Some tips for strongSwan.
- Workaround for CRL retrieval timeout
In /etc/strongswan/strongswan.conf, inside the charon section, append the following line after load_modular = yes. The option is the number of seconds an IKE_SA may stay half-open; the default is 30, so a slow CRL fetch during IKE_AUTH can let the SA time out before authentication completes. Raising it also lengthens the window in which an unauthenticated peer can hold a half-open SA, so keep it as low as your CRL fetch allows:
half_open_timeout = 300
- Deal with ca-bundle or intermediate certificates
In short, extract each certificate into its own file, since strongSwan loads only one certificate per file.
Take the following issuer chain as an example:
The intermediate certificates to be extracted are COMODORSADomainValidationSecureServerCA.pem and COMODORSACertificationAuthority.pem (listed bottom-up, from the leaf's issuer towards the root).
Then put these files into ../ipsec.d/cacerts/ (not aacerts/, which holds authorization-authority certificates for attribute certificates) and restart the daemon, or run ipsec rereadcacerts.
Finally, the loaded certificates can be checked with ipsec listcacerts.
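The splitting step above, done as a script. This is an added example, not code from the original post or from the strongSwan project; the function and file names are this example's own choices, and the sample bundle it writes is constructed with placeholder bodies, not real certificates.

```shell
#!/bin/sh
# Added example (not from the original post or strongSwan): split a PEM bundle
# (a CA bundle or a server chain file) into one certificate per file, the
# layout strongSwan expects in ipsec.d/cacerts/. Names here are assumptions.

# split_pem_bundle BUNDLE OUTDIR
# Copies every BEGIN..END CERTIFICATE block of BUNDLE into OUTDIR/cert-NN.pem,
# in bundle order (NN starts at 01). Text outside the markers, such as the
# "subject=" / "issuer=" lines some tools emit, is dropped. Returns non-zero
# if the bundle contained no certificate at all.
split_pem_bundle() {
    bundle="$1"
    outdir="$2"
    mkdir -p "$outdir" || return 1
    awk -v dir="$outdir" '
        /^-----BEGIN CERTIFICATE-----/ {
            n++
            out = sprintf("%s/cert-%02d.pem", dir, n)
            inside = 1
        }
        inside { print > out }
        /^-----END CERTIFICATE-----/ {
            inside = 0
            close(out)      # flush; inside=0 keeps later text from reopening it
        }
        END { exit (n == 0) }
    ' "$bundle"
}

# pem_cert_count FILE: number of certificates in FILE (one per BEGIN marker).
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# name_by_cn DIR: rename DIR/cert-NN.pem after each subject CN, so the files
# read like the ones named in the post. Needs openssl; numeric names are kept
# when it is missing.
name_by_cn() {
    command -v openssl >/dev/null 2>&1 || {
        echo "openssl not found, keeping numeric names" >&2
        return 1
    }
    for f in "$1"/cert-*.pem; do
        cn=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 \
             | sed -n 's/.*CN=\([^,]*\).*/\1/p' | tr -c 'A-Za-z0-9._\n' '_')
        [ -n "$cn" ] && mv "$f" "$1/$cn.pem"
    done
}

# write_sample_bundle FILE: a constructed three-certificate bundle (leaf,
# intermediate, root) for trying the splitter offline. The bodies are
# placeholders, not real certificates: do not feed them to openssl or charon.
write_sample_bundle() {
    cat > "$1" <<'EOF'
subject=CN=example.org
issuer=CN=Example Domain Validation CA
-----BEGIN CERTIFICATE-----
LEAFPLACEHOLDERAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END CERTIFICATE-----
subject=CN=Example Domain Validation CA
issuer=CN=Example Root CA
-----BEGIN CERTIFICATE-----
INTERMEDIATEPLACEHOLDERAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END CERTIFICATE-----
subject=CN=Example Root CA
issuer=CN=Example Root CA
-----BEGIN CERTIFICATE-----
ROOTPLACEHOLDERAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END CERTIFICATE-----
EOF
}

# Run directly as:  sh split_bundle.sh chain.pem /etc/ipsec.d/cacerts
# Afterwards keep only the intermediate and root CA files there, not the leaf.
if [ "$#" -eq 2 ] && [ -f "$1" ]; then
    split_pem_bundle "$1" "$2" && name_by_cn "$2"
fi
```

Run it against the real chain file, delete the leaf certificate from the output directory, and the remaining files are the ones to place in cacerts/ before ipsec rereadcacerts.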
- To be continued…