[strongSwan] CRLs over IPsec tunnels

Andreas Steffen andreas.steffen at strongswan.org
Wed Oct 3 15:16:53 CEST 2012


Another alternative would be for the VPN gateway to send the
CRL in-band via an IKEv2 Certificate Payload of type CRL
as defined in

http://tools.ietf.org/html/rfc5996#section-3.6

Unfortunately, strongSwan doesn't support this yet, either.

Regards

Andreas

On 03.10.2012 14:27, Martin Willi wrote:
> Hi,
> 
>> Can you help please to determine if there are any issues at
>> initialization and during the life of an IPsec tunnel if CRLs are
>> retrieved via this same IPsec tunnel?
> 
> Fetching a CRL inside the tunnel to check the certificate status for the
> same tunnel does not work: it is a chicken-and-egg problem. With a strict
> CRL policy, you can't establish the tunnel, because you have no CRL. And
> you can't fetch a CRL, because you don't have a tunnel yet.
> 
> If the CRL can't be published outside the IPsec tunnel, the preferable
> option would be to switch to OCSP and use in-band OCSP checking,
> RFC 4806. strongSwan currently doesn't support it, though.
> 
> Regards
> Martin

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
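The in-band alternative Andreas points at is the IKEv2 Certificate payload with Cert Encoding 7 (Certificate Revocation List) from RFC 5996 section 3.6: the gateway ships the CRL inside IKE_AUTH next to its certificate, so the peer never needs a tunnel to fetch it. The following Python is an added example written for this archive, not strongSwan code and not code from either poster. It encodes and parses that payload layout (4-byte generic header, 1-byte Cert Encoding, then the data) and walks a chain of CERT payloads to separate certificates from CRLs. The two DER-looking byte strings are constructed placeholders, not a real certificate or CRL; the payload and encoding numbers are the ones RFC 5996 assigns.

```python
import struct

# IKEv2 payload type numbers, RFC 5996 section 3.2.
PAYLOAD_TYPE_NONE = 0    # "No Next Payload"
PAYLOAD_TYPE_CERT = 37   # Certificate payload

# Cert Encoding values, RFC 5996 section 3.6 (subset used here).
CERT_ENCODING_X509_SIGNATURE = 4   # an X.509 certificate for signing
CERT_ENCODING_CRL = 7              # a Certificate Revocation List

# Generic payload header: Next Payload | C bit + 7 RESERVED bits | Payload Length
GENERIC_HEADER = struct.Struct("!BBH")


def build_cert_payload(cert_encoding, data, next_payload=PAYLOAD_TYPE_NONE,
                       critical=False):
    """Encode one IKEv2 Certificate payload (RFC 5996 section 3.6).

    Payload Length counts the 4-byte generic header, the 1-byte
    Cert Encoding octet and the Certificate Data that follows it.
    """
    if not 0 <= cert_encoding <= 255:
        raise ValueError("Cert Encoding must fit in one octet")
    length = GENERIC_HEADER.size + 1 + len(data)
    if length > 0xFFFF:
        # A big CRL will not fit the 16-bit length field (and long before that
        # it will push the UDP datagram past what unfragmented IKE can carry).
        raise ValueError("Certificate Data too large for one IKEv2 payload")
    flags = 0x80 if critical else 0x00
    return (GENERIC_HEADER.pack(next_payload, flags, length)
            + bytes([cert_encoding]) + data)


def parse_cert_payload(buf):
    """Parse one Certificate payload from the front of buf.

    Returns (next_payload, cert_encoding, data, remaining_bytes) and
    raises ValueError on a truncated or self-inconsistent payload.
    """
    if len(buf) < GENERIC_HEADER.size + 1:
        raise ValueError("truncated CERT payload")
    next_payload, flags, length = GENERIC_HEADER.unpack_from(buf)
    if flags & 0x7F:
        raise ValueError("RESERVED bits must be zero")
    if length < GENERIC_HEADER.size + 1 or length > len(buf):
        raise ValueError("Payload Length inconsistent with buffer")
    cert_encoding = buf[GENERIC_HEADER.size]
    data = buf[GENERIC_HEADER.size + 1:length]
    return next_payload, cert_encoding, data, buf[length:]


def split_in_band_material(buf):
    """Walk consecutive CERT payloads (each Next Payload field points at the
    following payload) and sort what they carry by Cert Encoding.

    Returns (certificates, crls, remaining_bytes); remaining_bytes starts
    at the first payload that is not a CERT payload.
    """
    certs, crls = [], []
    current = PAYLOAD_TYPE_CERT
    while current == PAYLOAD_TYPE_CERT:
        current, enc, data, buf = parse_cert_payload(buf)
        if enc == CERT_ENCODING_X509_SIGNATURE:
            certs.append(data)
        elif enc == CERT_ENCODING_CRL:
            crls.append(data)
        else:
            raise ValueError("unsupported Cert Encoding %d" % enc)
    return certs, crls, buf


if __name__ == "__main__":
    # Constructed placeholder bytes standing in for DER objects (not real DER).
    FAKE_CERT_DER = b"\x30\x03\x02\x01\x01"
    FAKE_CRL_DER = b"\x30\x03\x02\x01\x02"

    # Gateway side: certificate payload chained to a CRL payload, end of chain.
    ike_auth_fragment = (
        build_cert_payload(CERT_ENCODING_X509_SIGNATURE, FAKE_CERT_DER,
                           next_payload=PAYLOAD_TYPE_CERT)
        + build_cert_payload(CERT_ENCODING_CRL, FAKE_CRL_DER)
    )

    # Peer side: recover both objects without any out-of-band CRL fetch.
    certs, crls, rest = split_in_band_material(ike_auth_fragment)
    print("certificates:", len(certs), "crls:", len(crls), "trailing:", len(rest))
```

The peer still has to verify the CRL's signature against the issuing CA and check its nextUpdate before trusting it; the payload only solves delivery, not validation.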


