Netgate Discussion Forum
    StrongSwan: strict CRL policy

      Spi1y

      Is it possible to implement support for a strict CRL policy option for StrongSwan?
      It is supposed to be in the ipsec.conf file, though I obviously do not want to put it there manually; it will be overwritten.

      However, I do want to integrate our RSA-authenticated IPsec tunnels into our enterprise PKI infrastructure, with strict CRL checking. If the CRL distribution point is unavailable, the IPsec connection should be refused.

        Spi1y

        Sorry, the question is irrelevant now. After some careful thinking, I realized that this will be impossible.

        At first, I thought I would need to make the CRLs from the endpoint service CA, which I installed specifically for publishing IPsec certificates, available from the WAN for checking, which I can do.

        But I realized that with a strict check, StrongSwan will require all CRLs to be available, from the root and intermediate CAs too. Those I don't want to publish to the WAN.
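
To see which CRL locations a chain refers to before turning on strict checking, the script below (an added example, not part of the original posts) lists the CRL distribution point of every certificate in a PEM bundle. It assumes OpenSSL 1.1.1 or later and builds a throwaway demo chain; all CNs, URLs and file names are constructed.

```shell
# Added example: list every CRL distribution point (CDP) in a certificate
# chain. Hostnames, CNs and file names are constructed for the demo.

# Print "<subject><TAB><CRL URI>" for each CDP of each cert in a PEM bundle.
list_crl_uris() {
  tmp=$(mktemp -d)
  # Split the bundle into one file per certificate.
  awk -v d="$tmp" '/BEGIN CERTIFICATE/{n++} n{print > (d "/c" n ".pem")}' "$1"
  for c in "$tmp"/c*.pem; do
    subj=$(openssl x509 -in "$c" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    # Certificates without a CDP extension (the root here) print nothing.
    openssl x509 -in "$c" -noout -ext crlDistributionPoints 2>/dev/null |
      awk -v s="$subj" 'sub(/.*URI:/, "") { print s "\t" $0 }'
  done
  rm -rf "$tmp"
}

# Build a throwaway chain (root, intermediate, issuing CA, peer) in
# directory $1 and write it, leaf first, to $1/chain.pem.
make_demo_chain() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-root" \
    -keyout "$d/demo-root.key" -out "$d/demo-root.pem" 2>/dev/null
  issue() {  # issue <cn> <issuer-cn> <TRUE|FALSE for CA> <URI of issuer's CRL>
    printf 'basicConstraints=CA:%s\ncrlDistributionPoints=URI:%s\n' "$3" "$4" \
      > "$d/$1.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
      -keyout "$d/$1.key" -out "$d/$1.csr" 2>/dev/null
    openssl x509 -req -in "$d/$1.csr" -CA "$d/$2.pem" -CAkey "$d/$2.key" \
      -CAcreateserial -extfile "$d/$1.ext" -days 1 -out "$d/$1.pem" 2>/dev/null
  }
  # Only the issuing CA's CRL sits on a public host in this constructed layout.
  issue demo-intermediate demo-root TRUE http://pki.corp.example/root.crl
  issue demo-issuing demo-intermediate TRUE http://pki.corp.example/intermediate.crl
  issue vpn-peer demo-issuing FALSE http://crl.example.net/issuing.crl
  cat "$d/vpn-peer.pem" "$d/demo-issuing.pem" "$d/demo-intermediate.pem" \
    "$d/demo-root.pem" > "$d/chain.pem"
}

# Usage: work=$(mktemp -d); make_demo_chain "$work"; list_crl_uris "$work/chain.pem"
```

Run against a real peer's chain, `list_crl_uris` shows each CRL URI next to the certificate that carries it, so internal-only hosts stand out.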

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.