[strongSwan] CRLs over IPsec tunnels

Martin Willi martin at strongswan.org
Wed Oct 3 14:27:46 CEST 2012


Hi,

> Can you help please to determine if there are any issues at
> initialization and during the life of an IPsec tunnel if CRLs are
> retrieved via this same IPsec tunnel?

Fetching a CRL inside the tunnel to check the certificate status for the
same tunnel does not work: it is a hen-egg problem. With a strict CRL
policy, you can't establish the tunnel, because you have no CRL. And you
can't fetch a CRL, because you don't have a tunnel yet.

If the CRL can't be published outside the IPsec tunnel, the preferable
option would be to switch to OCSP and use in-band OCSP checking,
RFC4806. strongSwan currently doesn't support it, though.

Regards
Martin
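The dependency loop Martin describes can be caught before deployment: if every CRL distribution point in the peer's certificate resolves to an address that is only reachable through the tunnel, a strict CRL policy can never be satisfied. The following pre-flight check is an added example, not code from the mailing list post or from the strongSwan project; the subnet, the host table standing in for DNS and the function names are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed assumption: the remote traffic selectors of the tunnel, i.e. the
# address ranges that are only reachable once the IPsec SA is up.
TUNNEL_SUBNETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed name->address table standing in for DNS so the example runs offline.
HOSTS = {
    "crl.internal.example": "10.20.5.10",   # published only behind the tunnel
    "crl.public.example": "203.0.113.7",    # published on the public network
}


def resolve(host, table=HOSTS):
    """Return the address for a hostname from the constructed table.

    IP literals are returned unchanged so CDP URLs like http://10.20.5.10/ca.crl
    work without a lookup. Unknown names raise, which the caller treats as
    'not reachable' rather than silently passing.
    """
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return table[host]


def crl_reachable_without_tunnel(cdp_url, tunnel_subnets=TUNNEL_SUBNETS, resolver=resolve):
    """True if the CRL distribution point lies outside the tunnel's subnets.

    A CRL served from inside the protected network cannot be fetched before
    the tunnel exists, which is exactly the hen-egg situation in the post.
    """
    host = urlparse(cdp_url).hostname
    if host is None:
        return False
    try:
        addr = ipaddress.ip_address(resolver(host))
    except (KeyError, ValueError):
        return False
    return not any(addr in net for net in tunnel_subnets)


def check_strict_crl_policy(cdp_urls, strict=True, **kw):
    """Evaluate whether a strict CRL policy can be satisfied at tunnel setup.

    Returns (ok, reachable_urls). With strict=True the tunnel only comes up if
    at least one CDP is fetchable out-of-band; with a lax policy the check is
    informational only and ok is always True.
    """
    reachable = [u for u in cdp_urls if crl_reachable_without_tunnel(u, **kw)]
    if not strict:
        return True, reachable
    return bool(reachable), reachable


if __name__ == "__main__":
    # Only an in-tunnel CDP: strict policy can never be satisfied.
    print(check_strict_crl_policy(["http://crl.internal.example/ca.crl"]))
    # A public mirror of the same CRL breaks the loop.
    print(check_strict_crl_policy(["http://crl.internal.example/ca.crl",
                                   "http://crl.public.example/ca.crl"]))
```

Run against the CDP URLs extracted from the peer CA's certificate (and the tunnel's actual remote subnets) before enabling a strict CRL policy; an empty `reachable` list with `strict=True` means the tunnel will not come up, which matches the behaviour described in the reply.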
