Hi,

> Can you help please to determine if there are any issues at
> initialization and during the life of an IPsec tunnel if CRLs are
> retrieved via this same IPsec tunnel?
Fetching a CRL inside the tunnel to check the certificate status for the same tunnel does not work: it is a chicken-and-egg problem. With a strict CRL policy, you can't establish the tunnel, because you have no CRL. And you can't fetch a CRL, because you don't have a tunnel yet.

If the CRL can't be published outside the IPsec tunnel, the preferable option would be to switch to OCSP and use in-band OCSP checking, RFC 4806. strongSwan currently doesn't support it, though.

Regards
Martin
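As an added illustration of the deadlock described in this reply (not code from the thread or from strongSwan), the script below takes the CRL distribution point (CDP) URLs from a peer certificate and the remote subnets protected by the tunnel, and flags any CDP whose host is only reachable through the tunnel. The hostnames, addresses and subnets are constructed for the example and resolved from a static table so the check runs offline; in a real deployment you would pull the CDP URLs out of the certificate and resolve them with DNS.

```python
"""Flag CRL distribution points that sit behind the IPsec tunnel they are
meant to validate (constructed example, not strongSwan code)."""
import ipaddress
from urllib.parse import urlsplit

# Constructed offline stand-in for DNS. The names and addresses are assumptions.
STATIC_DNS = {
    "crl.example.internal": "10.1.2.50",   # assumed host behind the remote gateway
    "crl.example.com": "203.0.113.80",     # assumed public CRL mirror
}


def cdp_host_ip(url):
    """Return the IP address a CDP URL points at, or None if it cannot be resolved."""
    host = urlsplit(url).hostname
    if host is None:
        return None
    try:
        # The CDP may carry an IP literal directly.
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    if host in STATIC_DNS:
        return ipaddress.ip_address(STATIC_DNS[host])
    return None


def classify_cdps(cdp_urls, remote_subnets):
    """Map each CDP URL to 'in-tunnel', 'out-of-band' or 'unresolved'.

    'in-tunnel' means the CDP host falls inside a subnet that is only reachable
    once the tunnel is up, so the CRL cannot be fetched before authentication.
    """
    nets = [ipaddress.ip_network(n) for n in remote_subnets]
    result = {}
    for url in cdp_urls:
        ip = cdp_host_ip(url)
        if ip is None:
            result[url] = "unresolved"
        elif any(ip in net for net in nets):
            result[url] = "in-tunnel"
        else:
            result[url] = "out-of-band"
    return result


def crl_unreachable_before_tunnel(cdp_urls, remote_subnets):
    """True if no CDP is reachable outside the tunnel.

    With a strict CRL policy this is exactly the chicken-and-egg case: the
    peer cannot be validated without the CRL, and the CRL cannot be fetched
    without the tunnel.
    """
    classes = classify_cdps(cdp_urls, remote_subnets)
    return not any(c == "out-of-band" for c in classes.values())


if __name__ == "__main__":
    # Constructed inputs: two CDPs on a peer certificate, one remote subnet.
    cdps = ["http://crl.example.internal/ca.crl", "http://crl.example.com/ca.crl"]
    subnets = ["10.1.0.0/16"]
    for url, cls in classify_cdps(cdps, subnets).items():
        print(f"{cls:12} {url}")
    if crl_unreachable_before_tunnel(cdps, subnets):
        print("strict CRL policy would deadlock: publish the CRL out of band or use OCSP")
    else:
        print("at least one CDP is reachable before the tunnel comes up")
```

Running the check over a certificate whose only CDP resolves into the protected subnet reports the deadlock; adding a CDP on a publicly reachable host clears it, which is the "publish the CRL outside the tunnel" remedy from the reply.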