[strongSwan] CRL ignored in Strongswan 5.0.1

kgardenia42 kgardenia42 at googlemail.com
Sat Oct 20 03:02:51 CEST 2012


Hi,

What I suspect will turn out to be a dumb question to follow:

I placed a CRL file in /etc/ipsec.d/crls/

I can see from the logs that it gets loaded by charon on startup.

I have no special config in ipsec.conf or strongswan.conf to load the
CRL.  My understanding is that this happens implicitly.  On strongswan
4.x the same CRL and config has the desired effect on a client cert I
wish to ban.

I have not set "strictcrlpolicy" on either version.  My understanding
of strictcrlpolicy is that every known client cert has to be referenced
in the CRL.  Is that correct?

When I (speculatively) set strictcrlpolicy in strongSwan 5.0.1 the logs say:

charon: 12[CFG] constraint check failed: RULE_CRL_VALIDATION is
SKIPPED, but requires at least GOOD

.. then the client is not allowed in. But I suspect (although I
haven't verified) that any client would be banned.

Are there any gotchas I need to be aware of?  Missing config?  chmod?
Loading plugins or whatever?

Thanks.
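As an added example, not part of this list thread or of the strongSwan project, the script below builds a throwaway PKI with openssl in a temp directory and runs the three checks a CRL has to pass before any daemon can use it to reject a client certificate: it is signed by the CA that issued the client cert (a CRL from another issuer is loaded but never applies), it actually lists that cert's serial number, and a chain verification with CRL checking switched on reports the cert as revoked. The CA name, client name, file names and the minimal openssl config are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the strongSwan list post): build a throwaway PKI
# with openssl, revoke one client cert into a CRL, then run the checks the
# CRL must pass before it can ban that cert. All names are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config for "openssl req" / "openssl ca" (constructed for this example).
cat > ca.cnf <<'EOF'
[ ca ]
default_ca         = demo_ca
[ demo_ca ]
dir                = .
database           = index.txt
new_certs_dir      = .
serial             = serial
crlnumber          = crlnumber
certificate        = ca.pem
private_key        = ca.key
default_md         = sha256
default_days       = 365
default_crl_days   = 30
policy             = pol_any
[ pol_any ]
commonName         = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints   = critical,CA:TRUE
keyUsage           = critical,keyCertSign,cRLSign
EOF
touch index.txt
echo 1000 > serial
echo 01 > crlnumber

# CA, one client certificate, then revoke it and issue a CRL.
openssl req -x509 -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -subj "/CN=Demo CA" -days 365 -config ca.cnf >/dev/null 2>&1
openssl req -new -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
    -subj "/CN=banned-client" -config ca.cnf >/dev/null 2>&1
openssl ca -batch -config ca.cnf -in client.csr -out client.pem -notext >/dev/null 2>&1
openssl ca -config ca.cnf -revoke client.pem >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1

# Check 1: the CRL issuer must equal the subject of the CA that signed the
# client cert; a CRL from any other issuer never applies to this cert.
crl_issuer_matches() {   # $1 = CRL, $2 = CA cert
    crl_iss=$(openssl crl -in "$1" -noout -issuer | sed 's/^issuer=//')
    ca_sub=$(openssl x509 -in "$2" -noout -subject | sed 's/^subject=//')
    [ "$crl_iss" = "$ca_sub" ]
}

# Check 2: the CRL must carry the client cert's serial number.
crl_lists_serial() {     # $1 = CRL, $2 = client cert
    serial=$(openssl x509 -in "$2" -noout -serial | sed 's/^serial=//')
    openssl crl -in "$1" -noout -text | grep -iq "Serial Number: $serial"
}

# Check 3: a full chain verification with CRL checking on must report the
# cert as revoked. Returns 0 only when openssl says "certificate revoked".
cert_revoked() {         # $1 = client cert, $2 = CA cert, $3 = CRL
    openssl verify -crl_check -CAfile "$2" -CRLfile "$3" "$1" 2>&1 \
        | grep -q "certificate revoked"
}

# Run all three; also show the CRL's validity window, since a CRL whose
# nextUpdate has passed is a common reason for it being treated as unusable.
check_crl() {            # $1 = CRL, $2 = CA cert, $3 = client cert
    openssl crl -in "$1" -noout -lastupdate -nextupdate
    crl_issuer_matches "$1" "$2" || { echo "CRL issuer != CA subject"; return 1; }
    crl_lists_serial "$1" "$3"   || { echo "serial not in CRL"; return 1; }
    cert_revoked "$3" "$2" "$1"  || { echo "verify does not report revoked"; return 1; }
    echo "CRL is usable and revokes $3"
}

check_crl crl.pem ca.pem client.pem
```

Running the same three functions against the real files under /etc/ipsec.d/ (the CA cert, the CRL, and the client cert to be banned) separates a CRL that cannot apply (wrong issuer, missing serial, or expired) from a daemon-side loading or policy problem.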
