<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Does "<span style="color: rgb(51, 51, 51); font-family: Roboto, sans-serif; font-size: 14.9999px; font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(255, 255, 255); text-decoration-thickness: initial;" class=""><conn>.reauth_time” and leaving “break_before_make” alone force a reauth and certificate validity check on IKE/ISAKMP from non-cached crl’s?</span><div class=""><span style="background-color: rgb(255, 255, 255);" class=""><br class=""></span></div><div class=""><span style="background-color: rgb(255, 255, 255);" class="">Apologies for all the questions.</span></div><div class=""><span style="background-color: rgb(255, 255, 255);" class=""><br class=""></span></div><div class=""><span style="background-color: rgb(255, 255, 255);" class="">Eric<br class=""></span><div class=""><div dir="auto" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><br class="Apple-interchange-newline"></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div>
</div>
<div><br class=""><blockquote type="cite" class=""><div class="">On Jun 1, 2022, at 10:43 AM, Tobias Brunner <<a href="mailto:tobias@strongswan.org" class="">tobias@strongswan.org</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="">Hi Eric,<br class=""><br class=""><blockquote type="cite" class="">16[IKE] received end entity cert "CN=<a href="http://pfsense.semperen.net" class="">pfsense.semperen.net</a> <<a href="http://pfsense.semperen.net" class="">http://pfsense.semperen.net</a>>, C=US, ST=OH, L=Van Wert, O=The Semperen Group, OU=Network Operations"<br class="">16[CFG]   using certificate "CN=<a href="http://pfsense.semperen.net" class="">pfsense.semperen.net</a> <<a href="http://pfsense.semperen.net" class="">http://pfsense.semperen.net</a>>, C=US, ST=OH, L=Van Wert, O=The Semperen Group, OU=Network Operations"<br class="">16[CFG]   using trusted ca certificate "CN=semperen-ipsec-ca, C=US, ST=OH, L=Van Wert, O=The Semperen Group, OU=Network Operations"<br class="">16[CFG] checking certificate status of "CN=<a href="http://pfsense.semperen.net" class="">pfsense.semperen.net</a> <<a href="http://pfsense.semperen.net" class="">http://pfsense.semperen.net</a>>, C=US, ST=OH, L=Van Wert, O=The Semperen Group, OU=Network Operations"<br class=""> >>>>> 16[CFG]   fetching crl from '<a href="https://ipsec-crl.s3.us-east-2.amazonaws.com/Semperen%2BIPSec%2BSigning%2BAuthority%2BCRL.crl" class="">https://ipsec-crl.s3.us-east-2.amazonaws.com/Semperen%2BIPSec%2BSigning%2BAuthority%2BCRL.crl</a> <<a href="https://ipsec-crl.s3.us-east-2.amazonaws.com/Semperen%2BIPSec%2BSigning%2BAuthority%2BCRL.crl" class="">https://ipsec-crl.s3.us-east-2.amazonaws.com/Semperen%2BIPSec%2BSigning%2BAuthority%2BCRL.crl</a>>' … <<<<<br class="">16[CFG]   using trusted certificate "CN=semperen-ipsec-ca, C=US, ST=OH, L=Van Wert, O=The Semperen Group, OU=Network Operations"<br class="">16[CFG]   crl correctly signed by "CN=semperen-ipsec-ca, C=US, ST=OH, L=Van Wert, O=The Semperen Group, OU=Network Operations"<br class="">16[CFG]   crl is valid: until Oct 13 19:33:11 2049<br class="">16[CFG] certificate status is good<br class="">16[CFG]   reached self-signed root ca with a path length of 0<br class=""></blockquote><br class="">This happens on demand when the peer certificate is verified, not when the daemon is started.<br class=""><br class="">Regards,<br class="">Tobias<br class=""></div></div></blockquote></div><br class=""></div></body></html>