Another alternative would be for the VPN gateway to send the CRL in-band via an IKEv2 Certificate Payload of type CRL as defined in
http://tools.ietf.org/html/rfc5996#section-3.6

Unfortunately strongSwan doesn't support this yet, either.

Regards

Andreas

On 03.10.2012 14:27, Martin Willi wrote:
> Hi,
>
>> Can you help please to determine if there are any issues at
>> initialization and during the life of an IPsec tunnel if CRLs are
>> retrieved via this same IPsec tunnel?
>
> Fetching a CRL inside the tunnel to check the certificate status for the
> same tunnel does not work: it is a hen-egg problem. With a strict CRL
> policy, you can't establish the tunnel, because you have no CRL. And you
> can't fetch a CRL, because you don't have a tunnel yet.
>
> If the CRL can't be published outside the IPsec tunnel, the preferable
> option would be to switch to OCSP and use in-band OCSP checking,
> RFC4806. strongSwan currently doesn't support it, though.
>
> Regards
> Martin

======================================================================
Andreas Steffen                                   [email protected]
strongSwan - the Linux VPN Solution!              www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
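As an added example (not strongSwan code, and not from either poster): a minimal encoder and length-checked parser for the IKEv2 Certificate Payload of RFC 5996 section 3.6, showing what a gateway that delivers its CRL in-band, as Andreas describes, would put on the wire next to its certificate. The DER blobs are constructed placeholders, not real certificates.

```python
import struct

# Cert Encoding values of the IKEv2 Certificate Payload (RFC 5996 section 3.6);
# OCSP Content (14) is the in-band OCSP encoding from RFC 4806.
CERT_X509_SIGNATURE = 4
CERT_CRL = 7
CERT_HASH_URL_X509 = 12
CERT_OCSP_CONTENT = 14
ENCODING_NAMES = {
    CERT_X509_SIGNATURE: "X.509 Certificate - Signature",
    CERT_CRL: "Certificate Revocation List (CRL)",
    CERT_HASH_URL_X509: "Hash and URL of X.509 certificate",
    CERT_OCSP_CONTENT: "OCSP Content",
}
PAYLOAD_CERT = 37  # payload type number of CERT in the Next Payload field
HEADER = struct.Struct("!BBHB")  # Next Payload, C+Reserved, Payload Length, Cert Encoding


def build_cert_payload(encoding, data, next_payload=0, critical=False):
    """Serialize one Certificate Payload: generic header, encoding octet, data."""
    length = HEADER.size + len(data)
    if length > 0xFFFF:
        raise ValueError("certificate data too large for a single payload")
    return HEADER.pack(next_payload, 0x80 if critical else 0, length, encoding) + data


def parse_cert_payloads(buf):
    """Walk a chain of CERT payloads and return [(encoding name, data), ...].

    Stops when Next Payload is 0 or not CERT; rejects truncated or oversized
    lengths instead of reading past the end of the buffer.
    """
    out, next_type = [], PAYLOAD_CERT
    while next_type == PAYLOAD_CERT:
        if len(buf) < HEADER.size:
            raise ValueError("truncated payload header")
        next_type, _flags, length, encoding = HEADER.unpack_from(buf)
        if length < HEADER.size or length > len(buf):
            raise ValueError("payload length %d inconsistent with buffer" % length)
        out.append((ENCODING_NAMES.get(encoding, "unknown (%d)" % encoding),
                    buf[HEADER.size:length]))
        buf = buf[length:]
    return out


# Constructed placeholders standing in for DER blobs (not real X.509 data).
SAMPLE_CERT = b"\x30\x03CRT"
SAMPLE_CRL = b"\x30\x03CRL"


def gateway_cert_and_crl():
    """Gateway certificate followed by its CRL, chained via Next Payload = CERT."""
    return (build_cert_payload(CERT_X509_SIGNATURE, SAMPLE_CERT, next_payload=PAYLOAD_CERT)
            + build_cert_payload(CERT_CRL, SAMPLE_CRL))
```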
