Cisco Cisco Packet Data Gateway (PDG)
IPSec Certificates
Online Certificate Status Protocol (OCSP) ▀
IPSec Reference, StarOS Release 16 ▄
125
Revoked OCSP Response
Figure 24. Call Flow: Revoked OCSP Response
In this case fallback to CRL would be implemented for validating the user certificate. If this fails then the IKE_AUTH is
aborted and a notification message is sent indicating authentication failure.
aborted and a notification message is sent indicating authentication failure.
External Interface
The OCSP client to the OCSP responder interaction occurs over HTTP. A TCP socket connection is established to the
OCSP responder. This connection is taken down once the OCSP response is received. The connection is also taken
down as part of the cleanup after the setup timer expires.
OCSP responder. This connection is taken down once the OCSP response is received. The connection is also taken
down as part of the cleanup after the setup timer expires.
CLI Commands
Important:
The commands described below appear in the CLI for this release. However, they have not been
qualified for use with any current Cisco StarOS gateway products.
Context Configuration Mode
OCSP must be enabled in a crypto map or crypto template.
For a crypto map the configuration sequence is:
configure
context <ctxt_name>
crypto map template_name { ikev2-ipv4 | ikev2-ipv6 }