Thanks
Teledyne Confidential; Commercially Sensitive Business Data -----Original Message----- From: Users <users-boun...@lists.strongswan.org> On Behalf Of Andreas Steffen Sent: Sunday, September 26, 2021 12:25 AM To: Modster, Anthony <anthony.mods...@teledyne.com>; users@lists.strongswan.org Subject: Re: [strongSwan] strict crl policy ---External Email--- Hi Anthony, strict CRL policy still works. The problem with your setup is that you define strictcrlpolicy=yes in ipsec.conf which is loaded via starter and the stroke interface only whereas your log shows that you load the configuration via the vici interface: 2021 Sep 24 04:26:47+00:00 wglng-17 charon [info] ... 14[CFG] remote: 14[CFG] class = public key 14[CFG] id = C=CA, O=Carillon Information Security Inc., ... 14[CFG] added vici connection: sgateway1-radio0 There is no revocation = GOOD entry in the remote authentication section log of the vici transfer, so revocation = strict hasn't been set in the remote section of the configuration definition in swanctl.conf and thus no strict CRL policy is enforced Best regards Andreas On 24.09.21 22:14, Modster, Anthony wrote: > Hello > > Does setting strict CRL policy to yes still work ? > The CRL's for TA and SCA are removed. > Was expecting the VPN tunnel not to make a connection. > > strongSwan 5.8.2 > > # ipsec.conf - strongSwan IPsec configuration file # basic > configuration config setup > charondebug="ike 2,cfg 2" > strictcrlpolicy=yes > # uniqueids = no ====================================================================== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org strongSec GmbH, 8952 Schlieren (Switzerland) ======================================================================