[strongSwan] strict crl policy
Modster, Anthony
Anthony.Modster at Teledyne.com
Mon Sep 27 18:09:34 CEST 2021
Thanks
-----Original Message-----
From: Users <users-bounces at lists.strongswan.org> On Behalf Of Andreas Steffen
Sent: Sunday, September 26, 2021 12:25 AM
To: Modster, Anthony <Anthony.Modster at Teledyne.com>; users at lists.strongswan.org
Subject: Re: [strongSwan] strict crl policy
Hi Anthony,
strict CRL policy still works.
The problem with your setup is that you define
strictcrlpolicy=yes
in ipsec.conf, which is loaded via starter and the stroke interface only, whereas your log shows that you load the configuration via the vici interface:
2021 Sep 24 04:26:47+00:00 wglng-17 charon [info]
...
14[CFG] remote:
14[CFG] class = public key
14[CFG] id = C=CA, O=Carillon Information Security Inc., ...
14[CFG] added vici connection: sgateway1-radio0
There is no
revocation = GOOD
entry in the remote authentication section log of the vici transfer, so
revocation = strict
hasn't been set in the remote section of the configuration definition in swanctl.conf and thus no strict CRL policy is enforced.
Best regards
Andreas
On 24.09.21 22:14, Modster, Anthony wrote:
> Hello
>
> Does setting strict CRL policy to yes still work ?
> The CRL's for TA and SCA are removed.
> Was expecting the VPN tunnel not to make a connection.
>
> strongSwan 5.8.2
>
> # ipsec.conf - strongSwan IPsec configuration file
> # basic configuration
> config setup
>         charondebug="ike 2,cfg 2"
>         strictcrlpolicy=yes
>         # uniqueids = no
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
strongSec GmbH, 8952 Schlieren (Switzerland)
======================================================================
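The check Andreas describes (look for a "revocation = GOOD" line in the remote auth section that charon logs when a vici connection is loaded) as a small added script; it is not from this thread or from the strongSwan project, and the log layout it parses is modelled on the excerpt above, so the exact indentation and key order of charon's "cfg 2" output are assumptions, as is the constructed sample log.

```python
import re

# Constructed sample log, modelled on the charon "cfg 2" excerpt in the thread
# (exact indentation/key order are assumptions): the first connection is
# loaded without a revocation policy, the second with revocation = strict.
SAMPLE_LOG = """\
2021 Sep 24 04:26:47+00:00 gw charon [info]
14[CFG] remote:
14[CFG]  class = public key
14[CFG]  id = C=CA, O=Example Corp, CN=radio0
14[CFG] added vici connection: sgateway1-radio0
14[CFG] remote:
14[CFG]  class = public key
14[CFG]  revocation = GOOD
14[CFG]  id = C=CA, O=Example Corp, CN=radio1
14[CFG] added vici connection: sgateway1-radio1
"""

CFG_LINE = re.compile(r"\d+\[CFG\]\s?(.*)$")      # drop the "14[CFG] " prefix
SECTION = re.compile(r"^\s*(\S+):\s*$")           # "remote:", "local:", ...
ADDED = re.compile(r"^\s*added vici connection: (\S+)")
KEY_VALUE = re.compile(r"^\s*(\w+)\s*=\s*(.*?)\s*$")

def audit_vici_log(log_text):
    """Map each loaded connection name to True if every remote auth section
    logged for it carried revocation = GOOD (vici's name for strict), else False."""
    results, remote_sections, current = {}, [], None
    for raw in log_text.splitlines():
        m = CFG_LINE.search(raw)
        if not m:
            continue                      # timestamps, other subsystems
        line = m.group(1)
        m = ADDED.match(line)
        if m:                             # end of one connection's dump
            results[m.group(1)] = bool(remote_sections) and all(
                sec.get("revocation") == "GOOD" for sec in remote_sections)
            remote_sections, current = [], None
            continue
        m = SECTION.match(line)
        if m:                             # start of an auth or child section
            current = {}
            if m.group(1) == "remote":
                remote_sections.append(current)
            continue
        m = KEY_VALUE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return results
```

A connection that maps to False was loaded over vici without strict CRL checking on the peer, which is exactly the situation in the log quoted above.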