip -s xfrm state
ip route list table 220
iptables -L
iptables-save