Tuesday, November 5, 2019

IPSec Certificate based authentication, CRL clarification

Hoping someone knows the answer to this, as I'm struggling with my google-fu.

Currently testing an IPsec deployment using certificate-based authentication with SCEP. Enrolling the cert with SCEP works fine, and IKEv2 authentication is working with the certs.

The issue I am having is this: if I revoke a certificate and the firewall updates the CRL, it knows the remote peer certificate is now invalid. But what I have observed is that the tunnels still remain up; my thinking was that the tunnels should go down.

It's only when I do a reset of the IPsec tunnel (clearing the SA) that the IKE authentication fails, because it sees the remote cert is in the CRL.

I'm testing on Huawei USGs, but even checking the Cisco and Juniper docs doesn't give me any clues as to whether the tunnels should go down dynamically.
