[strongSwan] CRLs over IPsec tunnels
Martin Willi
martin at strongswan.org
Wed Oct 3 14:27:46 CEST 2012
Hi,
> Can you help please to determine if there are any issues at
> initialization and during the life of an IPsec tunnel if CRLs are
> retrieved via this same IPsec tunnel?
Fetching a CRL inside the tunnel to check the certificate status for the
same tunnel does not work: it is a chicken-and-egg problem. With a strict CRL
policy, you can't establish the tunnel, because you have no CRL. And you
can't fetch a CRL, because you don't have a tunnel yet.
If the CRL can't be published outside the IPsec tunnel, the preferable
option would be to switch to OCSP and use in-band OCSP checking,
RFC4806. strongSwan currently doesn't support it, though.
Regards
Martin
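The dependency described in the reply, shown as swanctl.conf fragments. This is an added example, not part of the original post or of the strongSwan project's documentation; the connection name, addresses, certificate and CRL file names are assumptions.

```conf
# Added example (not from the original post). Assumed names: connection
# "net-net", peer 198.51.100.1, local cert moonCert.pem, CRL file ca.crl.

# Fragment 1: the setup the question describes. The peer certificate's CRL
# distribution point is an HTTP server reachable only through the tunnel,
# and revocation checking is strict. IKE_SA setup fails because no CRL can
# be obtained, and without the IKE_SA no CRL can be fetched.
connections {
    net-net {
        remote_addrs = 198.51.100.1
        local {
            auth = pubkey
            certs = moonCert.pem
        }
        remote {
            auth = pubkey
            revocation = strict   # a valid CRL is required, no fallback
        }
    }
}

# Fragment 2: same strict policy, but the CRL no longer depends on the
# tunnel. The CRL is delivered out of band (copied from the CA over a
# path that does not traverse this tunnel) into the directory that
# `swanctl --load-creds` reads:
#
#   /etc/swanctl/x509crl/ca.crl
#
# The check then succeeds from the local copy. The copy must be refreshed
# before the CRL's nextUpdate, or strict checking fails again once it
# expires. Optionally let charon cache CRLs it does manage to fetch
# (strongswan.conf), so a later renegotiation has a fresh local copy:
charon {
    cache_crls = yes
}

# Alternatives for the remote section, in decreasing strictness:
#   revocation = ifuri     strict only if the cert carries a CRL/OCSP URI
#   revocation = relaxed   accept the peer if no CRL can be obtained (weakest)
```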