- •Table of Contents
- •Preface
- •What This Book Covers
- •What You Need for This Book
- •Conventions
- •Reader Feedback
- •Customer Support
- •Errata
- •Questions
- •The Need for Cryptography
- •Privacy
- •Security
- •A History of the Internet
- •Holding the Internet Together
- •The Creation of ICANN
- •ICANN Bypassed
- •The Root Name Servers
- •Running the Top-Level Domains
- •History of Internet Engineering
- •The Internet Engineering Task Force (IETF)
- •RFCs—Requests For Comments
- •IETF and Crypto
- •The War on Crypto
- •Dual Use
- •Public Cryptography
- •The Escrowed Encryption Standard
- •Export Laws
- •The Summer of '97
- •The EFF DES Cracker
- •Echelon
- •The End of the Export Restrictions
- •Free Software
- •Free as in Verifiable
- •The Open Source Movement
- •The History of Openswan
- •IETF Troubles over DNS
- •Super FreeS/WAN
- •The Arrival of Openswan
- •NETKEY
- •Further Reading
- •Using Openswan
- •Copyright and License Conditions
- •Writing and Contributing Code
- •Legality of Using Openswan
- •International Agreements
- •International Law and Hosting Openswan
- •Unrecognized International Claims
- •Patent Law
- •Expired and Bogus Patents
- •Useful Legal Links
- •Summary
- •A Very Brief Overview of Cryptography
- •Valid Packet Rewriting
- •Ciphers
- •Algorithms
- •Uniqueness
- •Public-Key Algorithms
- •Exchanging Public Keys
- •Digital Signatures
- •Diffie-Hellman Key Exchange
- •Avoiding the Man in the Middle
- •Session Keys
- •Crypto Requirements for IPsec
- •IPsec: A Suite of Protocols
- •Kernel Mode: Packet Handling
- •Authentication Header (AH)
- •Encapsulated Security Payload (ESP)
- •Transport and Tunnel Mode
- •Choosing the IPsec Mode and Type
- •The Kernel State
- •Encryption Details
- •Manual Keying
- •Final Note on Protocols and Ports
- •Usermode: Handling the Trust Relationships
- •The IKE Protocol
- •Phase 1: Creating the ISAKMP SA
- •Phase 2: Quick Mode
- •The NAT Problem
- •Summary
- •Linux Distributions
- •Debian
- •SuSE
- •Slackware
- •Gentoo
- •Linux 'Router' Distributions
- •Deciding on the Userland
- •Pluto
- •Racoon
- •Isakmpd
- •More Reasons to Pick Pluto
- •Choosing the Kernel IPsec Stack
- •KLIPS, the Openswan Stack
- •ipsecX Interfaces
- •First Packet Caching
- •Path MTU Discovery
- •KLIPS' Downside
- •NETKEY, the 2.6 IPsec Stack
- •The USAGI / SuSE IPsec Stack
- •Making the Choice
- •GPL Compliance and KLIPS
- •Binary Installation of the Openswan Userland
- •Checking for Old Versions
- •Installing the Binary Package for Openswan
- •Building from Source
- •Using RPM-based Distributions
- •Rebuilding the Openswan Userland
- •Building src.rpm from Scratch
- •Openswan Options
- •Building the Openswan Userland from Source
- •Downloading the Source Code
- •Configuring the Userland Tools
- •Optional Features
- •Compile Flags
- •File Path Options
- •Obscure Pluto Options
- •Compiling and Installing
- •Binary Installation of KLIPS
- •Building KLIPS from Source
- •Kernel Prerequisites
- •Identifying your Kernel's Abilities
- •Using Both KLIPS and NETKEY
- •The Kernel Build Options
- •Required Kernel Options
- •Desired Options
- •NETKEY Stack Options
- •KLIPS Stack Options
- •L2TP Options
- •Patching the Kernel
