[strongSwan] How to bypass CRL checks?

Andreas Steffen andreas.steffen at strongswan.org
Thu Nov 24 12:50:58 CET 2011

Hello Mugur,

With IKEv2, revocation checks can be easily disabled by not loading
the revocation plugin. What is not possible is to disable CRL
checking on a per connection definition basis.



On 11/24/2011 08:50 AM, ABULIUS, MUGUR (MUGUR) wrote:
> Hello,
> Our understanding in case of setting strictcrlpolicy to **no** for charon is
> that strongSwan denies the authentication if the certificate appears in
> the fetched CRL. But, if the certificate does not specify a URI or if the
> CRL can’t be fetched the authentication is not denied.
> Can you please check our understanding?
> In case our assumption is correct we are looking for a way to set up
> strongSwan (for some specific run scenarios) to bypass any CRL checks
> (even if strictcrlpolicy=no). We are looking for this capability even if
> received certificates specify a URI and the corresponding CRL can be
> fetched from CDP.
> Thank you
> Mugur

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
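
Since leaving the revocation plugin out of the load list switches revocation checking off for the whole daemon, a configuration audit can flag hosts where that has happened. The following is an added example, not part of the original thread and not strongSwan project code; it assumes the plugin list is set with an explicit "load =" line in the charon section of strongswan.conf, and the sample configurations are constructed.

```python
import re

# Constructed sample configs (illustrative, not from the original thread).
WITH_REVOCATION = """
charon {
    # explicit plugin list
    load = aes sha1 sha2 hmac pem pkcs1 x509 revocation gmp random stroke kernel-netlink socket-default
}
"""
WITHOUT_REVOCATION = WITH_REVOCATION.replace(" revocation", "")
NO_EXPLICIT_LIST = "charon {\n    threads = 16\n}\n"

# Three token kinds: "name {", "}", and "key = value" up to end of line or "}".
TOKEN = re.compile(r"([\w.-]+)\s*\{|(\})|([\w.-]+)\s*=\s*([^\n}]*)")

def parse_conf(text):
    """Parse strongswan.conf-style nested sections into nested dicts."""
    text = re.sub(r"#[^\n]*", "", text)  # drop comments
    root = {}
    stack = [root]
    for section, close, key, value in TOKEN.findall(text):
        if section:
            stack.append(stack[-1].setdefault(section, {}))
        elif close:
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        else:
            stack[-1][key] = value.strip().strip('"')
    if len(stack) != 1:
        raise ValueError("unclosed section")
    return root

def revocation_plugin_state(text, daemon="charon"):
    """Return 'loaded', 'not-loaded' or 'default-list' for one daemon section."""
    load = parse_conf(text).get(daemon, {}).get("load")
    if not isinstance(load, str):
        # No explicit list: the build's default plugin set applies.
        return "default-list"
    return "loaded" if "revocation" in load.split() else "not-loaded"

if __name__ == "__main__":
    for name, conf in [("with", WITH_REVOCATION),
                       ("without", WITHOUT_REVOCATION),
                       ("no-list", NO_EXPLICIT_LIST)]:
        print(name, revocation_plugin_state(conf))
```

A "not-loaded" result means no CRL checking takes place on any connection handled by that daemon, matching the reply's point that the setting cannot be scoped to a single connection definition.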
