Test ikev2/ocsp-timeouts-unknown

Description

This scenario is based on ikev2/ocsp-signer-cert and tests the timeouts of the libcurl library used for HTTP-based OCSP fetching. Two ocsp_uris are added to moon's strongswan authorities section: no OCSP server is listening on the first, and the second URI cannot be resolved by DNS. Since the certificate status is unknown, moon aborts the connection setup and sends an AUTHORIZATION_FAILED notification to carol.
