Hi Anthony, strict CRL policy still works.
The problem with your setup is that you define strictcrlpolicy=yes in ipsec.conf which is loaded via starter and the stroke interface only whereas your log shows that you load the configuration via the vici interface: 2021 Sep 24 04:26:47+00:00 wglng-17 charon [info] ... 14[CFG] remote: 14[CFG] class = public key 14[CFG] id = C=CA, O=Carillon Information Security Inc., ... 14[CFG] added vici connection: sgateway1-radio0 There is no revocation = GOOD entry in the remote authentication section log of the vici transfer, so revocation = strict hasn't been set in the remote section of the configuration definition in swanctl.conf and thus no strict CRL policy is enforced Best regards Andreas On 24.09.21 22:14, Modster, Anthony wrote:
Hello Does setting strict CRL policy to yes still work ? The CRL’s for TA and SCA are removed. Was expecting the VPN tunnel not to make a connection. strongSwan 5.8.2 # ipsec.conf - strongSwan IPsec configuration file # basic configuration config setup charondebug="ike 2,cfg 2" strictcrlpolicy=yes # uniqueids = no
====================================================================== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org strongSec GmbH, 8952 Schlieren (Switzerland) ======================================================================