]> git.ipfire.org Git - thirdparty/strongswan.git/blame - README.md
projects / thirdparty / strongswan.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Version bump to 5.7.2
[thirdparty/strongswan.git] / README.md
CommitLineData
891d332b
TB		 1# strongSwan Configuration #
2
3## Overview ##
4
5strongSwan is an OpenSource IPsec-based VPN solution.
a477d280 6
7272fa0c
AS		 7This document is just a short introduction of the strongSwan **swanctl** command
8which uses the modern [**vici**](src/libcharon/plugins/vici/README.md) *Versatile
9IKE Configuration Interface*. The deprecated **ipsec** command using the legacy
10**stroke** configuration interface is described [**here**](README_LEGACY.md).
11For more detailed information consult the man pages and
e4a3ef2e 12[**our wiki**](https://wiki.strongswan.org).
a477d280 13
a477d280 14
891d332b 15## Quickstart ##
a477d280 16
891d332b 17Certificates for users, hosts and gateways are issued by a fictitious
7272fa0c
AS		 18strongSwan CA. In our example scenarios the CA certificate `strongswanCert.pem`
19must be present on all VPN endpoints in order to be able to authenticate the
20peers. For your particular VPN application you can either use certificates from
21any third-party CA or generate the needed private keys and certificates yourself
22with the strongSwan **pki** tool, the use of which will be explained in one of
23the sections following below.
a477d280
TB		 24
25
7272fa0c 26### Site-to-Site Case ###
a477d280 27
891d332b
TB		 28In this scenario two security gateways _moon_ and _sun_ will connect the
29two subnets _moon-net_ and _sun-net_ with each other through a VPN tunnel
a477d280
TB		 30set up between the two gateways:
31
32 10.1.0.0/16 -- | 192.168.0.1 | === | 192.168.0.2 | -- 10.2.0.0/16
33 moon-net moon sun sun-net
34
891d332b 35Configuration on gateway _moon_:
a477d280 36
7272fa0c
AS		 37 /etc/swanctl/x509ca/strongswanCert.pem
38 /etc/swanctl/x509/moonCert.pem
9587c1bf 39 /etc/swanctl/private/moonKey.pem
7272fa0c
AS		 40
41 /etc/swanctl/swanctl.conf:
42
43 connections {
44 net-net {
45 remote_addrs = 192.168.0.2
46
47 local {
48 auth = pubkey
49 certs = moonCert.pem
50 }
51 remote {
52 auth = pubkey
53 id = "C=CH, O=strongSwan, CN=sun.strongswan.org"
54 }
55 children {
56 net-net {
57 local_ts = 10.1.0.0/16
58 remote_ts = 10.2.0.0/16
59 start_action = trap
aad9021f 60 }
7272fa0c
AS		 61 }
62 }
63 }
a477d280 64
7272fa0c 65Configuration on gateway _sun_:
a477d280 66
7272fa0c
AS		 67 /etc/swanctl/x509ca/strongswanCert.pem
68 /etc/swanctl/x509/sunCert.pem
9587c1bf 69 /etc/swanctl/private/sunKey.pem
a477d280 70
7272fa0c 71 /etc/swanctl/swanctl.conf:
a477d280 72
7272fa0c
AS		 73 connections {
74 net-net {
75 remote_addrs = 192.168.0.1
a477d280 76
7272fa0c
AS		 77 local {
78 auth = pubkey
79 certs = sunCert.pem
80 }
81 remote {
82 auth = pubkey
83 id = "C=CH, O=strongSwan, CN=moon.strongswan.org"
84 }
85 children {
86 net-net {
87 local_ts = 10.2.0.0/16
88 remote_ts = 10.1.0.0/16
89 start_action = trap
aad9021f 90 }
7272fa0c
AS		 91 }
92 }
93 }
a477d280 94
7272fa0c
AS		 95The local and remote identities used in this scenario are the
96*subjectDistinguishedNames* contained in the end entity certificates.
97The certificates and private keys are loaded into the **charon** daemon with
98the command
a477d280 99
7272fa0c 100 swanctl --load-creds
a477d280 101
7272fa0c 102whereas
a477d280 103
7272fa0c 104 swanctl --load-conns
a477d280 105
7272fa0c
AS		 106loads the connections defined in `swanctl.conf`. With `start_action = trap` the
107IPsec connection is automatically set up with the first plaintext payload IP
108packet wanting to go through the tunnel.
a477d280 109
7272fa0c 110### Host-to-Host Case ###
a477d280
TB		 111
112This is a setup between two single hosts which don't have a subnet behind
113them. Although IPsec transport mode would be sufficient for host-to-host
114connections we will use the default IPsec tunnel mode.
