Re: [strongSwan] strict crl policy
Thanks

Teledyne Confidential; Commercially Sensitive Business Data

-----Original Message-----
From: Users On Behalf Of Andreas Steffen
Sent: Sunday, September 26, 2021 12:25 AM
To: Modster, Anthony; users@lists.strongswan.org
Subject: Re: [strongSwan] strict crl policy

---External Email---

Hi Anthony,

strict CRL policy still works. The problem with your setup is that you define strictcrlpolicy=yes in ipsec.conf, which is loaded via starter and the stroke interface only, whereas your log shows that you load the configuration via the vici interface:

2021 Sep 24 04:26:47+00:00 wglng-17 charon [info] ... 14[CFG] remote:
14[CFG]   class = public key
14[CFG]   id = C=CA, O=Carillon Information Security Inc., ...
14[CFG] added vici connection: sgateway1-radio0

There is no revocation = GOOD entry in the remote authentication section log of the vici transfer, so revocation = strict hasn't been set in the remote section of the configuration definition in swanctl.conf and thus no strict CRL policy is enforced.

Best regards

Andreas

On 24.09.21 22:14, Modster, Anthony wrote:
> Hello
>
> Does setting strict CRL policy to yes still work?
> The CRLs for TA and SCA are removed.
> Was expecting the VPN tunnel not to make a connection.
>
> strongSwan 5.8.2
>
> # ipsec.conf - strongSwan IPsec configuration file
> # basic configuration
> config setup
>         charondebug="ike 2,cfg 2"
>         strictcrlpolicy=yes
>         # uniqueids = no

==
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
strongSec GmbH, 8952 Schlieren (Switzerland)
==
Re: [strongSwan] strict crl policy
Hi Anthony,

strict CRL policy still works. The problem with your setup is that you define strictcrlpolicy=yes in ipsec.conf, which is loaded via starter and the stroke interface only, whereas your log shows that you load the configuration via the vici interface:

2021 Sep 24 04:26:47+00:00 wglng-17 charon [info] ... 14[CFG] remote:
14[CFG]   class = public key
14[CFG]   id = C=CA, O=Carillon Information Security Inc., ...
14[CFG] added vici connection: sgateway1-radio0

There is no revocation = GOOD entry in the remote authentication section log of the vici transfer, so revocation = strict hasn't been set in the remote section of the configuration definition in swanctl.conf and thus no strict CRL policy is enforced.

Best regards

Andreas

On 24.09.21 22:14, Modster, Anthony wrote:
> Hello
>
> Does setting strict CRL policy to yes still work?
> The CRLs for TA and SCA are removed.
> Was expecting the VPN tunnel not to make a connection.
>
> strongSwan 5.8.2
>
> # ipsec.conf - strongSwan IPsec configuration file
> # basic configuration
> config setup
>         charondebug="ike 2,cfg 2"
>         strictcrlpolicy=yes
>         # uniqueids = no

==
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
strongSec GmbH, 8952 Schlieren (Switzerland)
==
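For readers hitting the same mismatch: the swanctl.conf fragment below is a constructed illustration added to this thread (not configuration from Anthony's setup or from the strongSwan project; connection name, addresses, identities and certificate file names are placeholders). It shows where the per-connection revocation setting lives when charon is fed via vici, where ipsec.conf's strictcrlpolicy has no effect.

```conf
# swanctl.conf (constructed example; all names and addresses are placeholders)
connections {
    sgateway1-radio0 {
        version = 2
        local_addrs  = 192.0.2.1
        remote_addrs = 198.51.100.1

        local {
            auth  = pubkey
            certs = gatewayCert.pem
            id    = "C=XX, O=Example Org, CN=gateway.example.org"
        }
        remote {
            auth = pubkey
            id   = "C=XX, O=Example Org, CN=radio0.example.org"
            # Default is relaxed: a peer certificate is accepted even when
            # no CRL/OCSP information can be obtained. strict rejects the
            # certificate (and thus the IKE_SA) whenever valid revocation
            # information for the chain is unavailable, which is what the
            # "CRLs for TA and SCA removed" test above expects to trigger.
            revocation = strict
        }
        children {
            net {
                local_ts  = 10.1.0.0/16
                remote_ts = 10.2.0.0/16
                esp_proposals = aes256gcm16-x25519
            }
        }
    }
}
```

After editing, reload with `swanctl --load-conns`; with charon's cfg logging at level 2 the vici transfer should then show the revocation entry in the remote section, and `swanctl --list-certs --type x509_crl` shows which CRLs (if any) are actually loaded.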
Re: [strongSwan] strict crl policy
Hi,

Double check two things:

1 - Make sure the revocation plugin is loaded, use "ipsec statusall"
2 - Make sure the crl is loaded, use "ipsec listcrls"

--Jafar

On 9/24/2021 3:14 PM, Modster, Anthony wrote:
> Hello
>
> Does setting strict CRL policy to yes still work?
> The CRLs for TA and SCA are removed.
> Was expecting the VPN tunnel not to make a connection.
>
> strongSwan 5.8.2
>
> # ipsec.conf - strongSwan IPsec configuration file
> # basic configuration
> config setup
>         charondebug="ike 2,cfg 2"
>         strictcrlpolicy=yes
>         # uniqueids = no