[strongSwan] How to disable 'CRL' in strongswan.conf?

Yong Choo yhc at alcatel-lucent.com
Tue Jan 10 13:47:35 CET 2012

Thanks Much! Yes it would be sufficient for 'dynamic purpose' in our 

So to be sure:
charon {
    load = revocation
    } --> charon would load the 'revocation' plugin

charon {
    } --> charon would NOT load the 'revocation' plugin


The statement in the release note was what got me confused, i.e. I 
thought that without 'load', the statement led me to believe that the 
revocation plugin is automatically loaded in :)
_"OCSP/CRL checking in IKEv2 has been moved to the revocation plugin, 
enabled by default."_

-Yong Choo

On 1/9/2012 10:43 PM, Andreas Steffen wrote:
> Hello Yong Choo,
> you can do that with an explicit load statement in strongswan.conf.
> Just prepare two versions of strongswan.conf - one with the
> revocation plugin in the load statement and one without it.
> Depending on the situation you either start strongSwan with
> one strongswan.conf or the second one. Is this dynamical enough?
> Regards
> Andreas
> On 09.01.2012 20:59, Yong Choo wrote:
>> Searching in database, I came up on the following in
>> http://www.mail-archive.com/users@lists.strongswan.org/msg03918.html
>> So, the question is 'how not to load the revocation plugin when it is
>> already enabled by default?'
>> -----Original Message-----
>> From: Andreas Steffen [mailto:andreas.stef... at strongswan.org]
>> Sent: Thursday, 24 November 2011 12:51
>> Cc: users at lists.strongswan.org; SCARAZZINI, FABRICE (FABRICE); Pisano, Stephen
>> Subject: Re: [strongSwan] How to bypass CRL checks?
>> Hello Mugur,
>> with IKEv2 revocation checks can be easily disabled by not loading the
>> revocation plugin. What is not possible is to disable CRL checking on a per
>> connection definition basis.
>> Regards
>> Andreas
>> On 1/9/2012 12:30 PM, Yong Choo wrote:
>>> Hi,
>>> Looking at http://wiki.strongswan.org/projects/1/wiki/441,
>>> OCSP/CRL checking in IKEv2 has been moved to the revocation plugin,
>>> enabled
>>> by default. Please update manual load directives in strongswan.conf.
>>> How can I disable this plugin dynamically? We have a need of
>>> dynamically controlling the loading of plugin at run-time.
>>> Thanks Much,
>>> -Yong Choo
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
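
An added example, not part of the original thread and not strongSwan code: a small Python check that reads a strongswan.conf and reports whether the `charon` load statement names the revocation plugin, which confirms which of the two configuration variants discussed above is in place. The function names and sample files are constructed for illustration; a missing load statement is reported as "default", the case in which the quoted release note says revocation is enabled.

```python
import re

def charon_load(conf_text):
    """Return the plugins named in charon { load = ... }, or None when no
    explicit load statement exists (charon then uses its default list)."""
    text = re.sub(r"#.*", "", conf_text)            # drop comments
    tokens = re.findall(r"[{}]|[^{}\n]+", text)     # braces, names, settings
    path, pending = [], None
    for tok in (t.strip() for t in tokens):
        if not tok:
            continue
        if tok == "{":
            path.append(pending)                    # enter the named section
            pending = None
        elif tok == "}":
            if path:
                path.pop()
        elif "=" in tok:
            key, value = (s.strip() for s in tok.split("=", 1))
            if path == ["charon"] and key == "load":
                return value.split()
        else:
            pending = tok                           # section name before "{"
    return None

def revocation_status(conf_text):
    plugins = charon_load(conf_text)
    if plugins is None:
        return "default"
    return "loaded" if "revocation" in plugins else "not-loaded"

# Constructed sample files (shortened plugin lists, for illustration only).
WITH_REVOCATION = """
pluto {
    load = sha1 md5 aes des hmac gmp random pubkey
}
charon {
    # variant with OCSP/CRL checking
    load = random x509 revocation pem pkcs1 gmp hmac stroke kernel-netlink socket-default
}
"""
WITHOUT_REVOCATION = """
charon {
    load = random x509 pem pkcs1 gmp hmac stroke kernel-netlink socket-default
}
"""
NO_LOAD_STATEMENT = "charon {\n}\n"

if __name__ == "__main__":
    for name in ("WITH_REVOCATION", "WITHOUT_REVOCATION", "NO_LOAD_STATEMENT"):
        print(name, "->", revocation_status(globals()[name]))
```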