- •NAT-Traversal Patch
- •KLIPS Compile Shortcut
- •Activating KLIPS
- •Determining the Stack in Use
- •Building KLIPS into the Linux Kernel Source Tree
- •Building a Standard Kernel
- •NAT Traversal
- •Patching KLIPS into the Linux Kernel
- •Verifying the Installation
- •Summary
- •Manual versus Automatic
- •PSK versus RSA
- •Pitfalls of Debugging IPsec
- •Pre-Flight Check
- •The ipsec verify Command
- •NAT and Masquerading
- •Checking External Commands
- •Opportunistic Encryption
- •The ipsec livetest Command
- •Configuration of Openswan
- •The ipsec.conf File
- •Host-to-Host Tunnel
- •Left and Right
- •The type Options
- •The auto Option
- •The rsasigkey Options
- •Bringing Up the IPsec Tunnels
- •Listing IPsec Connections
- •Testing the IPsec Tunnel
- •Connecting Subnets Through an IPsec Connection
- •Testing Subnet Connections
- •Testing Properly
- •Encrypting the Host and the Network Behind It
- •Employing Advanced Routing
- •Creating More Tunnels
- •Avoiding Duplication
- •The Also Keyword
- •KLIPS and the ipsecX Interfaces
- •Pre-Shared Keys (PSKs)
- •Proper Secrets
- •Dynamic IP Addresses
- •Hostnames
- •Roadwarriors
- •Multiple Roadwarrior Connections
- •Dynamic IP and PSKs
- •Mixing PSK and RSA
- •Connection Management
- •Subnet Extrusion
- •NAT Traversal
- •Deprecated Syntax
- •Confirming a Functional NAT-T
- •Dead Peer Detection
- •DPD Works Both Ways
- •Configuring DPD
- •Buggy Cisco Routers
- •Ciphers and Algorithms
- •Using ike= to Specify Phase 1 Parameters
- •Using esp= to Specify Phase 2 Parameters
- •Defaults and Strictness
- •Unsupported Ciphers and Algorithms
- •Aggressive Mode
- •XAUTH
- •XAUTH Gateway (Server Side)
- •XAUTH Client (Supplicant Side)
- •Fine Tuning
- •Perfect Forward Secrecy
- •Rekeying
- •Key Rollover
- •Summary
- •X.509 Certificates Explained
- •X.509 Objects
- •X.509 Packing
- •Types of Certificates
- •Passphrases, PIN Codes, and Interactivity
- •IKE and Certificates
- •Using the Certificate DN as ID for Openswan
- •Generating Certificates with OpenSSL
- •Setting the Time
- •Configuring OpenSSL
- •Be Consistent with All Certificates
- •OpenSSL Commands for Common Certificate Actions
- •Configuring Apache for IPsec X.509 Files
- •Creating X.509-based Connections
- •Using a Certificate Authority
- •Using Multiple CAs
- •Sending and Receiving Certificate Information
- •Creating your own CA using OpenSSL
- •Creating Host Certificates with Your Own CA
- •Host Certificates for Microsoft Windows (PKCS#12)
- •Certificate Revocation
- •Dynamic CRL Fetching
- •Configuring CRL
- •Online Certificate Status Protocol (OCSP)
- •Summary
- •History of Opportunistic Encryption
- •Trusting Third Parties
- •Trusting the DNS?
- •OE in a Nutshell
- •An OE Security Gateway
- •DNS Key Records
- •Forward and Reverse Zones
- •The OE DNS Records
- •Different Types of OE
- •Policy Groups
- •Internal States
- •Configuring OE
- •Configuring Policies
- •Full OE or Initiate-Only
- •Generating Correct DNS Records
- •Name Server Updates
- •Verifying Your OE Setup
- •Testing Your OE Setup
- •The trap eroute
- •The pass eroute
- •The hold eroute
- •Manipulating OE Connections Manually
- •Advanced OE Setups
- •Caveats
- •Summary
- •Where to Firewall?
