> Hi Martin,
>
> Thanks for the explanations.
>
> I don't see an authorityKeyIdentifier in my CRL, but my openssl.cnf
> contains:
>
> [ crl_ext ]
> authorityKeyIdentifier = keyid:always,issuer:always
I found the problem. I was missing the 'crl_extensions = crl_ext' line
in my openssl.cnf.
It work
On 09/05/2012 03:11 PM, Martin Willi wrote:
> Hi Claude,
>
>> crluri=VPNCA-crl.pem
>> fetching crl from 'VPNCA-crl.pem' ...
>> crl fetching failed
> crluri takes a URI, not a file name (see ipsec.conf(5)). It might have
> worked with pluto, but it certainly does not with charon.
>
>> fetching crl
Hi Claude,
> crluri=VPNCA-crl.pem
> fetching crl from 'VPNCA-crl.pem' ...
> crl fetching failed
crluri takes a URI, not a file name (see ipsec.conf(5)). It might have
worked with pluto, but it certainly does not with charon.
> fetching crl from
> 'file:///usr/local/strongswan/etc/ipsec.d/crl
Hi,
On strongswan < 5, I was using certificates with IKEv1 and specifically
strictcrlpolicy=yes always worked fine.
My config was something like:

ca vpnca
    cacert=VPNCA-cacert.pem
    crluri=VPNCA-crl.pem
    auto=add

config setup
    strictcrlpolicy=yes
    ...
Now with strongswan 5.0.0.
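
An added example, not part of the original posts and not strongSwan code: a small checker that scans ipsec.conf text for crluri values in ca sections that are bare file names rather than URIs, the cause of the "crl fetching failed" message in this thread. The crl_dir default, the second ca section and the example.org URL are constructed assumptions.

```python
import re
from pathlib import PurePosixPath

# RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")

# Constructed sample; the vpnca section mirrors the config quoted in the thread.
SAMPLE = """\
config setup
    strictcrlpolicy=yes

ca vpnca
    cacert=VPNCA-cacert.pem
    crluri=VPNCA-crl.pem
    auto=add

ca otherca
    cacert=other-cacert.pem
    crluri=http://crl.example.org/other.crl
    auto=add
"""

def check_crluris(conf_text, crl_dir="/etc/ipsec.d/crls"):
    """Return (ca_name, key, value, suggested_uri) for crluri* values with no URI scheme.

    crl_dir is an assumed location used to resolve relative file names.
    """
    findings = []
    sec_type, sec_name = None, ""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                  # unindented line opens a section
            parts = line.split()
            sec_type = parts[0]
            sec_name = parts[1] if len(parts) > 1 else ""
            continue
        if sec_type != "ca" or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        value = value.strip('"')
        if key.startswith("crluri") and not SCHEME_RE.match(value):
            path = PurePosixPath(value)
            if not path.is_absolute():
                path = PurePosixPath(crl_dir) / path
            findings.append((sec_name, key, value, "file://" + str(path)))
    return findings

if __name__ == "__main__":
    for ca, key, value, fix in check_crluris(SAMPLE):
        print(f"ca {ca}: {key}={value} is not a URI; consider {key}={fix}")
```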