StrongSwan: strict CRL policy



  • Is it possible to implement support for the strict CRL policy option for StrongSwan?
    It is supposed to be in the ipsec.conf file, though I obviously do not want to put it there manually, as it will be overwritten.

    However, I do want to integrate our RSA-authenticated IPSec tunnels into our enterprise PKI infrastructure, with strict CRL checking. In case the CRL distribution point is unavailable, the IPSec connection should be refused.
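    For reference, this is what the setting being asked about looks like in the legacy strongSwan ipsec.conf (stroke) syntax. It is an added example, not configuration from the original thread; the CA names, file paths and CRL URLs are placeholders, and the `conn` section is a minimal stand-in for whatever tunnel definitions are already in use.

```ini
# Added example (not from the original post): ipsec.conf fragment enabling a
# strict CRL policy. CA names, paths and URLs are placeholders.
config setup
    # yes   - refuse the peer unless a valid, current CRL is available for
    #         every CA in its certificate chain
    # ifuri - be strict only for CAs that advertise a CRL distribution point
    # no    - (default) warn about a missing CRL but still authenticate
    strictcrlpolicy=yes
    # keep fetched CRLs in /etc/ipsec.d/crls/ so a short outage of the
    # distribution point does not tear down tunnels before nextUpdate
    cachecrls=yes

# With strictcrlpolicy=yes each CA in the chain needs a reachable CRL, so
# every issuer gets its own ca section with a crluri the gateway can fetch.
ca root-ca
    cacert=/etc/ipsec.d/cacerts/root-ca.pem
    crluri=http://pki.example.com/crl/root-ca.crl
    auto=add

ca ipsec-issuing-ca
    cacert=/etc/ipsec.d/cacerts/ipsec-issuing-ca.pem
    crluri=http://pki.example.com/crl/ipsec-issuing-ca.crl
    auto=add

conn site-to-site
    leftcert=gateway.pem
    rightid=%any
    auto=add
```

    The practical consequence is the one the follow-up in this thread runs into: the check applies to the whole chain, so a gateway that can only reach the issuing CA's CRL but not the root's will refuse every peer once the cached root CRL passes its nextUpdate. `strictcrlpolicy=ifuri` relaxes this only for CAs whose certificates carry no distribution point; it does not skip a CA whose CRL URL is simply unreachable.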



  • Sorry, the question is irrelevant now. After some careful thinking, I realized that this will be impossible.

    At first, I thought I would need to make CRLs from the endpoint service CA, which I installed specifically for publishing IPSec certificates, available from the WAN for checking, which I can do.

    But I realized that in case of a strict check, StrongSwan will require all CRLs to be available, from root and intermediate CAs too. Those I don't want to publish to the WAN.