- •Allowing IPsec Traffic
- •NAT and IPsec Passthrough
- •Configuring the Firewall on the Openswan Host
- •Firewalling and KLIPS
- •Firewalling and NETKEY
- •Packet Size
- •Summary
- •Microsoft Windows
- •Layer 2 Tunneling Protocol (L2TP)
- •Assigning an IP for VPN Access
- •L2TP Properties
- •Pure IPsec versus L2TP/IPsec
- •Client and Server Configurations for L2TP/IPsec
- •The L2TP Openswan Server
- •Configuring Openswan for L2TP/IPsec
- •Linux Kernel Runtime Parameters for L2TP/IPsec
- •Protecting the L2TP Daemon with IPsec using iptables
- •Choosing an L2TP Daemon
- •Configuring L2TPD
- •Configuring User Authentication for pppd
- •Microsoft Windows XP L2TP Configuration
- •Microsoft Windows 2000 L2TP Configuration
- •Apple Mac OS X L2TP Configuration
- •Server Configuration for X.509 IPsec without L2TP
- •Openswan Configuration for X.509 without L2TP
- •Client Configuration for X.509 IPsec without L2TP
- •Microsoft's IKE Daemon
- •Microsoft's Certificate Store
- •Clients using Microsoft Native IPsec Implementation
- •The ipsec.exe Wrapper
- •The Linsys IPsec Tool (lsipsectool)
- •Securepoint IPsec Client
- •TauVPN (iVPN)
- •The WaveSEC Client
- •Third-Party Replacement Clients for Windows
- •The GreenBow VPN Client
- •Astaro Secure Client
- •Mac OS X IPSecuritas
- •VPNtracker
- •Manual Racoon Configuration
- •Importing X.509 Certificates into Windows
- •Importing X.509 Certificates on Mac OS X (Tiger)
- •Summary
- •Openswan as a Client to an Appliance
- •Preparing the Interop
- •The Human Factor
- •Terminology
- •Preparation
- •IPsec Passthrough
- •Tunnel Limitations
- •Anticipate Known Problems
- •Update the Firmware
- •GUI Issues
- •Keepalives
- •ISP Filtering
- •Frequently used VPN Gateways
- •Webmin with Openswan
- •Cisco VPN 3000
- •Cisco PIX Concentrator
- •Nortel Contivity
- •Checkpoint
- •WatchGuard Firebox
- •Symantec
- •Frequently used VPN Client Appliances
- •ZyXEL
- •DrayTek Vigor
- •The Vigor Web Interface
- •Windows Logon Issues
- •Other Vigorisms
- •Unresolved Issues
- •NetScreen
- •Known Issues
- •SonicWALL
- •BinTec
- •LANCOM
- •Linksys
- •Lucent Brick
- •NETGEAR
- •KAME/Racoon
- •Aftercare
- •Summary
- •Methods of Encryption
- •Host-to-Host Mesh
- •Host-to-Gateway Setup
- •Single IP Extrusiautomation or L2TP
- •Opportunistic Encryption in the LAN
- •Non-OE-Capable Machines
- •Designing a Solution for Encrypting the LAN
- •Design Goals
- •Separation of WiFi and Crypto
- •Link Layer Protection
- •The Logical Choice: IPsec
- •Hotspot
- •WaveSEC
- •Full WaveSEC
- •Catch 22 Traffic
- •Building a WaveSEC Server
- •DHCP Server Setup
- •DNS Server Setup
- •Openswan Server Setup
- •Catch 22 Traffic Setup
- •Building a WaveSEC Client
- •DH Client Setup
- •Openswan Setup
- •Testing the WaveSEC
- •Starting the WaveSEC Connection
- •Known Issues with WaveSEC
- •WaveSEC for Windows
- •Design Limitations
- •Building a WaveSEC for Windows Server
- •Obtaining the Certificate and Client Software
- •Our Prototype Experiences
- •Openswan Issues
- •Windows Kernel Issues
- •Summary
- •Cipher Performance
- •Handling Thousands of Tunnels
- •Managing Large Configuration Files
- •Standard Naming Convention
- •The also= Parameter
- •The include Parameter
- •Openswan Startup Time
- •Limitations of the Random Device
- •Other Performance-Enhancing Factors
- •Logging to Disk
- •Disable Dead Peer Detection
- •Reducing the Number of Tunnels
- •OSPF Setup
- •BGPv4 Setup
- •High Availability
- •Heartbeat
- •Xen Migration
- •Using Anycast
- •Summary
- •Do Not Lock Yourself Out!
