strongSwan KVM Tests / ikev2 / ocsp-rfc4806-signer

Test ikev2/ocsp-rfc4806-signer

Description

By setting revocation = strict in swanctl.conf, a strict certificate revocation policy is enforced on both roadwarrior carol and gateway moon: a peer certificate whose status cannot be confirmed as good is rejected rather than accepted with a warning.

Following RFC 4806, carol sends an OCSP request via an IKEv2 CERTREQ payload to gateway moon, which in turn requests online status information on its own certificate from the OCSP server winnetou on behalf of carol and returns the OCSP response to carol in a CERT payload. winnetou signs its responses with an OCSP signer certificate issued by the strongSwan CA that carries the OCSPSigning Extended Key Usage (EKU) flag; carol accepts the response because the signer certificate is issued by the same CA as moon's certificate and has that EKU, as required for a delegated OCSP responder.

carol's certificate includes an OCSP URI in its authority information access extension pointing to winnetou, so moon can check it directly. moon's own certificate lacks such a URI, so moon additionally needs an authorities section in swanctl.conf that names the OCSP responder for the strongSwan CA; without it, moon cannot request an OCSP response for its own certificate.

carol successfully initiates an IPsec connection to moon since the status of both certificates is good.
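The swanctl.conf fragments below are an added example illustrating the configuration the description refers to; they are not the test's own configuration files. Addresses, identities, certificate file names, traffic selectors and the OCSP responder URI (http://ocsp.strongswan.org:8880) are assumptions; the option names (revocation, authorities, cacert, ocsp_uris) are real swanctl.conf keys.

```conf
# ---- swanctl.conf on gateway moon (added example; values are assumptions) ----
connections {
   rw {
      local_addrs = 192.168.0.1

      local {
         auth  = pubkey
         certs = moonCert.pem
         id    = moon.strongswan.org
      }
      remote {
         auth = pubkey
         # carol's certificate is checked via the OCSP URI in its AIA extension.
         # "strict": a missing, stale or unverifiable response fails the
         # authentication instead of being logged as a warning.
         revocation = strict
      }
      children {
         net {
            local_ts = 10.1.0.0/16
         }
      }
   }
}

# moon's own certificate carries no AIA OCSP URI, so moon cannot learn where
# to ask for its status on its own. This section tells moon that every
# certificate issued by the strongSwan CA is to be checked against the
# responder on winnetou; moon uses it to fetch the OCSP response it relays to
# carol in the RFC 4806 CERT payload.
authorities {
   strongswan {
      cacert    = strongswanCert.pem
      ocsp_uris = http://ocsp.strongswan.org:8880   # assumed responder URI
   }
}

# ---- swanctl.conf on roadwarrior carol (added example; values are assumptions) ----
connections {
   home {
      remote_addrs = 192.168.0.1

      local {
         auth  = pubkey
         certs = carolCert.pem
         id    = carol@strongswan.org
      }
      remote {
         auth = pubkey
         id   = moon.strongswan.org
         # carol requires a good status for moon's certificate; moon supplies
         # the OCSP response in-band, so carol needs no responder entry itself.
         revocation = strict
      }
      children {
         home {
            remote_ts = 10.1.0.0/16
         }
      }
   }
}
```

Load the files with swanctl --load-all on each host and start the tunnel from carol with swanctl --initiate --child home. Two manual checks are worth doing before relying on the setup: confirm the responder's signer certificate really carries the required EKU with openssl x509 -in ocspCert.pem -noout -ext extendedKeyUsage (expect "OCSP Signing"), and query the responder directly with openssl ocsp -issuer strongswanCert.pem -cert moonCert.pem -url http://ocsp.strongswan.org:8880 -CAfile strongswanCert.pem, which should report the status of moon's certificate as good and the response as verified; if the signer certificate were issued by a different CA or lacked the EKU, that verification would fail, and with revocation = strict so would carol's authentication of moon.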