This test verifies that the remote user carol and the gateway moon fetch a CRL over HTTP, and that moon rejects the revoked certificate that carol presents. The HTTP server that hosts the CRL is winnetou (IP address 192.168.0.150). The topology of this test is as follows:
Configuration of host carol
carol's configuration file is ikev2/crl-revoked/hosts/carol/etc/ipsec.conf, shown below. Note strictcrlpolicy=yes in the config setup section: it turns on strict CRL checking, meaning that a peer is not authenticated unless a fresh CRL for its certificate can be obtained; with the default strictcrlpolicy=no a missing CRL would only be logged.
config setup
    strictcrlpolicy=yes

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1

conn home
    left=PH_IP_CAROL
    leftcert=carolCert.pem
    leftid=
    right=PH_IP_MOON
    rightsubnet=10.1.0.0/16
    rightid=@moon.strongswan.org
    keyexchange=ikev2
    auto=add
The ipsec.secrets file below names carolKey.pem as the RSA private key; the default directory for it is ikev2/crl-revoked/hosts/carol/etc/ipsec.d/private/.
$ cat ikev2/crl-revoked/hosts/carol/etc/ipsec.secrets
# /etc/ipsec.secrets - strongSwan IPsec secrets file

: RSA carolKey.pem
The content of carol's certificate is shown below. Note the serial number, 8: a certificate is revoked by listing its serial number on the CRL, so this is the value to look for later.
$ openssl x509 -in ikev2/crl-revoked/hosts/carol/etc/ipsec.d/certs/carolCert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 8 (0x8)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CH, O = strongSwan Project, CN = strongSwan Root CA
        Validity
            Not Before: Sep 14 08:37:52 2019 GMT
            Not After : Sep 14 08:37:52 2027 GMT
        Subject: C = CH, O = strongSwan Project, OU = Research, CN =
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (3072 bit)
                Modulus:
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:7E:A0:7B:77:A5:91:58:79:DF:35:EB:4E:FC:0F:B6:B8:68:AE:A2:47
            X509v3 Subject Alternative Name:
                email:
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl.strongswan.org/strongswan.crl
    Signature Algorithm: sha256WithRSAEncryption
         ...
carol's strongswan.conf (ikev2/crl-revoked/hosts/carol/etc/strongswan.conf) is shown below. The plugin list includes the revocation plugin, which performs the CRL (and OCSP) checks during certificate validation, and the curl plugin, which is what actually fetches the CRL from the HTTP URI in the certificate's CRL distribution point.
charon {
  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
}
The gateway moon's ipsec.conf and strongswan.conf (under ikev2/crl-revoked/hosts/moon/etc/) are essentially the same as carol's above and are not listed here.
Test preparation phase
The file ikev2/crl-revoked/pretest.dat contains the commands that start the IPsec daemons and bring up the connection:

moon::ipsec start
carol::ipsec start
moon::expect-connection rw
carol::expect-connection home
carol::ipsec up home
Test phase
The file ikev2/crl-revoked/evaltest.dat holds the checks. They assert that the rw connection on moon and the home connection on carol are not ESTABLISHED (the SA cannot be set up in this test), that the charon log on moon records the certificate as revoked, and that the charon log on carol records the AUTHENTICATION_FAILED notify from moon.
moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED::NO
carol::ipsec status 2> /dev/null::home.*ESTABLISHED::NO
moon:: cat /var/log/daemon.log::certificate was revoked::YES
carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
Below is an excerpt from the charon log on moon. charon first fetches the CRL strongswan.crl from the HTTP server, then checks that the CRL is correctly signed by the trusted root CA and is still within its validity period, and finally finds that the peer's certificate has been revoked. Because the only certificate for the peer's identity is now untrusted, charon reports that no trusted RSA public key was found and answers the IKE_AUTH request with an AUTH_FAILED notify.
moon charon: 11[CFG] fetching crl from 'http://crl.strongswan.org/strongswan.crl' ...
moon charon: 11[CFG] using trusted certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
moon charon: 11[CFG] crl correctly signed by "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
moon charon: 11[CFG] crl is valid: until Nov 15 03:32:58 2019
moon charon: 11[CFG] certificate was revoked on Sep 18 09:33:15 UTC 2019, reason: key compromise
moon charon: 11[IKE] no trusted RSA public key found for ''
moon charon: 11[IKE] peer supports MOBIKE
moon charon: 11[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
carol's certificate has serial number 8, as shown above. In the CRL below, the Revoked Certificates list contains serial number 08 with the reason Key Compromise, which is the same reason reported in moon's charon log.
$ openssl crl -inform der -in strongswan.crl -text -noout
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CH, O = strongSwan Project, CN = strongSwan Root CA
        Last Update: Oct 31 03:32:58 2019 GMT
        Next Update: Nov 15 03:32:58 2019 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
                keyid:AD:B3:64:FB:EA:A3:4E:B9:F2:74:E7:CD:F2:B1:F3:59:E7:90:33:B0
            X509v3 CRL Number:
                3
Revoked Certificates:
    Serial Number: 08
        Revocation Date: Sep 18 09:33:15 2019 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Key Compromise
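The following is an added example; it is not part of the strongSwan test case or of this page. It reproduces moon's revocation decision on a single host with nothing but openssl: a throw-away root CA (a stand-in for the strongSwan Root CA; all keys and subject names below are made up) issues a certificate with serial number 8, revokes it with reason keyCompromise, signs a CRL, and a CRL-aware verify then rejects serial 8, accepts an unrevoked serial 9 and, like strictcrlpolicy=yes, rejects a peer when no CRL is available at all. The CDP URI in the end-entity profile is copied from carolCert.pem above but is never fetched; everything runs offline in a temporary directory and assumes openssl 1.1.1 or 3.x on PATH.

```shell
#!/bin/sh
# Added example, not part of the strongSwan test case or of this page.
# Stand-in PKI: root CA -> serial 8 (carol, revoked) and serial 9 (dave).
# Assumes openssl 1.1.1 or 3.x on PATH; runs offline in a temp directory.

WORK=$(mktemp -d) || exit 1
trap 'rm -rf "$WORK"' EXIT
cd "$WORK" || exit 1

run() { "$@" >/dev/null 2>&1 || { echo "failed: $*" >&2; exit 1; }; }

# One config file serves "openssl req" (keys, CSRs, self-signed CA),
# "openssl x509" (end-entity profile with the same CDP URI as carolCert.pem)
# and "openssl ca" (revocation database and CRL generation).
cat > pki.cnf <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_ee ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
authorityKeyIdentifier = keyid
crlDistributionPoints = URI:http://crl.strongswan.org/strongswan.crl
[ crl_ext ]
authorityKeyIdentifier = keyid
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $WORK/index.txt
new_certs_dir = $WORK
serial = $WORK/serial
crlnumber = $WORK/crlnumber
certificate = $WORK/ca.pem
private_key = $WORK/ca.key
default_md = sha256
default_crl_days = 15
crl_extensions = crl_ext
policy = policy_any
[ policy_any ]
commonName = supplied
EOF
: > index.txt
echo 01 > serial
echo 01 > crlnumber

# Root CA (made-up stand-in for "strongSwan Root CA").
run openssl req -x509 -config pki.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout ca.key -out ca.pem -days 30 \
    -subj "/C=CH/O=strongSwan Project/CN=strongSwan Root CA"

# issue NAME SERIAL CN: end-entity certificate with an explicit serial number.
issue() {
    run openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
        -keyout "$1.key" -out "$1.csr" -subj "/C=CH/O=strongSwan Project/CN=$3"
    run openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -set_serial "$2" \
        -days 30 -extfile pki.cnf -extensions v3_ee -out "$1.pem"
}
issue carol 8 carol@strongswan.org
issue dave  9 dave@strongswan.org

# Revoke serial 8 for key compromise and sign a CRL, as the CA operator does
# before publishing strongswan.crl on the HTTP server.
run openssl ca -config pki.cnf -revoke carol.pem -crl_reason keyCompromise
run openssl ca -config pki.cnf -gencrl -out crl.pem

# check_peer CERT [CRL]: the gateway's decision for one peer certificate.
# -crl_check makes openssl insist on a CRL for the leaf, which matches the
# strictcrlpolicy=yes behaviour: no CRL means no authentication.
check_peer() {
    if [ -n "$2" ]; then
        out=$(openssl verify -crl_check -CAfile ca.pem -CRLfile "$2" "$1" 2>&1) || :
    else
        out=$(openssl verify -crl_check -CAfile ca.pem "$1" 2>&1) || :
    fi
    case "$out" in
        *"certificate revoked"*)           echo revoked ;;
        *"unable to get certificate CRL"*) echo no-crl ;;
        *": OK"*)                          echo ok ;;
        *)                                 echo "error: $out" ;;
    esac
}

# crl_reason_for CRL SERIAL_HEX: the reason code recorded for that entry,
# read from the same "openssl crl -text" layout shown on this page.
crl_reason_for() {
    openssl crl -in "$1" -text -noout | awk -v s="Serial Number: $2\$" '
        $0 ~ s { hit = 1 }
        hit && /CRL Reason Code/ { getline; sub(/^[ \t]+/, ""); print; exit }'
}

echo "carol, serial 8, on the CRL:      $(check_peer carol.pem crl.pem)"
echo "dave,  serial 9, not on the CRL:  $(check_peer dave.pem crl.pem)"
echo "dave,  no CRL reachable (strict): $(check_peer dave.pem)"
echo "CRL reason for serial 08:         $(crl_reason_for crl.pem 08)"
```

Run it with sh; the three check_peer lines print revoked, ok and no-crl, and crl_reason_for prints Key Compromise. The third case is the operational caveat of strictcrlpolicy=yes: if winnetou or the CDP URL is unreachable, every peer fails authentication, not only the one with the revoked certificate, so the CRL server becomes part of the availability picture of the VPN.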
The message exchange is as follows:

strongSwan version under test: 5.8.1
Please retain the source when reposting: https://51itzy.com/kjqy/55604.html