- •Narrowing Down the Problem
- •Host Issues
- •Configuration Problems
- •Connection Names
- •Interoperability
- •Hunting Ghosts
- •Rekey Problems (After an Hour)
- •Openswan Error Messages
- •IKE: Unknown VendorIDs
- •Network Issues
- •Firewalls
- •MTU and Fragmentation Issues
- •Debugging IPsec on Apple Mac OS X
- •Debugging IPsec on Microsoft Windows
- •Oakley Debugging
- •Debugging ipsec.exe
- •Microsoft L2TP Errors
- •You Suddenly Cannot Log in Anymore over the VPN
- •Software Bugs
- •Userland Issues: Assertion Failed or Segmentation Faults
- •Kernel Issues: Crashes and Oopses
- •Memory Issues
- •Common IKE Error Messages
- •Common Kernel-Related Error Messages
- •Common Errors when Upgrading
- •Using tcpdump to Debug IPsec
- •Situation A: No Communication on Port 500
- •Situation B: Failure at Third Exchange
- •Situation C: QUICK Mode Initiates, but Never Completes
- •Situation D: All IKE Messages Occur, but no Traffic Flows
- •A Final tcpdump Example
- •User Mode Linux Testing
- •Preparing the Openswan for the UML Build Process
- •Running the UMLs
- •Writing a UML Test Case
- •Debugging the Kernel with GDB
- •Asking the Openswan Community for Help
- •Internet Relay Chat (IRC)
- •The Openswan Mailing Lists
- •Posting to the Lists
- •Research First, Ask Later
- •Free, as in Beer
- •Do not Anonymize
- •Summary
- •Linux Kernel Developments
- •Kernel API Changes between 2.6.12 and 2.6.14
- •Red Hat Kernel Developments
- •Fedora Kernel Source/Headers Packaging Change
- •MD5 Insecurities
- •Discontinuation of Openswan 1 by the End of 2005
- •Update on UML Testing Suite Installation
- •Openswan GIT Repositories
- •Openswan on Windows and Mac OS X Updates
- •Known Outstanding Bugs
- •Vulnerability Fixes in Openswan 2.4.4
- •The OSI Model and the IP Model
- •No Layers, Just Packets
- •The Protocol
- •IP Network Overview
- •IP Address Management
- •The Old IP Classes
- •Classless IP Networks
- •The Definition of a Subnet
- •Calculating with Subnets: The Subnet Mask
- •The Rest of the Network
- •Linux Networking Commands
- •Routing
- •Routing Decisions
- •Peering
- •Network Address Translation
- •Port Forwarding
- •Openswan Links
- •Community Documentation
- •Generic Linux Distributions Containing Openswan
- •Specialized Linux Distributions Containing Openswan
- •Overview RFCs
- •Basic Protocols
- •Key Management
- •Procedural and Operational RFCs
- •Detailed RFCs on Specific Cryptographic Algorithms and Ciphers
- •Dead Peer Detection RFCs
- •NAT-Traversal and UDP Encapsulation RFCs
- •RFCs for Secure DNS Service, which IPSEC May Use
- •RFCs Related to L2TP, Often Used in Combination with IPsec
- •RFCs on IPsec in Relation to Other Protocols
- •RFCs Not in Use or Implemented across Multiple Vendors
- •Index
Chapter 5
Since the .p12 file created by this command contains the private key, it should be protected by a passphrase. This is the export password you see in the output above. You can add -passout pass:NewPassphrase if you wish to automate this command in some script.
Certificate Revocation
When a certificate is lost or stolen, it should be revoked, so that it can no longer be used to set up an IPsec connection. Since the CA signed the now-lost certificate, we need a special exemption to deny such lost certificates even though they have been signed by our trusted CA. Revoked certificates are stored in the file crl.pem, which should be placed on the gateway in the directory
/etc/ipsec.d/crls/.
An empty CRL file should be created if no certificates have been revoked yet, using:
# openssl ca -gencrl -crldays 15 -out crl.pem -keyfile caKey.pem -cert caCert.pem
To revoke a certificate, the public certificate file is needed. You should always keep a copy of these on the signing machine. This machine should be well protected or perhaps not even be connected to the Internet at all. To revoke a certificate, use:
# openssl ca -revoke fileCert.pem -keyfile caKey.pem -cert caCert.pem
The crl.pem file will need to be updated after a new certificate has been added to the revocation list:
# openssl crl -in crl.pem -noout -text
This file should be copied onto the gateway machine, in the directory /etc/ipsec.d/crls. Openswan should then be notified to re-read the new CRL file:
# ipsec auto --rereadcrls
Mar 19 23:54:16 peace pluto[16986]: Changing to directory '/etc/ipsec.d/crls' Mar 19 23:54:16 peace pluto[16986]: loaded crl file 'crl.pem' (589 bytes)
Revoking a certificate will not cause the Openswan server to drop any connections using that certificate. That IPsec connection will stay up until the next rekey, or the next (re)connect, when the now revoked certificate will be properly rejected.