115
116 | 192.168.0.1 | === | 192.168.0.2 |
117 moon sun
118
aad9021f 119Configuration on host _moon_:
7272fa0c
AS		 120
121 /etc/swanctl/x509ca/strongswanCert.pem
122 /etc/swanctl/x509/moonCert.pem
9587c1bf 123 /etc/swanctl/private/moonKey.pem
7272fa0c
AS		 124
125 /etc/swanctl/swanctl.conf:
126
127 connections {
128 host-host {
129 remote_addrs = 192.168.0.2
130
131 local {
132 auth=pubkey
133 certs = moonCert.pem
134 }
135 remote {
136 auth = pubkey
137 id = "C=CH, O=strongSwan, CN=sun.strongswan.org"
138 }
139 children {
140 net-net {
141 start_action = trap
142 }
143 }
144 }
145 }
a477d280 146
891d332b 147Configuration on host _sun_:
a477d280 148
7272fa0c
AS		 149 /etc/swanctl/x509ca/strongswanCert.pem
150 /etc/swanctl/x509/sunCert.pem
9587c1bf 151 /etc/swanctl/private/sunKey.pem
a477d280 152
7272fa0c 153 /etc/swanctl/swanctl.conf:
a477d280 154
7272fa0c
AS		 155 connections {
156 host-host {
157 remote_addrs = 192.168.0.1
a477d280 158
7272fa0c
AS		 159 local {
160 auth = pubkey
161 certs = sunCert.pem
162 }
163 remote {
164 auth = pubkey
165 id = "C=CH, O=strongSwan, CN=moon.strongswan.org"
166 }
167 children {
168 host-host {
169 start_action = trap
aad9021f 170 }
7272fa0c
AS		 171 }
172 }
173 }
a477d280 174
a477d280 175
7272fa0c 176### Roadwarrior Case ###
a477d280
TB		 177
178This is a very common case where a strongSwan gateway serves an arbitrary
179number of remote VPN clients usually having dynamic IP addresses.
180
181 10.1.0.0/16 -- | 192.168.0.1 | === | x.x.x.x |
182 moon-net moon carol
183
891d332b 184Configuration on gateway _moon_:
a477d280 185
7272fa0c
AS		 186 /etc/swanctl/x509ca/strongswanCert.pem
187 /etc/swanctl/x509/moonCert.pem
9587c1bf 188 /etc/swanctl/private/moonKey.pem
7272fa0c
AS		 189
190 /etc/swanctl/swanctl.conf:
191
192 connections {
193 rw {
194 local {
195 auth = pubkey
196 certs = moonCert.pem
197 id = moon.strongswan.org
198 }
199 remote {
200 auth = pubkey
201 }
202 children {
203 net-net {
204 local_ts = 10.1.0.0/16
205 }
206 }
207 }
208 }
a477d280 209
891d332b 210Configuration on roadwarrior _carol_:
a477d280 211
7272fa0c
AS		 212 /etc/swanctl/x509ca/strongswanCert.pem
213 /etc/swanctl/x509/carolCert.pem
9587c1bf 214 /etc/swanctl/private/carolKey.pem
7272fa0c
AS		 215
216 /etc/swanctl/swanctl.conf:
217
aad9021f 218 connections {
7272fa0c
AS		 219 home {
220 remote_addrs = moon.strongswan.org
221
222 local {
223 auth = pubkey
224 certs = carolCert.pem
225 id = carol@strongswan.org
226 }
227 remote {
228 auth = pubkey
229 id = moon.strongswan.org
230 }
231 children {
232 home {
233 local_ts = 10.1.0.0/16
234 start_action = start
235 }
236 }
237 }
238 }
239
240For `remote_addrs` the hostname `moon.strongswan.org` was chosen which will be
241resolved by DNS at runtime into the corresponding IP destination address.
242In this scenario the identity of the roadwarrior `carol` is the email address
243`carol@strongswan.org` which must be included as a *subjectAlternativeName* in
244the roadwarrior certificate `carolCert.pem`.
