On Tue, 17 Dec 2019 22:29:10 +0530 Utkarsh Kumar <[email protected]> wrote:
> Hi Everyone,
> I have an application where I am establishing an IPSEC connection
> between two linux machines using libreswan which is happening
> successfully.

Please use the swan@ list for usage issues like this.

> I have enabled strict crl check in config with interval of 60 sec.
>
> crl-strict=yes
> crlcheckinterval=1m

1m is all too often. Use something sensible like hours. CRL lifetimes are days, so you don't need to hammer the crl distribution point every minute.

> End Certificate:
> [image: Screen Shot 2019-12-17 at 10.23.45 PM.png]

Unfortunately this image didn't show what the crypto library thinks about the crl distribution point.

Also note you must be able to fetch that crl without IPsec when IPsec is enabled - so the distribution point must not be behind your tunnel when you use strict crl checking. Or at least you must make sure you can get the tunnel up without strict checking to get the crl into the nss database the first time.

> But the CRL list is not updating automatically. In the logs I am
> seeing the following error. Can anyone please help me with the solution
> here.
> Error:
>
> Dec 17 18:46:05: | *time to check crls
> Dec 17 18:46:05: | attempting to add a new CRL fetch request
> Dec 17 18:46:05: | could not find CRL URI ext -8157

The CRL url must be in the end certificate or the issuer certificate. In either case crl fetching happens - your (too big) picture didn't reveal the true information about the certificate, so it's quite hard to help. And it must be fetchable without IPsec and with IPsec.

-- 
Tuomo Soini <[email protected]>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>

_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
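A pre-flight check for the two conditions the reply names (a CRL distribution point in the end or issuer certificate, and a CRL that is fetchable with the tunnel down), written as an added example for this thread and not taken from libreswan or the poster's setup. It assumes openssl 1.1.1 or later (for `-ext`) and curl are installed; the certificate paths are placeholders, and the `-8157` in the log is NSS's SEC_ERROR_EXTENSION_NOT_FOUND, i.e. no distribution point extension was found.

```shell
#!/bin/sh
# Added example: checks the CRL distribution point (CDP) the way the reply describes
# for libreswan crl-strict=yes. Assumes openssl (1.1.1+) and curl; paths are placeholders.

# Print every CDP URI carried by one PEM certificate, one per line.
crl_uris_in_cert() {
    openssl x509 -in "$1" -noout -ext crlDistributionPoints 2>/dev/null \
        | sed -n 's/.*URI:\([^ ,]*\).*/\1/p'
}

# Look in the end certificate first, then the issuer; print the URIs, return 1 if neither has one.
find_crl_uris() {
    uris=$(crl_uris_in_cert "$1")
    if [ -z "$uris" ] && [ -n "$2" ]; then
        uris=$(crl_uris_in_cert "$2")
    fi
    [ -n "$uris" ] || return 1
    printf '%s\n' "$uris"
}

# Fetch each CDP once (run this with IPsec down, as pluto must be able to) and confirm the
# body parses as a CRL in DER or PEM form. Returns 1 if any CDP fails.
check_crl_fetch() {
    status=0
    tmp=$(mktemp)
    for uri in "$@"; do
        if curl -fsS --max-time 10 -o "$tmp" "$uri" \
           && { openssl crl -inform DER -in "$tmp" -noout -nextupdate 2>/dev/null \
                || openssl crl -inform PEM -in "$tmp" -noout -nextupdate 2>/dev/null; }; then
            echo "OK      $uri"
        else
            echo "FAILED  $uri (must be reachable without IPsec for crl-strict=yes)"
            status=1
        fi
    done
    rm -f "$tmp"
    return $status
}

# Usage: crl-preflight.sh END_CERT.pem [ISSUER_CERT.pem]
if [ "$#" -ge 1 ]; then
    if uris=$(find_crl_uris "$1" "$2"); then
        check_crl_fetch $uris
    else
        echo "no crlDistributionPoints extension in end or issuer certificate" >&2
        exit 1
    fi
fi
```

Run it on the host before enabling crl-strict=yes; a FAILED line for a CDP that only resolves through the tunnel is the situation the reply warns about.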