An attempt by a revoked certificate to connect will be logged, and the connection will be rejected:
Mar 19 |
23:58:57 |
peace pluto[16986]: "west-roadwarriors"[5] |
193.110.157.17 #11: |
Peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, O=Xelerance, |
OU=Support Staff, |
||
CN=revoked.xelerance.com, E=revoke@xelerance.com' |
|
||
Mar 19 |
23:58:57 |
peace pluto[16986]: "west-roadwarriors"[5] |
193.110.157.17 #11: |
certificate was |
revoked on Mar 19 22:54:05 UTC 2005 |
|
|
Mar 19 |
23:58:57 |
peace pluto[16986]: "west-roadwarriors"[5] |
193.110.157.17 #11: |
invalid RSA public key deleted |
|
||
Mar 19 |
23:58:57 |
peace pluto[16986]: "west-roadwarriors"[5] |
193.110.157.17 #11: |
X.509 certificate rejected |
|
||
Mar 19 |
23:58:57 |
peace pluto[16986]: "west-roadwarriors"[6] |
193.110.157.17 #11: |
deleting connection "west-roadwarriors" instance with peer |
193.110.157.17 |
||
{isakmp=#0/ipsec=#0} |
|
||
Mar 19 |
23:58:57 |
peace pluto[16986]: "west-roadwarriors"[6] |
193.110.157.17 #11: |
no RSA |
public key known for 'C=CA, ST=Ontario, O=Xelerance, OU=Support Staff, |
||
CN=revoked.xelerance.com, E=revoke@xelerance.com' |
|
||
|
|
|
125 |
X.509 Certificates
If the certificate was in use when the certificate was revoked, you will notice that after some time the connection will fail to rekey and expire:
Mar 20 00:09:46 peace pluto[17775]: "west-roadwarriors"[2] 193.110.157.17 #1: ISAKMP SA expired (LATEST!)
Versions prior to 2.3.1 did not properly delete both Phase 1 (ISAKMP SA) and Phase 2 (IPsec SA). For version 2.3.1 and up you should also see the rejection of the IPsec SA after the ISAKMP SA expires:
Mar 20 00:44:47 peace pluto[18169]: "west-roadwarriors"[2] 193.110.157.17 #2: IPsec SA expired (LATEST!)
Dynamic CRL Fetching
When deploying X.509 on a large scale, it is not convenient to have a single crl.pem file that needs constant updating and copying to the various IPsec gateways. Openswan supports a few dynamic methods where a server is periodically queried for CRL updates. These updates can come from a crl.pem file on a web server, but can also be obtained by other methods, such as LDAP. Another method is the Online Certificate Store Protocol (OCSP).
To use dynamic CRL fetching, you must ensure Openswan is compiled with support for posix threads, cURL, and optionally LDAP. These can be enabled in Makefile.inc by setting
HAVE_THREADS, USE_LIBCURL, and USE_LDAP to true.
Your CA certificate and all signed host certificates need to be created with an additional CRL distribution section in your openssl.cnf file so that all certificates know about the type and location of the dynamic CRLs. Add the following line to the [usr_cert] section of openssl.cnf:
crlDistributionPoints= @crl_dp
And add a new [crl_dp] section listing the dynamic CRL methods and locations you wish to use:
[ crl_dp ]
URI.1="http://crl.yourorganisation.org/revoked.crl"
URI.2="ldap://ldap.yourorganisation.org/o=Xelerance,
c=CA?certificateRevocationList?base?(objectClass=certificationAuthority)"
Note that the values for URI.1 and URI.2 should each be given on a single line.
The first URI defines a dynamic revocation list on a web server. Openswan will use the curl command to fetch this from the web server. The second URI uses LDAP, which is also fetched using the curl command, which has LDAP support. Note that if you store CRL information in OpenLDAP, you need to use the DER format and not the PEM format. The OpenSSL command can create CRLs in either format. It will use PEM by default. If you need to use DER, add the option -outform der to the OpenSSL commands specified earlier in the chapter. You will need to add the appropriate scripts to update the CRL files or LDAP entry yourself, for instance by using the scp command from the secure signing machine to the web server if your CRL file is on a web server. You can also put this information in a special CA connection section:
ca XeleranceCA cacert=caCert.pem auto=add
# the following lines are optional crluri=http://crl.xelerance.com/revoked.crl' crluri2="ldap:///O=Xelerance, C=CA?certificateRevocationList" ldaphost=ldap.xelerance.com
126
Chapter 5
Using separate CA connection sections, you can specify different CRL servers for different intermediate CA certificates.