245
246
247### Roadwarrior Case with Virtual IP ###
a477d280
TB		 248
249Roadwarriors usually have dynamic IP addresses assigned by the ISP they are
891d332b
TB		 250currently attached to. In order to simplify the routing from _moon-net_ back
251to the remote access client _carol_ it would be desirable if the roadwarrior had
252an inner IP address chosen from a pre-defined pool.
a477d280
TB		 253
254 10.1.0.0/16 -- | 192.168.0.1 | === | x.x.x.x | -- 10.3.0.1
255 moon-net moon carol virtual IP
256
257In our example the virtual IP address is chosen from the address pool
7272fa0c 258`10.3.0.0/16` which can be configured by adding the section
a477d280 259
7272fa0c
AS		 260 pools {
261 rw_pool {
262 addrs = 10.3.0.0/16
263 }
264 }
a477d280 265
7272fa0c
AS		 266to the gateway's `swanctl.conf` from where they are loaded into the **charon**
267daemon using the command
a477d280 268
7272fa0c 269 swanctl --load-pools
a477d280 270
7272fa0c
AS		 271To request an IP address from this pool a roadwarrior can use IKEv1 mode config
272or IKEv2 configuration payloads. The configuration for both is the same
a477d280 273
7272fa0c 274 vips = 0.0.0.0
a477d280 275
7272fa0c 276Configuration on gateway _moon_:
a477d280 277
7272fa0c
AS		 278 /etc/swanctl/x509ca/strongswanCert.pem
279 /etc/swanctl/x509/moonCert.pem
9587c1bf 280 /etc/swanctl/private/moonKey.pem
7272fa0c
AS		 281
282 /etc/swanctl/swanctl.conf:
283
284 connections {
285 rw {
286 pools = rw_pool
287
288 local {
289 auth = pubkey
290 certs = moonCert.pem
291 id = moon.strongswan.org
292 }
293 remote {
294 auth = pubkey
295 }
296 children {
297 net-net {
298 local_ts = 10.1.0.0/16
299 }
300 }
301 }
302 }
303
304 pools {
305 rw_pool {
306 addrs = 10.30.0.0/16
307 }
308 }
a477d280 309
891d332b 310Configuration on roadwarrior _carol_:
a477d280 311
7272fa0c
AS		 312 /etc/swanctl/x509ca/strongswanCert.pem
313 /etc/swanctl/x509/carolCert.pem
9587c1bf 314 /etc/swanctl/private/carolKey.pem
7272fa0c
AS		 315
316 /etc/swanctl/swanctl.conf:
317
aad9021f 318 connections {
7272fa0c
AS		 319 home {
320 remote_addrs = moon.strongswan.org
321 vips = 0.0.0.0
322
323 local {
324 auth = pubkey
325 certs = carolCert.pem
326 id = carol@strongswan.org
327 }
328 remote {
329 auth = pubkey
330 id = moon.strongswan.org
331 }
332 children {
333 home {
334 local_ts = 10.1.0.0/16
335 start_action = start
336 }
337 }
338 }
339 }
340
341
342### Roadwarrior Case with EAP Authentication ###
a477d280 343
7272fa0c
AS		 344This is a very common case where a strongSwan gateway serves an arbitrary
345number of remote VPN clients which authenticate themselves via a password
346based *Extended Authentication Protocol* as e.g. *EAP-MD5* or *EAP-MSCHAPv2*.
a477d280 347
7272fa0c
AS		 348 10.1.0.0/16 -- | 192.168.0.1 | === | x.x.x.x |
349 moon-net moon carol
a477d280 350
7272fa0c 351Configuration on gateway _moon_:
a477d280 352
7272fa0c
AS		 353 /etc/swanctl/x509ca/strongswanCert.pem
354 /etc/swanctl/x509/moonCert.pem
9587c1bf 355 /etc/swanctl/private/moonKey.pem
7272fa0c
AS		 356
357 /etc/swanctl/swanctl.conf:
358
359 connections {
360 rw {
361 local {
362 auth = pubkey
363 certs = moonCert.pem
364 id = moon.strongswan.org
365 }
366 remote {
367 auth = eap-md5
368 }
369 children {
370 net-net {
371 local_ts = 10.1.0.0/16
372 }
373 }
374 send_certreq = no
375 }
376 }
377
378The `swanctl.conf` file additionally contains a `secrets` section defining all
379client credentials
380
aad9021f
TB		 381 secrets {
382 eap-carol {
383 id = carol@strongswan.org
384 secret = Ar3etTnp
385 }
386 eap-dave {
387 id = dave@strongswan.org
388 secret = W7R0g3do
389 }
390 }
a477d280 391
7272fa0c 392Configuration on roadwarrior _carol_:
a477d280 393
7272fa0c
AS		 394 /etc/swanctl/x509ca/strongswanCert.pem
395
396 /etc/swanctl/swanctl.conf:
397
aad9021f 398 connections {
7272fa0c
AS		 399 home {
400 remote_addrs = moon.strongswan.org
401
402 local {
403 auth = eap
404 id = carol@strongswan.org
405 }
406 remote {
407 auth = pubkey
408 id = moon.strongswan.org
409 }
410 children {
411 home {
412 local_ts = 10.1.0.0/16
413 start_action = start
414 }
415 }
416 }
417 }
418
aad9021f
TB		 419 secrets {
420 eap-carol {
421 id = carol@strongswan.org
422 secret = Ar3etTnp
423 }
424 }
7272fa0c
AS		 425
426
427### Roadwarrior Case with EAP Identity ###
428
429Often a client EAP identity is exchanged via EAP which differs from the
430external IKEv2 identity. In this example the IKEv2 identity defaults to
431the IPv4 address of the client.
