Netgate Discussion Forum

    IPSEC is not using CRL

    2.0-RC Snapshot Feedback and Problems - RETIRED
    12 Posts 2 Posters 4.4k Views
    • jimp (Rebel Alliance Developer, Netgate)

      The IPsec code needs adjusting to add that in, but as you see it wasn't as easy as it is with OpenVPN. It takes some additional hoop jumping there to make it happen the way racoon wants.

      Open a feature request on redmine.pfsense.org and if someone can code up a fix it'll make it in. It may be too late to add it and make sure it works for 2.0 though, it may have to wait for 2.1.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      • MaxHeadroom

        Hi
        The problem is I can't find where pfSense stores all the certs and keys, especially the CA key (and the description name), on the filesystem.

        My workaround is with XCA: export all certs & keys, then create a CRL with a lifetime of 10 years and create/import it to /var/etc/"hash-of-ca".r0 -> it works perfectly.

        The same on the console looks like:
        # issue the CRL from the CA key and cert, valid for xxx days
        openssl ca -gencrl -crldays xxx -keyfile ca_key -cert ca_crt -out my_crl.pem
        # link it under the issuer-hash name racoon looks up ("hash-of-ca".r0)
        ln -s -f my_crl.pem "$(openssl crl -noout -hash -in my_crl.pem).r0"

        regards max

        • jimp (Rebel Alliance Developer, Netgate)

          They aren't stored separately on the filesystem, they're stored in the config like all other settings.

          • MaxHeadroom

            Is there a script which creates and extracts the CA to the filesystem with the name "hash-of-ca".0 and, if so, what's the name/path of the script?

            regards max

            • jimp (Rebel Alliance Developer, Netgate)

              No there is no script. If there was, we'd probably already have IPsec using it. The code you're after just doesn't exist yet. Someone will either have to write it or sponsor it (either with a bounty or requesting it be done via commercial support), or wait until someone else has enough time to get to it.

              • MaxHeadroom

                So how the hell does pfSense create the needed 'ca-hash-name'.0 file if I select the cert for my IPsec config?
                racoon uses this file 'ca-hash-name'.0 and also, if available, a CRL with the name 'ca-hash-name'.r0
                There must be a helper for this..

                regards max

                • jimp (Rebel Alliance Developer, Netgate)

                  It's in the code that writes out the racoon config. It's not a separate script.

                  • MaxHeadroom

                    So it is possible to write out the CRL (maybe with the same name) at the same time.
                    Only the lifetime for the CRL should be extended.

                    Do you know where the code is that writes that out?
                    regards max

                    • jimp (Rebel Alliance Developer, Netgate)

                      The lifetime of the CRL is already handled in the GUI when making the CRL.

                      Just writing out the CRL isn't enough though, because the GUI supports multiple CRLs per CA, and the hash-of-ca method only lets you have one, you can't just write them all out. The GUI will need a field to pick a CRL.

                      But otherwise, yes, it can be written out then.

                      As I said, it's possible, someone just needs to take the time to write the code, or sponsor the code.

                      • MaxHeadroom

                        Hi
                        the lifetime is too short and should be settable :-)
                        See first post:
                        my test of copying the internally generated CRL to /var/etc/'hashed-name-for-ca'.r0
                        ends up with "CRL has expired"

                        • jimp (Rebel Alliance Developer, Netgate)

                          And as I said, the lifetime is settable when you make the CRL in the GUI. If that isn't working there is another problem elsewhere. It works with OpenVPN so I'm not sure what racoon is complaining about. Feel free to research it more.

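As an added example (not code from this thread or from pfSense), the script below reproduces MaxHeadroom's console workaround end to end and then shows what lies behind the two points the thread goes back and forth on: whether racoon's "CRL has expired" is a CRL-lifetime problem, and whether the CRL under the hashed name is actually being consulted. It builds a throwaway CA and peer certificate, issues a CRL with a chosen lifetime, links both under the <hash>.0 / <hash>.r0 names, and runs openssl verify against that directory: once now, once at a date past the CRL's nextUpdate, and once after revoking the peer. It assumes openssl is on PATH; the working directory, every file name and $CERTDIR (standing in for /var/etc) are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from pfSense. Builds a throwaway CA
# and peer certificate, issues a CRL with a chosen lifetime, installs both under the
# <hash>.0 / <hash>.r0 names racoon expects, and checks the result with openssl verify.
# Assumptions: openssl is on PATH; every path and name below is constructed for the
# example, and $CERTDIR stands in for /var/etc on pfSense.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CERTDIR="$WORK/certs"
mkdir -p "$CERTDIR"

# Self-signed CA plus one peer certificate signed by it (constructed test data).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Example Test CA" \
        -keyout "$WORK/ca_key.pem" -out "$WORK/ca_crt.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example-peer" \
        -keyout "$WORK/peer_key.pem" -out "$WORK/peer.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/peer.csr" -CA "$WORK/ca_crt.pem" -CAkey "$WORK/ca_key.pem" \
        -CAcreateserial -days 3650 -out "$WORK/peer_crt.pem" 2>/dev/null
}

# Issue a CRL valid for $1 days. "openssl ca -gencrl" needs a config with an index
# database and a CRL number file; both start out empty (no revoked entries).
make_crl() {
    [ -f "$WORK/index.txt" ] || : > "$WORK/index.txt"
    [ -f "$WORK/crlnumber" ] || echo 01 > "$WORK/crlnumber"
    cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = test_ca
[ test_ca ]
database   = $WORK/index.txt
crlnumber  = $WORK/crlnumber
default_md = sha256
EOF
    openssl ca -config "$WORK/ca.cnf" -gencrl -crldays "$1" \
        -keyfile "$WORK/ca_key.pem" -cert "$WORK/ca_crt.pem" \
        -out "$WORK/my_crl.pem" 2>/dev/null
}

# The CA's subject-name hash and the CRL's issuer-name hash are the same value, which is
# what lets the CRL sit beside its CA as <hash>.r0. A racoon linked against OpenSSL 0.9.8
# uses the older hash form, which current openssl prints with -subject_hash_old / -hash_old.
ca_hash()  { openssl x509 -noout -subject_hash -in "$WORK/ca_crt.pem"; }
crl_hash() { openssl crl  -noout -hash         -in "$WORK/my_crl.pem"; }

# Link CA and CRL into the lookup directory and print the hash that names them.
install_files() {
    h="$(ca_hash)"
    ln -s -f "$WORK/ca_crt.pem" "$CERTDIR/$h.0"
    ln -s -f "$WORK/my_crl.pem" "$CERTDIR/$h.r0"
    echo "$h"
}

# Verify the peer certificate with CRL checking against $CERTDIR, evaluated as of
# "now + $1 days" (-attime). openssl's own -CApath lookup uses the same <hash>.0 /
# <hash>.r0 convention, so this exercises the directory the way racoon will. Prints the
# diagnostics and returns openssl's status; a CRL whose nextUpdate has passed yields
# "CRL has expired".
verify_at() {
    at=$(( $(date +%s) + $1 * 86400 ))
    openssl verify -crl_check -CApath "$CERTDIR" -attime "$at" "$WORK/peer_crt.pem" 2>&1
}

# Revoke the peer certificate and reissue the CRL, so a CRL that is actually being
# consulted now rejects the peer.
revoke_peer() {
    openssl ca -config "$WORK/ca.cnf" -keyfile "$WORK/ca_key.pem" -cert "$WORK/ca_crt.pem" \
        -revoke "$WORK/peer_crt.pem" 2>/dev/null
    make_crl 365
}

# Run with "demo" as the first argument to walk through the scenario.
if [ "${1:-}" = "demo" ]; then
    make_ca; make_crl 365; install_files
    verify_at 0   || true   # verifies OK
    verify_at 400 || true   # "CRL has expired": the 365-day CRL is stale by then
    revoke_peer
    verify_at 0   || true   # "certificate revoked"
fi
```

Run it as `sh crl_demo.sh demo`, or source it and call the functions one at a time. Two things matter when carrying this over to a real box: openssl verify's -CApath lookup reads exactly the <hash>.0 / <hash>.r0 layout racoon reads, so it is a quick way to test the directory (and the CRL's lifetime) before touching the IPsec config; and the subject-name hash changed in OpenSSL 1.0.0, so if the consumer is linked against 0.9.8 the file names must come from -subject_hash_old / -hash_old instead, or the CA and CRL will simply never be found.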