[strongSwan] strict crl policy

Modster, Anthony Anthony.Modster at Teledyne.com
Mon Sep 27 18:09:34 CEST 2021


Teledyne Confidential; Commercially Sensitive Business Data

-----Original Message-----
From: Users <users-bounces at lists.strongswan.org> On Behalf Of Andreas Steffen
Sent: Sunday, September 26, 2021 12:25 AM
To: Modster, Anthony <Anthony.Modster at Teledyne.com>; users at lists.strongswan.org
Subject: Re: [strongSwan] strict crl policy

Hi Anthony,

strict CRL policy still works.

The problem with your setup is that you define

   strictcrlpolicy=yes

in ipsec.conf, which is loaded via starter and the stroke interface only, whereas your log shows that you load the configuration via the vici interface:

2021 Sep 24 04:26:47+00:00 wglng-17 charon [info]
   14[CFG]   remote:
   14[CFG]    class = public key
   14[CFG]    id = C=CA, O=Carillon Information Security Inc., ...
   14[CFG] added vici connection: sgateway1-radio0

There is no

   revocation = GOOD

entry in the remote authentication section log of the vici transfer, so

   revocation = strict

hasn't been set in the remote section of the configuration definition in swanctl.conf, and thus no strict CRL policy is enforced.

Best regards


On 24.09.21 22:14, Modster, Anthony wrote:
> Hello
> Does setting strict CRL policy to yes still work ?
> The CRL's for TA and SCA are removed.
> Was expecting the VPN tunnel not to make a connection.
> strongSwan 5.8.2
> # ipsec.conf - strongSwan IPsec configuration file
> # basic configuration
> config setup
>                  charondebug="ike 2,cfg 2"
>                  strictcrlpolicy=yes
>                  # uniqueids = no
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
strongSec GmbH, 8952 Schlieren (Switzerland)
======================================================================
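As an added example (not code from this thread or from the strongSwan project), a small Python check for the mistake discussed above: it parses a swanctl.conf-style file and lists the connections whose remote authentication section does not set `revocation = strict`, which is the setting the vici backend needs (a `strictcrlpolicy=yes` in ipsec.conf has no effect on vici-loaded connections). The sample configuration is constructed, and the parser handles only the basic `section { key = value }` syntax.

```python
# Constructed sample in swanctl.conf syntax (not taken from the thread): gw-strict
# sets revocation = strict in its remote auth section; gw-default leaves it unset.
SAMPLE_SWANCTL_CONF = """\
connections {
    gw-strict {
        remote_addrs = 192.0.2.1
        local {
            auth = pubkey
        }
        remote {
            auth = pubkey
            revocation = strict
        }
    }
    gw-default {
        remote_addrs = 192.0.2.2
        remote {
            auth = pubkey
        }
    }
}
"""

def parse_settings(text):
    """Parse strongSwan's 'section { key = value }' syntax into nested dicts ('#' comments stripped)."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith("{"):          # open a (sub)section
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line == "}":               # close the current section
            stack.pop()
        elif "=" in line:               # key = value setting
            key, _, value = line.partition("=")
            stack[-1][key.strip()] = value.strip()
    return root

def connections_without_strict_crl(conf):
    """Names of connections whose remote* auth rounds never set revocation = strict."""
    missing = []
    for name, conn in conf.get("connections", {}).items():
        remotes = [v for k, v in conn.items() if k.startswith("remote") and isinstance(v, dict)]
        if not any(r.get("revocation") == "strict" for r in remotes):
            missing.append(name)
    return missing
```

Running `connections_without_strict_crl(parse_settings(SAMPLE_SWANCTL_CONF))` on the sample reports only `gw-default`; the same check against a real swanctl.conf flags every peer that charon will still verify under the default relaxed policy.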