a477d280 432
7272fa0c
AS		 433 10.1.0.0/16 -- | 192.168.0.1 | === | x.x.x.x |
434 moon-net moon carol
a477d280 435
7272fa0c 436Configuration on gateway _moon_:
a477d280 437
7272fa0c
AS		 438 /etc/swanctl/x509ca/strongswanCert.pem
439 /etc/swanctl/x509/moonCert.pem
9587c1bf 440 /etc/swanctl/private/moonKey.pem
7272fa0c
AS		 441
442 /etc/swanctl/swanctl.conf:
443
444 connections {
445 rw {
446 local {
447 auth = pubkey
448 certs = moonCert.pem
449 id = moon.strongswan.org
450 }
451 remote {
452 auth = eap-md5
453 eap_id = %any
454 }
455 children {
456 net-net {
457 local_ts = 10.1.0.0/16
458 }
459 }
460 send_certreq = no
461 }
462 }
463
aad9021f
TB		 464 secrets {
465 eap-carol {
466 id = carol
467 secret = Ar3etTnp
468 }
469 eap-dave {
470 id = dave
471 secret = W7R0g3do
472 }
473 }
a477d280 474
7272fa0c 475Configuration on roadwarrior _carol_:
a477d280 476
7272fa0c 477 /etc/swanctl/x509ca/strongswanCert.pem
a477d280 478
7272fa0c 479 /etc/swanctl/swanctl.conf:
a477d280 480
aad9021f 481 connections {
7272fa0c
AS		 482 home {
483 remote_addrs = moon.strongswan.org
a477d280 484
7272fa0c
AS		 485 local {
486 auth = eap
487 eap_id = carol
488 }
489 remote {
490 auth = pubkey
491 id = moon.strongswan.org
492 }
493 children {
494 home {
495 local_ts = 10.1.0.0/16
496 start_action = start
497 }
498 }
499 }
500 }
a477d280 501
aad9021f
TB		 502 secrets {
503 eap-carol {
504 id = carol
505 secret = Ar3etTnp
506 }
507 }
a477d280
TB		 508
509
7272fa0c 510## Generating Certificates and CRLs ##
a477d280 511
7272fa0c
AS		 512This section is not a full-blown tutorial on how to use the strongSwan **pki**
513tool. It just lists a few points that are relevant if you want to generate your
514own certificates and CRLs for use with strongSwan.
