# strongSwan Configuration #

## Overview ##

strongSwan is an OpenSource IPsec-based VPN solution.

This document is just a short introduction to the strongSwan **swanctl** command
which uses the modern [**vici**](src/libcharon/plugins/vici/README.md) *Versatile
IKE Configuration Interface*. The deprecated **ipsec** command using the legacy
**stroke** configuration interface is described [**here**](README_LEGACY.md).
For more detailed information consult the man pages, our new
[**documentation site**](https://docs.strongswan.org) and the legacy
[**wiki**](https://wiki.strongswan.org).


## Quickstart ##

Certificates for users, hosts and gateways are issued by a fictitious
strongSwan CA. In our example scenarios the CA certificate `strongswanCert.pem`
must be present on all VPN endpoints in order to be able to authenticate the
peers. For your particular VPN application you can either use certificates from
any third-party CA or generate the needed private keys and certificates yourself
with the strongSwan **pki** tool, the use of which is explained in one of the
sections below.


### Site-to-Site Case ###

In this scenario two security gateways _moon_ and _sun_ will connect the
two subnets _moon-net_ and _sun-net_ with each other through a VPN tunnel
set up between the two gateways:

    10.1.0.0/16 -- | 192.168.0.1 | === | 192.168.0.2 | -- 10.2.0.0/16
      moon-net         moon               sun            sun-net

Configuration on gateway _moon_:

    /etc/swanctl/x509ca/strongswanCert.pem
    /etc/swanctl/x509/moonCert.pem
    /etc/swanctl/private/moonKey.pem

    /etc/swanctl/swanctl.conf:

    connections {
        net-net {
            remote_addrs = 192.168.0.2

            local {
                auth = pubkey
                certs = moonCert.pem
            }
            remote {
                auth = pubkey
                id = "C=CH, O=strongSwan, CN=sun.strongswan.org"
            }
            children {
                net-net {
                    local_ts = 10.1.0.0/16
                    remote_ts = 10.2.0.0/16
                    start_action = trap
                }
            }
        }
    }

Configuration on gateway _sun_:

    /etc/swanctl/x509ca/strongswanCert.pem
    /etc/swanctl/x509/sunCert.pem
    /etc/swanctl/private/sunKey.pem

    /etc/swanctl/swanctl.conf:

    connections {
        net-net {
            remote_addrs = 192.168.0.1

            local {
                auth = pubkey
                certs = sunCert.pem
            }
            remote {
                auth = pubkey
                id = "C=CH, O=strongSwan, CN=moon.strongswan.org"
            }
            children {
                net-net {
                    local_ts = 10.2.0.0/16
                    remote_ts = 10.1.0.0/16
                    start_action = trap
                }
            }
        }
    }

The local and remote identities used in this scenario are the
*subjectDistinguishedNames* contained in the end entity certificates.
The certificates and private keys are loaded into the **charon** daemon with
the command

    swanctl --load-creds

whereas

    swanctl --load-conns

loads the connections defined in `swanctl.conf`. With `start_action = trap` the
IPsec connection is automatically set up with the first plaintext payload IP
packet wanting to go through the tunnel.

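As an added example (not part of the strongSwan README or project), the following Python parses the `swanctl.conf` section syntax used above and checks that the two gateway configurations mirror each other: moon's `local_ts` must be sun's `remote_ts` and vice versa, a mismatch that otherwise only surfaces when the peers fail to agree on traffic selectors. The `peer_conf`, `parse_conf` and `check_mirrored` helpers and the constructed configurations are the example's own.

```python
"""Added example, not part of the strongSwan README: a minimal parser for the
swanctl.conf section syntax and a check that two site-to-site peers mirror
each other's traffic selectors (each side's local_ts is the other's remote_ts)."""

def peer_conf(remote_addr, cert, peer_cn, local_ts, remote_ts):
    """Build a swanctl.conf excerpt shaped like the site-to-site example above."""
    return f"""connections {{
    net-net {{
        remote_addrs = {remote_addr}
        local {{
            auth = pubkey
            certs = {cert}
        }}
        remote {{
            auth = pubkey
            id = "C=CH, O=strongSwan, CN={peer_cn}"
        }}
        children {{
            net-net {{
                local_ts = {local_ts}
                remote_ts = {remote_ts}
                start_action = trap
            }}
        }}
    }}
}}"""

# Constructed configurations of gateways moon and sun from the example above.
MOON_CONF = peer_conf("192.168.0.2", "moonCert.pem", "sun.strongswan.org",
                      "10.1.0.0/16", "10.2.0.0/16")
SUN_CONF = peer_conf("192.168.0.1", "sunCert.pem", "moon.strongswan.org",
                     "10.2.0.0/16", "10.1.0.0/16")

def parse_conf(text):
    """Parse swanctl.conf-style text into nested dicts: 'name {' opens a
    section, '}' closes it, 'key = value' assigns and '#' starts a comment."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cur = stack[-1] if stack else root
        if line.endswith("{"):
            stack.append(cur.setdefault(line[:-1].strip(), {}))
        elif line == "}":
            stack.pop()
        else:
            key, _, value = line.partition("=")
            cur[key.strip()] = value.strip().strip('"')
    if stack:
        raise ValueError("unbalanced braces in configuration")
    return root

def check_mirrored(conf_a, conf_b, conn="net-net", child="net-net"):
    """Return the mismatches between two peers' configuration (empty if OK)."""
    a = parse_conf(conf_a)["connections"][conn]
    b = parse_conf(conf_b)["connections"][conn]
    ca, cb = a["children"][child], b["children"][child]
    problems = []
    if ca.get("local_ts") != cb.get("remote_ts"):
        problems.append("local_ts of A does not match remote_ts of B")
    if ca.get("remote_ts") != cb.get("local_ts"):
        problems.append("remote_ts of A does not match local_ts of B")
    return problems
```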
### Host-to-Host Case ###

This is a setup between two single hosts which don't have a subnet behind
them. Although IPsec transport mode would be sufficient for host-to-host
connections we will use the default IPsec tunnel mode.

    | 192.168.0.1 | === | 192.168.0.2 |
         moon               sun

Configuration on host _moon_:

    /etc/swanctl/x509ca/strongswanCert.pem
    /etc/swanctl/x509/moonCert.pem
    /etc/swanctl/private/moonKey.pem

    /etc/swanctl/swanctl.conf:

    connections {
        host-host {
            remote_addrs = 192.168.0.2

            local {
                auth = pubkey
                certs = moonCert.pem
            }
            remote {
                auth = pubkey
                id = "C=CH, O=strongSwan, CN=sun.strongswan.org"
            }
            children {
                net-net {
                    start_action = trap
                }
            }
        }
    }

Configuration on host _sun_:

    /etc/swanctl/x509ca/strongswanCert.pem
    /etc/swanctl/x509/sunCert.pem
    /etc/swanctl/private/sunKey.pem

    /etc/swanctl/swanctl.conf:

    connections {
        host-host {
            remote_addrs = 192.168.0.1

            local {
                auth = pubkey
                certs = sunCert.pem
            }
            remote {
                auth = pubkey
                id = "C=CH, O=strongSwan, CN=moon.strongswan.org"
            }
            children {
                host-host {
                    start_action = trap
                }
            }
        }
    }


### Roadwarrior Case ###

This is a very common case where a strongSwan gateway serves an arbitrary
number of remote VPN clients usually having dynamic IP addresses.

    10.1.0.0/16 -- | 192.168.0.1 | === | x.x.x.x |
      moon-net         moon            carol

Configuration on gateway _moon_:

    /etc/swanctl/x509ca/strongswanCert.pem
    /etc/swanctl/x509/moonCert.pem
    /etc/swanctl/private/moonKey.pem

    /etc/swanctl/swanctl.conf:

    connections {
        rw {
            local {
                auth = pubkey
                certs = moonCert.pem
                id = moon.strongswan.org
            }
            remote {
                auth = pubkey
            }
            children {
                net-net {
                    local_ts = 10.1.0.0/16
                }
            }
        }
    }

Configuration on roadwarrior _carol_:

    /etc/swanctl/x509ca/strongswanCert.pem
    /etc/swanctl/x509/carolCert.pem
    /etc/swanctl/private/carolKey.pem

    /etc/swanctl/swanctl.conf:

    connections {
        home {
            remote_addrs = moon.strongswan.org

            local {
                auth = pubkey
                certs = carolCert.pem
                id = carol@strongswan.org
            }
            remote {
                auth = pubkey
                id = moon.strongswan.org
            }
            children {
                home {
                    local_ts = 10.1.0.0/16
                    start_action = start
                }
            }
        }
    }

For `remote_addrs` the hostname `moon.strongswan.org` was chosen which will be
resolved by DNS at runtime into the corresponding IP destination address.
In this scenario the identity of the roadwarrior `carol` is the email address
`carol@strongswan.org` which must be included as a *subjectAlternativeName* in
the roadwarrior certificate `carolCert.pem`.


### Roadwarrior Case with Virtual IP ###

Roadwarriors usually have dynamic IP addresses assigned by the ISP they are
currently attached to. In order to simplify the routing from _moon-net_ back
to the remote access client _carol_ it would be desirable if the roadwarrior had
an inner IP address chosen from a pre-defined pool.

    10.1.0.0/16 -- | 192.168.0.1 | === | x.x.x.x | -- 10.3.0.1
      moon-net         moon            carol       virtual IP

In our example the virtual IP address is chosen from the address pool
`10.3.0.0/16` which can be configured by adding the section

    pools {
        rw_pool {
            addrs = 10.3.0.0/16
        }
    }

to the gateway's `swanctl.conf` from where it is loaded into the **charon**
daemon using the command

    swanctl --load-pools

To request an IP address from this pool a roadwarrior can use IKEv1 mode config
or IKEv2 configuration payloads. The configuration for both is the same

    vips = 0.0.0.0

Configuration on gateway _moon_:

    /etc/swanctl/x509ca/strongswanCert.pem
    /etc/swanctl/x509/moonCert.pem
    /etc/swanctl/private/moonKey.pem

    /etc/swanctl/swanctl.conf:

    connections {
        rw {
            pools = rw_pool

            local {
                auth = pubkey
                certs = moonCert.pem
                id = moon.strongswan.org
            }
            remote {
                auth = pubkey
            }
            children {
                net-net {
                    local_ts = 10.1.0.0/16
                }
            }
        }
    }

    pools {
        rw_pool {
            addrs = 10.3.0.0/16
        }
    }

Configuration on roadwarrior _carol_:

    /etc/swanctl/x509ca/strongswanCert.pem
    /etc/swanctl/x509/carolCert.pem
    /etc/swanctl/private/carolKey.pem

    /etc/swanctl/swanctl.conf:

    connections {
        home {
            remote_addrs = moon.strongswan.org
            vips = 0.0.0.0

            local {
                auth = pubkey
                certs = carolCert.pem
                id = carol@strongswan.org
            }
            remote {
                auth = pubkey
                id = moon.strongswan.org
            }
            children {
                home {
                    local_ts = 10.1.0.0/16
                    start_action = start
                }
            }
        }
    }


### Roadwarrior Case with EAP Authentication ###

This is a very common case where a strongSwan gateway serves an arbitrary
number of remote VPN clients which authenticate themselves via a password
based *Extensible Authentication Protocol* method such as *EAP-MD5* or
*EAP-MSCHAPv2*.

    10.1.0.0/16 -- | 192.168.0.1 | === | x.x.x.x |
      moon-net         moon            carol

Configuration on gateway _moon_:

    /etc/swanctl/x509ca/strongswanCert.pem
    /etc/swanctl/x509/moonCert.pem
    /etc/swanctl/private/moonKey.pem

    /etc/swanctl/swanctl.conf:

    connections {
        rw {
            local {
                auth = pubkey
                certs = moonCert.pem
                id = moon.strongswan.org
            }
            remote {
                auth = eap-md5
            }
            children {
                net-net {
                    local_ts = 10.1.0.0/16
                }
            }
            send_certreq = no
        }
    }

The `swanctl.conf` file additionally contains a `secrets` section defining all
client credentials

    secrets {
        eap-carol {
            id = carol@strongswan.org
            secret = Ar3etTnp
        }
        eap-dave {
            id = dave@strongswan.org
            secret = W7R0g3do
        }
    }

Configuration on roadwarrior _carol_:

    /etc/swanctl/x509ca/strongswanCert.pem

    /etc/swanctl/swanctl.conf:

    connections {
        home {
            remote_addrs = moon.strongswan.org

            local {
                auth = eap
                id = carol@strongswan.org
            }
            remote {
                auth = pubkey
                id = moon.strongswan.org
            }
            children {
                home {
                    local_ts = 10.1.0.0/16
                    start_action = start
                }
            }
        }
    }

    secrets {
        eap-carol {
            id = carol@strongswan.org
            secret = Ar3etTnp
        }
    }


### Roadwarrior Case with EAP Identity ###

Often a client EAP identity is exchanged via EAP which differs from the
external IKEv2 identity. In this example the IKEv2 identity defaults to
the IPv4 address of the client.

    10.1.0.0/16 -- | 192.168.0.1 | === | x.x.x.x |
      moon-net         moon            carol

Configuration on gateway _moon_:

    /etc/swanctl/x509ca/strongswanCert.pem
    /etc/swanctl/x509/moonCert.pem
    /etc/swanctl/private/moonKey.pem

    /etc/swanctl/swanctl.conf:

    connections {
        rw {
            local {
                auth = pubkey
                certs = moonCert.pem
                id = moon.strongswan.org
            }
            remote {
                auth = eap-md5
                eap_id = %any
            }
            children {
                net-net {
                    local_ts = 10.1.0.0/16
                }
            }
            send_certreq = no
        }
    }

    secrets {
        eap-carol {
            id = carol
            secret = Ar3etTnp
        }
        eap-dave {
            id = dave
            secret = W7R0g3do
        }
    }

Configuration on roadwarrior _carol_:

    /etc/swanctl/x509ca/strongswanCert.pem

    /etc/swanctl/swanctl.conf:

    connections {
        home {
            remote_addrs = moon.strongswan.org

            local {
                auth = eap
                eap_id = carol
            }
            remote {
                auth = pubkey
                id = moon.strongswan.org
            }
            children {
                home {
                    local_ts = 10.1.0.0/16
                    start_action = start
                }
            }
        }
    }

    secrets {
        eap-carol {
            id = carol
            secret = Ar3etTnp
        }
    }


## Generating Certificates and CRLs ##

This section is not a full-blown tutorial on how to use the strongSwan **pki**
tool. It just lists a few points that are relevant if you want to generate your
own certificates and CRLs for use with strongSwan.


### Generating a CA Certificate ###

The pki statement

    pki --gen --type ed25519 --outform pem > strongswanKey.pem

generates an elliptic Edwards-Curve key with a cryptographic strength of 128
bits. The corresponding public key is packed into a self-signed CA certificate
with a lifetime of 10 years (3652 days)

    pki --self --ca --lifetime 3652 --in strongswanKey.pem \
        --dn "C=CH, O=strongSwan, CN=strongSwan Root CA" \
        --outform pem > strongswanCert.pem

which can be listed with the command

    pki --print --in strongswanCert.pem

      subject:  "C=CH, O=strongSwan, CN=strongSwan Root CA"
      issuer:   "C=CH, O=strongSwan, CN=strongSwan Root CA"
      validity:  not before May 18 08:32:06 2017, ok
                 not after  May 18 08:32:06 2027, ok (expires in 3651 days)
      serial:    57:e0:6b:3a:9a:eb:c6:e0
      flags:     CA CRLSign self-signed
      subjkeyId: 2b:95:14:5b:c3:22:87:de:d1:42:91:88:63:b3:d5:c1:92:7a:0f:5d
      pubkey:    ED25519 256 bits
      keyid:     a7:e1:6a:3f:e7:6f:08:9d:89:ec:23:92:a9:a1:14:3c:78:a8:7a:f7
      subjkey:   2b:95:14:5b:c3:22:87:de:d1:42:91:88:63:b3:d5:c1:92:7a:0f:5d

If you prefer the CA private key and X.509 certificate to be in binary DER format
then just omit the `--outform pem` option. The directory `/etc/swanctl/x509ca`
contains all required CA certificates either in binary DER or in Base64 PEM
format. Irrespective of the file suffix the correct format will be determined
by strongSwan automagically.


### Generating a Host or User End Entity Certificate ###

Again we are using the command

    pki --gen --type ed25519 --outform pem > moonKey.pem

to generate an Ed25519 private key for the host `moon`. Alternatively you could
type

    pki --gen --type rsa --size 3072 > moonKey.der

to generate a traditional 3072 bit RSA key and store it in binary DER format.
As an alternative a **TPM 2.0** *Trusted Platform Module* available on every
recent Intel platform could be used as a virtual smartcard to securely store an
RSA or ECDSA private key. For details, refer to the TPM 2.0
[HOWTO](https://docs.strongswan.org/docs/5.9/tpm/tpm2.html).

In a next step the command

    pki --req --type priv --in moonKey.pem \
        --dn "C=CH, O=strongSwan, CN=moon.strongswan.org" \
        --san moon.strongswan.org --outform pem > moonReq.pem

creates a PKCS#10 certificate request that has to be signed by the CA.
Through repeated use of the `--san` parameter any number of desired
*subjectAlternativeNames* can be added to the request. These can be of the
form

    --san sun.strongswan.org     # fully qualified host name
    --san carol@strongswan.org   # RFC822 user email address
    --san 192.168.0.1            # IPv4 address
    --san fec0::1                # IPv6 address

Based on the certificate request the CA issues a signed end entity certificate
with the following command

    pki --issue --cacert strongswanCert.pem --cakey strongswanKey.pem \
        --type pkcs10 --in moonReq.pem --serial 01 --lifetime 1826 \
        --outform pem > moonCert.pem

If the `--serial` parameter with a hexadecimal argument is omitted then a random
serial number is generated. Some third party VPN clients require that a VPN
gateway certificate contains the *TLS Server Authentication* Extended Key Usage
(EKU) flag which can be included with the following option

    --flag serverAuth

If you want to use the dynamic CRL fetching feature described in one of the
following sections then you may include one or several *crlDistributionPoints*
in your end entity certificates using the `--crl` parameter

    --crl http://crl.strongswan.org/strongswan.crl
    --crl "ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=strongSwan,c=CH?certificateRevocationList"

The issued host certificate can be listed with

    pki --print --in moonCert.pem

      subject:  "C=CH, O=strongSwan, CN=moon.strongswan.org"
      issuer:   "C=CH, O=strongSwan, CN=strongSwan Root CA"
      validity:  not before May 19 10:28:19 2017, ok
                 not after  May 19 10:28:19 2022, ok (expires in 1825 days)
      serial:    01
      altNames:  moon.strongswan.org
      flags:     serverAuth
      CRL URIs:  http://crl.strongswan.org/strongswan.crl
      authkeyId: 2b:95:14:5b:c3:22:87:de:d1:42:91:88:63:b3:d5:c1:92:7a:0f:5d
      subjkeyId: 60:9d:de:30:a6:ca:b9:8e:87:bb:33:23:61:19:18:b8:c4:7e:23:8f
      pubkey:    ED25519 256 bits
      keyid:     39:1b:b3:c2:34:72:1a:01:08:40:ce:97:75:b8:be:ce:24:30:26:29
      subjkey:   60:9d:de:30:a6:ca:b9:8e:87:bb:33:23:61:19:18:b8:c4:7e:23:8f

Usually, a Windows, OSX, Android or iOS based VPN client needs its private key,
its host or user certificate and the CA certificate. The most convenient way
to load this information is to put everything into a PKCS#12 container:

    openssl pkcs12 -export -inkey carolKey.pem \
        -in carolCert.pem -name "carol" \
        -certfile strongswanCert.pem -caname "strongSwan Root CA" \
        -out carolCert.p12

The strongSwan **pki** tool currently is not able to create PKCS#12 containers
so that **openssl** must be used.


### Generating a CRL ###

An empty CRL that is signed by the CA can be generated with the command

    pki --signcrl --cacert strongswanCert.pem --cakey strongswanKey.pem \
        --lifetime 30 > strongswan.crl

If you omit the `--lifetime` option then the default value of 15 days is used.
CRLs can either be uploaded to an HTTP or LDAP server or put in binary DER or
Base64 PEM format into the `/etc/swanctl/x509crl` directory from where they are
loaded into the **charon** daemon with the command

    swanctl --load-creds


### Revoking a Certificate ###

A specific end entity certificate is revoked with the command

    pki --signcrl --cacert strongswanCert.pem --cakey strongswanKey.pem \
        --lifetime 30 --lastcrl strongswan.crl \
        --reason key-compromise --cert moonCert.pem > new.crl

Instead of the certificate file (in our example `moonCert.pem`), the serial number
of the certificate to be revoked can be indicated using the `--serial`
parameter. The `pki --signcrl --help` command documents all possible revocation
reasons but the `--reason` parameter can also be omitted. The content of the new
CRL file can be listed with the command

    pki --print --type crl --in new.crl

      issuer:   "C=CH, O=strongSwan, CN=strongSwan Root CA"
      update:    this on May 19 11:13:01 2017, ok
                 next on Jun 18 11:13:01 2017, ok (expires in 29 days)
      serial:    02
      authKeyId: 2b:95:14:5b:c3:22:87:de:d1:42:91:88:63:b3:d5:c1:92:7a:0f:5d
      1 revoked certificate:
        01: May 19 11:13:01 2017, key compromise


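The three `pki --print` listings above (CA certificate, issued host certificate, new CRL) carry everything needed to confirm that `moonCert.pem` chains to the CA, has the serverAuth flag, and is now revoked. The following added example (not from the strongSwan project) parses those listings, copied from this README, and performs exactly those checks; `parse_listing`, `check_issued_cert` and the result keys are the example's own names.

```python
"""Added example, not part of the strongSwan README: parse the `pki --print`
listings shown above (copied from this README) and check that the host
certificate chains to the CA, carries serverAuth and is revoked by the CRL."""
CA_LISTING = """
  subject:  "C=CH, O=strongSwan, CN=strongSwan Root CA"
  issuer:   "C=CH, O=strongSwan, CN=strongSwan Root CA"
  validity:  not before May 18 08:32:06 2017, ok
             not after  May 18 08:32:06 2027, ok (expires in 3651 days)
  flags:     CA CRLSign self-signed
  subjkeyId: 2b:95:14:5b:c3:22:87:de:d1:42:91:88:63:b3:d5:c1:92:7a:0f:5d
"""
HOST_LISTING = """
  subject:  "C=CH, O=strongSwan, CN=moon.strongswan.org"
  issuer:   "C=CH, O=strongSwan, CN=strongSwan Root CA"
  serial:    01
  altNames:  moon.strongswan.org
  flags:     serverAuth
  CRL URIs:  http://crl.strongswan.org/strongswan.crl
  authkeyId: 2b:95:14:5b:c3:22:87:de:d1:42:91:88:63:b3:d5:c1:92:7a:0f:5d
  subjkeyId: 60:9d:de:30:a6:ca:b9:8e:87:bb:33:23:61:19:18:b8:c4:7e:23:8f
"""
CRL_LISTING = """
  issuer:   "C=CH, O=strongSwan, CN=strongSwan Root CA"
  update:    this on May 19 11:13:01 2017, ok
             next on Jun 18 11:13:01 2017, ok (expires in 29 days)
  serial:    02
  authKeyId: 2b:95:14:5b:c3:22:87:de:d1:42:91:88:63:b3:d5:c1:92:7a:0f:5d
  1 revoked certificate:
    01: May 19 11:13:01 2017, key compromise
"""

def parse_listing(text):
    """Return ({label: value}, {serial: (date, reason)}) for one listing."""
    fields, revoked, in_revoked = {}, {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if "revoked certificate" in line:
            in_revoked = True            # the lines that follow list revocations
            continue
        label, sep, value = line.partition(":")
        label = label.strip()
        if not line or not sep:
            continue
        if in_revoked:                   # "01: May 19 11:13:01 2017, key compromise"
            date, _, reason = value.rpartition(",")
            revoked[label] = (date.strip(), reason.strip())
        elif not any(ch.isdigit() for ch in label):   # skip wrapped date lines
            fields[label.lower()] = value.strip().strip('"')
    return fields, revoked

def check_issued_cert(ca_listing, cert_listing, crl_listing):
    """Checks an operator would make before deploying an issued certificate."""
    ca, _ = parse_listing(ca_listing)
    cert, _ = parse_listing(cert_listing)
    crl, revoked = parse_listing(crl_listing)
    return {
        # the cert's authorityKeyIdentifier must equal the CA's subjectKeyIdentifier
        "chains_to_ca": cert["authkeyid"] == ca["subjkeyid"]
        and cert["issuer"] == ca["subject"],
        # a CRL only says something about this cert if the same CA signed it
        "crl_from_ca": crl["authkeyid"] == ca["subjkeyid"],
        "server_auth": "serverAuth" in cert["flags"].split(),
        "revoked": revoked.get(cert["serial"]),   # None if not on the CRL
    }
```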
### Local Caching of CRLs ###

The `strongswan.conf` option

    charon {
        cache_crls = yes
    }

activates the local caching of CRLs that were dynamically fetched from an
HTTP or LDAP server. Cached copies are stored in `/etc/swanctl/x509crl` using a
unique filename formed from the issuer's *subjectKeyIdentifier* and the
suffix `.crl`.

With the cached copy the CRL is immediately available after startup. When the
local copy has become stale, an updated CRL is automatically fetched from one of
the defined CRL distribution points during the next IKEv2 authentication.