Does "<conn>.reauth_time" and leaving "break_before_make" alone force a reauth and certificate validity check on IKE/ISAKMP from non-cached CRLs?
Apologies for all the questions.

Eric

> On Jun 1, 2022, at 10:43 AM, Tobias Brunner <tob...@strongswan.org> wrote:
>
> Hi Eric,
>
>> 16[IKE] received end entity cert "CN=pfsense.semperen.net, C=US, ST=OH, L=Van Wert, O=The Semperen Group, OU=Network Operations"
>> 16[CFG] using certificate "CN=pfsense.semperen.net, C=US, ST=OH, L=Van Wert, O=The Semperen Group, OU=Network Operations"
>> 16[CFG] using trusted ca certificate "CN=semperen-ipsec-ca, C=US, ST=OH, L=Van Wert, O=The Semperen Group, OU=Network Operations"
>> 16[CFG] checking certificate status of "CN=pfsense.semperen.net, C=US, ST=OH, L=Van Wert, O=The Semperen Group, OU=Network Operations"
>> >>>>> 16[CFG] fetching crl from 'https://ipsec-crl.s3.us-east-2.amazonaws.com/Semperen%2BIPSec%2BSigning%2BAuthority%2BCRL.crl' … <<<<
>> 16[CFG] using trusted certificate "CN=semperen-ipsec-ca, C=US, ST=OH, L=Van Wert, O=The Semperen Group, OU=Network Operations"
>> 16[CFG] crl correctly signed by "CN=semperen-ipsec-ca, C=US, ST=OH, L=Van Wert, O=The Semperen Group, OU=Network Operations"
>> 16[CFG] crl is valid: until Oct 13 19:33:11 2049
>> 16[CFG] certificate status is good
>> 16[CFG] reached self-signed root ca with a path length of 0
>
> This happens on demand when the peer certificate is verified, not when the daemon is started.
>
> Regards,
> Tobias
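The configuration the question is about, as an added example that is not part of the thread and not taken from the strongSwan documentation. It assumes a swanctl-based setup; the connection name `pfsense`, the addresses, file names, identities and the 4h interval are placeholders. The option Eric calls "break_before_make" is `charon.make_before_break` in strongswan.conf, whose default `no` is break-before-make. A `reauth_time` makes charon replace the IKE_SA with a fresh one, including a full IKE_AUTH, so the peer certificate is verified again and, per Tobias's answer, that verification is what triggers the CRL fetch. Leaving `charon.cache_crls` at its default `no` keeps fetched CRLs out of the certificate store. `revocation = strict` on the remote side turns an unavailable CRL into an authentication failure instead of a warning.

```conf
# /etc/swanctl/conf.d/pfsense.conf  (example file name, not from the thread)
connections {
    pfsense {
        version = 2
        remote_addrs = 203.0.113.10          # placeholder peer address
        # Re-authenticate every 4 hours: the IKE_SA is torn down and rebuilt
        # with a full IKE_AUTH, so the peer certificate is verified again.
        # With charon.make_before_break at its default (no) this is
        # break-before-make, which is what the question leaves alone.
        reauth_time = 4h
        local {
            auth = pubkey
            certs = gateway.pem              # placeholder local end-entity cert
            id = gateway.example.net         # placeholder identity
        }
        remote {
            auth = pubkey
            id = "CN=pfsense.semperen.net, C=US, ST=OH, L=Van Wert, O=The Semperen Group, OU=Network Operations"
            # strict: the revocation status must be determined (CRL or OCSP);
            # if the CRL cannot be fetched or validated, authentication fails
            # rather than succeeding with a warning (the default is relaxed).
            revocation = strict
        }
        children {
            net {
                local_ts = 10.0.0.0/24       # placeholder traffic selectors
                remote_ts = 10.0.1.0/24
                esp_proposals = aes256gcm16-x25519
            }
        }
    }
}

# /etc/strongswan.conf
charon {
    # Default is no: a CRL fetched during verification is not written to the
    # certificate store, so the next verification fetches it again on demand.
    cache_crls = no
    # Default is no, i.e. break-before-make reauthentication.
    make_before_break = no
    plugins {
        revocation {
            enable_crl = yes
            enable_ocsp = yes
        }
    }
}
```

To confirm that a reauthentication really re-fetches the CRL, watch the charon log at the reauth interval for the `checking certificate status of ...` and `fetching crl from '...'` lines shown in Tobias's excerpt; if only `certificate status is good` appears without a `fetching crl from` line, the status came from a cached CRL rather than a fresh download.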