a477d280 515
a477d280 516
7272fa0c 517### Generating a CA Certificate ###
a477d280 518
7272fa0c 519The pki statement
a477d280 520
7272fa0c 521 pki --gen --type ed25519 --outform pem > strongswanKey.pem
a477d280 522
7272fa0c
AS		 523generates an elliptic Edwards-Curve key with a cryptographic strength of 128
524bits. The corresponding public key is packed into a self-signed CA certificate
525with a lifetime of 10 years (3652 days)
a477d280 526
7272fa0c
AS		 527 pki --self --ca --lifetime 3652 --in strongswanKey.pem \
528 --dn "C=CH, O=strongSwan, CN=strongSwan Root CA" \
529 --outform pem > strongswanCert.pem
a477d280 530
7272fa0c 531which can be listed with the command
a477d280 532
7272fa0c 533 pki --print --in strongswanCert.pem
a477d280 534
7272fa0c
AS		 535 subject: "C=CH, O=strongSwan, CN=strongSwan Root CA"
536 issuer: "C=CH, O=strongSwan, CN=strongSwan Root CA"
537 validity: not before May 18 08:32:06 2017, ok
538 not after May 18 08:32:06 2027, ok (expires in 3651 days)
539 serial: 57:e0:6b:3a:9a:eb:c6:e0
540 flags: CA CRLSign self-signed
541 subjkeyId: 2b:95:14:5b:c3:22:87:de:d1:42:91:88:63:b3:d5:c1:92:7a:0f:5d
542 pubkey: ED25519 256 bits
543 keyid: a7:e1:6a:3f:e7:6f:08:9d:89:ec:23:92:a9:a1:14:3c:78:a8:7a:f7
544 subjkey: 2b:95:14:5b:c3:22:87:de:d1:42:91:88:63:b3:d5:c1:92:7a:0f:5d
a477d280 545
7272fa0c
AS		 546If you prefer the CA private key and X.509 certificate to be in binary DER format
547then just omit the `--outform pem` option. The directory `/etc/swanctl/x509ca`
548contains all required CA certificates either in binary DER or in Base64 PEM
549format. Irrespective of the file suffix the correct format will be determined
550by strongSwan automagically.
a477d280 551
a477d280 552
7272fa0c 553### Generating a Host or User End Entity Certificate ###
a477d280 554
7272fa0c 555Again we are using the command
a477d280 556
7272fa0c 557 pki --gen --type ed25519 --outform pem > moonKey.pem
a477d280 558
7272fa0c
AS		 559to generate an Ed25519 private key for the host `moon`. Alternatively you could
560type
a477d280 561
7272fa0c 562 pki --gen --type rsa --size 3072 > moonKey.der
a477d280 563
7272fa0c
AS		 564to generate a traditional 3072 bit RSA key and store it in binary DER format.
565As an alternative a **TPM 2.0** *Trusted Platform Module* available on every
566recent Intel platform could be used as a virtual smartcard to securely store an
567RSA or ECDSA private key. For details, refer to the TPM 2.0
568[HOWTO](https://wiki.strongswan.org/projects/strongswan/wiki/TpmPlugin).
a477d280 569
7272fa0c 570In a next step the command
a477d280 571
7272fa0c
AS		 572 pki --req --type priv --in moonKey.pem \
573 --dn "C=CH, O=strongswan, CN=moon.strongswan.org \
92001d1e 574 --san moon.strongswan.org --outform pem > moonReq.pem
a477d280 575
7272fa0c
AS		 576creates a PKCS#10 certificate request that has to be signed by the CA.
577Through the [multiple] use of the `--san` parameter any number of desired
578*subjectAlternativeNames* can be added to the request. These can be of the
579form
a477d280 580
7272fa0c
AS		 581 --san sun.strongswan.org # fully qualified host name
582 --san carol@strongswan.org # RFC822 user email address
583 --san 192.168.0.1 # IPv4 address
584 --san fec0::1 # IPv6 address
a477d280 585
7272fa0c
AS		 586Based on the certificate request the CA issues a signed end entity certificate
587with the following command
a477d280 588
7272fa0c
AS		 589 pki --issue --cacert strongswanCert.pem --cakey strongswanKey.pem \
590 --type pkcs10 --in moonReq.pem --serial 01 --lifetime 1826 \
591 --outform pem > moonCert.pem
a477d280 592
7272fa0c
AS		 593If the `--serial` parameter with a hexadecimal argument is omitted then a random
594serial number is generated. Some third party VPN clients require that a VPN
595gateway certificate contains the *TLS Server Authentication* Extended Key Usage
596(EKU) flag which can be included with the following option
a477d280 597
7272fa0c 598 --flag serverAuth
a477d280 599
7272fa0c
AS		 600If you want to use the dynamic CRL fetching feature described in one of the
601following sections then you may include one or several *crlDistributionPoints*
602in your end entity certificates using the `--crl` parameter
