[strongSwan] Strongswan caching CRL's when setting is set to "no"

Eric Germann ekgermann at semperen.com
Sun May 29 22:56:27 CEST 2022

I’m gradually rolling out spokes to a number of remote sites using pfSense (at the core) and strongwan at the end of the spokes.  I am trying to achieve dynamic CRL checks and not having much luck.  The CRL is hosted in AWS S3 and successfully is fetched the first time around.  When IKE reauthenticates the log says it is loading crl from the directory (which has nothing in it).  Also forcing “rereadcrls” doesn’t cause a new fetch.  “files” and “curl” plugins are loaded. 

 Thoughts?  Pertinent config is

config setup
    cachecrls           = no
    uniqueids           = yes
    strictcrlpolicy     = yes

ca IPSecCA
    auto                = add
    crluri               = <S3 hosting URL which works>
    cacert              = "semperen-ca.crt"

Eric Germann
ekgermann {at} semperen {dot} com || ekgermann {at} gmail {dot} com
LinkedIn: https://www.linkedin.com/in/ericgermann <https://www.linkedin.com/in/ericgermann>
Medium: https://ekgermann.medium.com <https://ekgermann.medium.com/> 
Twitter: @ekgermann
Telegram || Signal || Skype || Phone +1 {dash} 419 {dash} 513 {dash} 0712

GPG Fingerprint: 89ED 36B3 515A 211B 6390  60A9 E30D 9B9B 3EBF F1A1

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20220529/4bbc2150/attachment.html>

More information about the Users mailing list