Configuring CRL
There are two important options that change the behavior of dynamic CRL fetching. These options should be placed in the config setup section of ipsec.conf:
config setup crlcheckinterval=600 strictcrlpolicy=yes
The crlcheckinterval= period determines how often Openswan will try to fetch a new version of the CRL file. It will only try to fetch a new version if the CRL expires in a time shorter than twice the crlcheckinterval= time. Thus, if you make the CRL valid for a year, which you should never do, you will never see it try to fetch an updated version. A good CRL lifetime is something short.
The shorter you make it, the quicker you can revoke someone's certificate. However, you should make sure that the CRL does not expire. CRLs are not stored between restarts of Openswan, but are fetched again from the specified distribution points.
Openswan uses a default of strictcrlpolicy=no, meaning that if no valid CRL is found, warnings are logged, but connections are not rejected. In this mode, an expired CRL is also treated as a valid CRL, meaning only entries in the expired CRL that have been revoked will actually be treated as revoked. To strictly enforce CRL settings, set strictcrlpolicy=yes. Be aware that if your CRL then expires, no new incoming connections will be accepted. If you access your dynamic CRL over an IPsec tunnel, this also means you are completely dead in the water when that tunnel needs to rekey. Another effect is that at startup, the first few connections might be rejected because a valid CRL has not yet been fetched and loaded.
To view the status of the CRL, issue the following command:
# ipsec auto --listcrls
000
000 List of X.509 CRLs:
000
000 Apr 04 17:27:47 2005, revoked certs: 2
000 issuer: 'C=CA, ST=Ontario, L=Toronto, O=Xelerance, OU=Support Staff, CN=Xelerance Root CA, E=ca@xelerance.com'
000 distPts: 'http://crl.xelerance.com/revoked.crl'
000 updates: this Mar 19 23:54:35 2005
000 next Apr 04 00:54:35 2005 warning (expired)
In this case you can see that the CRL has expired, and if crlstrictmode had been enabled, no new IPsec connections would be allowed. This command would also show any pending CRL transfer attempts.
127
X.509 Certificates
Online Certificate Status Protocol (OCSP)
Defined in RFC 2560, OCSP is an extension for dynamic CRL fetching. Instead of using a CRL, the gateway will now ask an OCSP server for information about a specific X.509 Certificate presented by a remote peer trying to initiate an IPsec connection. Based upon the answer of the OCSP server, Openswan will accept or reject the certificate. Like CRL responses, OCSP responses do not survive a reboot, and will be retrieved again from the OCSP server. OCSP is enabled in a separate CA section:
ca XeleranceCA cacert=caCert.pem
ocspuri=http://ocsp.xelerance.com:81
auto=add
The port number is arbitrary. You can manually load this CA connection using this command:
# ipsec auto --type ca --add XeleranceCA
You can also put options in the special ca %default section, which can also be used if there is only one CA certificate on the server. An example given is below:
ca %default ocspuri=http://ocsp.xelerance.com:81
You will need to run an OCSP server, in our example at ocsp.xelerance.com. The OpenSSL package contains an OCSP server. After creating a key and certificate for the OCSP server, just as they are generated for an IPsec host, the OCSP server can be started with the following commands:
# openssl ocsp -index index.txt -CA caCert.pem -port 81 -rkey ocspKey.pem -rsigner ocspCert.pem -resp_no_certs -nmin 60 -text
You will also need to place a copy of the OCSP public certificate (ocspCert.pem) on the VPN
gateway in the directory /etc/ipsec.d/OCSPcerts/.
It is strongly recommended not to run the OCSP server on the machine that has the CA private key used for signing certificates.
Additional commands for viewing |
Description |
|
and purging OCSP data |
|
|
|
|
|
ipsec auto |
--listocspcerts |
List OCSP information |
ipsec auto |
--purgeocsp |
Purge the OCSP cache and fetching requests |
|
|
|
The OCSP patches have not yet been fully integrated into Openswan. Please take a look at the website for the latest information on OCSP support in Openswan.
128