603
604 --crl http://crl.strongswan.org/strongswan.crl
605 --crl "ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=strongSwan,c=CH?certificateRevocationList"
606
607The issued host certificate can be listed with
608
609 pki --print --in moonCert.pem
610
611 subject: "C=CH, O=strongSwan, CN=moon.strongswan.org"
612 issuer: "C=CH, O=strongSwan, CN=strongSwan Root CA"
613 validity: not before May 19 10:28:19 2017, ok
614 not after May 19 10:28:19 2022, ok (expires in 1825 days)
615 serial: 01
616 altNames: moon.strongswan.org
617 flags: serverAuth
618 CRL URIs: http://crl.strongswan.org/strongswan.crl
619 authkeyId: 2b:95:14:5b:c3:22:87:de:d1:42:91:88:63:b3:d5:c1:92:7a:0f:5d
620 subjkeyId: 60:9d:de:30:a6:ca:b9:8e:87:bb:33:23:61:19:18:b8:c4:7e:23:8f
621 pubkey: ED25519 256 bits
622 keyid: 39:1b:b3:c2:34:72:1a:01:08:40:ce:97:75:b8:be:ce:24:30:26:29
623 subjkey: 60:9d:de:30:a6:ca:b9:8e:87:bb:33:23:61:19:18:b8:c4:7e:23:8f
624
625Usually, a Windows, OSX, Android or iOS based VPN client needs its private key,
626its host or user certificate and the CA certificate. The most convenient way
891d332b 627to load this information is to put everything into a PKCS#12 container:
a477d280 628
7272fa0c
AS		 629 openssl pkcs12 -export -inkey carolKey.pem \
630 -in carolCert.pem -name "carol" \
631 -certfile strongswanCert.pem -caname "strongSwan Root CA" \
632 -out carolCert.p12
633
634The strongSwan **pki** tool currently is not able to create PKCS#12 containers
635so that **openssl** must be used.
a477d280
TB		 636
637
891d332b 638### Generating a CRL ###
a477d280
TB		 639
640An empty CRL that is signed by the CA can be generated with the command
641
7272fa0c
AS		 642 pki --signcrl --cacert strongswanCert.pem --cakey strongswanKey.pem \
643 --lifetime 30 > strongswan.crl
a477d280 644
7272fa0c
AS		 645If you omit the `--lifetime` option then the default value of 15 days is used.
646CRLs can either be uploaded to a HTTP or LDAP server or put in binary DER or
647Base64 PEM format into the `/etc/swanctl/x509crl` directory from where they are
648loaded into the **charon** daemon with the command
a477d280 649
7272fa0c 650 swanctl --load-creds
a477d280 651
a477d280 652
7272fa0c 653### Revoking a Certificate ###
a477d280 654
7272fa0c 655A specific end entity certificate is revoked with the command
a477d280 656
7272fa0c
AS		 657 pki --signcrl --cacert strongswanCert.pem --cakey strongswanKey.pem \
658 --lifetime 30 --lastcrl strongswan.crl \
659 --reason key-compromise --cert moonCert.pem > new.crl
a477d280 660
7272fa0c
AS		 661Instead of the certificate file (in our example moonCert.pem), the serial number
662of the certificate to be revoked can be indicated using the `--serial`
663parameter. The `pki --signcrl --help` command documents all possible revocation
664reasons but the `--reason` parameter can also be omitted. The content of the new
665CRL file can be listed with the command
891d332b 666
7272fa0c 667 pki --print --type crl --in new.crl
891d332b 668
7272fa0c
AS		 669 issuer: "C=CH, O=strongSwan, CN=strongSwan Root CA"
670 update: this on May 19 11:13:01 2017, ok
671 next on Jun 18 11:13:01 2017, ok (expires in 29 days)
672 serial: 02
673 authKeyId: 2b:95:14:5b:c3:22:87:de:d1:42:91:88:63:b3:d5:c1:92:7a:0f:5d
674 1 revoked certificate:
675 01: May 19 11:13:01 2017, key compromise
a477d280 676
a477d280 677
7272fa0c 678### Local Caching of CRLs ###
a477d280 679
7272fa0c 680The `strongswan.conf` option
a477d280 681
7272fa0c
AS		 682 charon {
683 cache_crls = yes
684 }
a477d280
TB		 685
686activates the local caching of CRLs that were dynamically fetched from an
7272fa0c
AS		 687HTTP or LDAP server. Cached copies are stored in `/etc/swanctl/x509crl` using a
688unique filename formed from the issuer's *subjectKeyIdentifier* and the
891d332b 689suffix `.crl`.
a477d280
TB		 690
691With the cached copy the CRL is immediately available after startup. When the
7272fa0c
AS		 692local copy has become stale, an updated CRL is automatically fetched from one of
693the defined CRL distribution points during the next IKEv2 authentication.
Unnamed repository; edit this file 'description' to name the repository.