[strongSwan] strict crl policy

Andreas Steffen andreas.steffen at strongswan.org
Sun Sep 26 09:24:50 CEST 2021

Hi Anthony,

strict CRL policy still works.

The problem with your setup is that you define

   strictcrlpolicy=yes

in ipsec.conf which is loaded via starter and the stroke interface
only whereas your log shows that you load the configuration via the
vici interface:

2021 Sep 24 04:26:47+00:00 wglng-17 charon [info]
   14[CFG]   remote:
   14[CFG]    class = public key
   14[CFG]    id = C=CA, O=Carillon Information Security Inc., ...
   14[CFG] added vici connection: sgateway1-radio0

There is no

   revocation = GOOD

entry in the remote authentication section log of the vici transfer, so

   revocation = strict

hasn't been set in the remote section of the configuration definition
in swanctl.conf, and thus no strict CRL policy is enforced.

Best regards


On 24.09.21 22:14, Modster, Anthony wrote:
> Hello
> Does setting strict CRL policy to yes still work?
> The CRLs for TA and SCA are removed.
> Was expecting the VPN tunnel not to make a connection.
> strongSwan 5.8.2
> # ipsec.conf - strongSwan IPsec configuration file
> # basic configuration
> config setup
>                  charondebug="ike 2,cfg 2"
>                  strictcrlpolicy=yes
>                  # uniqueids = no
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
strongSec GmbH, 8952 Schlieren (Switzerland)

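For readers hitting the same mismatch: the following swanctl.conf fragment is an added example, not code from the thread or from the strongSwan project, showing where the strict revocation policy has to live when connections are loaded through vici. The connection name is taken from the log above; the addresses, certificate file names and the remote id are placeholders and are assumptions.

```conf
# swanctl.conf (added example; loaded via "swanctl --load-all")
# The legacy "strictcrlpolicy=yes" in ipsec.conf is read only by starter/stroke
# and has no effect on connections loaded through the vici interface.
connections {
    sgateway1-radio0 {
        # placeholder peer address (assumption)
        remote_addrs = 192.0.2.10
        version = 2

        local {
            auth = pubkey
            # placeholder certificate file (assumption)
            certs = sgateway1Cert.pem
        }

        remote {
            auth = pubkey
            # placeholder identity (assumption); the real one is the peer's subject DN
            id = "C=CH, O=Example, CN=peer.example.org"
            # strict: a missing or stale CRL for any certificate in the peer's
            # chain fails the authentication instead of being tolerated.
            # Other accepted values are relaxed (the default) and ifuri.
            revocation = strict
        }

        children {
            net {
                # placeholder traffic selectors (assumption)
                local_ts  = 10.1.0.0/16
                remote_ts = 10.2.0.0/16
                start_action = start
            }
        }
    }
}
```

After a `swanctl --load-all`, the CFG-level charon log of the vici transfer should contain a `revocation = GOOD` line in the remote section (this is the internal name strongSwan logs for the strict policy, which is why its absence in the log above shows the option was never set); with the TA and SCA CRLs removed, the IKE authentication then fails as the original poster expected.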