[strongSwan] strict crl policy

Andreas Steffen andreas.steffen at strongswan.org
Sun Sep 26 09:24:50 CEST 2021


Hi Anthony,

strict CRL policy still works.

The problem with your setup is that you define

   strictcrlpolicy=yes

in ipsec.conf which is loaded via starter and the stroke interface
only whereas your log shows that you load the configuration via the
vici interface:

2021 Sep 24 04:26:47+00:00 wglng-17 charon [info]
   ...
   14[CFG]   remote:
   14[CFG]    class = public key
   14[CFG]    id = C=CA, O=Carillon Information Security Inc., ...
   14[CFG] added vici connection: sgateway1-radio0

There is no

   revocation = GOOD

entry in the remote authentication section log of the vici transfer,
so

   revocation = strict

hasn't been set in the remote section of the configuration definition
in swanctl.conf and thus no strict CRL policy is enforced

Best regards

Andreas

On 24.09.21 22:14, Modster, Anthony wrote:
> Hello
> 
> Does setting strict CRL policy to yes still work ?
> The CRL’s for TA and SCA are removed.
> Was expecting the VPN tunnel not to make a connection.
> 
> strongSwan 5.8.2
> 
> # ipsec.conf - strongSwan IPsec configuration file
> # basic configuration
> config setup
>                  charondebug="ike 2,cfg 2"
>                  strictcrlpolicy=yes
>                  # uniqueids = no
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
strongSec GmbH, 8952 Schlieren (Switzerland)
======================================================================


More information about the Users mailing list