[strongSwan] strict crl policy
Andreas Steffen
andreas.steffen at strongswan.org
Sun Sep 26 09:24:50 CEST 2021
Hi Anthony,
strict CRL policy still works.
The problem with your setup is that you define
strictcrlpolicy=yes
in ipsec.conf which is loaded via starter and the stroke interface
only whereas your log shows that you load the configuration via the
vici interface:
2021 Sep 24 04:26:47+00:00 wglng-17 charon [info]
...
14[CFG] remote:
14[CFG] class = public key
14[CFG] id = C=CA, O=Carillon Information Security Inc., ...
14[CFG] added vici connection: sgateway1-radio0
There is no
revocation = GOOD
entry in the remote authentication section log of the vici transfer,
so
revocation = strict
hasn't been set in the remote section of the configuration definition
in swanctl.conf and thus no strict CRL policy is enforced
Best regards
Andreas
On 24.09.21 22:14, Modster, Anthony wrote:
> Hello
>
> Does setting strict CRL policy to yes still work ?
> The CRL’s for TA and SCA are removed.
> Was expecting the VPN tunnel not to make a connection.
>
> strongSwan 5.8.2
>
> # ipsec.conf - strongSwan IPsec configuration file
> # basic configuration
> config setup
> charondebug="ike 2,cfg 2"
> strictcrlpolicy=yes
> # uniqueids = no
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
strongSec GmbH, 8952 Schlieren (Switzerland)
======================================================================
More information about the Users
mailing list