StrongSwan: strict CRL policy
-
Is it possible to implement a support for strict CRL policy option for StrongSwan?
it is supposed to be in ipsec.conf file, though i obviously do not want to put it there manually, it will be overwritten.However, i do want to integrate our RSA authenticated IPSec tunnels into our enterprise PKI infrastructure, with strict crl checking. In case CRL distribution point is unavailable - IPSec connection should be refused.
-
Sorry, question is irrelevant now. After some careful thinking, i realized that this will be impossible.
At first, i thought i will need to make CRLs from endpoint service CA, which i installed specifically for IPSec certificates publishing, available from WAN for checking, which i can do.
But i realized, that in case of strict check, StrongSwan will require all CRLs available - from root and intermediate CAs too. Those i don`t want to publish to WAN.